Latacora provides a cost-effective, transparent, low-commitment detection & response program.
Building and scaling an effective detection and response practice is a complex ordeal. There is an entire alphabet soup of industry marketing terms (SIEM, IR, EDR, MDR, XDR, SOAR…) with subtly different and overlapping interpretations across different vendors. We’ve leveraged our economies of scale and broad range of expertise to design a solution to these problems. We can serve even the smallest clients with a broad range of capabilities that would be out of reach for those clients independently.
Like other Latacora services, this program starts off by operating relatively autonomously, with the client providing oversight and strategic direction but us handling the day-to-day. Over time, some clients become more involved in this process, all the way to us potentially handing it off to them entirely once that makes sense. If you’d rather continue to have us handle this for you indefinitely, we’re happy to; we just don’t believe in vendor lock-in as a retention strategy.
Our sibling firm, IntrusionOps, delivers many of the underlying service components. IntrusionOps serves everyone from the smallest Latacora clients to giant multinationals, giving you the option for continuity when Latacora no longer makes sense and you need something more a la carte. We offer gradual transition options, where you bring certain capabilities in-house or even move off the program entirely while ensuring operational continuity.
This section covers the major customer-visible components we deliver. It doesn’t include certain pilot project components, or components that this program leverages but that are managed by other Latacora teams, such as cloud infrastructure tooling.
Latacora continually curates this set of tools and capabilities. We regularly add capabilities that aren’t a good fit for every client. We’ll occasionally shift vendors while maintaining or increasing capability. Rarely, we’ll retire a specific tool or capability that just isn’t working. If the latter happens and it’s likely to impact you, you’ll get plenty of warning.
(SIEM is a term of art for a tool that aggregates security-relevant logs and enables efficient querying and alerting.)
One of the cornerstones of security is visibility: knowing what’s going on across the services and platforms that you rely on and making sure we capture events with security implications. Latacora has many visibility tools and capabilities, but the SIEM is the centerpiece of the detection and response story.
While SIEMs are usually only deployed at larger and more mature organizations, we believe that’s mainly due to two reasons. Firstly, most security tools are expensive, require expertise to deploy and operate, and often have sales cycles that are a poor fit for small organizations. Secondly, organizations tend to delay this until they find out the hard way they’re unprepared for an incident. We don’t think those reasons are intrinsic to the problem space, so we designed our programs to address them.
After extensive evaluation, this iteration of Latacora SIEM is built on top of the Panther platform. Panther is a mature, scalable, and commercially available SIEM that uses Snowflake as a backing store. Like most Latacora tooling, your Panther instance is single-tenant and not shared with other clients. All of this is done so we can provide you with excellent capabilities now while making future handoffs from Latacora to clients as smooth as possible.
MDR includes ongoing rule tuning, detection engineering development, prioritizing data sources to add, troubleshooting issues, writing custom client-specific rules, and responding to incidents and alerts.
For early customers, this typically means getting a broad set of infrastructure and audit logs with a bunch of tuning to turn intentionally broad alerts into carefully crafted ones that accurately capture your environment and business practices.
As customers become more sophisticated in their detection capabilities, we make sure your application itself is also turned into an asset for detection and response. Specifically, we’ll work with you to develop the right types of audit logging in your application stack, ensuring they’re ingested and get custom rule development and tuning. This can often be done in collaboration with existing observability efforts.
EDR focuses on the computers your staff use directly every day. Unlike traditional security solutions that rely on signature-based detection, EDR uses machine learning algorithms to analyze endpoint data in real time, identifying potential threats before they can cause harm. This allows for rapid containment and elimination of threats, reducing the window of attack and minimizing the risk of lateral movement, right where it’s most effective.
We deliver SentinelOne and manage it as part of this program. That includes proactive threat hunts, as well as more sophisticated additional SKUs and capabilities, such as network visibility tooling and 24/7 triage tied into our MDR and IR practices.
Already getting SentinelOne via a third party like your IT or HR provider? You should check what SKU you’re actually getting, and ask us why that matters. We don’t believe in cutting corners to lull you into a false sense of security.
IR is the 24x7 escalation support for when things have already gone wrong. We’ll provide service ranging from investigation, forensics, retrospectives, and rebuilds, as necessary.
Our detection & response program establishes a no-up-front cost IR escalation relationship that allows enrolled clients to declare an incident and receive a response with an aggressive SLA timeline. Investigation hours are available at a guaranteed rate without a requirement to pre-buy bulk hours, though discounts are available for clients who want them.
When it comes to resolving incidents, timing is often of the essence. Our complete, integrated and familiar package of tools ensures no time is wasted and all efforts go immediately towards resolving incidents quickly and efficiently.
E-mail continues to be a critical medium for nearly every company. Business E-mail Compromise (BEC) attacks have only gotten more prevalent in recent years.
Because the cost of mounting sophisticated e-mail based attacks has dropped precipitously, the modal attack a startup is likely to face is now a completely different beast from a few years ago. By contrast, the built-in security features of e-mail platforms have not kept up. We deploy and operationalize Sublime Security for customers to help them address this risk.
Like Panther, Sublime is a power tool. It gives you the configurability and transparency necessary to build an effective and trustworthy e-mail security program. This is in stark contrast with its competitors, which have either stagnated so as to no longer be responsive to the security or operational needs of a modern organization on Google Workspace or Office 365, or are a black box that may stop some attacks but will also hinder legitimate communications, destroying your organization’s trust in the reliability of its IT systems.
Modern IR firms and SOCs perform initial readiness assessments to document a client’s systems and external services. Even then, they don’t have the familiarity and access to be immediately ready to run an investigation. Time spent refamiliarizing ourselves with what your company does, where critical data is stored, and where authoritative logs and the like are stored is time wasted on figuring out how to limit the impact of an ongoing incident. Large firms use rotating staff for all but the largest accounts. That staff likely won’t see any preparatory documents before an incident.
By contrast: Latacora understands your business and your tech stack. Thanks to consistency in security tooling, we have immediate access to the queries and reports we need to start digging into what’s happening. Providing access to those systems is a trivial process.
Threat hunts and incidents often turn out to be false positives. Latacora’s embedded team and processes mean faster investigations while drastically reducing false positive escalations, all of which reduce cost.
Incidents happen in the places that slip through the net. If you knew the issue in advance, you’d probably have addressed it already. Attackers exploit the gaps, so you often don’t know what expertise you’ll need. You may have a technical team that understands your application code and its infrastructure in extreme detail, but that doesn’t help if your data breach involves understanding Hubspot’s authorization model. We’ve got a deep bench of experts, in-house or on retainer, covering a huge swath of eventualities.
Sometimes, an incident calls for specialized tools as well as expertise. Those could be professional digital forensics, post-compromise endpoint visibility, or reverse engineering tools. IntrusionOps comes with these pre-equipped, and this program includes unmetered access. For example, if you don’t have a sufficient EDR tool (e.g., because you haven’t deployed SentinelOne on every machine), IntrusionOps uses its SentinelOne IR license to deploy enterprise-wide across all major operating systems instantaneously.
Major breaches are often first discovered by researchers and coordinated through third parties like CISA, or discussed via backchannels. We often get advance notice before these become public. Generally speaking, this information is subject to an embargo, so we can’t discuss specifics until they’re made public. We will often be able to identify a potential compromise well before public disclosure, and embargo protocols typically allow notifying clients confirmed or reasonably suspected to be impacted before an embargo is lifted.