Advancements in cybersecurity technology give us unprecedented levels of visibility and control over enterprise networks. Yet many of these tools are difficult to deploy, manage and effectively utilize. Critical Start has created a Cloud Security Operations Center using cloud based systems, automation, orchestration and advanced analytics technology and techniques to maximize the efficiency and visibility of deployed tools. Leveraging the cloud allows Critical Start to deploy complete solutions in days so your team can focus on adding value to the business without the management and operational overhead.
Reduce Security Incidents by 99%
The table above shows a Critical Start MSSP customer that sends all of its security events to the Critical Start Cloud SOC and experienced a 99.97% reduction in incidents created. Other MSSPs raise alert thresholds and restrict security events; Critical Start instead reduces the number of security events that create incidents, typically by > 99%.
Out of 230 Tier 1 incidents, the Critical Start SOC triaged 95% and only forwarded a single Tier 2 incident per day to the customer. The customer has better coverage of security events investigated while reducing time on Tier 1 investigation by > 90%.
Technology & Differentiators
Most of our clients articulate common approaches to investigating security events:
- Take in all security alerts and somehow try to pick and choose what incidents to investigate while ignoring others
- Use an MSSP that forwards virtually all security events and overwhelms the client with low-quality alerts
- Reduce the number and/or type of security events ingested, which is the most common response. MSSPs and end users will increase alert thresholds, turn off security feeds, and restrict types of security events to reduce the number of incidents created.
The key technology component of the Critical Start MSSP is our Alert Classification Engine that collects ALL security events from an organization and massively reduces the number of security events requiring investigation – in many cases by > 99.9%. This is accomplished via multiple mechanisms:
- Human Supervised Machine Learning (Filters/Whitelists)
- API Plugins to vendors
- Security Orchestration that fully automates the manual tasks typically performed by a security analyst during investigation
- Network effect from a cloud-based multi-tenant system – Critical Start takes information learned from one customer and applies it to all other clients where applicable. 75% of triage decisions apply to multiple organizations regardless of size; what matters is the number of organizations, not the total number of endpoints.
Technologies like SIEM try to create rules that define known bad – essentially the signature-based approach used by IDS and traditional anti-virus. It doesn’t work well and misses new attack methods.
Critical Start uses a security model that assumes every security event is an incident unless a previous investigation classified it as “known good” or as not requiring investigation. The network effect combined with human-supervised machine learning enables the Alert Classification Engine to scale and become more effective as the number of customers and endpoints increases. Core elements of our approach:
- Decrease the number of alerts with better prevention tools on the endpoint and using the Alert Classification Engine (ACE) to eliminate false positives
- Reduce time to resolve incidents by providing comprehensive infrastructure visibility using network information, logs, and endpoint detection/response (EDR)
- Augment staff for our clients by using our Security Operations Center to provide Tier 1 incident investigation. Most investigations do NOT require detailed knowledge of the customer to investigate an incident. The Critical Start SOC can conduct the initial incident investigation and offload this work for our customers. We only escalate incidents that require client specific knowledge and expertise to resolve.
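The default-incident model described above, with known-good filters scoped either to one tenant or shared across all tenants, as an added Python illustration. This is not Critical Start's code; the event fields, tenant names and the scanner address are constructed for the example.

```python
"""Default-incident triage: every event is an incident unless an analyst-confirmed
known-good filter matches it. Filters are scoped to one tenant or shared by all."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    fields: tuple            # ((field, value), ...) - every pair must match the event
    tenant: Optional[str]    # None = shared with every tenant (the "network effect")
    reason: str

def matches(f: Filter, event: dict) -> bool:
    if f.tenant is not None and f.tenant != event["tenant"]:
        return False
    return all(event.get(k) == v for k, v in f.fields)

def add_known_good(filters: list, fields: dict, reason: str, tenant=None) -> Filter:
    """Record an analyst's 'known good' decision; tenant=None shares it with all tenants."""
    f = Filter(tuple(sorted(fields.items())), tenant, reason)
    filters.append(f)
    return f

def triage(events: list, filters: list) -> dict:
    """Split events into incidents (need investigation) and suppressed (matched a filter)."""
    incidents, suppressed = [], []
    for ev in events:
        hit = next((f for f in filters if matches(f, ev)), None)
        (suppressed if hit else incidents).append((ev, hit.reason if hit else None))
    pct = 100.0 * len(suppressed) / len(events) if events else 0.0
    return {"incidents": incidents, "suppressed": suppressed, "reduction_pct": round(pct, 2)}

# Constructed sample events from two tenants (hypothetical data).
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
EVENTS = [
    {"tenant": "acme", "type": "process", "image": SVCHOST, "parent": "services.exe"},
    {"tenant": "acme", "type": "process", "image": SVCHOST, "parent": "cmd.exe"},
    {"tenant": "acme", "type": "netscan", "src": "10.0.5.9"},
    {"tenant": "globex", "type": "process", "image": SVCHOST, "parent": "services.exe"},
    {"tenant": "globex", "type": "netscan", "src": "10.0.5.9"},
]

FILTERS: list = []
# Shared decision: svchost started by services.exe is normal on every Windows host.
add_known_good(FILTERS, {"type": "process", "image": SVCHOST, "parent": "services.exe"},
               "svchost under services.exe")
# Tenant-specific decision: 10.0.5.9 is acme's authorised scanner; it is not trusted for globex.
add_known_good(FILTERS, {"type": "netscan", "src": "10.0.5.9"}, "acme authorised scanner", tenant="acme")

if __name__ == "__main__":
    result = triage(EVENTS, FILTERS)
    for ev, _ in result["incidents"]:
        print("INCIDENT", ev)
    print(f"suppressed {result['reduction_pct']}% of {len(EVENTS)} events")
```

The svchost-under-cmd.exe event and the globex scan both remain incidents: the first matches no filter, and the acme-only scanner filter does not carry over to another tenant.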
What Can You Expect from
- An extension of your team with expert staff to monitor, identify and escalate security events
- A viable solution to the cybersecurity workforce shortage—reduces the need to find, train and retain security experts in an increasingly competitive job market
- Increased efficiency and effectiveness of your risk management program
- System updates and ongoing maintenance
- Event Management (SIEM)
- Packet Analysis & Intrusion Detection
- User Behavioral Analytics
- Endpoint Detection & Response