Commonly asked questions
We’ve done our best to answer the questions we hear most often below. If you don’t see what you’re looking for, feel free to get in touch. We’ll get you an answer and add it to this list so others can benefit as well.
Products we support
I have a product (or am planning to buy one) that you don’t support. Will you support it in the future?
If the product is (or will be) a core part of how you detect, investigate and resolve security incidents, chances are it’s already on our radar. It’s pretty straightforward for us to add mainstream SIEM, network detection or endpoint detection and response (EDR) products. If it’s something else, let us know and we’ll tell you how we’d approach it.
Can you integrate with my ticketing system?
Maybe. We don’t currently integrate with ticketing systems, but we plan to add that capability in the future. If you’re interested in that, let’s talk, so we can understand your specific use case.
Do you manage my SIEM?
No. We don’t manage SIEMs (or IDS or firewalls). You have to keep your security tech running and up to date, because that’s an IT operation that depends on your environment. What we will do, however, is look at all of the data in your SIEM, so you don’t have to (unless you want to).
How we work
Can you perform remediation actions?
Not right now. We don’t currently do things like containing machines or resetting passwords. We fully expect to add that capability over time. But, we want to work closely with our customers to understand and clearly define what you’re comfortable with Expel doing, and under what circumstances. If that’s something you’re interested in, we’d like to have a conversation to understand your desires.
What type of intel do you use?
We create our own threat intel and also apply third-party intel feeds to add context to alerts. Expel’s detection capabilities also rely heavily on methodology-based indicators that detect adversary activity, not just hashes and addresses. Because we’re transparent, we’re always happy to share any indicator we’re using with you, so you understand how we detect the things we do.
I subscribe to my own threat intel feeds. How does Expel use those?
Any intel you use in your security products to detect threats will create alerts that flow to Expel. From there, our analysts will triage and investigate them.
Who determines the level of alerts that you’re going to respond to for each of my products?
We do. Expel has analysts that are experts in each network, endpoint and SIEM product that we support. When we onboard a new technology, we spin the product up, test it with red teams and identify the alerts we’ll see under various attack scenarios. We use this experience to identify the types of alerts that are most meaningful and determine what level of severity we should attribute to each of them. Severity is based on impact. For example, a webshell is going to have a bigger impact than commodity malware.
If I don’t understand how to implement an action you recommend, how do I get assistance?
You’ve got three options. First, you can always call our security operations center (SOC) 24 hours a day, and a human will always answer. In addition, each customer has a dedicated engagement manager, so during the day you can also call him or her. However, if you’d prefer to interact using technology instead of telephones, you can use the Expel Workbench or a chat channel that gives you direct access to our analysts.
Do you perform incident response?
Expel doesn’t provide incident response services. However, when a potential incident arises, we don’t want you to worry about how you’re going to respond. Plus, during the early stages of an investigation, it’s not always clear if you’re dealing with a relatively minor issue or a full-blown incident. Generally, if we identify 10 or more compromised machines during an investigation, we consider it an incident.
When you need help that goes beyond our basic service, we offer surge hours, billed at an hourly rate, to help you further scope the size of an incident, get more clarity on its severity and validate suspicions that you might be compromised. When incident response services are required, we’re happy to refer you to one of our incident response partners. If you’d like to chat more about how we draw the line between our basic service and incident response, let us know.
What are resilience recommendations?
Resilience recommendations are our way of making you better even when there aren’t any security incidents.
We think a managed security service should make your security better, not busier. In our view, getting better means we should help you prevent bad things from happening again (and again) or impacting you in the first place.
Resilience recommendations do one of two things – disrupt attackers or enable defenders. Recommendations that disrupt attackers prevent threats from successfully performing their intended goal, while recommendations that enable defenders allow your team (including us) to respond more effectively when they do.
To get a better idea of what we are talking about, here are a couple of resilience recommendations (Example 1, Example 2) our customers have implemented. You can also read our blog post about them and watch our demo (select 4) to see what resilience looks like in action.
What do you mean by "hunting"?
Good question. People use the term “hunting” in lots of different ways, and one of the things we’re trying to do is to demystify it so it’s more accessible and understandable to our customers.
First, we use your existing SIEM, network, and endpoint devices. Then we collect data from these devices and apply advanced investigative techniques to find evidence of malicious activity. We’re constantly adding new techniques (so check back!). One thing we look for is unusual parent/child process relationships. For instance, if winword.exe is spawning powershell.exe, that could indicate a malicious Microsoft Word file attempting to compromise a machine. Another example is lateral movement in the environment, such as a source that rarely connects via RDP or a burst of RDP activity from non-administrative users.
The biggest variable that impacts what we can hunt for in your environment is the security products you own. If you’re interested in our hunting service you can expect us to walk you through the specifics of what we’ll be able to do with your tools in your environment.
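As an added example (not Expel’s own code), here is how the two hunts described above can be written as detection logic over constructed Sysmon-style process-creation events and Windows 4624-style logon events; the field names, the set of Office parents and script-host children, and the burst threshold are assumptions.

```python
"""Two of the hunts described above, run over constructed Sysmon-style process
events and Windows 4624-style logon events (field names are assumptions)."""
import ntpath
from collections import Counter

# Office applications that should almost never launch a script host or shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def suspicious_parent_child(events):
    """Return (host, parent, child) for each Office parent that spawned a script host."""
    hits = []
    for e in events:
        # Normalise full paths and mixed case before comparing file names.
        parent = ntpath.basename(e["parent_image"]).lower()
        child = ntpath.basename(e["image"]).lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            hits.append((e["host"], parent, child))
    return hits

def rdp_bursts(logons, admins, threshold=3):
    """Flag non-admin (user, source) pairs with >= threshold RDP logons (logon type 10)."""
    counts = Counter(
        (l["user"].lower(), l["source_ip"])
        for l in logons
        if l["logon_type"] == 10 and l["user"].lower() not in admins
    )
    return sorted((u, s, n) for (u, s), n in counts.items() if n >= threshold)

# Constructed sample data: one benign and two suspicious process events.
PROCESS_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS03", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]
# Constructed logons: a non-admin bursting over RDP, an admin doing the same, one network logon.
ADMINS = {"svc-admin"}
LOGON_EVENTS = [
    {"user": "jdoe", "source_ip": "10.0.0.5", "target": "SRV01", "logon_type": 10},
    {"user": "jdoe", "source_ip": "10.0.0.5", "target": "SRV02", "logon_type": 10},
    {"user": "JDOE", "source_ip": "10.0.0.5", "target": "SRV03", "logon_type": 10},
    {"user": "svc-admin", "source_ip": "10.0.0.9", "target": "SRV01", "logon_type": 10},
    {"user": "svc-admin", "source_ip": "10.0.0.9", "target": "SRV02", "logon_type": 10},
    {"user": "svc-admin", "source_ip": "10.0.0.9", "target": "SRV03", "logon_type": 10},
    {"user": "jdoe", "source_ip": "10.0.0.5", "target": "FS01", "logon_type": 3},
]
```

Calling `suspicious_parent_child(PROCESS_EVENTS)` flags WS01 and WS03 but not the explorer.exe launch on WS02, and `rdp_bursts(LOGON_EVENTS, ADMINS)` reports only jdoe from 10.0.0.5, since the admin account is excluded and the type 3 logon is not RDP.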
Read our “What is cyber threat hunting” blog to learn more about how we define hunting.
How does your Night Shift service work?
Night Shift includes all the features of our 24x7 service, but (as the name hints) only on nights, weekends and holidays. You get unlimited security device monitoring, resilience recommendations, performance metrics and a dedicated engagement manager. During Expel’s shift, our analysts will monitor your environment, triage alerts, investigate incidents and provide remediation recommendations.
You may be wondering what time zone we use to define “night time.” Here’s how we deal with that. You’ll pick your “home time zone” (usually this’ll be where your security people are located). Then, our Night Shift service covers:
- Weeknights: Monday – Thursday from 6pm to 9am
- Weekends: Friday from 6pm to Monday 9am
- Holidays: 24x7 service on all ten U.S. Federal holidays
How we manage our analysts
Where’s your security operations center (SOC) located?
Our SOC is located in Herndon, Virginia. Let us know if you’d like to come by and visit. We have snacks.
Do you use a follow-the-sun approach?
No. We provide 24x7 monitoring from our SOC in Herndon, Virginia. We think this approach offers customers a higher level of service. There are also a bunch of other reasons we chose this approach — mostly battle scars and lessons learned from building SOCs around the world in past lives. Let us know if you’d like to hear more. We’re always happy to share more about our past experiences and mistakes, as well as our current approach to addressing challenges.
How do you prevent your analysts from burning out?
We try to make sure that our analysts have interesting things to work on. A big part of this is eliminating as much manual “crank turning” as we can. Analysts want to spend their time being analysts, not trying to get technology to do the thing they need it to do. We also keep an intense focus on indicator management, enabling analysts to focus on alerts that matter rather than clicking through a bunch of noise to get to a bit of signal.
We don’t do “runbook analysis,” prescribing actions that our analysts must take under certain conditions. If we know enough about a particular alert to get that prescriptive, we automate the handling of that alert so that our humans don’t have to spend their time on it.
Finally, we ensure our analysts get to exercise different muscles. Whether it’s proposing new ways to detect attacks or developing new correlation rules, we make sure they get to change things up while improving their skills.
You can read more about our point of view on creating a good work environment for analysts in a blog post titled Five ways to keep your security nerds happy. In fact, we’ve got a whole category on the blog devoted to talent management.
Dollars and cents
What does it cost?
You can see our pricing here.
Ready to talk?
We know you don’t answer the phone unless you know who it’s from. That’s why we won’t waste your time.
When you tell us you’re ready, we’ll have someone get in touch and they’ll be able to talk tech.