Security Service Providers (MSSP, MSP, MDR)

The LimaCharlie SecOps Cloud Platform (SCP) is a unified platform for modern cybersecurity operations.

The SCP delivers core cybersecurity capabilities and infrastructure via a public cloud model: on-demand, pay-per-use, and API-first. For the cybersecurity industry, this is a paradigm shift comparable to how the IT public cloud revolutionized IT.

For managed security services providers (MSSPs), managed detection and response (MDR) firms, and all those involved in digital forensics and incident response (DFIR), the SecOps Cloud Platform is a powerful way to improve security operations and compete more effectively. With the SCP, service providers can deliver security services at scale, control costs, consolidate and customize security tooling, take on new businesses with confidence, and much more.

The platform's public cloud-like delivery model also helps service providers integrate the SCP into their operations gradually and safely. Flexible pay-as-you-go pricing means you only pay for the capabilities you need, and only for as long as you use them—without long-term contracts, complex licensing, capacity planning, price modeling, or termination fees.

Implementation strategies for quick wins

The SecOps Cloud Platform contains numerous capabilities and is designed to be highly flexible and customizable. Nevertheless, there are some common implementation strategies that MSSP users have found to be good starting points with the platform. Here are three easy ways that the SCP can help service providers improve security operations and expand their businesses immediately:

Gain greater visibility into client environments

The SCP can help service providers gain greater visibility into client environments—and bring telemetry data under a single plane for a more unified view. This is one of the first realizations of value for service providers using the SCP platform. Here's an outline of what this looks like:

Decide what telemetry data you need to support security operations. Your options here are extensive. In the SCP, there are two main sources of telemetry:

First, there are the platform's endpoint detection and response (EDR)-type sensors, which can be deployed directly on Windows, Mac, and Linux endpoints with full feature parity across these OSes to capture system events and other telemetry data. There are also browser-based sensors for Chrome and Edge. Sensors stream telemetry data and artifacts into the SCP in real time (and can also be used to take response actions on endpoints). Importing event data from third-party EDR tools such as VMWare Carbon Black, CrowdStrike, and Microsoft Defender is also possible.

The second source of telemetry data can be classed as log-type data. This data can be brought into the SCP using a system of adapters or via webhook. The options are too numerous to list here in full, but supported log data sources include O365, 1Password, AWS CloudTrail, Google Cloud Platform (GCP), Slack Audit logs, and more. For a more comprehensive list, refer to the SCP documentation.

Configure client organizations to provide the required visibility. The SCP web interface makes this as simple as making a few clicks to set up the required installation keys. More advanced configuration management options using a REST API or a command-line interface (CLI) are also available. After setup, your client organizations' configurations—including what telemetry you want to bring into the SecOps Cloud Platform—will be stored as simple YAML files. Note here that it's possible to use the SCP's multitenancy and organization management features to make configuration changes to multiple organizations at the same time. For a more detailed example of what this might look like, see this demo MSSP setup.

Bring your data under a single plane. All telemetry data brought into the SCP is normalized to a common JSON format and explorable through a single interface. In itself, this represents a huge step forward for many service providers because they will no longer have to deal with a fragmented jumble of UIs or competing data formats in order to view and act on their telemetry data.

Operationalize your telemetry data. Seeing into your clients' environments is an essential first step—but this is only the beginning of what is possible with the SecOps Cloud Platform. The SCP's advanced detection and response engine can act on every piece of telemetry brought into the platform, making it possible to apply sophisticated detection and response () logic to telemetry data. Applying D&R logic can be as tailored or as simple as you choose, from using custom detections that you write yourself to leveraging curated rulesets like Sigma, Soteria, or SOC Prime rules—or a combination of both approaches.

It's impossible to protect what you can't see. The SCP makes it possible to gain full visibility into a client environment, visualize that telemetry in a single interface and data format, and take action on telemetry data via a powerful detection, automation, and response engine.

Implement scalable SecOps and simplified client management

The SecOps Cloud Platform is multitenant by design, offers fine-grained role-based access control (RBAC), and supports an Infrastructure-as-Code (IaC) approach to configuration management. These core aspects of the SCP enable service providers to practice modern cybersecurity operations at scale.

