As risk complexity will increase and the boundaries of a company have all however disappeared, safety groups are extra challenged than ever to ship constant safety outcomes. One firm aiming to assist safety groups meet this problem is Stellar Cyber.
Stellar Cyber claims to handle the wants of MSSPs by offering capabilities sometimes present in NG-SIEM, NDR, and SOAR merchandise of their Open XDR platform, managed with a single license. In keeping with Stellar Cyber, this consolidation means sooner safety analyst ramp time and buyer onboarding with far much less manually intensive duties required. Stellar Cyber at the moment counts 20+ of the highest MSSP suppliers as clients, offering safety for over 3 million belongings. As well as, stellar Cyber claims after deployment, customers see as much as 20x sooner imply time to reply (MTTR), a daring declare.
We lately took a better take a look at the Stellar Cyber Safety Operations Platform.
Earlier than we start
Earlier than digging into the platform, right here are some things MSSPs ought to find out about Stellar Cyber:
- Works with any EDR: Stellar Cyber might be labeled as an Open XDR because it delivers visibility throughout your buyer’s environments; nevertheless, it isn’t an extension of an EDR product. Conversely, Stellar Cyber provides pre-built integrations to any main EDR distributors which means your clients can use no matter EDR they need should you use Stellar Cyber.
- It is Multi-Tenant: Stellar Cyber is a multi-tenant answer which means that your buyer’s information won’t be commingled, enabling you to supply your companies in areas particularly involved about information privateness. Additional, this multi-tenancy strategy can drive higher analyst-to-customer ratios. In sure conditions, work executed for one buyer might be utilized to a different with zero lack of information integrity.
To facilitate this product evaluate, the workforce at Stellar Cyber gave us entry to the cloud-based model of their product, so after a short product walkthrough delivered by a Stellar Cyber assist individual, we logged into the product.
Responding to an Incident from the Dwelling web page
That is the preliminary display screen you see when logging into Stellar Cyber. You’ll anticipate to see many components on the analyst residence display screen, similar to prime incidents and riskiest belongings. An fascinating piece on this display screen is what Stellar Cyber calls the Open XDR Kill Chain. By clicking on any phase of the kill chain, you’ll be able to entry the threats related to that portion of the assault chain. For instance, I clicked on “Preliminary Makes an attempt” to entry this display screen.
Right here I can see these alerts with the stage “Preliminary Makes an attempt” set by Stellar Cyber mechanically. Additional down the rabbit gap, I see extra details about the alert after I click on “View” on any of the alerts. Initially, I used to be offered with some abstract graphs, then scrolling down the display screen a bit, I noticed a “extra data” hyperlink, so I clicked it and obtained this in return.
Right here I can learn in regards to the incident, dig into the main points, and evaluate the uncooked information behind this incident in addition to the JSON, which I can conveniently copy to a clipboard if obligatory.
Right here is the place I assumed issues obtained a bit extra fascinating. Whereas the presentation of the info in Stellar Cyber is simple to grasp and logical, the product’s true energy was not evident to me till I clicked on the “Actions” button on the display screen above.
As you’ll be able to see, I can take my response actions proper from this display screen, similar to “add a filter, set off an e-mail, or take exterior motion. Clicking on exterior motion, I get one other picklist. Once I click on on Endpoint, I get a protracted listing of choices from include host to shutdown host.
When clicking on an motion, like include host, a configuration dialog shows the place I can choose the connector to make use of, the goal of the motion, and another choices required to provoke the motion chosen. So, in abstract, I can see how safety analysts, particularly junior ones, will discover this workflow very helpful in that they will a) simply dig into the main points of an incident from the house display screen, b) evaluate much more particulars by going deeper into the info, and c) take a remediation motion from this display screen with out writing any scripts or tinkering with a code.
For MSSPs, I may see onboarding new analysts to work on this view initially to familiarize them with the platform whereas nonetheless serving to meet customer support stage agreements. Nonetheless, my intestine tells me that there’s far more to find out about this Stellar Cyber platform so let’s have a look at if there’s one other path to investigating incidents.
Exploring Incidents
Now as an alternative of clicking on the Open XDR Kill Chain, I’m going to click on on the menu merchandise “Incidents” and get this display screen in return.
Once I clicked on the carrot within the blue circle, it expanded a filtering listing that enabled me to hone in on a particular sort of incident. Since I’m in exploratory mode, I’m going on to the main points button to see what I can discover on this element view.
Now I can see how this incident occurred and propagated throughout a number of belongings. Additional, I can mechanically see the recordsdata, processes, customers, and companies related to the incident. There are other ways to view this information as properly. For instance, I may swap to the timeline view to get a readable historical past of this incident, like beneath:
Once I click on on the small “i,” I get to a well-known display screen.
I do know the story from right here, which is nice.
So, in abstract, I can see that analysts who’re used to working from a listing of alerts might like to begin their investigations from the incidents web page. For MSSPs, this view can be helpful because it exhibits all incidents throughout all tenants in a single view. After all, you’ll be able to restrict this view by analysts, clients, and many others.
Menace Looking and Response Actions in Stellar Cyber
By this time, I’m satisfied Stellar Cyber provides an fascinating strategy for MSSPs trying to streamline their safety operations. Frankly, at this level in my evaluate, I have not needed to write any particular scripts or do something apart from clicking some hyperlinks and scrolling round some screens to hypothetically reply to some nasty alerts, which isn’t the norm for all these merchandise.
Earlier than singing the praises of Stellar Cyber too extremely, I wished to check out a few different said options, Menace Looking and response actions (aka SOAR). Let’s begin with risk searching. Once I click on on “Menace Looking” from the menu, I’m offered with this display screen.
Whereas these stats are fascinating, I’m in search of actionable risk h; that is the place I see the search dialog field on the highest proper. I sort in login and spot the stats change dynamically. Scrolling down the display screen, I additionally see a listing of alerts that has been filtered base on my search time period. Right here I see the acquainted “extra data” possibility, so I do know the place that may take me.
I additionally seen one thing known as “correlation search” below the search dialog field. Once I click on that, my display screen adjustments to this.
I can load a saved question or add a brand new question. Clicking the add question, I see this question builder. This allows me to go looking basically any information Stellar Cyber shops to theoretically discover threats that went unnoticed. I can even entry the risk searching library to entry beforehand saved queries.
You can even create response actions that may run mechanically if the question you create returns any matches.
So, in abstract, Stellar Cyber provides a easy risk searching platform that does not require you to construct your personal ELK stack or be an influence scripter. For MSSPs, I can see this being a pleasant worth add they will supply clients when rising threats are found within the wild.
Conclusion
Stellar Cyber is a strong safety operations platform with many options for the MSSP person. In case you are out there for a brand new SecOps platform, it’s price looking at what Stellar Cyber has to supply.
