What's in this page
Latacora provides a cost-effective, transparent, low-commitment detection & response program.
Building and scaling an effective detection and response practice is a complex ordeal. There is an entire alphabet soup of industry marketing terms (SIEM, IR, EDR, MDR, XDR, SOAR…) with subtly different and overlapping interpretations across different vendors. This program is a scalable answer to that problem. We combine our expertise with economies of scale to create something that works for a range of clients. Because we buy in bulk, we can service even the smallest clients with a broad range of top-shelf capabilities that would never make sense for those clients to acquire individually.
Like other Latacora services, this program starts by running relatively autonomously, with the client providing oversight and strategic direction but us handling the day-to-day. Over time, clients become more involved in this process, all the way to us potentially handing it off.
Our sibling firm, IntrusionOps, performs much of the underlying service delivery. IntrusionOps services everything from the smallest Latacora clients to Fortune 500s, giving you the option for continuity when Latacora no longer makes sense. We offer gradual transition options, where you bring certain capabilities in-house or even move off the program entirety while ensuring operational continuity.
This section covers major customer-visible components unique to this program. It doesn’t include certain pilot project components or components that this program leverages but are managed by other Latacora teams, such as e.g. Cloud infrastructure tooling.
Latacora continually curates that set of tools and capabilities. We regularly add capabilities that aren’t a good fit for every client. We’ll occasionally shift vendors while maintaining or increasing capability. Rarely we’ll get rid of a specific tool or capability that just isn’t working. If the latter happens and that’s likely to impact you, you’ll get plenty of warning.
(SIEM is a term of art for a tool that aggregates security-relevant logs and enables efficient querying and alerting.)
One of the cornerstones of security is visibility: knowing what’s going on across the services and platforms that you rely on and making sure we capture events with security implications. Latacora has many visibility tools and capabilities, but the SIEM is the centerpiece of the detection and response story.
While SIEMs are usually associated with larger organizations, we believe that’s mainly due to two reasons. Firstly, security tools are often expensive, require expertise to deploy and operate, and often have sales cycles that are a poor fit for small organizations. Secondly, organizations tend to delay this until they find out they’re unprepared for an incident the hard way. We don’t think those reasons are intrinsic to the problem space, and the capability makes sense for organizations of any size.
After extensive evaluation, this iteration of Latacora SIEM is built on top of the Panther platform. Panther is a mature, scalable, and commercially available SIEM that uses Snowflake as a backing store. Like most Latacora tooling, your Panther instance is single-tenant and not shared with other clients. All of this is done so we can provide you with excellent capabilities now while making future handoffs from Latacora to clients as smooth as possible.
MDR includes ongoing rule tuning, detection engineering development, prioritizing data sources to add, troubleshooting issues, writing custom client-specific rules, and responding to incidents and alerts.
For early customers, this typically means getting a broad set of infrastructure and audit logs with a bunch of tuning to turn intentionally broad alerts into carefully crafted ones that accurately capture your environment and business practices.
As customers become more sophisticated in their detection capabilities, we make sure your application itself is also turned into an asset for detection and response. Specifically, we’ll work with you to develop the right types of audit logging in your application stack, ensuring they’re ingested and get custom rule development and tuning. This can often be done in collaboration with existing observability efforts.
EDR focuses on the computers your staff uses directly every day. Unlike traditional security solutions that focus on signature-based detection, EDR uses machine learning algorithms to analyze endpoint data in real-time, identifying potential threats before they can cause harm. This allows for rapid containment and elimination of threats, reducing the window of attack and minimizing the risk of lateral movement, right where it’s most effective..
We deliver SentinelOne Complete and manage it as part of this program. That includes proactive threat hunts, as well as more sophisticated additional SKUs and behavior, such as network visibility tooling as well as 24/7 triage tied into our MDR and IR practices.
IR is the 24x7 escalation support for when things have already gone wrong. We’ll provide service ranging from investigation, forensics, retrospectives, and rebuilds, as necessary.
Our detection & response program establishes a no-up-front cost IR escalation relationship that allows enrolled clients to declare an incident and receive a response with an aggressive SLA timeline. Investigation hours are available at a guaranteed rate without a requirement to pre-buy bulk hours, though discounts are available for clients who want them.
When it comes to resolving incidents, timing is often of the essence. Our complete, integrated and familiar package of tools ensures no time is wasted and all efforts go immediately towards resolving incidents quickly and efficiently.
Modern IR firms and SOCs perform initial readiness assessments to document a client’s systems and external services. Even then, they don’t have the familiarity and access to be immediately ready to run an investigation. Time spent refamiliarizing ourselves with what your company does, where critical data is stored, and where authoritative logs and the like are stored is time wasted on figuring out how to limit the impact of an ongoing incident. Large firms use rotating staff for all but the largest accounts. That staff likely won’t see any preparatory documents before an incident.
By contrast: Latacora understands your business and your tech stack. Thanks to consistency in security tooling, we have immediate access to the queries and reports we need to start digging into what’s happening. Providing access to those systems is a trivial process.
Threat hunts and incidents often turn out to be false positives. Latacora’s embedded team and processes mean faster investigations while drastically reducing false positive escalations, all of which reduce cost.
Incidents happen in the places that slip through the net. If you knew the issue in advance, you’d probably have addressed it already. Attackers exploit the gaps, so you often don’t know what expertise you’ll need. You may have a technical team that understands your application code and its infrastructure in extreme detail, but that doesn’t help if your data breach involves understanding Hubspot’s authorization model. We’ve got a deep bench of experts, in-house or on retainer, covering a huge swath of eventualities.
Sometimes, an incident calls for specialized tools as well as expertise. Those could be professional digital forensics, post-compromise endpoint visibility, or reverse engineering tools. IntrusionOps comes with these pre-equipped, and this program includes unmetered access. For example, if you don’t have a sufficient EDR tool (e.g., because you haven’t deployed SentinelOne on every machine), IntrusionOps uses its SentinelOne IR license to deploy enterprise-wide across all major operating systems instantaneously.
Major breaches are often first discovered by researchers handled by third parties like CISA or discussed via backchannels. We often get advance notice before these become public. Generally speaking, this information is subject to an embargo. Therefore, we can’t discuss specifics until they’re made public. We will often be able to identify a potential compromise well before public disclosure, and embargo protocols typically allow notifying clients confirmed or reasonably suspected to be impacted before an embargo is lifted.
A common gotcha with some IR services is that the scope of the SLA is too limited to be useful. For example, it could just be an acknowledgment from a dispatcher without any substantive technical response. Our IR differs because the SLA criterion is only satisfied when we’ve responded with qualified technical personnel.
Like other firms, we have someone available to answer our incident hotline 24x7. That person may not always be the primary incident response consultant who will work through the incident with you. Your SLA is satisfied when a competent incident response consultant becomes involved, not when someone perfunctorily answers the phone.
Therefore, we split the SLA into triage and response, which helps highlight what you can expect when you need it most. The triage SLA covers the time until competent staff has acknowledged the problem and begun examining it. The difference between that and a response SLA is that the IR staff may only be able to perform some IR-related tasks for the triage SLA. The triage SLA, for example, might be satisfied by a competent IR professional currently stuck in traffic or walking their dog. The response SLA requires staff to be fully operational (e.g., in front of their computer, not doing anything else, et cetera). Most of the time, both SLAs are satisfied simultaneously.