<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: LimaCharlie</title>
    <description>The latest articles on DEV Community by LimaCharlie (@limacharlieio).</description>
    <link>https://dev.to/limacharlieio</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F5889%2F039c2b6c-fe17-450a-81f9-bca73f4a0278.png</url>
      <title>DEV Community: LimaCharlie</title>
      <link>https://dev.to/limacharlieio</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/limacharlieio"/>
    <language>en</language>
    <item>
      <title>Domain and IP intelligence with alphaMountain and LimaCharlie</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Wed, 07 Jun 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/domain-and-ip-intelligence-with-alphamountain-and-limacharlie-3c09</link>
      <guid>https://dev.to/limacharlieio/domain-and-ip-intelligence-with-alphamountain-and-limacharlie-3c09</guid>
      <description>&lt;p&gt;LimaCharlie gives you the ability to collate and correlate data of any type, enriching it with threat intelligence and allowing for real-time, actionable decisions. Today, we are excited to discuss our new integration with &lt;a href="https://www.alphamountain.ai/"&gt;alphaMountain&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Utah-based alphaMountain provides domain and IP threat intelligence that helps security architects and analysts make better, faster decisions about the risks posed by a host on the internet. alphaMountain’s analysis uses machine learning to instantly render a threat score along with contextual enrichment including visitless site categorization, related hosts, threat factors, passive DNS, certificates, redirect chains and more. alphaMountain data is delivered in multiple formats, and is easily coupled with network-based telemetry in LimaCharlie.&lt;/p&gt;

&lt;p&gt;We currently support three alphaMountain API-based lookups:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Domain Category (alphamountain-category)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Returns categorization for Internet URIs, generated by alphaMountain's own statistical and neural network models. For more information on alphaMountain's categories, visit &lt;a href="https://alphamountain.freshdesk.com/support/solutions/articles/66000280079-a9-web-protection-categories-grouped-"&gt;their knowledge base&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Domain Popularity (alphamountain-popularity)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Returns the popularity of a domain, as measured by a combination of page-rank, daily traffic bandwidth, total number of requests, and passive DNS activity for a given hostname. For more information, visit &lt;a href="https://www.alphamountain.ai/api/#tag/Domain/paths/~1popularity~1domain/post"&gt;their knowledge base.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Domain Threat (alphamountain-threat)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Returns threat ratings for Internet URIs, generated by alphaMountain's own statistical and neural network models, cross-validated by a variety of sources as appropriate. For more information, visit &lt;a href="https://www.alphamountain.ai/threat-intelligence-feeds-api/"&gt;their knowledge base&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Telemetry Integration&lt;/h2&gt;

&lt;p&gt;With LimaCharlie’s free tier, you can easily get a test instance up and running without any charge, and begin integrating with alphaMountain’s data in minutes.&lt;/p&gt;

&lt;p&gt;alphaMountain’s API integrations can be enabled from the &lt;a href="https://app.limacharlie.io/add-ons/category/api"&gt;API Marketplace&lt;/a&gt;. Please note, you’ll need an API key in order to successfully query alphaMountain data. (You can request your free trial alphaMountain API key at &lt;a href="http://www.alphamountain.ai/"&gt;www.alphamountain.ai&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;Once enabled, you can make calls to the respective API(s) directly from a detection and response rule. For example, the following rule will perform a Domain Category lookup against domains found in &lt;a href="https://docs.limacharlie.io/v1/docs/reference-events-system-network#dnsrequest"&gt;DNS_REQUEST&lt;/a&gt; events.&lt;/p&gt;

&lt;p&gt;Along with typical D&amp;amp;R rule data, you will also receive alphaMountain-specific metadata. These metadata results can also be referenced via LimaCharlie’s &lt;code&gt;metadata_rules&lt;/code&gt;. For additional automated actions, LimaCharlie also adds a threatYeti URL. See below:&lt;/p&gt;

&lt;p&gt;References to the other alphaMountain APIs will be similar in request and response, allowing you to craft custom detection rules based on API results.&lt;/p&gt;

&lt;h2&gt;Getting Started with LimaCharlie and alphaMountain&lt;/h2&gt;

&lt;p&gt;To explore the integration with LimaCharlie and alphaMountain, &lt;a href="https://app.limacharlie.io/signup"&gt;try our full-featured free tier&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;schedule a demo with our solution engineers.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Additionally, we'll be hosting a live webinar on June 13, 2023 at 10:00am PT discussing the integration in more detail. &lt;a href="https://my.demio.com/ref/vRYCUfxSutVjj5My?utm_source=blog"&gt;Register for the event.&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Early Warnings with LimaCharlie + Canarytokens</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Mon, 24 Apr 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/early-warnings-with-limacharlie-canarytokens-3fbg</link>
      <guid>https://dev.to/limacharlieio/early-warnings-with-limacharlie-canarytokens-3fbg</guid>
      <description>&lt;p&gt;Here at LimaCharlie, we believe in utilizing as much telemetry as possible to gain insight into suspicious activity within your environment. Our platform allows for you to create or import detection rules, like Sigma or SnapAttack, quickly, so your team can get up and running. Wider visibility means higher fidelity detections. However, what if we could utilize a simple, yet effective, tool to provide an earlier warning of potential attacks? This is where Canarytokens come in. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://thinkst.com/"&gt;&lt;u&gt;Thinkst&lt;/u&gt;&lt;/a&gt; Canarytokens is an innovative tool that allows you to place decoy files, URLs, and other bait on your network or endpoints. When a Canarytoken is triggered, you'll receive an alert, allowing you to take immediate action to prevent any potential threats. With LimaCharlie’s webhook ingestion, we can easily push Canarytoken alerts into LimaCharlie. Let’s walk through this process.&lt;/p&gt;

&lt;h2&gt;Getting started with the Canarytokens integration&lt;/h2&gt;

&lt;p&gt;Getting started with LimaCharlie and Canarytokens is easy. Simply sign up for a free account and follow the easy setup instructions. With LimaCharlie's user-friendly interface and Canarytokens' simple deployment process, you can have both systems up and running in no time.&lt;/p&gt;

&lt;p&gt;Head over to &lt;a href="https://canarytokens.org"&gt;&lt;u&gt;Canarytokens.org&lt;/u&gt;&lt;/a&gt; and select the type of token you want to create. For this blog post, we’ll create a Canary that monitors for command execution. We’re going to monitor usage of ping.exe (you might want to modify this for sensitive commands, or deploy multiple Canaries on key systems). More information about this canary type is available on &lt;a href="https://docs.canarytokens.org/guide/ms-word-token.html"&gt;&lt;u&gt;Canarytokens’ documentation&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Let’s head back to LimaCharlie to create a dedicated Canary Token input. We’ve made this super easy for you - simply select “Canary Token” as a new sensor type (This can also be done via the LimaCharlie API or CLI - more detailed documentation on this &lt;a href="https://doc.limacharlie.io/docs/documentation/eba9d0d4e6457-webhook-ingestion"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt;):&lt;/p&gt;

&lt;p&gt;You’ll need an Installation Key and a secret value, which can be an arbitrary value unique to this webhook:&lt;/p&gt;

&lt;p&gt;Once created, you’ll have your webhook listed in the ‘Cloud Adapters’ section of the Sensors list.&lt;/p&gt;

&lt;p&gt;The URL to push to this webhook, which you’ll need to finish the Canarytokens configuration, will include the following:&lt;/p&gt;

&lt;p&gt;Grab this URL, head back to Canarytokens, and input it in the appropriate field. Give your Canary some metadata, the process name, and install the registry key on the system(s) of interest. Now, we wait for someone to bite!&lt;/p&gt;

&lt;h2&gt;Canary Webhook Data in LimaCharlie&lt;/h2&gt;

&lt;p&gt;Luckily, this is all the configuration needed to get Canarytokens data into LimaCharlie. Now, we wait for a Canary to get tripped, which will send an alert to the specified webhook URL. Navigating to the ‘Timeline’ data of our webhook sensor, there is a chance you’ll see an initial “this works” message:&lt;/p&gt;

&lt;p&gt;We installed the Canary on a test system and executed our monitored binary - within a second or two, we had a Canary token event represented in our LimaCharlie timeline. Here’s an example alert:&lt;/p&gt;

&lt;p&gt;Note that we have some useful metadata associated with the token, including command prompt user and hostnames. Other tokens, such as Office documents, provide significantly more metadata. Given the Canarytoken’s JSON format, the data ingests cleanly into LimaCharlie and requires little follow-up on our part.&lt;/p&gt;

&lt;h2&gt;Detecting on Canary Events&lt;/h2&gt;

&lt;p&gt;We’re almost done - the final step is to ensure that Canarytokens appear in our Detections menu, rather than just in the timeline. Remember, Canarytokens come with an inherent fidelity - if they are placed in key locations and opened/accessed/tripped, we are already suspicious of the activity. Thus, a Canarytoken alert itself is enough to generate a detection.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Quick Note&lt;/em&gt;: &lt;em&gt;Why not just bring Canarytokens in as detections? We like the idea of keeping the data separate, so you can refer back to Canarytoken data in its own timeline, rather than having to browse through the detection data.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Looking at the Canarytokens’ data, we can see that the data is in simple structured JSON, and we can write a quick rule for it:&lt;/p&gt;

&lt;p&gt;All we’re looking for is a token_hit from our canary_token platform - eliminating the need to pivot on sensor details for fidelity. However, notice we transform the reported name of the detection by incorporating the hostname of the system provided in the Canary.&lt;/p&gt;

&lt;p&gt;By combining LimaCharlie's EDR capabilities with Canarytokens' early warning system, you can create a powerful, layered defense that will keep your organization safe from even the most sophisticated cyber attacks. To see for yourself how you can leverage Canarytokens with LimaCharlie, &lt;a href="https://app.limacharlie.io/signup"&gt;try our full-featured free tier&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;book a demo.&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Blumira speeds time to market by building with LimaCharlie</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 18 Apr 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/blumira-speeds-time-to-market-by-building-with-limacharlie-54g3</link>
      <guid>https://dev.to/limacharlieio/blumira-speeds-time-to-market-by-building-with-limacharlie-54g3</guid>
      <description>&lt;h2&gt;Learn how this cloud SIEM provider leveraged LimaCharlie to develop a new cybersecurity product for SMBs&lt;/h2&gt;

&lt;h2&gt;Enterprise-grade security for SMBs&lt;/h2&gt;

&lt;p&gt;Like all cybersecurity providers, Blumira has had to respond to the rise of remote and hybrid work models. But given Blumira’s focus on SMBs and mid-market companies, they found many businesses in their target market priced out of mature endpoint monitoring solutions—or without the technical ability and infrastructure to run the endpoint agents a larger organization might use. &lt;/p&gt;

&lt;p&gt;For this reason, Blumira decided to offer its own endpoint monitoring solution: a product that could collect Windows endpoint logs and send them to &lt;a href="https://www.blumira.com/product/cloud-siem/"&gt;&lt;u&gt;Blumira's cloud SIEM platform&lt;/u&gt;&lt;/a&gt; for analysis, detection and threat response without requiring additional infrastructure or management on the part of the customer. &lt;/p&gt;

&lt;p&gt;However, after some initial planning, Blumira’s leadership team decided not to develop the endpoint agent independently. “We had the technical ability to build the entire product from scratch,” says Jake Payton, Director of Engineering at Blumira. “But getting an agent to maturity ourselves—on top of everything else we wanted to do on our timeline—just wasn’t realistic.”&lt;/p&gt;

&lt;h2&gt;Mature capabilities, delivered on demand&lt;/h2&gt;

&lt;p&gt;Blumira began looking for a technology that could support their proposed endpoint monitoring solution, &lt;a href="https://www.blumira.com/product/blumira-agent/"&gt;&lt;u&gt;Blumira Agent&lt;/u&gt;&lt;/a&gt;, while also integrating well with the rest of their platform. &lt;/p&gt;

&lt;p&gt;“The biggest challenge was finding a mature enough solution that we could build on quickly and still end up with something as good as what we had elsewhere,” says Payton. “We also wanted a real partner during the development process. We didn’t want to just buy something off the shelf and have to read a manual hoping to figure things out at every step of the way.” &lt;/p&gt;

&lt;p&gt;After considering NXlog, winlogbeat, Telegraf, and a number of potential agents, Blumira found that cybersecurity middleware vendor LimaCharlie offered the best balance of capabilities, cost, and support.&lt;/p&gt;

&lt;p&gt;LimaCharlie takes an unusual approach to cybersecurity. The company offers users an ecosystem of &lt;a href="https://limacharlie.io/catalog"&gt;&lt;u&gt;100+ mature capabilities and integrations&lt;/u&gt;&lt;/a&gt; as cloud-native primitives. Similar to the way AWS provides IT capabilities and web services, LimaCharlie uses an IaaS model in which everything is delivered on-demand, as-needed, and API-first—no contracts, price modeling, or fixed minimums required. &lt;/p&gt;

&lt;p&gt;“LimaCharlie is like a box of Lego blocks for cybersecurity,” says company co-founder Christopher Luft. “There is no one-size-fits-all solution to cybersecurity problems. Our approach gives teams the flexibility to build and customize solutions as needed.”&lt;/p&gt;

&lt;h2&gt;Concept to GA in five months&lt;/h2&gt;

&lt;p&gt;As development began, Blumira soon noticed the advantages of working with an infrastructure-first, engineering-centric cybersecurity vendor. &lt;/p&gt;

&lt;p&gt;One of LimaCharlie’s core capabilities is multi-source telemetry ingestion. On endpoints, this is accomplished via the lightweight, multi-platform LimaCharlie agent. Telemetry data is pulled into the LimaCharlie cloud and standardized to a common data format. From there, data can be exported to any destination. This functionality gave Blumira an agent that would offer excellent visibility into remote Windows endpoints without straining user resources—grabbing Windows events and log data from hosts and sending them on to the Blumira cloud for processing. In addition, because the LimaCharlie agent is able to take action on endpoints, Blumira would also be able to monitor and/or halt ingestion and take appropriate response actions as needed. &lt;/p&gt;

&lt;p&gt;Access to cloud-native primitives meant that Blumira’s developers could integrate advanced capabilities into their existing SIEM infrastructure quickly and easily. This was often as simple as setting up an API call between the two platforms, and was essential in shortening time to market. Development work began in August 2022, and Blumira Agent launched in January 2023. In the time that most vendors would take to perform feasibility studies, Blumira had delivered an advanced remote endpoint monitoring solution for SMBs.&lt;/p&gt;

&lt;p&gt;Blumira says that the product has been a resounding success. Agent is the powerful and easy-to-use solution that the company had envisioned. Users find the installation process to be fast and simple. After installation, management is hands-off, as intended.&lt;/p&gt;

&lt;p&gt;As for the experience of building with LimaCharlie, Blumira was extremely satisfied: &lt;/p&gt;

&lt;p&gt;“At every step of the way, the technology more than met our needs,” says Payton. “And in terms of the partnership, it was always easy to get information and guidance. If we had a question, we got the answers we needed very, very quickly. The LimaCharlie team was a joy to work with.”&lt;/p&gt;

&lt;h2&gt;A platform built for builders&lt;/h2&gt;

&lt;p&gt;For Blumira, one of the added benefits of working with LimaCharlie was that they could use just as much of the platform as they wanted—without being forced to purchase features and capabilities they didn’t need. &lt;/p&gt;

&lt;p&gt;The LimaCharlie platform is extensive. Built on an advanced Detection, Automation, and Response Engine, it is designed for cybersecurity automation and sophisticated security disciplines such as detection engineering. Use cases are thus broad, and encompass MSSP, DFIR, and enterprise SOCs.  &lt;/p&gt;

&lt;p&gt;But in building Blumira Agent, the company’s developers were able to choose the capabilities that worked for them, and leave the rest aside for the future—a future that Payton views with optimism: &lt;/p&gt;

&lt;p&gt;“We aren’t even close to using all of the capabilities in LimaCharlie. We're still just scratching the surface of our partnership together. I'm already excited about this partnership—and I’m excited about where it’s going to go in the years to come.”&lt;/p&gt;

&lt;p&gt;In terms of their own vision for the future, LimaCharlie believes that the on-demand, engineering-centric model they’ve pioneered is the way to move the industry forward. &lt;/p&gt;

&lt;p&gt;“LimaCharlie is security done differently—and our technology partners benefit from that difference,” says Luft. “It’s a very new approach, but we feel that in time cybersecurity professionals will stop asking ‘Should we do it this way?’ and will instead ask ‘Why would we do it any other way?’”&lt;/p&gt;


&lt;h2&gt;About LimaCharlie&lt;/h2&gt;

&lt;p&gt;&lt;a href="http://limacharlie.io"&gt;&lt;u&gt;LimaCharlie&lt;/u&gt;&lt;/a&gt; is cybersecurity middleware that gives teams full control and visibility over their security posture. Build on an advanced Detection, Automation, and Response Engine. Lower startup costs with our free tier and pay-per-use infrastructure. Shorten time to market by leveraging a public API and a powerful ecosystem of 100+ infrastructure components and integrations. Then scale with confidence by taking advantage of our transparent, predictable pricing and pure usage-based billing options. &lt;/p&gt;

&lt;h2&gt;About Blumira&lt;/h2&gt;

&lt;p&gt;&lt;a href="http://blumira.com/"&gt;&lt;u&gt;Blumira&lt;/u&gt;&lt;/a&gt; makes security easy and effective, especially for mid-market and smaller companies, helping them detect and respond to cybersecurity threats faster to stop breaches and ransomware. Blumira's all-in-one SIEM platform combines logging with endpoint security and automated detection and response for better outcomes and consolidated security spend. Blumira was recognized by G2 as a Momentum leader, ranked as “Fastest Implementation,” “Easiest to Use,” and “Best Results” in the G2 Winter 2023 Grid® Reports. Meet compliance controls, save time on security tasks, focus on real threats and protect against a breach faster than ever with Blumira.&lt;/p&gt;

&lt;h2&gt;Start building with LimaCharlie&lt;/h2&gt;

&lt;p&gt;To explore what you can build with LimaCharlie, &lt;a href="https://app.limacharlie.io/signup"&gt;try our full-featured free tier&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;schedule a demo with our solution engineers.&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>startup</category>
    </item>
    <item>
      <title>Creating a cybersecurity startup with LimaCharlie</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 11 Apr 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/creating-a-cybersecurity-startup-with-limacharlie-4bhc</link>
      <guid>https://dev.to/limacharlieio/creating-a-cybersecurity-startup-with-limacharlie-4bhc</guid>
      <description>&lt;p&gt;LimaCharlie takes a radically different approach to cybersecurity, providing mature security capabilities and infrastructure in an on-demand, pay-per-use way. This opens up exciting opportunities for entrepreneurs who want to create their own cybersecurity startup using LimaCharlie.&lt;/p&gt;

&lt;h2&gt;The challenges faced by cybersecurity startups&lt;/h2&gt;

&lt;p&gt;Before we talk about why LimaCharlie makes such a great foundation for a cybersecurity business, it will be helpful to review the challenges faced by startups in the space.&lt;/p&gt;

&lt;p&gt;Cybersecurity startups have to solve the same problems that all fledgling companies do—plus a few that are unique to the industry:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The difficulty of staking out space in a competitive—and crowded—marketplace&lt;/strong&gt; : There are thousands of cybersecurity companies today, and organizations are sensitive to the &lt;a href="https://www.forbes.com/sites/forbestechcouncil/2022/08/10/cybersecurity-budgets-are-wasted-by-an-overabundance-of-tools/?sh=30d1bc326e75"&gt;&lt;u&gt;problem of cybersecurity vendor sprawl&lt;/u&gt;&lt;/a&gt;. For a cybersecurity startup, differentiating yourself, or convincing a company to add you to their burgeoning list of security vendors, is a major hurdle.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The need to deliver value while controlling costs&lt;/strong&gt; : It’s a universal quandary for new businesses: How do you offer enterprise-class products and services on a ramen budget? There’s no easy answer—and that leads to overspending or, perhaps just as harmful, accepting investor funding with too many strings attached. Unfortunately, this often results in insolvency and/or the loss of control of one’s vision.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A low tolerance for failure&lt;/strong&gt; : Cybersecurity is an unusually unforgiving environment for startups because the stakes are so high. The &lt;a href="https://www.ibm.com/downloads/cas/3R8N1DZJ"&gt;&lt;u&gt;cost of a cyber incident&lt;/u&gt;&lt;/a&gt; at a large company can be staggering. And at a small one, it can be fatal: Statistics show that &lt;a href="https://www.bbc.com/news/business-63260648"&gt;&lt;u&gt;60% of small businesses close&lt;/u&gt;&lt;/a&gt; within six months of a cyber attack. This has two effects. First, if you ask a company to trust you with their security, you’re essentially asking them to trust you with their business. Initial sales are more challenging in cybersecurity. In addition, the reputational damage to cybersecurity startups from a single failure or mistake can be catastrophic. Vendors in other spaces are given second chances. Security providers, not so much.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The need to find a fit when the clock is ticking&lt;/strong&gt; : Like any new company, a cybersecurity startup needs to go to market, get feedback, and begin to iterate as quickly as possible—hopefully in time to develop a profitable product or service with strong demand and good growth potential. But for the majority of startups, the race to find that elusive product-market fit ends in failure, either &lt;a href="https://www.cnbc.com/2023/01/20/top-reasons-why-startups-failed-in-2022-study.html"&gt;&lt;u&gt;because they run out of cash or fail to secure funding&lt;/u&gt;&lt;/a&gt; before they do.&lt;/p&gt;

&lt;h2&gt;The opportunities for cybersecurity startups&lt;/h2&gt;

&lt;p&gt;It’s not all doom and gloom for cybersecurity startups, however. There are some excellent opportunities in the security space—some of which aren’t found in other industries:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A trend toward products that scale&lt;/strong&gt; : When you’re dealing with security technologies and software, it’s significantly easier to scale. Physical infrastructure, for example, is not as much of an issue as it is in manufacturing. Security products delivered on a SaaS model are almost infinitely scalable, as long as your infrastructure is robust and your hiring keeps pace with the needs of your users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Customers who are receptive to innovation&lt;/strong&gt; : Some industries are notoriously hidebound, and insist on doing things the way they’ve always been done. But when it comes to cybersecurity, almost every company is looking for innovative new security technologies—because they’ve seen that cyber threats are growing worse, and that legacy tools don’t seem to be helping much. Innovative cybersecurity companies that can demonstrate their value will receive a warm welcome in most businesses. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A marked preference for automation&lt;/strong&gt; : Startups in every sector face the challenge of delivering outsized performance with just a handful of employees. The good news for cybersecurity startups is that their potential customers are already &lt;a href="https://limacharlie.io/blog/limacharlie-as-a-low-cost-way-to-improve-cyber-resilience"&gt;&lt;u&gt;looking for solutions that incorporate automation&lt;/u&gt;&lt;/a&gt;. That confers a dual advantage to cybersecurity startups, because the use of automation technology answers two needs at the same time: It makes it possible to deliver high-performance products and services with a small team—and it offers buyers what they’re already asking for.&lt;/p&gt;

&lt;h2&gt;Why LimaCharlie is a game-changer for startups&lt;/h2&gt;

&lt;p&gt;In light of the above, it’s easy to see how LimaCharlie’s unique approach to security provides massive benefits to cybersecurity startups. Here are the most important ones:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;LimaCharlie speeds time to market.&lt;/strong&gt; LimaCharlie provides mature cybersecurity capabilities and infrastructure in a modular way. Similar to what AWS does for IT, LimaCharlie gives startups the abstract ability to “do cybersecurity,” rather than attempting to sell them a prepackaged product. LimaCharlie is built on a powerful Detection, Automation, and Response Engine, giving security teams a solid foundation on which to &lt;a href="https://limacharlie.io/blog/get-to-market-quicker-with-limacharlie"&gt;&lt;u&gt;build a product or service offering&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;LimaCharlie makes it easier for startups to differentiate themselves&lt;/strong&gt;. LimaCharlie is &lt;em&gt;not&lt;/em&gt; just some product for startups to white-label. Rather, our platform is an ecosystem of advanced security technologies and infrastructure, delivered on-demand and via an open API, that can be used, rearranged, or modified as needed to deliver a truly customized product or service offering. It’s why we sometimes compare LimaCharlie to a box full of Lego blocks for cybersecurity professionals—and why the platform is built for customization and differentiation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Predictable pricing, cost savings, and flexibility&lt;/strong&gt;. Everything in LimaCharlie is pay-per-use and on-demand, with no contracts, price modeling, or capacity planning. Pricing is &lt;a href="https://limacharlie.io/pricing-calculator"&gt;&lt;u&gt;transparent and easy to understand&lt;/u&gt;&lt;/a&gt;—and also happens to be extremely competitive when compared with other vendors. All of this makes it easier for startups to plan ahead, stay within their budget, and scale up or down as needed without worry. We even offer a full-featured free tier, making it possible to begin your initial research and development work at zero cost.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;An engineering-centric approach&lt;/strong&gt;. LimaCharlie takes an &lt;a href="https://limacharlie.io/blog/engineering-approach-cybersecurity"&gt;&lt;u&gt;engineering approach to cybersecurity&lt;/u&gt;&lt;/a&gt;. For established security teams, this makes it easier to practice advanced cybersecurity disciplines like &lt;a href="https://limacharlie.io/blog/customer-interview-soteria"&gt;&lt;u&gt;detection engineering&lt;/u&gt;&lt;/a&gt;. But for startups, the point to remember is that our platform is built with iteration in mind. This greatly speeds development work, allowing you to pivot quickly in order to address customer feedback and improve your offerings.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A vendor that is invested in your success&lt;/strong&gt;. To quote our founder and CEO &lt;a href="https://limacharlie.io/blog/letter-from-the-limacharlie-ceo"&gt;&lt;u&gt;Maxime Lamothe-Brassard&lt;/u&gt;&lt;/a&gt;, “We are 100% a technology company and do not compete with the people and companies we provide tools and infrastructure for. We are vendor-neutral providers of tools and infrastructure for security professionals.” No other company in the cybersecurity industry today can make that claim. Because of this unique model, we are 100% invested in the success of the companies that we serve. We offer open access to our &lt;a href="https://doc.limacharlie.io/docs/documentation/4b402d5ab3edd-lima-charlie-docs"&gt;&lt;u&gt;extensive documentation&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://edu.limacharlie.io/"&gt;&lt;u&gt;education and training modules&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://limacharlie.io/office-hours"&gt;&lt;u&gt;regular office hours&lt;/u&gt;&lt;/a&gt;, and a public &lt;a href="https://lcendpoint.slack.com/join/shared_invite/zt-mcgofe2r-gbgVTrJSUg5Qx7YrrDjycQ#/shared-invite/email"&gt;&lt;u&gt;community Slack channel&lt;/u&gt;&lt;/a&gt;. Startups that use LimaCharlie have access to our development and support teams as well. We believe that LimaCharlie is hands down the best platform for builders, innovators, and entrepreneurs in the cybersecurity space—so much so that we started a &lt;a href="https://limacharlie.io/blog/developer-grant-program"&gt;&lt;u&gt;Cybersecurity Infrastructure Grant program&lt;/u&gt;&lt;/a&gt;: a $1000 credit to help qualified businesses and individuals develop any project they want with LimaCharlie.&lt;/p&gt;

&lt;h2&gt;Taking the first step with LimaCharlie&lt;/h2&gt;

&lt;p&gt;To learn more about how you can create a cybersecurity startup with LimaCharlie, stop by our &lt;a href="https://limacharlie.io/office-hours"&gt;&lt;u&gt;office hours&lt;/u&gt;&lt;/a&gt; this week for a chat, join our &lt;a href="https://slack.limacharlie.io/"&gt;community Slack&lt;/a&gt;, &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;book a demo&lt;/u&gt;&lt;/a&gt;, or begin using our &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;full-featured free tier&lt;/u&gt;&lt;/a&gt; today.&lt;/p&gt;

</description>
      <category>security</category>
      <category>startup</category>
    </item>
    <item>
      <title>Cybersecurity middleware: abstraction layer for cybersecurity</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 04 Apr 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/cybersecurity-middleware-abstraction-layer-for-cybersecurity-3edc</link>
      <guid>https://dev.to/limacharlieio/cybersecurity-middleware-abstraction-layer-for-cybersecurity-3edc</guid>
      <description>&lt;h2&gt;
  
  
  The origins of cybersecurity middleware
&lt;/h2&gt;

&lt;p&gt;Almost eight years ago, Christof Jungo, who was at the time head of security architecture and engineering at Swisscom, proposed the idea of cybersecurity middleware. Christof’s idea was that although it is easy to collect all security telemetry in one place, it is difficult to operationalize it for fast and efficient incident response. He proposed a concept of interchangeable and interoperable parts that can act as a middleware, a higher-level abstraction layer for security. Jon Oltsik, a senior principal analyst at &lt;a href="https://www.esg-global.com/"&gt;&lt;u&gt;ESG&lt;/u&gt;&lt;/a&gt;, attended Christof’s presentation and wrote two fantastic pieces about it:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.csoonline.com/article/2991110/a-call-for-open-cybersecurity-middleware.html"&gt;&lt;u&gt;A call for open cybersecurity middleware&lt;/u&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.channele2e.com/business/talent/henry-ford-and-incident-response/"&gt;&lt;u&gt;Henry Ford and incident response&lt;/u&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Fast forward to 2023, and the concept of cybersecurity middleware has finally become a reality. &lt;/p&gt;

&lt;h2&gt;
  
  
  The case for cybersecurity middleware
&lt;/h2&gt;

&lt;p&gt;The easiest way to understand the concept of cybersecurity middleware is to look at the evolution of IT. &lt;/p&gt;

&lt;p&gt;About 15 years ago, IT had a large gap between developers and implementers. Most professionals in the enterprise were implementers, taking the “boxed products” developed by vendors and applying them as-is as internal solutions for their enterprise. Buyers purchased all-in-one solutions from vendors. As the IT industry grew in size and complexity, professionals also grew in maturity. More and more, professionals were expected to assemble complex solutions from multiple parts in order to solve the issues, and fit the infrastructure, unique to their environment. The concept of a single vendor offering a cookie-cutter product that solves everything for everyone became laughable. IT professionals began looking for products that fit together like Lego blocks: primitives, not cookie-cutter solutions.&lt;/p&gt;

&lt;p&gt;Filling this void in the product space was AWS. It offered new unique value propositions: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Bypass internal IT: no more requests to rack-and-stack servers months ahead of time.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Bypass legacy vendors: no more negotiating complex 3-year contracts over two months. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Primitives, not boxed products: each AWS product was a “primitive”, a core implementation of the solution required, designed to plug and play with other products.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Turning to cybersecurity, we can see the same shift happening. Security technologies that once were cutting-edge are now well understood by most practitioners. This in turn is driving a move away from promise-based security, where a vendor sells the promise that they are somehow the best around, to proof-based security, where a CISO has the ability to demonstrate what they are defending against. The &lt;a href="https://attack.mitre.org/"&gt;&lt;u&gt;MITRE framework&lt;/u&gt;&lt;/a&gt; took the old approach of buying many products based on marketing and flipped it on its head: figure out the threats to your business and then buy the specific products required to mitigate those threats.&lt;/p&gt;

&lt;p&gt;Like any field growing in complexity (IT included), cybersecurity is formalizing its core concepts and coming to rely more on building-block solutions than on promises. Given the increasing complexity of technologies and the enterprise landscape, a shift similar to the one IT has seen is inevitable.&lt;/p&gt;

&lt;h2&gt;
  
  
  LimaCharlie’s approach to security
&lt;/h2&gt;

&lt;p&gt;LimaCharlie is a cybersecurity middleware platform that gives you full control and visibility over your security posture. As a toolkit of interoperable, API-driven components, LimaCharlie can be used in a near limitless fashion depending on your specific use case. Cybersecurity middleware is not a new label for yet another security widget. Instead, it’s a way of delivering security capabilities.&lt;/p&gt;

&lt;p&gt;LimaCharlie delivers core components of security infrastructure in a manner similar to that of AWS, GCP, or any other cloud provider: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Focus on providing security capabilities instead of boxed products&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Ease of access to solutions, bypassing legacy procurement processes&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Lego blocks (“primitives”) designed to work together&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Built API-first, fully transparent, interoperable, and testable components of security infrastructure&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Common fabric for integration and operationalization of security tools&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Common building blocks for new cybersecurity companies looking to get to market faster&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Over the past decade, it became clear that we cannot keep adding more and more point solutions and hoping that this will future-proof our security operations. A new approach is needed, one that offers neutral security infrastructure that can be fully tailored to the individual organization’s environment. An approach similar to the one which enabled &lt;a href="https://www.channele2e.com/business/talent/henry-ford-and-incident-response/"&gt;&lt;u&gt;Henry Ford to make the Model T an affordable car for the masses&lt;/u&gt;&lt;/a&gt; is needed to make cybersecurity more mature and more effective as a discipline. LimaCharlie is excited to be at the forefront of innovation and bring cybersecurity middleware to the industry.&lt;/p&gt;

&lt;h2&gt;
  
  
  Getting started with LimaCharlie
&lt;/h2&gt;

&lt;p&gt;LimaCharlie’s cybersecurity middleware gives you full control and visibility over your security posture and helps you build the security program you’ve always wanted.&lt;/p&gt;

&lt;p&gt;To see for yourself how LimaCharlie can be leveraged as cybersecurity middleware, &lt;a href="https://app.limacharlie.io/signup"&gt;try it for free&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;book a demo&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Defend against insider threats with LimaCharlie</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Thu, 30 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/defend-against-insider-threats-with-limacharlie-1779</link>
      <guid>https://dev.to/limacharlieio/defend-against-insider-threats-with-limacharlie-1779</guid>
      <description>&lt;p&gt;The U.S. Cybersecurity and Infrastructure Security Agency (CISA) &lt;a href="https://www.cisa.gov/defining-insider-threats"&gt;&lt;u&gt;defines insider threat&lt;/u&gt;&lt;/a&gt; as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”&lt;/p&gt;

&lt;p&gt;The nature of insider threats is fairly wide-ranging. Most of us in the security field will naturally think of insider threats in cybersecurity terms, but CISA’s definition includes things like espionage, terrorism, and workplace violence.&lt;/p&gt;

&lt;p&gt;CISA also notes that insider threats can sometimes be unintentional. For example, a developer who carelessly hard-codes credentials in a GitHub repository is an insider threat, even if they aren’t trying to be.&lt;/p&gt;

&lt;p&gt;In this post, we’re going to be focusing on the cybersecurity side of insider threats—but as we’ll see, it’s important to understand that insider cyber threat mitigation is part of a much larger conversation. We will also examine how LimaCharlie can be a pivotal part of that mitigation strategy.&lt;/p&gt;

&lt;h2&gt;
  
  
  Holistic strategies, complex behaviors
&lt;/h2&gt;

&lt;p&gt;Insider threat mitigation brings some unique challenges. It’s important to realize that there won’t always be a clear technical solution to the problem of insider threats. CISA’s &lt;a href="https://www.cisa.gov/sites/default/files/publications/Insider%20Threat%20Mitigation%20Guide_Final_508.pdf"&gt;&lt;u&gt;Insider Threat Mitigation Guide&lt;/u&gt;&lt;/a&gt; stresses the importance of a holistic, all-hands approach. A comprehensive insider threat mitigation strategy accounts for elements like organizational culture, training, leadership, governance, and much more. Cybersecurity professionals need to understand that they’re part of a larger team effort, and that so-called soft skills like &lt;a href="https://ventureinsecurity.com/cybersecurity-is-not-about-technology-2819a4688574"&gt;&lt;u&gt;communication and collaboration&lt;/u&gt;&lt;/a&gt; are going to be essential.&lt;/p&gt;

&lt;p&gt;In addition, the special characteristics of insider threats mean that security teams will need to think outside the box when developing threat detections. CISA points out that “insider threat research has shown that potential insider threat perpetrators evolve over time, moving as if on a pathway, and potentially exhibiting multiple, overlapping, detectable and observable behaviors.” To prevent an insider cybersecurity incident, security teams will need to detect behaviors, or clusters of behaviors, that they may not be used to considering.&lt;/p&gt;

&lt;p&gt;In short, cybersecurity teams have a vital role to play in the fight against insider threats—but it’s challenging and highly skilled work. Because of our unique approach to cybersecurity, LimaCharlie is especially well-suited to insider threat mitigation tasks. &lt;/p&gt;

&lt;h2&gt;
  
  
  3 ways LimaCharlie can help defend against insider threats
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Develop sophisticated behavioral detections
&lt;/h3&gt;

&lt;p&gt;Insider threats are insidious because they come from trusted sources—and because they involve attack vectors and malicious activities that off-the-shelf EDR solutions do not sufficiently account for. &lt;/p&gt;

&lt;p&gt;As noted above, a focus on hunting for &lt;em&gt;behaviors&lt;/em&gt; is essential to detecting insider threats. In this regard, LimaCharlie’s Detection, Automation, and Response Engine is extremely helpful.&lt;/p&gt;

&lt;p&gt;The LimaCharlie EDR offers broad visibility into endpoint activity on multiple platforms—and the flexible YAML-based detection syntax means that security teams can use LimaCharlie to write highly customized detection rules. One example of how these capabilities might be applied to the problem of insider threats is to use LimaCharlie to monitor O365 logs and associated Azure data for insider threat behavior. For example, it’s possible to use LimaCharlie to monitor for insider threat events like data exfiltration and mass file deletions. For a walkthrough of how these kinds of rules are implemented, see: &lt;a href="https://www.youtube.com/watch?v=W21_CrhdVcw"&gt;&lt;u&gt;Enhance your SOC's visibility on Microsoft platforms with LimaCharlie&lt;/u&gt;&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;In terms of the bigger picture, LimaCharlie’s flexibility and customizability mean you can combine different event types and parameters to build completely tailored detection logic. Rather than looking only for the behaviors expected of a generic external adversary, LimaCharlie gives you the ability to detect activity matching the likely behavioral profile of an insider threat in a specific industry or organization.&lt;/p&gt;

&lt;h3&gt;
  
  
  Automate alerting and response
&lt;/h3&gt;

&lt;p&gt;For security teams, another challenge in dealing with insider threats is efficiently managing alerting and response. For example, it’s important not to surface &lt;em&gt;too&lt;/em&gt; many events for priority review, because that might overwhelm personnel who are already stretched very thin.&lt;/p&gt;

&lt;p&gt;The benefit of using LimaCharlie here is that it is &lt;a href="https://limacharlie.io/blog/engineering-approach-cybersecurity"&gt;&lt;u&gt;an engineering-centric platform&lt;/u&gt;&lt;/a&gt;—which means, among other things, that it was built for cybersecurity automation. Insider threat detections can be written in an extremely fine-grained way, classifying events or combinations of events according to severity and responding to different event classes with an appropriate automated action. LimaCharlie’s integrations with no-code automation platforms like &lt;a href="https://www.tines.com/blog/cybersecurity-enhancement-limacharlie"&gt;Tines&lt;/a&gt; and &lt;a href="https://torq.io/partners/lima-charlie/"&gt;&lt;u&gt;Torq&lt;/u&gt;&lt;/a&gt; make this even easier, allowing teams to automate entire cybersecurity workflows with a few clicks. &lt;/p&gt;

&lt;p&gt;Furthermore, because LimaCharlie’s EDR sensors are able to issue commands on an endpoint, automation can also be used to respond to imminent threats instantaneously. LimaCharlie’s real-time, semi-persistent TLS connection to endpoints means that an automated response action can be taken fleetwide in around 100ms. &lt;/p&gt;

&lt;h3&gt;
  
  
  Operationalize telemetry for investigations and audits
&lt;/h3&gt;

&lt;p&gt;LimaCharlie’s numerous capabilities around telemetry data can also be used to defend against insider threats.&lt;/p&gt;

&lt;p&gt;To begin with, LimaCharlie offers users one free year of full telemetry data storage. Data is stored in a normalized and fully searchable data format. You can run detection and response (D&amp;amp;R) rules against the data using our &lt;a href="https://doc.limacharlie.io/docs/documentation/ZG9jOjE5MzExMjE-replay"&gt;&lt;u&gt;Replay&lt;/u&gt;&lt;/a&gt; feature—or easily export it to another tool for analysis. In addition, the newly released &lt;a href="https://limacharlie.io/blog/query-data-with-greater-flexibility-using-limacharlie-query-language-lcql?page=1"&gt;&lt;u&gt;LimaCharlie Query Language (LCQL) feature&lt;/u&gt;&lt;/a&gt; provides a flexible and cost-effective way to explore your stored telemetry data without ever leaving the LimaCharlie platform.&lt;/p&gt;

&lt;p&gt;In terms of insider threat mitigation, this lets security teams hunt for signs of trouble proactively. It’s important to remember CISA’s point that a malicious insider threat event is almost always preceded by a progression of worrisome behaviors that lead up to it. So using LCQL, for example, you could search for GitHub security policy violations over the past 90 days, investigating a specific user further if warranted.&lt;/p&gt;

&lt;p&gt;It’s also important to remember here that many insider threats are unintentional in nature. They’re still very serious, but in these cases the insiders aren’t setting out to do damage. Intervention and education are often the best mitigation strategy for this type of insider threat—&lt;em&gt;if&lt;/em&gt; high-risk behaviors can be identified and detected early. Because LimaCharlie offers the ability to query stored telemetry data in a highly specific way, it can be used in service of an auditing program that pinpoints specific security policy infractions over a given time frame. The resulting information can then be used to facilitate feedback and corrective training if needed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Getting started with LimaCharlie
&lt;/h2&gt;

&lt;p&gt;LimaCharlie’s high degree of customizability, extensive automation capabilities, and rich telemetry features all make it an excellent tool for security teams trying to harden organizations against insider threats.&lt;/p&gt;

&lt;p&gt;To see for yourself how LimaCharlie can be leveraged to defend against insider threats, &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;try it for free&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;book a demo&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How to ingest LimaCharlie output into Datadog</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Fri, 17 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/how-to-ingest-limacharlie-output-into-datadog-4ee8</link>
      <guid>https://dev.to/limacharlieio/how-to-ingest-limacharlie-output-into-datadog-4ee8</guid>
      <description>&lt;p&gt;Integrating LimaCharlie with Datadog increases visibility for LimaCharlie users. In this article, we will look at two ways you can configure the integration to help security teams streamline workflows. &lt;/p&gt;

&lt;h2&gt;
  
  
  What is Datadog?
&lt;/h2&gt;

&lt;p&gt;Datadog is a cloud-based monitoring and analytics platform that provides full-stack visibility and infrastructure management for organizations of all sizes. It integrates with various technologies, including cloud platforms, servers, databases, applications, and more, to collect and analyze data from various sources and provide real-time insights and metrics. With Datadog, organizations can monitor their entire stack and infrastructure, troubleshoot issues quickly, and optimize performance and capacity.&lt;/p&gt;

&lt;h3&gt;
  
  
  The benefits of using Datadog
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Full-Stack Visibility&lt;/strong&gt;: Datadog provides a unified view of all the components of an organization's technology stack, making it easier to identify and resolve issues.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Real-Time Insights&lt;/strong&gt;: Datadog provides real-time metrics and analytics, so users can identify and respond to issues as they arise.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Improved Collaboration&lt;/strong&gt;: Datadog's platform allows teams to work together more effectively by providing a single source of truth and enabling cross-functional collaboration.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enhanced Troubleshooting&lt;/strong&gt;: With Datadog's monitoring and logging capabilities, users can quickly diagnose and resolve issues, reducing downtime and improving system performance.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Optimized Performance&lt;/strong&gt;: Datadog's performance metrics and analytics help users optimize their technology stack for maximum efficiency and capacity.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Compliance&lt;/strong&gt;: Datadog helps organizations meet regulatory requirements by providing comprehensive logs and alerts for auditing purposes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Integration&lt;/strong&gt;: Datadog integrates with a wide range of technologies, enabling users to seamlessly monitor their entire stack from a single platform.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Datadog + LimaCharlie
&lt;/h2&gt;

&lt;p&gt;With all relevant data in one place, integrating LimaCharlie and Datadog can help streamline the workflow for security teams, giving them the ability to leverage Datadog functionality such as pattern recognition and anomaly detection.&lt;/p&gt;

&lt;p&gt;For example, anomaly detection, as an algorithmic feature, can identify when a metric is behaving differently than it has in the past, taking into account trends and seasonal (day-of-week and time-of-day) patterns, since it keeps state about a metric’s history.&lt;/p&gt;

&lt;h3&gt;
  
  
  Leveraging LimaCharlie-GCP output for Datadog integration
&lt;/h3&gt;

&lt;p&gt;Datadog has comprehensive documentation on how to collect logs from Google Cloud Platform (GCP), which you can follow along with here: &lt;a href="https://docs.datadoghq.com/integrations/google_cloud_platform/#log-collection"&gt;&lt;u&gt;Datadog documentation&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;As a direct consequence, Datadog can natively ingest LimaCharlie telemetry when LimaCharlie is configured with the proper &lt;a href="https://doc.limacharlie.io/docs/documentation/4832b284c1cba-reference-destinations#google-cloud-storage"&gt;Google Cloud output&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;GCP gives users a lot of interesting features, but in the specific case of LimaCharlie telemetry, it does not solve an important problem: cost.&lt;/p&gt;

&lt;p&gt;In practice, three platforms are part of what we call the "long path" to integration:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;LimaCharlie&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Google Cloud&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Datadog&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As an alternative, we are documenting a simpler way to send data in a “cloud-to-cloud” fashion, from LimaCharlie to Datadog, without the need of an additional databank—considering that both LimaCharlie and Datadog include data retention (LimaCharlie includes one year of data retention at no additional cost).&lt;/p&gt;

&lt;h3&gt;
  
  
  Integrating LimaCharlie and Datadog with GCP
&lt;/h3&gt;

&lt;p&gt;This procedure is pretty standard for those who are familiar with the Google Cloud Platform: GCP logs are collected via Stackdriver, sent to a Cloud Pub/Sub topic, and then forwarded to Datadog with an HTTP push subscription.&lt;/p&gt;

&lt;p&gt;Here's a generic way to send LimaCharlie Google Cloud outputs to Datadog:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Configure a proper Google Cloud output in the LimaCharlie app.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a Subscription on Google Cloud.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a Sink on Google Cloud.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Check that telemetry is flowing correctly using Google Cloud Logs Explorer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Check that telemetry is flowing correctly into the Datadog platform.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The LimaCharlie → GCP → Datadog integration is complete.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Integrating LimaCharlie and Datadog directly
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Retrieve (copy) the URL containing the intake datacenter and the assigned API key from the Datadog cloud configuration tab.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Use the LimaCharlie webhook_bulk output for events, and the webhook output for all other cases.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Configure the LimaCharlie output stream by pasting the URL retrieved above into the destination host field.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Save the new output on the LimaCharlie platform, and you are done.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Telemetry will now flow from LimaCharlie to Datadog in real time.&lt;/p&gt;

&lt;p&gt;In the workbench we used for this test, we wanted to compare the real-time performance of both the “long” and the “short” path, and both solutions worked in a solid and smooth way, with nearly zero delay between events being sent out and then represented in the various Datadog dashboards.&lt;/p&gt;

&lt;h3&gt;
  
  
  Learning more about LimaCharlie
&lt;/h3&gt;

&lt;p&gt;LimaCharlie has an active &lt;a href="https://lcendpoint.slack.com/join/shared_invite/zt-mcgofe2r-gbgVTrJSUg5Qx7YrrDjycQ#/shared-invite/email"&gt;&lt;u&gt;community Slack channel&lt;/u&gt;&lt;/a&gt; and holds &lt;a href="https://limacharlie.io/office-hours"&gt;&lt;u&gt;weekly office hours&lt;/u&gt;&lt;/a&gt; every Friday at 9:00 AM PT. These are great places to drop by and ask a question, get some help, or even request a new feature. &lt;/p&gt;

&lt;p&gt;To see the Datadog integration discussed in this post in action, &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;try LimaCharlie for free&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;book a demo&lt;/u&gt;&lt;/a&gt; today.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>LimaCharlie vs a traditional SIEM</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 14 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/limacharlie-vs-a-traditional-siem-1k5a</link>
      <guid>https://dev.to/limacharlieio/limacharlie-vs-a-traditional-siem-1k5a</guid>
      <description>&lt;p&gt;LimaCharlie offers many of the capabilities of a security information and event management (SIEM) solution, although it is not a SIEM. In this article, we’ll talk about LimaCharlie vs traditional SIEMs—and explain how our platform can be used to reduce or replace SIEM usage and help cybersecurity teams save money.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a SIEM does vs what a SIEM is
&lt;/h2&gt;

&lt;p&gt;SIEMs handle many tasks in a modern security operations center (SOC): log management, event correlation, monitoring and alerting, data visualization, and telemetry storage. SIEMs are also useful in digital forensics work, since they retain historical log data in a unified, searchable format.&lt;/p&gt;

&lt;p&gt;In SIEM product marketing, we often see these capabilities discussed as &lt;em&gt;features&lt;/em&gt; of a SIEM. But we’d argue that there’s a different way of looking at SIEMs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Features vs capabilities
&lt;/h2&gt;

&lt;p&gt;It’s sometimes useful to ask basic questions. Here, that question would be: What &lt;em&gt;is&lt;/em&gt; a feature, really?&lt;/p&gt;

&lt;p&gt;For many years, there was only one answer to this question in cybersecurity: a feature is a capability delivered by some vendor’s product.&lt;/p&gt;

&lt;p&gt;But a feature and a capability aren’t the same thing, and never were. The “product feature model” has always been just one possible way of delivering capabilities to end users. &lt;/p&gt;

&lt;p&gt;LimaCharlie began with an equally fundamental question: What if there’s a better way to give cybersecurity teams the capabilities they need?&lt;/p&gt;

&lt;p&gt;Our answer is an approach that we call &lt;a href="https://limacharlie.io/blog/security-infrastructure-as-a-service"&gt;&lt;u&gt;security infrastructure as a service&lt;/u&gt;&lt;/a&gt; (SIaaS). At a high level, SIaaS makes cybersecurity capabilities directly available to end users as interoperable, cloud-native primitives. These capabilities are offered self-service, on-demand, and pay-per-use, in much the same way that AWS delivers IT capabilities and infrastructure. &lt;/p&gt;

&lt;p&gt;So to get back to what a SIEM is, we’d simply say that a SIEM is a tool that bundles together a number of useful cybersecurity capabilities. Among legacy vendors, these are presented as product features. But with an SIaaS model, security teams have access to these capabilities directly—without the downsides of traditional cybersecurity products such as unpredictable costs, multi-year contracts, and vendor lock-in. &lt;/p&gt;

&lt;p&gt;And as we’ll see, the SIaaS model makes it possible for security teams to reduce or replace usage of their existing SIEM, offering significant cost savings without sacrificing essential capabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three ways to use LimaCharlie for SIEM functionality
&lt;/h2&gt;

&lt;p&gt;LimaCharlie currently has a catalog of &lt;a href="https://limacharlie.io/catalog"&gt;&lt;u&gt;100+ cybersecurity capabilities and integrations&lt;/u&gt;&lt;/a&gt;. This powerful ecosystem of cybersecurity technologies makes it possible for security professionals to do things that used to require the tooling or infrastructure of a large vendor. Here are three examples of how to use LimaCharlie to get some of the most attractive benefits of a SIEM:&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Log management and data visualization
&lt;/h2&gt;

&lt;p&gt;A big benefit of SIEMs is that they help security teams collect and collate security telemetry in one place and in one view.&lt;/p&gt;

&lt;p&gt;LimaCharlie wasn’t designed to be a SIEM—but it was engineered for interoperability, automation, and customization. Because of this, the platform lets users collect telemetry from any source, normalizes everything to a unified data format, and displays it all in a single view. This includes endpoint, network, and browser telemetry data as well as log data from external sources. &lt;/p&gt;

&lt;p&gt;As data management tools for nontechnical users, SIEMs are admittedly excellent due to their reporting capabilities. But for many security teams, report generation features or templates will rarely be of use. And it’s worth noting here that LimaCharlie already offers &lt;a href="https://limacharlie.io/blog/telemetry-storage-matters-for-cybersecurity"&gt;&lt;u&gt;one year of free telemetry storage&lt;/u&gt;&lt;/a&gt; in a fully searchable format. For many users, this may be enough, especially if they only need retention for basic compliance or for historical threat hunting.&lt;/p&gt;

&lt;p&gt;Granted, in industries where there are heavy reporting requirements, it may be impossible for security groups to avoid using a SIEM altogether. But as we’ll discuss below, there is a way to leverage the capabilities of LimaCharlie in order to greatly reduce SIEM spending.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Understanding events in context
&lt;/h2&gt;

&lt;p&gt;Another major benefit of SIEMs is that they make it easier to analyze security events in context—reducing the likelihood of false positives and improving the response to critical events.&lt;/p&gt;

&lt;p&gt;LimaCharlie’s &lt;a href="https://limacharlie.io/blog/the-limacharlie-edr"&gt;&lt;u&gt;detection, automation, and response engine&lt;/u&gt;&lt;/a&gt; allows security teams to analyze endpoint events against thousands of rules and trigger automated response actions based on the results. The platform also lets users write customized detection and response rules, and integrates with third-party threat intelligence and threat hunting platforms like AlienVault OTX, VirusTotal, MISP, and SnapAttack. This makes it possible to build highly sophisticated detection rulesets—in particular, ones that interpret the meaning of events in a wider context and support sophisticated practices like behavioral detection. &lt;/p&gt;

&lt;p&gt;To hear a conversation about how LimaCharlie can be used with third-party platforms to create complex detections, watch our webinar: &lt;a href="https://www.youtube.com/watch?v=qYxrl8tZlCk"&gt;&lt;u&gt;Power your threat detections with SnapAttack and LimaCharlie&lt;/u&gt;&lt;/a&gt;. &lt;/p&gt;

&lt;h2&gt;
  
  
  3. Automating security workflows to reduce alert fatigue
&lt;/h2&gt;

&lt;p&gt;LimaCharlie takes an &lt;a href="https://limacharlie.io/blog/engineering-approach-cybersecurity"&gt;&lt;u&gt;engineering approach to cybersecurity&lt;/u&gt;&lt;/a&gt;. That means that automation capabilities are built into the platform whenever possible, providing many SIEM-like benefits natively. For example, &lt;a href="https://limacharlie.io/blog/better-detections-with-yara-part-1?page=1"&gt;&lt;u&gt;YARA scans&lt;/u&gt;&lt;/a&gt; can be automated and run in the background across the entire fleet without impacting performance on the endpoint. The &lt;a href="https://doc.limacharlie.io/docs/documentation/0b189c00533e5-reference-events#schedule-events"&gt;&lt;u&gt;Schedule Events feature&lt;/u&gt;&lt;/a&gt; means that D&amp;amp;R rules (and just about anything else) can be set to run on an automated schedule.&lt;/p&gt;

&lt;p&gt;In addition, because LimaCharlie integrates with no-code security automation platforms like &lt;a href="https://www.tines.com/"&gt;&lt;u&gt;Tines&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://torq.io/"&gt;&lt;u&gt;Torq&lt;/u&gt;&lt;/a&gt;, it’s possible to automate entire security workflows—bringing some sanity to the job of monitoring, alerting, and response in much the way that a SIEM does.&lt;/p&gt;

&lt;p&gt;For example, LimaCharlie can be used to detect suspicious events that are automatically classified into different threat levels based on predefined rules. Using a platform like Tines or Torq, teams can then choose what automated action they want taken in response to different types of threats.&lt;/p&gt;

&lt;p&gt;For more severe threats, a Slack message or PagerDuty alert might be warranted. For lower-level threats, a security team might decide to raise a ticket using an issue tracking system so that someone can follow up later.&lt;/p&gt;

&lt;p&gt;The bottom line is that security professionals gain control over what alerts cross their desks on a day-to-day basis, surfacing high-risk events so they can respond in real time without getting bogged down by less urgent events.&lt;/p&gt;

&lt;p&gt;For a full walkthrough of how this works in practice, see: &lt;a href="https://www.tines.com/blog/cybersecurity-enhancement-limacharlie"&gt;&lt;u&gt;Cybersecurity enhancement with Tines and LimaCharlie&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Intermediate use case: reduce SIEM storage costs
&lt;/h2&gt;

&lt;p&gt;As mentioned above, some users will always need access to a SIEM, and others may not be ready to move to a security-infrastructure-as-a-service (SIaaS) alternative right away. But one of the nice things about the SIaaS model is that it gives end users a great deal of flexibility and choice. &lt;/p&gt;

&lt;p&gt;An interesting way to take advantage of this fact is to use LimaCharlie as an intermediate layer between endpoints and higher-cost tools like SIEMs, leveraging the LimaCharlie rules engine to classify, filter, and route telemetry data more intelligently.&lt;/p&gt;

&lt;p&gt;If a security group needs to have certain types of data sent to the SIEM, they can use LimaCharlie to do this by writing a rule that sends that data to, e.g., Splunk as &lt;a href="https://doc.limacharlie.io/docs/documentation/4832b284c1cba-reference-destinations"&gt;&lt;u&gt;the output destination&lt;/u&gt;&lt;/a&gt;. Everything else can be sent to a lower-cost data lake or retained using LimaCharlie’s free year of telemetry storage.&lt;/p&gt;
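&lt;p&gt;The following is an added illustration, in plain Python, of the idea described in this section and in the Tines/Torq example above: classify each normalized event with a few rules, send only what is worth the expensive tool to the SIEM sink, keep everything else in the cheap sink, and decide separately whether the event pages someone or just raises a ticket. It is not LimaCharlie code (LimaCharlie does this with D&amp;amp;R rules and output destinations); the event types, field names, rules, and sample telemetry are constructed for the example, loosely modelled on EDR process and DNS events.&lt;/p&gt;

```python
"""Added illustration of the 'intermediate layer' pattern: classify normalized
telemetry with a few rules, route each event to a high-cost sink (SIEM) or a
low-cost sink (data lake), and pick a response action by severity.
Plain Python, not LimaCharlie code. Event types, field names, rules and the
sample events below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Event:
    event_type: str   # e.g. NEW_PROCESS, DNS_REQUEST (constructed names)
    sid: str          # id of the sensor that produced the event
    data: dict        # event payload


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    match: Callable[[Event], bool]


def _lower(e: Event, key: str) -> str:
    return str(e.data.get(key, "")).lower()


# Constructed rules, each playing the role of one detection rule.
RULES: List[Rule] = [
    Rule("powershell-encoded-command", "high",
         lambda e: e.event_type == "NEW_PROCESS"
         and _lower(e, "FILE_PATH").endswith("powershell.exe")
         and " -enc" in _lower(e, "COMMAND_LINE")),
    Rule("powershell-launched", "low",
         lambda e: e.event_type == "NEW_PROCESS"
         and _lower(e, "FILE_PATH").endswith("powershell.exe")),
    Rule("dns-tor-hidden-service", "medium",
         lambda e: e.event_type == "DNS_REQUEST"
         and _lower(e, "DOMAIN_NAME").endswith(".onion")),
]


def classify(e: Event, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the highest severity among all matching rules, or None."""
    hits = [r.severity for r in rules if r.match(e)]
    if not hits:
        return None
    return max(hits, key=SEVERITY_RANK.__getitem__)


def route(events: List[Event], rules: List[Rule] = RULES) -> Dict[str, List[Event]]:
    """Fan events out to sinks and response actions.

    siem   : detections of medium or higher severity (the expensive tool)
    lake   : everything else (cheap retention, still queryable later)
    page   : high severity, wake someone up (Slack / PagerDuty style)
    ticket : low and medium, follow up later through an issue tracker
    """
    out: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        sev = classify(e, rules)
        if sev is not None and SEVERITY_RANK[sev] >= SEVERITY_RANK["medium"]:
            out["siem"].append(e)
        else:
            out["lake"].append(e)
        if sev == "high":
            out["page"].append(e)
        elif sev in ("low", "medium"):
            out["ticket"].append(e)
    return dict(out)


# Constructed sample telemetry (not captured from any real host).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("NEW_PROCESS", "sid-a", {"FILE_PATH": PS,
                                   "COMMAND_LINE": "powershell.exe -nop -w hidden -enc QQBCAEMA"}),
    Event("NEW_PROCESS", "sid-a", {"FILE_PATH": r"C:\Windows\System32\notepad.exe",
                                   "COMMAND_LINE": "notepad.exe notes.txt"}),
    Event("DNS_REQUEST", "sid-b", {"DOMAIN_NAME": "abcdefghijklmnop.onion"}),
    Event("DNS_REQUEST", "sid-b", {"DOMAIN_NAME": "www.google.com"}),
    Event("NEW_PROCESS", "sid-c", {"FILE_PATH": PS,
                                   "COMMAND_LINE": "powershell.exe Get-Process"}),
]


if __name__ == "__main__":
    for sink, evs in sorted(route(SAMPLE_EVENTS).items()):
        print(f"{sink:7s} {len(evs)} event(s)")
```

&lt;p&gt;Two points the example makes that the prose does not: the first sample event matches both PowerShell rules and is classified by the highest severity, not the first match, so ordering of rules does not change the outcome; and routing to the SIEM is decided by severity rather than by event type, so the expensive tool receives two of the five events while all five remain available in the cheap sink or as detections.&lt;/p&gt;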

&lt;p&gt;In addition, we have recently rolled out &lt;a href="https://limacharlie.io/blog/query-data-with-greater-flexibility-using-limacharlie-query-language-lcql"&gt;&lt;u&gt;LimaCharlie Query Language (LCQL)&lt;/u&gt;&lt;/a&gt; as a way to further operationalize that free year of storage. LCQL allows teams to query the entirety of the dataset already stored in the LimaCharlie cloud. It offers a cost-effective way to run ad hoc queries on all of your telemetry data in one place—and thus minimizes the number of times you’ll be forced to export data to a higher-cost tool like a SIEM in order to gain the insight you need.&lt;/p&gt;

&lt;p&gt;For an in-depth demonstration of how to use LimaCharlie to cut unnecessary costs, see: &lt;a href="https://www.youtube.com/watch?v=lqPqkDkd7I8"&gt;&lt;u&gt;Reduce spending on Splunk and other high-cost security data solutions through LimaCharlie&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For a hands-on introduction to LCQL, along with some possible use cases, see: &lt;a href="https://www.youtube.com/watch?v=Yw2SNUB6xnA"&gt;&lt;u&gt;Query data with greater flexibility using LimaCharlie Query Language (LCQL)&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploring LimaCharlie for SIEM use cases
&lt;/h2&gt;

&lt;p&gt;If you’d like to get started with using LimaCharlie for SIEM functionality, &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;try LimaCharlie for free&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;book a demo&lt;/u&gt;&lt;/a&gt; today. &lt;/p&gt;

&lt;p&gt;To discuss a different use case, or to talk about your needs in more detail, please drop by and chat on our &lt;a href="https://lcendpoint.slack.com/join/shared_invite/zt-mcgofe2r-gbgVTrJSUg5Qx7YrrDjycQ#/shared-invite/email"&gt;&lt;u&gt;community Slack channel&lt;/u&gt;&lt;/a&gt; or during our regular &lt;a href="https://limacharlie.io/office-hours"&gt;&lt;u&gt;weekly office hours&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>MSSN CTRL: Call for papers is now open</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Thu, 09 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/mssn-ctrl-call-for-papers-is-now-open-5g02</link>
      <guid>https://dev.to/limacharlieio/mssn-ctrl-call-for-papers-is-now-open-5g02</guid>
      <description>&lt;p&gt;The inaugural &lt;a href="https://www.mssnctrl.org/"&gt;MSSN CTRL&lt;/a&gt; security engineering and automation conference will take place on October 5-6, 2023 in Arlington, VA. Get involved by submitting our &lt;a href="https://www.papercall.io/mssnctrl23"&gt;&lt;u&gt;call for proposals&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://form.typeform.com/to/h64tdKlt"&gt;&lt;u&gt;get notified when registration is open.&lt;/u&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Over the last couple of years we’ve seen our user base grow from a core group of early adopters to now thousands of users worldwide. With that growth comes our dedication to our community and to learning from each other. Cybersecurity is continuously evolving, and security practitioners need to look to their peers for inspiration, knowledge, and ideas.&lt;/p&gt;

&lt;h3&gt;
  
  
  Community at work
&lt;/h3&gt;

&lt;p&gt;We’re creating the conference with you, the practitioner, in mind. We plan to shape the event around the cybersecurity community with workshops and discussions to give you a voice and the opportunity to share. In order to accomplish this, we need your help.&lt;/p&gt;

&lt;p&gt;Do you have a topic you want to discuss with your peers? Did you build something on top of LimaCharlie that you want to share? Topics are not limited to the use of LimaCharlie. We’re all ears. &lt;a href="https://www.papercall.io/mssnctrl23"&gt;&lt;u&gt;Submit your talk idea in our call for proposals. &lt;/u&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;u&gt;&lt;b&gt;All proposals are due by April 16, 2023, at 11:59 pm PST.&lt;/b&gt;&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;All speakers will receive a professionally edited recording of their session, professional photographs, a comped ticket to the event, and the opportunity to speak at the first of many MSSN CTRL conferences.&lt;/p&gt;

&lt;p&gt;We cannot wait to create this conference with you.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>MSSN CTRL: Not just another cybersecurity conference</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 07 Mar 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/mssn-ctrl-not-just-another-cybersecurity-conference-49kk</link>
      <guid>https://dev.to/limacharlieio/mssn-ctrl-not-just-another-cybersecurity-conference-49kk</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5oVIfeQc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://images.ctfassets.net/8ypp714zy4gs/3SI3w6quGaJKrOK8YUGlQr/3d4e0ea917064f74c7556319ef1c9de1/mssnctrl__1_.png%3Fw%3D760%26fm%3Djpg%26fl%3Dprogressive%26q%3D90" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5oVIfeQc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://images.ctfassets.net/8ypp714zy4gs/3SI3w6quGaJKrOK8YUGlQr/3d4e0ea917064f74c7556319ef1c9de1/mssnctrl__1_.png%3Fw%3D760%26fm%3Djpg%26fl%3Dprogressive%26q%3D90" alt="MSSN CTRL Conference" width="760" height="456"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.mssnctrl.org/"&gt;MSSN CTRL&lt;/a&gt; is an exclusive security engineering and automation event that is focused on how innovators in cybersecurity are changing the way security has been practiced for the past decade and how they are finally able to fundamentally architect the security infrastructure they need to support what they do best.&lt;/p&gt;

&lt;p&gt;The inaugural event, hosted in &lt;strong&gt;Arlington, VA on October 5-6, 2023&lt;/strong&gt;, will be filled with deep technical training and informative hands-on sessions with direct takeaways on how you can leverage new methods and tools to protect your organization or your customers. &lt;/p&gt;

&lt;p&gt;MSSN CTRL is an immersive experience that delivers the opportunity to meet with engineers, analysts, and leaders from the most prominent cybersecurity startups, security service providers, and some of the best SOC teams around the globe.&lt;/p&gt;

&lt;p&gt;We are creating this conference with you, the practitioner, in mind. Hear directly from others in the field as they share real stories of what challenges they face and how they overcome them, debrief with peers, collaborate, expand your network, and leave inspired to do security differently.&lt;/p&gt;

&lt;h3&gt;
  
  
  Topics to expect at MSSN CTRL:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Incident Response, streamlined: approaches to responding to external incidents faster and more efficiently.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The modern SOC architecture: coping with the growing diversity in IT environments.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The problem with storage: strategies to deal with storage and its operationalization.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Who should attend MSSN CTRL?
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Security engineers&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security architects&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security analysts&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Detection engineers&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security leaders&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you are looking for new ways of thinking and new emerging technologies to solve your security problems, this is the event for you. If you have fallen victim to adding acronyms to your technology stack, we don’t blame you - but challenge you to open your mind to a new frontier.&lt;/p&gt;

&lt;h3&gt;
  
  
  Learn more about MSSN CTRL and get on the notification list
&lt;/h3&gt;

&lt;p&gt;Tickets go on sale soon. Get on the list to get notified when they are available for purchase.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.mssnctrl.org/"&gt;&amp;gt; Go to MSSN CTRL&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>Query data with greater flexibility using LimaCharlie Query Language (LCQL)</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Tue, 28 Feb 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/query-data-with-greater-flexibility-using-limacharlie-query-language-lcql-1fe0</link>
      <guid>https://dev.to/limacharlieio/query-data-with-greater-flexibility-using-limacharlie-query-language-lcql-1fe0</guid>
      <description>&lt;p&gt;If you’ve been following along our journey, you know that &lt;a href="https://limacharlie.io/blog/telemetry-storage-matters-for-cybersecurity"&gt;&lt;u&gt;LimaCharlie makes it easy and cost effective to get security data from any source&lt;/u&gt;&lt;/a&gt;, normalized into a single hub with the unique added benefit of running detection, automation, and response rules at wire speed.&lt;/p&gt;

&lt;p&gt;On top of being able to store all of your data within LimaCharlie, you get granular control and the ability to send data to any external destination. This means that you can send certain types of detections to Slack, certain types of events to Splunk, audit logs to an S3 bucket, and so on - with no lock-in and no limitations on what gets sent where. &lt;/p&gt;

&lt;p&gt;Until recently, when you wanted to query all of your data, you would need to either send it all to a third-party SIEM or request for it to be sent on-demand—storing all data in LimaCharlie and instantaneously pushing the relevant logs and events into your SIEM when you need to run an investigation.&lt;/p&gt;

&lt;p&gt;While these methods are convenient, they still kept you from querying all of your data in one place, forced you to rely on third-party tools, and could be extremely cost prohibitive, limiting what you can do with your data.&lt;/p&gt;

&lt;p&gt;That’s why we are happy to introduce LimaCharlie Query Language (LCQL), which solves this problem. &lt;/p&gt;

&lt;h2&gt;
  
  
  What is LimaCharlie Query Language?
&lt;/h2&gt;

&lt;p&gt;LimaCharlie Query Language (LCQL) is designed to provide a flexible, intuitive, and interactive way to explore data in LimaCharlie, with several useful features available at launch:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Dry Run mode to estimate the cost of running the query.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Paged queries, so querying for data over a long period of time is not all done at once, giving you the opportunity to get results without incurring the cost of the full query.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Querying, projection (only report specific values from matching elements) and aggregation (count, count_unique).&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In future releases, we will support:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Event name and event element tab-completion. You don't have to remember the event names or paths to all the elements you want to query.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Display underlying D&amp;amp;R rules generated for the query, making it easier to use LCQL to prototype D&amp;amp;R rules.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;LCQL has been available in &lt;a href="https://www.youtube.com/watch?v=6EEB7pJ2qPg"&gt;&lt;u&gt;Beta through the LimaCharlie CLI&lt;/u&gt;&lt;/a&gt; (install the LimaCharlie CLI and use: limacharlie query to launch the interactive mode) and now the functionality is built into the LimaCharlie web application. You can get started with LCQL by navigating to the Query Console in the web app.&lt;/p&gt;

&lt;p&gt;With the introduction of LCQL, our focus is not to replace SIEM solutions, but to give you the choice and ability to query your telemetry within LimaCharlie.&lt;/p&gt;

&lt;p&gt;This feature is built on top of the Replay feature and shares the same billing structure.&lt;/p&gt;

&lt;h2&gt;
  
  
  LimaCharlie Query Language use cases
&lt;/h2&gt;

&lt;p&gt;Let’s explore some specific use cases of LCQL to help you understand the benefits and how you could potentially apply it to your organization:&lt;/p&gt;

&lt;h3&gt;
  
  
  Domain Count
&lt;/h3&gt;

&lt;p&gt;Show me all domains resolved by Windows hosts that contain "google" in the last 10 minutes and the number of times each was resolved.&lt;/p&gt;

&lt;h3&gt;
  
  
  Domains Prevalence
&lt;/h3&gt;

&lt;p&gt;Show me all domains resolved by Windows hosts that contain "google" in the last 10 minutes and the number of unique sensors that have resolved them.&lt;/p&gt;

&lt;h3&gt;
  
  
  GitHub Protected Branch Override
&lt;/h3&gt;

&lt;p&gt;Show me all GitHub branch protection overrides (force pushes to a repo without all required approvals) in the past 12h that came from a user outside the United States, with the repo, user, and number of infractions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Learning more about LimaCharlie Query Language
&lt;/h2&gt;

&lt;p&gt;If you’d like to learn more about how you can use LimaCharlie Query Language to give you the ability to operationalize your historical telemetry more easily, &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;schedule a call with our security engineers&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;get started for free&lt;/u&gt;&lt;/a&gt; and dive into the &lt;a href="https://doc.limacharlie.io/docs/documentation/b0915c7a5f598-lima-charlie-query-language"&gt;&lt;u&gt;LCQL documentation&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;With our &lt;a href="https://limacharlie.io/pricing"&gt;&lt;u&gt;transparent pricing model&lt;/u&gt;&lt;/a&gt;, you can get predictable pricing with no long term contracts, capacity planning, or price modeling. One year of full data storage is included at no cost. &lt;/p&gt;

&lt;p&gt;You can also &lt;a href="https://youtu.be/Yw2SNUB6xnA"&gt;watch our introduction to LimaCharlie Query Language webinar&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
    <item>
      <title>LimaCharlie as a low-cost way to improve cyber resilience</title>
      <dc:creator>charlton-lc</dc:creator>
      <pubDate>Thu, 23 Feb 2023 00:00:00 +0000</pubDate>
      <link>https://dev.to/limacharlieio/limacharlie-as-a-low-cost-way-to-improve-cyber-resilience-3m3</link>
      <guid>https://dev.to/limacharlieio/limacharlie-as-a-low-cost-way-to-improve-cyber-resilience-3m3</guid>
      <description>&lt;p&gt;Organizations know that they need to become more cyber resilient, and are asking MSSPs and enterprise security teams to help. But in a time of economic uncertainty and shrinking budgets, the goal of cyber resilience is often at odds with what management is prepared to invest. &lt;/p&gt;

&lt;p&gt;The good news is that LimaCharlie can be used to help security professionals improve cyber resilience—with a level of control and at a cost efficiency unparalleled industrywide. &lt;/p&gt;

&lt;h2&gt;
  
  
  The difficulty of building cyber resilient organizations
&lt;/h2&gt;

&lt;p&gt;The National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”&lt;/p&gt;

&lt;p&gt;Clearly, that covers a lot of ground. Building a cyber resilient organization is a vast, all-hands undertaking—and is probably best understood as an ongoing process rather than a final state to be achieved. &lt;/p&gt;

&lt;p&gt;For security professionals, the challenge is compounded by the fact that they're frequently working with &lt;a href="https://www.forbes.com/sites/forbestechcouncil/2023/02/06/90-of-boards-are-not-ready-for-sec-cyber-regulations/"&gt;&lt;u&gt;leadership teams that have a limited grasp of cybersecurity&lt;/u&gt;&lt;/a&gt;. The ask may sound something like “just make us cyber resilient already,” without an understanding of what that entails…or how much it costs.&lt;/p&gt;

&lt;h2&gt;
  
  
  What makes LimaCharlie different
&lt;/h2&gt;

&lt;p&gt;Fortunately, LimaCharlie offers unique advantages that security teams can use to build cyber resilient organizations:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;A powerful Detection, Automation, and Response Engine that supports advanced cybersecurity disciplines like detection engineering and security automation.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;An engineering-centric, API-first approach to delivering security tooling and infrastructure that provides direct access to cybersecurity capabilities in the form of interoperable, cloud-native primitives in a unified data format.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;A platform that serves as versatile cybersecurity middleware, allowing cybersecurity teams to bring in telemetry from any source and output data to any destination—helping avoid vendor lock-in and optimize spending on high-cost tools. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;An on-demand, usage-based delivery and billing model: no contracts or fixed minimums; fully transparent and predictable pricing.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;One year of free telemetry retention in a searchable, normalized data format, easing compliance demands and helping to cut storage costs.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  3 low-cost ways to improve cyber resilience with LimaCharlie
&lt;/h2&gt;

&lt;p&gt;To give a sense of what’s possible with these capabilities, here are three examples of low-cost ways that LimaCharlie might be used to improve cyber resilience:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Close gaps in detection coverage and improve visibility
&lt;/h3&gt;

&lt;p&gt;A big part of cyber resilience is visibility and ease of asset management. IBM’s &lt;a href="https://www.ibm.com/resources/guides/cyber-resilient-organization-study"&gt;&lt;u&gt;Cyber Resilient Organization Study 2021&lt;/u&gt;&lt;/a&gt; found that in organizations with high levels of cyber resiliency, 65% of survey respondents said that the “ability to have visibility into applications and data assets” was a top priority for improving cyber resilience. Among organizations that had failed to improve cyber resilience, a lack of visibility into assets was one of the most commonly cited reasons for failure. For many organizations, issues of visibility are further compounded by an incomplete migration to the cloud. Cisco’s recent &lt;a href="https://www.cisco.com/c/dam/en/us/products/collateral/security/security-outcomes-vol-3-report.pdf"&gt;&lt;u&gt;Security Outcomes Report: Achieving Security Resilience&lt;/u&gt;&lt;/a&gt; found “a 15% difference in resilience scores between early hybrid cloud environments that are difficult to manage and advanced cloud deployments that are simpler to manage.” &lt;/p&gt;

&lt;p&gt;LimaCharlie’s Detection, Automation, and Response Engine has a strong detection footprint and can help to give greater visibility into assets and close gaps in coverage where they exist. We have EDR-tier sensors for Windows, Mac, Linux, &lt;a href="https://limacharlie.io/blog/endpoint-detection-and-response-on-chrome?page=1"&gt;&lt;u&gt;Chrome&lt;/u&gt;&lt;/a&gt;, and Edge, providing broad coverage in almost any environment. We also support external telemetry ingestion via the LimaCharlie Adapter, giving you access to your data streams from 1Password, CarbonBlack, Office 365, &lt;a href="https://doc.limacharlie.io/docs/documentation/73a613e8e43ed-lima-charlie-adapter"&gt;&lt;u&gt;and many more&lt;/u&gt;&lt;/a&gt;. For organizations that need help defending against &lt;a href="https://limacharlie.io/blog/cicd-pipeline-attacks"&gt;&lt;u&gt;CI/CD pipeline attacks&lt;/u&gt;&lt;/a&gt;, there is also a dedicated sensor for analyzing GitHub audit logs.&lt;/p&gt;

&lt;p&gt;All telemetry data is brought into LimaCharlie in a unified data format and in a single view—a great help in securing hybrid environments, since you can easily combine multiple data types and better manage multi-source telemetry. Telemetry data can be analyzed and responded to at wire speed using our highly customizable detection and response (D&amp;amp;R) rules engine. Pricing of sensors is extremely competitive and completely transparent (see our &lt;a href="https://limacharlie.io/pricing"&gt;&lt;u&gt;pricing guide&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://limacharlie.io/pricing-calculator"&gt;&lt;u&gt;pricing calculator&lt;/u&gt;&lt;/a&gt; for more details).&lt;/p&gt;

&lt;p&gt;For a deeper dive into this LimaCharlie use case, see our webinar: &lt;a href="https://www.youtube.com/watch?v=W21_CrhdVcw"&gt;&lt;u&gt;Enhance your SOC's visibility on Microsoft platforms with LimaCharlie&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Automate security workflows and reduce alert fatigue
&lt;/h3&gt;

&lt;p&gt;Another interesting finding of the IBM study was that the majority of highly cyber resilient organizations rely on security automation, AI, and machine learning. In a similar vein, the Cisco report found a 45% gap between the resilience scores of organizations that had made no progress toward XDR capabilities and those that had “mature XDR implementations,” which Cisco defines as XDR that incorporates automation/orchestration and threat intelligence.&lt;/p&gt;

&lt;p&gt;LimaCharlie was designed for security automation—and for teams wanting to implement advanced detection and response. In the context of cyber resilience, this is a massive advantage, because you’re starting with a platform that was purpose built to do the kinds of things that produce dramatic increases in cyber resilience. &lt;/p&gt;

&lt;p&gt;LimaCharlie also integrates with no-code security automation platforms such as &lt;a href="https://www.tines.com/"&gt;&lt;u&gt;Tines&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://torq.io/"&gt;&lt;u&gt;Torq&lt;/u&gt;&lt;/a&gt;. This extends the already robust automation capabilities of LimaCharlie, allowing teams to &lt;a href="https://www.tines.com/blog/cybersecurity-enhancement-limacharlie"&gt;&lt;u&gt;automate cybersecurity workflows&lt;/u&gt;&lt;/a&gt;, better triage events in order to reduce alert fatigue, and use the time of security personnel more efficiently and cost effectively. &lt;/p&gt;

&lt;p&gt;Last but not least, LimaCharlie offers an integration with the open-source Atomic Red Team library of tests, which makes it possible for security teams to automate security testing using the MITRE ATT&amp;amp;CK framework. This is an important benefit for cybersecurity practitioners attempting to improve organizational cyber resilience, as it enables them to understand their coverage in a systematic, &lt;a href="https://ventureinsecurity.net/p/future-of-cyber-defense-and-move"&gt;&lt;u&gt;evidence-based&lt;/u&gt;&lt;/a&gt;, and reproducible way. &lt;/p&gt;

&lt;p&gt;To learn more, see: &lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.youtube.com/playlist?list=PLO8_Yc4h5cIrPSK6ws1O0ZwydgN2gR1Bb"&gt;&lt;u&gt;Advanced Detection and Response with LimaCharlie&lt;/u&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.youtube.com/watch?v=oL6D30IeZ7c"&gt;&lt;u&gt;Automating MITRE ATT&amp;amp;CK Testing w/ Atomic Red Team &amp;amp; LimaCharlie&lt;/u&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Respond to incidents faster and simplify remediation at scale
&lt;/h3&gt;

&lt;p&gt;Implicit in the concept of cyber resilience is an acceptance that cyber attacks &lt;em&gt;will&lt;/em&gt; happen. They can’t always be avoided, but it is possible to be prepared for them, and to improve an organization’s readiness and response time.&lt;/p&gt;

&lt;p&gt;LimaCharlie offers several features that help incident response (IR) teams prepare for and respond to cyber incidents more quickly and more effectively.&lt;/p&gt;

&lt;p&gt;First, the fact that LimaCharlie is delivered on demand, self-serve, and without contracts makes it possible for IR teams to come into a scenario and begin installing sensors immediately—without having to talk to salespeople or negotiate pricing. Sensors can be deployed using the LimaCharlie web interface, or by using mass deployment tools for greater efficiency.&lt;/p&gt;

&lt;p&gt;In addition, LimaCharlie’s built-in automation features help to streamline remediation tasks, especially when working at scale. Because the LimaCharlie agent can be used to execute payloads on endpoints, emergency patches can be deployed in just minutes.&lt;/p&gt;

&lt;p&gt;Lastly, LimaCharlie offers &lt;a href="https://limacharlie.io/pricing"&gt;&lt;u&gt;pure usage-based billing&lt;/u&gt;&lt;/a&gt; for teams that need it. Sensors can be deployed in sleeper mode at almost zero cost, allowing IR teams to pre-deploy sensors across a client’s fleet. In the event of an incident, the sensors are ready and waiting to be turned on—giving responders instant access to the full power of the LimaCharlie agent. From a cyber resilience standpoint, this means that an affordable rapid response capability is available to any organization that wants it. And for cybersecurity companies, sleeper deployments also make it possible to offer extremely competitive service-level agreements to customers. Some IR shops that leverage LimaCharlie offer SLAs as low as 20 minutes. &lt;/p&gt;

&lt;p&gt;For an example of how one DFIR team leveraged LimaCharlie to respond to a supply chain attack—and expand their customer relationship—read our &lt;a href="https://storage.googleapis.com/lc-edu/marketing-assets/DFIR_Case_Study.pdf"&gt;&lt;u&gt;incident response case study&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Learning more
&lt;/h2&gt;

&lt;p&gt;To explore LimaCharlie’s capabilities for yourself, &lt;a href="https://app.limacharlie.io/signup"&gt;&lt;u&gt;get started for free&lt;/u&gt;&lt;/a&gt; or &lt;a href="https://info.limacharlie.io/meetings/jessica-crytzer/demo"&gt;&lt;u&gt;book a demo&lt;/u&gt;&lt;/a&gt; today. &lt;/p&gt;

&lt;p&gt;If you’d like to talk about a use case that wasn’t discussed in this post, drop us a line on our &lt;a href="https://lcendpoint.slack.com/join/shared_invite/zt-mcgofe2r-gbgVTrJSUg5Qx7YrrDjycQ#/shared-invite/email"&gt;&lt;u&gt;community Slack channel&lt;/u&gt;&lt;/a&gt; or stop by during our regular &lt;a href="https://limacharlie.io/office-hours"&gt;&lt;u&gt;weekly office hours&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
    </item>
  </channel>
</rss>
