DailyBubble News

Stellar Cyber Security Operations Platform for MSSPs

As threat complexity increases and the boundaries of an organization have all but disappeared, security teams are more challenged than ever to deliver consistent security outcomes. One company aiming to help security teams meet this challenge is Stellar Cyber.

Stellar Cyber claims to address the needs of MSSPs by providing capabilities typically found in NG-SIEM, NDR, and SOAR products in its Open XDR platform, managed with a single license. According to Stellar Cyber, this consolidation means faster security analyst ramp time and customer onboarding, with far fewer manually intensive tasks required. Stellar Cyber currently counts 20+ of the top MSSP providers as customers, providing security for over 3 million assets. In addition, Stellar Cyber claims that after deployment, users see up to 20x faster mean time to respond (MTTR), a bold claim.

We recently took a closer look at the Stellar Cyber Security Operations Platform.

Before we begin

Before digging into the platform, here are a few things MSSPs should know about Stellar Cyber:

  • Works with any EDR: Stellar Cyber could be classified as an Open XDR, as it delivers visibility across your customers’ environments; however, it is not an extension of an EDR product. Instead, Stellar Cyber offers pre-built integrations with all major EDR vendors, meaning your customers can use whatever EDR they want if you use Stellar Cyber.
  • It’s Multi-Tenant: Stellar Cyber is a multi-tenant solution, meaning that your customers’ data will not be commingled, enabling you to offer your services in regions specifically concerned about data privacy. Further, this multi-tenancy approach can drive better analyst-to-customer ratios. In certain situations, work done for one customer can be applied to another with zero loss of data integrity.

To facilitate this product review, the team at Stellar Cyber gave us access to the cloud-based version of their product, so after a brief product walkthrough delivered by a Stellar Cyber support person, we logged into the product.

Responding to an Incident from the Home page

This is the initial screen you see when logging into Stellar Cyber. It shows the elements you would expect on an analyst home screen, such as top incidents and riskiest assets. An interesting piece on this screen is what Stellar Cyber calls the Open XDR Kill Chain. By clicking on any segment of the kill chain, you can access the threats associated with that portion of the attack chain. For example, I clicked on “Initial Attempts” to access this screen.

Here I can see these alerts with the stage “Initial Attempts” set by Stellar Cyber automatically. Further down the rabbit hole, I see more information about the alert when I click “View” on any of the alerts. Initially, I was presented with some summary graphs, then scrolling down the screen a bit, I saw a “more info” hyperlink, so I clicked it and got this in return.

Here I can read about the incident, dig into the details, and review the raw data behind this incident as well as the JSON, which I can conveniently copy to a clipboard if necessary.

Here is where I thought things got a bit more interesting. While the presentation of the data in Stellar Cyber is easy to understand and logical, the product’s true power was not evident to me until I clicked on the “Actions” button on the screen above.

As you can see, I can take my response actions right from this screen, such as “add a filter,” “trigger an email,” or “take external action.” Clicking on external action, I get another picklist. When I click on Endpoint, I get a long list of options, from contain host to shutdown host.

When clicking on an action, like contain host, a configuration dialog displays where I can select the connector to use, the target of the action, and any other options required to initiate the chosen action. So, in summary, I can see how security analysts, especially junior ones, will find this workflow very useful in that they can a) easily dig into the details of an incident from the home screen, b) review even more details by going deeper into the data, and c) take a remediation action from this screen without writing any scripts or tinkering with code.

For MSSPs, I could see onboarding new analysts to work on this view initially to familiarize them with the platform while still helping meet customer service level agreements. However, my gut tells me that there is much more to learn about this Stellar Cyber platform, so let’s see if there is another path to investigating incidents.

Exploring Incidents

Now instead of clicking on the Open XDR Kill Chain, I am going to click on the menu item “Incidents” and get this screen in return.

When I clicked on the caret in the blue circle, it expanded a filtering list that enabled me to home in on a…
