October 6th, 2022
What makes LimaCharlie’s EDR different?
Christopher Luft
LimaCharlie’s endpoint detection and response (EDR) service is based on our unique approach to cybersecurity, which is why our EDR is so different from traditional EDRs. In this post, we’ll explain the differences—and why they matter for security teams.
A philosophical shift
At LimaCharlie, we take a very different approach to cybersecurity—one that we call security infrastructure as a service (SIaaS). SIaaS offers cybersecurity teams the building blocks of cybersecurity via an IaaS delivery model.
If you’re not familiar with LimaCharlie, here’s a quick rundown of what that means in practice. Our users get:
Full access to cloud-native primitives representing 100+ security capabilities and integrations
Visibility into their underlying security infrastructure and complete control over their data
Flexible, scalable infrastructure on demand—no contracts or minimum deployments required
A pay-per-use billing model that makes it easy to scale up and scale down as needed
To put it another way, we’re doing for cybersecurity what AWS did for IT. This approach underlies everything we do at LimaCharlie, including our EDR.
Three key differences
So what sets the LimaCharlie EDR apart from the other options on the market? There are a number of differences, but we believe that these are the three most important ones:
An API-first approach: Our EDR is available to users as an open API. This is obviously a major difference when compared to the proprietary, black-box EDR solutions sold by legacy vendors. Cybersecurity teams looking to build specialized capabilities or custom integrations have programmatic, bare-metal access to the LimaCharlie EDR. We also offer a web-based UI to make it easier for new users to get started quickly.
A unique billing model: LimaCharlie is security infrastructure as a service, which means we don’t require mandatory minimums or contracts. That’s yet another significant difference from most cybersecurity vendors. For our EDR service, this entails one of two billing models. Users can opt for simple per-endpoint billing, spinning up and down as needed and paying only for what they use. Or—and this is truly unlike anything else in the industry—users can choose a pure usage-billing mode. The latter option gives users fine-grained control over their usage, which is calculated by sensor connection time and how many events are processed and stored.
Easy integration with other tools: The SIaaS model is all about giving users control—rather than trying to control users to achieve vendor lock-in. For this reason, we make it easy to use the LimaCharlie EDR with other tools and infrastructure (even if they belong to our competitors). All telemetry is offered in a normalized JSON format that can be sent anywhere for storage, analysis, or coordination. The LimaCharlie EDR can also ingest telemetry from other EDRs. This data is treated just like standard endpoint telemetry, so users can apply detection and response rules to it or store/output it as needed.
In addition to these differentiators, it’s important to stress that the LimaCharlie EDR exists as part of a rich ecosystem of security tools and infrastructure. With native YARA and Sigma integrations, a marketplace of curated detection and response (D&R) rulesets, and the ability to correlate D&R rules across different telemetry streams, LimaCharlie users can write multi-telemetry detections of great complexity—while still retaining control of their tooling, data, and spending.
Benefits by use case
As you can see, there are some pretty substantial differences between LimaCharlie’s EDR and the EDR solutions sold by other vendors. On a practical level, here’s what this means for different types of user:
Incident response (IR) teamscan leverage the LimaCharlie EDR’s usage-based billing option to pre-deploy EDR sensors in “sleeper mode.” The sensors are present on the endpoints, ready for activation at a moment’s notice, but with all data usage turned down until they’re needed. Since billing is based entirely on sensor activity, the cost to keep a dormant sensor on an endpoint is only US$0.02 per endpoint per month. This gives IR teams a true rapid response capability at a very low cost. From a business standpoint, it also means that IR firms can offer highly competitive service-level agreements to their clients; some LimaCharlie DFIR users have SLAs of 20 minutes.
Managed security service providers (MSSPs) benefit from a full-featured and highly customizable EDR that they control—one that’s provided by a technology-focused company that doesn’t compete with them for business like traditional EDR vendors do. The open API allows MSSPs to engineer truly custom solutions for their clients, while the simplified and scalable pricing means they can take on new business without worrying about how much it’s going to cost them to do so. In addition, because the LimaCharlie EDR can ingest telemetry from other EDRs, MSSPs can easily onboard a new client that still has a contract with another EDR provider.
Startups that want to build their own cybersecurity products can also take advantage of our EDR’s usage-based billing option. Developers sometimes need specific functionalities that represent a narrower subset of what the full LimaCharlie EDR can do. The usage-based billing option gives them the capabilities they need at a reasonable cost, allowing them to save development time and create products with excellent margins.
How to get started with the LimaCharlie EDR
To learn more about how to use LimaCharlie for detection and response, check out the Basic Detection and Response course in our learning portal
If you’d like to see the EDR service in action for yourself, book a demo or experiment with LimaCharlie’s free tier on your own.