Security Service Providers
SecOps Cloud Platform Guide for Service Providers
Improve security operations and compete more effectively.
A guide for cybersecurity service providers
The LimaCharlie SecOps Cloud Platform (SCP) is a unified platform for modern cybersecurity operations.
The SCP delivers core cybersecurity capabilities and infrastructure via a public cloud model: on-demand, pay-per-use, and API-first. For the cybersecurity industry, this is a paradigm shift comparable to how the IT public cloud revolutionized IT.
For managed security services providers (MSSPs), managed detection and response (MDR) firms, and all those involved in digital forensics and incident response (DFIR), the SecOps Cloud Platform is a powerful way to improve security operations and compete more effectively. With the SCP, service providers can deliver security services at scale, control costs, consolidate and customize security tooling, take on new businesses with confidence, and much more.
The platform's public cloud-like delivery model also helps service providers integrate the SCP into their operations gradually and safely. Flexible pay-as-you-go pricing means you only pay for the capabilities you need, and only for as long as you use them—without long-term contracts, complex licensing, capacity planning, price modeling, or termination fees.
New to LimaCharlie: Bi-directionality
LimaCharlie is enhancing the capabilities of the SCP with the addition of bi-directionality, offering a strategic advancement in how detection rules and response actions are intertwined.
This innovative growth to the SCP transforms how detection rules and response actions interact by enabling automated and direct responses to threats across platforms. By moving beyond the constraints of manual actions and playbooks, bi-directionality paves the way for service providers to respond to threats more swiftly and efficiently with automation of containment and remediation in one place.
The function of bi-directionality not only expedites the process of threat mitigation, but it also significantly reduces the strain on SOC teams.
Bi-directionality in the SCP is designed to operationalize any source, working within existing tool sprawl or to help dismantle reliance on complicated workflows. This empowers security analysts to focus on more strategic issues, while slashing mean time to remediate (MTTR).
Experience how bi-directionality can unlock the true power of LimaCharlie's detection and response capabilities, reduce SOC workload, automate containment and remediation, and significantly improve incident resolution.
Paul Ihme
Managing Principal, Soteria
Implementation strategies for quick wins
The SecOps Cloud Platform contains numerous capabilities and is designed to be highly flexible and customizable. Nevertheless, there are some common implementation strategies that MSSP users have found to be good starting points with the platform. Here are three easy ways that the SCP can help service providers improve security operations and expand their businesses immediately:
Gain greater visibility into client environments
The SCP can help service providers gain greater visibility into client environments—and bring telemetry data under a single plane for a more unified view. This is one of the first realizations of value for service providers using the SCP platform. Here's an outline of what this looks like:
- Decide what telemetry data you need to support security operations. Your options here are extensive. In the SCP, there are two main sources of telemetry:
  First, there are the platform's endpoint detection and response (EDR)-type sensors, which can be deployed directly on Windows, Mac, and Linux endpoints with full feature parity across these OSes to capture system events and other telemetry data. There are also browser-based sensors for Chrome and Edge. Sensors stream telemetry data and artifacts into the SCP in real time (and can also be used to take response actions on endpoints). Importing event data from third-party EDR tools such as VMware Carbon Black, CrowdStrike, and Microsoft Defender is also possible.
  The second source of telemetry data can be classed as log-type data. This data can be brought into the SCP using a system of adapters or via webhook. The options are too numerous to list here in full, but supported log data sources include O365, 1Password, AWS CloudTrail, Google Cloud Platform (GCP), Slack Audit logs, and more. For a more comprehensive list, refer to the SCP documentation.
- Configure client organizations to provide the required visibility. The SCP web interface makes this as simple as making a few clicks to set up the required installation keys. More advanced configuration management options using a REST API or a command-line interface (CLI) are also available. After setup, your client organizations' configurations—including what telemetry you want to bring into the SecOps Cloud Platform—will be stored as simple YAML files. Note here that it's possible to use the SCP's multitenancy and organization management features to make configuration changes to multiple organizations at the same time. For a more detailed example of what this might look like, see this demo MSSP setup.
- Bring your data under a single plane. All telemetry data brought into the SCP is normalized to a common JSON format and explorable through a single interface. In itself, this represents a huge step forward for many service providers because they will no longer have to deal with a fragmented jumble of UIs or competing data formats in order to view and act on their telemetry data.
- Operationalize your telemetry data. Seeing into your clients' environments is an essential first step—but this is only the beginning of what is possible with the SecOps Cloud Platform. The SCP's advanced detection and response engine can act on every piece of telemetry brought into the platform, making it possible to apply sophisticated detection and response (D&R) logic to telemetry data. Applying D&R logic can be as tailored or as simple as you choose, from using custom detections that you write yourself to leveraging curated rulesets like Sigma, Soteria, or SOC Prime rules—or a combination of both approaches.
It's impossible to protect what you can't see. The SCP makes it possible to gain full visibility into a client environment, visualize that telemetry in a single interface and data format, and take action on telemetry data via a powerful detection, automation, and response engine.
Implement scalable SecOps and simplified client management
The SecOps Cloud Platform is multitenant by design, offers fine-grained role-based access control (RBAC), and supports an infrastructure-as-code (IaC) approach to configuration management. These core aspects of the SCP enable service providers to practice modern cybersecurity operations at scale.
- Separate client environments intelligently. The multitenancy of the SCP allows service providers to create a logical boundary between their client organizations' data while still being able to view and manage everything from a single platform. Multitenancy makes it easier to avoid commingling client data—and comply with regional regulatory requirements such as data residency rules.
- Manage access and permissions more effectively. RBAC allows you to grant users the access to organizations and the permissions that they need. You can give individual users permissions on a per-organization basis if you choose. But for more efficient access management, you can use Organization Groups, which are groupings of client organizations, permissions, and users.
  Organization Groups give the same permissions and organizational access to any user added to the group. Typically, Organization Groups are set up by job function. For example, you might create an Organization Group for security engineers that allows members to edit telemetry ingestion configurations for all of your client organizations, and a separate Organization Group for non-technical roles that provides read-only access or the ability to view general organizational information.
- Build SecOps workflows that scale. The SecOps Cloud Platform enables service providers to take an infrastructure-as-code approach to security operations. All of your client organizations' security configurations—from D&R rules to data forwarding and output settings—can be stored and managed as simple YAML files.
  Create new organizations quickly by cloning an existing organization's configurations or using a configuration template. Maintain a global set of configuration settings for all client organizations and then add per-client config files as needed. If you need to make changes to multiple client organizations, this is as simple as editing a global configuration file via CLI or web UI and pushing out the change to all of your organizations at scale.
The SecOps Cloud Platform helps service providers adopt a truly modern and scalable approach to cybersecurity operations. For a more detailed look at how these SCP concepts work in practice, watch Setting Up an MSSP with LimaCharlie.
Improve incident response times and offer unbeatable service-level agreements
The SecOps Cloud Platform can be tremendously valuable for service providers doing incident response (IR) work. Here are some of the most significant capabilities for IR teams:
- Begin IR engagements without delay. The on-demand nature of the SecOps Cloud Platform means you will never need to talk to a vendor sales representative or renegotiate a contract before starting an IR engagement. With the SCP, you log into your account, use a credit card or increase your existing sensor quota, and begin.
  In addition, it's possible to preconfigure tenants ahead of an IR engagement. Set up your desired SCP IR configuration using custom D&R rulesets, curated rulesets, memory dump capabilities, YARA scanning, and more. Then, export the configuration files for your IR tenant and reuse them whenever you have a new IR engagement to hit the ground running.
- Take the fight to the adversary. During IR engagements with an active attacker in the environment, the SecOps Cloud Platform gives you a robust response capability on your client's endpoints.
  Mass-deploy SCP sensors using an enterprise deployment tool. Then, use those sensors to gather real-time event data, run shell commands and executables on endpoints, deploy security tools and remediation packages at scale, or isolate compromised machines from the network—all with minimal impact on the client's operations and mission-critical IT infrastructure.
- Use security intelligence as soon as you have it. The SCP's IaC approach means you don't have to rely on a vendor to update a tool or publish an indicator of compromise (IoC) in an emergency. For example, imagine a scenario in which you're dealing with a 0-day compromise. If you have early access to an IoC via an information-sharing network or a colleague, you can literally copy-paste the relevant IoC data from a Slack message into a new SCP D&R rule, update the relevant config file, and push out the change to your client's environment—while all of the vendor-dependent service providers are still waiting on someone else to act.
- Build a true rapid-response capability. LimaCharlie sensors can be pre-deployed to client environments in "sleeper" mode: i.e., with the telemetry collection settings tuned down to a bare minimum to keep costs to just pennies per month. If an incident occurs, the sensors are already there, ready and waiting on the endpoints, and can be turned on for an immediate response. This use case has allowed SCP service provider partners to offer service-level agreements of as little as 20 minutes—a considerable advantage when it comes to pitching (and closing) new MDR or MSSP clients.
IR work is high-stakes and high-pressure—and, unfortunately, is far too often complicated by the cumbersome sales processes and technical limitations of legacy cybersecurity vendors. The SCP allows incident responders to take action quickly and independently during an incident. It also lets cybersecurity service providers improve their overall response capabilities, enabling attractive service-level agreements that can help win over prospective clients.
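As an added example (not from this guide, and not one of LimaCharlie's own rulesets), here is what the IoC-to-rule step above might look like as a single SCP D&R rule in the platform's YAML format, also illustrating the D&R logic applied to normalized telemetry described earlier: it matches a process event on either a file hash or an executable name and then reports, tags, and network-isolates the endpoint. The hash, file name, rule name, and tag are constructed placeholders, not real indicators.

```yaml
# Added example D&R rule; not part of the LimaCharlie guide.
# Detection half: fire on NEW_PROCESS events where either IoC matches.
detect:
  event: NEW_PROCESS
  op: or
  rules:
    # Constructed placeholder SHA-256; paste the real IoC hash here.
    - op: is
      path: event/HASH
      value: "0000000000000000000000000000000000000000000000000000000000000000"
      case sensitive: false
    # Constructed placeholder executable name from the same IoC report.
    - op: ends with
      path: event/FILE_PATH
      value: "\\placeholder-ioc-binary.exe"
      case sensitive: false

# Response half: automated containment, per the bi-directionality section.
respond:
  # Raise a detection so the SOC sees it (name is a placeholder).
  - action: report
    name: ioc-placeholder-binary-executed
  # Tag the sensor for one day so follow-up rules and searches can key on it.
  - action: add tag
    tag: ioc-hit
    ttl: 86400
  # Cut the host off from the network while still allowing sensor control.
  - action: isolate network
```

Before pushing a rule like this to client organizations, it can be run through Replay (described below) against historical traffic to confirm it fires on the IoC and nowhere else.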
More SCP Use Cases for Service Providers
The implementation plans above represent "quick wins" with the SecOps Cloud Platform—the first steps most likely to help service providers get value out of the platform from day one. But because the SCP contains numerous capabilities and is highly customizable and extensible, many more potential use cases are available to service providers:
Simplify tooling
The SecOps Cloud Platform provides many core cybersecurity capabilities that service providers have historically had to build and maintain themselves or purchase from legacy vendors. The SCP helps service providers simplify their security stack by giving them complete control of a scalable, enterprise-grade toolset. Eliminate one-off vendors and services, gain greater control over your team's security tooling, and stop spending time on infrastructure maintenance that could be spent on security operations.
Solve narrow problems for clients
The SecOps Cloud Platform is on-demand and pay-per-use—which means capabilities and add-ons can be enabled for an individual client as needed. If a customer comes to you with a special request, you no longer have to worry about the cost and complexity of onboarding an additional tool or vendor to accommodate their need. The SCP helps service providers say "yes" to their clients more often.
Expand the platform
The SecOps Cloud Platform contains the core tools and infrastructure required for modern cybersecurity operations—but we recognize that some users will have needs beyond the SCP's native capabilities. For this reason, we've developed a rich ecosystem of integrations that service providers can enable without ever leaving the platform, including Velociraptor, Atomic Red Team, AlienVault OTX, SnapAttack Community Edition, PagerDuty, Thinkst Canarytokens, and more.
Reduce SIEM and SOAR costs
All telemetry data brought into the SecOps Cloud Platform can be output to any destination and is stored for one year at no additional cost. The SCP is not a replacement for your security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solution, but it can help you gain greater control over where your data is going—and how much that costs you month to month. Save money by sending only necessary data to your high-cost tools while routing the rest to lower-cost storage solutions or retaining it in the SCP cloud for free.
Improve triage and alerting
The telemetry data output function of the SCP also makes it possible to automate alerts in a fine-grained way. Make sure your teams see high-priority alerts as they happen by sending critical detections to a monitored Slack channel, triggering a PagerDuty notification, or sending a simple text message or email.
Validate detections with Replay
The SCP's Replay function allows you to run a D&R rule against historical traffic. If a security engineer is writing a new rule, they can use Replay to test it against actual traffic from clients before deployment. This allows security teams to be sure that the rule will detect what it's supposed to detect—and that it won't generate false positives.
Partnering with LimaCharlie
LimaCharlie's SecOps Cloud Platform is intended to create a new paradigm for security operations teams and a better future for the cybersecurity industry.
LimaCharlie is 100% committed to its technology partners and platform users—and as such, extensive support is available to all SCP users.
- The SCP community Slack channel provides a forum to talk to other SCP users and to get help from the LimaCharlie team.
- The MSSP Partner Program gives service providers access to custom security engineering help, preferred billing rates, client referrals, and joint marketing opportunities.
- The SCP's rich documentation, LC 101 video series, and on-demand webinar series help new users get started with the platform quickly and get more value from it as they expand their integration.
- Above all, the LimaCharlie team is always available to answer questions about your deployment, talk about a potential use case, discuss a feature request, or help in any way possible.