With the complexity of threats and the disappearance of virtually any organization’s boundaries, security teams face more challenges than ever to deliver consistent security outcomes. Stellar Cyber aims to help security teams meet this challenge.
Stellar Cyber claims to meet the needs of MSSPs by providing capabilities typically found in NG-SIEM, NDR, and SOAR products in its Open XDR platform, all managed under a single license. According to Stellar Cyber, this integration means security analysts work faster and customers are left with fewer manual, labor-intensive tasks. Stellar Cyber currently counts more than 20 of the top MSSPs as clients, providing security for over 3 million assets. Additionally, Stellar Cyber claims that after deployment, users see up to a 20 times improvement in average (mean) time to respond (MTTR), which is a bold claim.
We recently took a closer look at the Stellar Cyber Security Operations Platform.
Before we start
Before researching the platform, here are a few things MSSPs should know about Stellar Cyber:
- Works with any EDR: Stellar Cyber can be categorized as Open XDR because it provides visibility across your customers’ environments; however, it is not an extension of a single EDR product. Instead, Stellar Cyber offers pre-built integrations for all of the major EDR vendors, which means your customers can keep using the EDR they want if you use Stellar Cyber.
- It is multi-tenant: Stellar Cyber is a multi-tenant solution, which means your customers’ data is not mixed together, allowing you to offer your services in regions with strict data privacy concerns. Moreover, this multi-tenancy approach can improve analyst-to-client ratios. In certain cases, work done for one customer can be applied to another customer without compromising data integrity.
To facilitate this product review, the team at Stellar Cyber gave us access to the cloud-based version of their product, so after a brief product walkthrough from a Stellar Cyber support person, we logged into the product.
Responding to an incident from the home page
This is the initial screen you see when you log into Stellar Cyber. You would expect to see many items on the main screen of an analytics product, such as the most important incidents and the most critical assets. An interesting piece on this screen is what Stellar Cyber calls the Open XDR Kill Chain. By clicking on any part of the kill chain, you can access the threats associated with that stage of the attack chain. For example, I clicked “Initial Attempts” to get to this screen.
Here I can see the alerts that Stellar Cyber automatically assigned to the “Initial Attempts” phase. Going further down the rabbit hole, I see more information about an alert when I click View on any of the alerts. At first I was presented with some summary infographics; then I scrolled down the screen a bit and saw a “more info” hyperlink, so I clicked on it and this is what I got in return.
Here I can read about the alert, dig into the details, and review the raw data behind the alert as well as the JSON, which I can easily copy to the clipboard if needed.
Here is where I thought things got more interesting. While the data display in Stellar Cyber is easy to understand and makes sense, the true power of the product wasn’t apparent to me until I clicked the “Actions” button on the screen above.
As you can see, I can take response actions directly from this screen, such as “Add a filter,” “Run an email,” or “Take an external action.” By clicking on an external action, I get another selection menu, and when I click on the endpoint option, I get a long list of choices, ranging from Contain Host to Shutdown Host.
When I click on an action, such as Contain Host, a configuration dialog is displayed where I can select the connector to use, the action target, and any other options required to start the chosen action. So, in summary, I can see how security analysts, especially novice ones, will find this workflow very useful, as they can a) easily search the details of an incident from the main screen, b) review more details by digging deeper into the data, and c) take corrective action from this screen without writing any scripts or modifying code.
For MSSPs, I can see new analysts working on this view initially to familiarize them with the platform while still meeting customer service level agreements. However, my intuition tells me that there is a lot to learn about the Stellar Cyber platform, so let’s see if there is another way to investigate the incidents.
Now instead of clicking Open XDR Kill Chain, I’m going to click the “Incidents” menu item and get this screen in return.
When I clicked on the caret in the blue circle, I expanded the filter menu, which enabled me to focus on a specific type of incident. Since I’m in exploratory mode, I go directly to the details button to see what I can find in this detailed view.
I can now see how this incident occurred and spread across multiple sources. Furthermore, I can immediately see the files, processes, users, and services associated with the incident. There are different ways to view this data as well. For example, I can switch to the timeline view to get a readable history of this incident, as shown below:
When I click on the little “i”, I arrive at a familiar screen.
I know the story from here, and that’s fine.
So, in summary, I can see that analysts who used to work from the alerts list might want to start their investigations from the incidents page instead. For MSSPs, this view is also useful because it shows all incidents across all tenants in one place. Of course, this view can also be filtered by analyst, customer, and so on.
Hunting Threats and Response Actions in Stellar Cyber
By this time, I’m convinced that Stellar Cyber offers an interesting approach for MSSPs looking to simplify their security operations. Honestly, at this point in my review, I didn’t have to write any special scripts or do anything other than click on some links and scroll around some screens to go from the default view to responding to some nasty alerts, which is not the norm for these types of products.
Before I get too carried away singing the praises of Stellar Cyber, I wanted to take a look at a couple of the other features mentioned, Threat Hunting and Response Actions (also known as SOAR). Let’s start with threat hunting. When I click “Threat Hunting” from the menu, this screen appears.
While these stats are interesting, I’m looking for an actionable threat hunt; this is where the search dialog at the top right comes in. I typed “login” and noticed that the stats changed dynamically. Scrolling down the screen, I also see a list of alerts filtered according to my search term. Here I see the familiar “more info” option, so I know where that will take me.
I also noticed something called “Link Search” within the search dialog. When I click on that, my screen changes to this.
I can load a saved query or add a new query. When I click on add query, I see this query builder. It enables me to search basically any data Stellar Cyber stores, to theoretically find threats that have gone unnoticed. I can also access the Threat Hunting library to reuse previously saved queries.
You can also create response actions that run automatically if the query you created returns any matches.
So, in short, Stellar Cyber offers a simple platform for hunting threats that doesn’t require you to build your own ELK stack or be a strong query writer. For MSSPs, I can see that this is a nice added value that they can offer to clients when hunting for threats emerging in the wild.
Stellar Cyber is a powerful security operations platform with many features for MSSP users. If you are in the market for a new SecOps platform, it is worth taking a look at what Stellar Cyber has to offer.