SecOps Cloud Platform Guide for Service Providers

The SCP can help service providers gain greater visibility into client environments—and bring telemetry data under a single plane for a more unified view. This is one of the first realizations of value for service providers using the SCP platform. Here's an outline of what this looks like:

• Decide what telemetry data you need to support security operations. Your options here are extensive. In the SCP, there are two main sources of telemetry:

  First, there are the platform's endpoint detection and response (EDR)-type sensors, which can be deployed directly on Windows, Mac, and Linux endpoints with full feature parity across these OSes to capture system events and other telemetry data. There are also browser-based sensors for Chrome and Edge. Sensors stream telemetry data and artifacts into the SCP in real time (and can also be used to take response actions on endpoints). Importing event data from third-party EDR tools such as VMWare Carbon Black, CrowdStrike, and Microsoft Defender is also possible.

  The second source of telemetry data can be classed as log-type data. This data can be brought into the SCP using a system of adapters or via webhook. The options are too numerous to list here in full, but supported log data sources include O365, 1Password, AWS CloudTrail, Google Cloud Platform (GCP), Slack Audit logs, and more. For a more comprehensive list, refer to the SCP documentation.

• Configure client organizations to provide the required visibility. The SCP web interface makes this as simple as making a few clicks to set up the required installation keys. More advanced configuration management options using a REST API or a command-line interface (CLI) are also available. After setup, your client organizations' configurations—including what telemetry you want to bring into the SecOps Cloud Platform—will be stored as simple YAML files. Note here that it's possible to use the SCP's multitenancy and organization management features to make configuration changes to multiple organizations at the same time. For a more detailed example of what this might look like, see this demo MSSP setup.

• Bring your data under a single plane. All telemetry data brought into the SCP is normalized to a common JSON format and explorable through a single interface. In itself, this represents a huge step forward for many service providers because they will no longer have to deal with a fragmented jumble of UIs or competing data formats in order to view and act on their telemetry data.

• Operationalize your telemetry data. Seeing into your clients' environments is an essential first step—but this is only the beginning of what is possible with the SecOps Cloud Platform. The SCP's advanced detection and response engine can act on every piece of telemetry brought into the platform, making it possible to apply sophisticated detection and response (D&R) logic to telemetry data. Applying D&R logic can be as tailored or as simple as you choose, from using custom detections that you write yourself to leveraging curated rulesets like Sigma, Soteria, or SOC Prime rules—or a combination of both approaches.

It's impossible to protect what you can't see. The SCP makes it possible to gain full visibility into a client environment, visualize that telemetry in a single interface and data format, and take action on telemetry data via a powerful detection, automation, and response engine.

The SecOps Cloud Platform is multitenant by design, offers fine-grained role-based access control (RBAC), and supports an infrastructure-as-code (IaC) approach to configuration management. These core aspects of the SCP enable service providers to practice modern cybersecurity operations at scale.

• Separate client environments intelligently. The multitenancy of the SCP allows service providers to create a logical boundary between their client organizations' data while still being able to view and manage everything from a single platform. Multitenancy makes it easier to avoid commingling client data—and comply with regional regulatory requirements such as data residency rules.

• Manage access and permissions more effectively. RBAC allows you to grant users the access to organizations and the permissions that they need. You can give individual users permissions on a per-organization basis if you choose. But for more efficient access management, you can use Organization Groups, which are groupings of client organizations, permissions, and users.

  Organization Groups give the same permissions and organizational access to any user added to the group. Typically, Organization Groups are set up by job function. For example, you might create an Organization Group for security engineers that allows members to edit telemetry ingestion configurations for all of your client organizations, and a separate Organization Group for non-technical roles that provides read-only access or the ability to view general organizational information.

• Build SecOps workflows that scale. The SecOps Cloud Platform enables service providers to take an infrastructure-as-code approach to security operations. All of your client organizations' security configurations—from D&R rules to data forwarding and output settings—can be stored and managed as simple YAML files.

  Create new organizations quickly by cloning an existing organization's configurations or using a configuration template. Maintain a global set of configuration settings for all client organizations and then add per-client config files as needed. If you need to make changes to multiple client organizations, this is as simple as editing a global configuration file via CLI or web UI and pushing out the change to all of your organizations at scale.

The SecOps Cloud Platform helps service providers adopt a truly modern and scalable approach to cybersecurity operations. For a more detailed look at how these SCP concepts work in practice, watch Setting Up an MSSP with LimaCharlie.

The SecOps Cloud Platform can be tremendously valuable for service providers doing incident response (IR) work. Here are some of the most significant capabilities for IR teams:

• Begin IR engagements without delay. The on-demand nature of the SecOps Cloud Platform means you will never need to talk to a vendor sales representative or renegotiate a contract before starting an IR engagement. With the SCP, you log into your account, use a credit card or increase your existing sensor quota, and begin.

  In addition, it's possible to preconfigure tenants ahead of an IR engagement. Set up your desired SCP IR configuration using custom D&R rulesets, curated rulesets, memory dump capabilities, YARA scanning, and more. Then, export the configuration files for your IR tenant and reuse them whenever you have a new IR engagement to hit the ground running.

• Take the fight to the adversary. During IR engagements with an active attacker in the environment, the SecOps Cloud Platform gives you a robust response capability on your client's endpoints.

  Mass-deploy SCP sensors using an enterprise deployment tool. Then, use those sensors to gather real-time event data, run shell commands and executables on endpoints, deploy security tools and remediation packages at scale, or isolate compromised machines from the network—all with minimal impact on the client's operations and mission-critical IT infrastructure.

• Use security intelligence as soon as you have it. The SCP's IaC approach means you don't have to rely on a vendor to update a tool or publish an indicator of compromise (IoC) in an emergency. For example, imagine a scenario in which you're dealing with a 0-day compromise. If you have early access to an IoC via an information-sharing network or a colleague, you can literally copy-paste the relevant IoC data from a Slack message into a new SCP D&R rule, update the relevant config file, and push out the change to your client's environment—while the all of the vendor-dependent service providers are still waiting on someone else to act.

• Build a true rapid-response capability. LimaCharlie sensors can be pre-deployed to client environments in "sleeper" mode: i.e., with the telemetry collection settings tuned down to a bare minimum to keep costs to just pennies per month. If an incident occurs, the sensors are already there, ready and waiting on the endpoints, and can turned on for an immediate response. This use case has allowed SCP service provider partners to offer service-level agreements of as little as 20 minutes—a considerable advantage when it comes to pitching (and closing) new MDR or MSSP clients.

IR work is high-stakes and high-pressure—and, unfortunately, is far too often complicated by the cumbersome sales processes and technical limitations of legacy cybersecurity vendors. The SCP allows incident responders to take action quickly and independently during an incident. It also lets cybersecurity service providers improve their overall response capabilities, enabling attractive service-level agreements that can help win over prospective clients.

LimaCharlie's SecOps Cloud Platform is intended to create a new paradigm for security operations teams and a better future for the cybersecurity industry.

LimaCharlie is 100% committed to its technology partners and platform users—and as such, extensive support is available to all SCP users.

• The SCP community Slack channel provides a forum to talk to other SCP users and to get help from the LimaCharlie team.
• The MSSP Partner Program gives service providers access to custom security engineering help, preferred billing rates, client referrals, and joint marketing opportunities.
• The SCP’s rich documentation, LC 101 video series, and on-demand webinar series help new users get started with the platform quickly and get more value from it as they expand their integration.
• Above all, the LimaCharlie team is always available to answer questions about your deployment, talk about a potential use case, discuss a feature request, or help in any way possible.