Separate client environments intelligently. The multitenancy of the SCP allows service providers to create a logical boundary between their client organizations' data while still being able to view and manage everything from a single platform. Multitenancy makes it easier to avoid commingling client data—and comply with regional regulatory requirements such as data residency rules.

Manage access and permissions more effectively. RBAC allows you to grant users the access to organizations and the permissions that they need. You can give individual users permissions on a per-organization basis if you choose. But for more efficient access management, you can use Organization Groups, which are groupings of client organizations, permissions, and users.

Organization Groups give the same permissions and organizational access to any user added to the group. Typically, Organization Groups are set up by job function. For example, you might create an Organization Group for security engineers that allows members to edit telemetry ingestion configurations for all of your client organizations, and a separate Organization Group for non-technical roles that provides read-only access or the ability to view general organizational information.

Build SecOps workflows that scale. The SecOps Cloud Platform enables service providers to take an infrastructure-as-code approach to security operations. All of your client organizations' security configurations—from D&R rules to data forwarding and output settings—can be stored and managed as simple YAML files.

Create new organizations quickly by cloning an existing organization's configurations or using a configuration template. Maintain a global set of configuration settings for all client organizations and then add per-client config files as needed. If you need to make changes to multiple client organizations, this is as simple as editing a global configuration file via CLI or web UI and pushing out the change to all of your organizations at scale.

The SecOps Cloud Platform helps service providers adopt a truly modern and scalable approach to cybersecurity operations. For a more detailed look at how these SCP concepts work in practice, watch  Setting Up an MSSP with LimaCharlie.

Improve incident response times and offer unbeatable service-level agreements

The SecOps Cloud Platform can be tremendously valuable for service providers doing incident response (IR) work. Here are some of the most significant capabilities for IR teams:

Begin IR engagements without delay. The on-demand nature of the SecOps Cloud Platform means you will never need to talk to a vendor sales representative or renegotiate a contract before starting an IR engagement. With the SCP, you log into your account, use a credit card or increase your existing sensor quota, and begin.

In addition, it's possible to preconfigure tenants ahead of an IR engagement. Set up your desired SCP IR configuration using custom D&R rulesets, curated rulesets, memory dump capabilities, YARA scanning, and more. Then, export the configuration files for your IR tenant and reuse them whenever you have a new IR engagement to hit the ground running.

Take the fight to the adversary. During IR engagements with an active attacker in the environment, the SecOps Cloud Platform gives you a robust response capability on your client's endpoints.

Mass-deploy SCP sensors using an enterprise deployment tool. Then, use those sensors to gather real-time event data, run shell commands and executables on endpoints, deploy security tools and remediation packages at scale, or isolate compromised machines from the network—all with minimal impact on the client's operations and mission-critical IT infrastructure.

Use security intelligence as soon as you have it. The SCP's IaC approach means you don't have to rely on a vendor to update a tool or publish an indicator of compromise (IoC) in an emergency. For example, imagine a scenario in which you're dealing with a 0-day compromise. If you have early access to an IoC via an information-sharing network or a colleague, you can literally copy-paste the relevant IoC data from a Slack message into a new SCP D&R rule, update the relevant config file, and push out the change to your client's environment—while the all of the vendor-dependent service providers are still waiting on someone else to act.

Build a true rapid-response capability. LimaCharlie sensors can be pre-deployed to client environments in "sleeper" mode: i.e., with the telemetry collection settings tuned down to a bare minimum to keep costs to just pennies per month. If an incident occurs, the sensors are already there, ready and waiting on the endpoints, and can turned on for an immediate response. This use case has allowed SCP service provider partners to offer service-level agreements of as little as 20 minutes—a considerable advantage when it comes to pitching (and closing) new MDR or MSSP clients.

IR work is high-stakes and high-pressure—and, unfortunately, is far too often complicated by the cumbersome sales processes and technical limitations of legacy cybersecurity vendors. The SCP allows incident responders to take action quickly and independently during an incident. It also lets cybersecurity service providers improve their overall response capabilities, enabling attractive service-level agreements that can help win over prospective clients.