ContraForce adds support for Splunk Enterprise Security, CrowdStrike Falcon XDR and IBM QRadar SIEM

It can be both challenging and rewarding being a security analyst at a managed security service provider (MSSP). A common challenge is having to manage multiple Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools. This occurs because different clients use different tools, or commonly, one client uses multiple tools. This situation creates several headaches both for analysts, and for MSSP leadership:

  1. Complex Workflow: When analysts work with multiple tools, it usually means dealing with different interfaces, features, and ways of categorizing and responding to threats. Working in this manner requires an ability to quickly adapt and switch between systems. This is tiring for analysts. For MSSP leadership, it can mean having to hire very skilled [read: expensive] analysts, as each tool requires a steep learning curve to master.
  2. High Pressure: Security analysts are tasked with detecting, analyzing, and responding to threats in real time. The use of multiple tools can add pressure, as analysts must refresh their situational awareness each time they switch from one tool to another to interpret alerts and mitigate risks. For MSSP leadership this leads to slower client response times and potentially a drop in detection and response accuracy for their clients.
  3. Unnecessary Learning: As the cybersecurity landscape is constantly evolving, so must SIEM and EDR platforms. To keep up with the latest capabilities of each tool, analysts must stay on top of product releases and documentation updates and set time aside for training. For MSSP leadership that means it is necessary to leave time aside for analyst professional development, or risk that analysts fall behind. Either way, team productivity is affected.

Today, we are excited to announce that many of these headaches can be put to bed as we have expanded the number of SIEM and EDR tools that can be managed in the ContraForce platform. Analysts can now manage Splunk Enterprise Security, CrowdStrike Falcon XDR, and IBM QRadar SIEM along with the Microsoft tools that we have previously supported: Microsoft Sentinel and Microsoft Defender XDR. This development has several exciting benefits for security analysts and MSSP leadership.

  1. Simplified Workflow. Analysts using the ContraForce platform follow consistent investigation and response workflows for security events irrespective of the underlying SIEM or EDR tool. Incident data, entity context and associated ContraForce Gamebooks are always displayed in a consistent format, making it easy for analysts to quickly jump between incidents no matter which SIEM or EDR produced an event. For MSSP leadership, this means their analysts will be able to immediately support new clients that use any of the SIEM and EDR tools supported by ContraForce.

Example incident sourced from Splunk as displayed in the ContraForce platform.

  2. Less Pressure. Analysts can now see security incidents from any of the supported SIEM and EDR tools together in the ContraForce Command console instead of having to jump between applications. As part of the normalization process, each incident is also assigned a unique ID, irrespective of the source tool, making it easy for analysts to track incidents and communicate with each other. MSSP leadership and users at the MSSP’s clients can now also see a unified view of a client’s incidents, even if the client uses multiple SIEM and EDR tools.

The ContraForce Command console displaying incidents from multiple sources.

  3. More Productive Learning. Analysts no longer need to be experts in each SIEM and EDR tool. For MSSP leadership, this means more hiring and staffing flexibility. Junior analysts can take on a broad range of tasks, and senior analysts can apply their knowledge to incidents even if they aren’t experts in the underlying SIEM or EDR tool. It also means that MSSP leadership can increase their competitive differentiation by focusing professional development on value-added topics instead of training analysts on systems administration.

In short, while being a security analyst at an MSSP will always be at least somewhat demanding due to the need to maintain vigilance against threats, analysts’ jobs should not be made harder by having to unnecessarily master multiple tools. We’re excited to be playing a part in overcoming that challenge in a way that benefits both the analyst and MSSP leadership.

ContraForce is everything you need to manage your security service delivery with confidence.