On-Premises customer onboarding at HarfangLab

Everything you need to know about onboarding for HarfangLab's On-Premises customers: from preparing the environment to installing and deploying agents, support, guidance...

HarfangLab is not only an EDR, but also a dedicated customer support team. What happens after a contract is signed? What are the onboarding stages? Who needs to be involved?

Let’s take a look at the steps involved in deploying HarfangLab’s EDR On-Premises, which offers the same functionality as the Cloud version. These steps are followed by a partner for customers who opt for a managed service via an MSSP.


Preparing and deploying the On-Premises environment  

  1. Preparation of customer infrastructure and initial workshops to identify architectural constraints 
  2. Confirmation of the number of endpoints to be protected and the retention period for non-alert data (which can extend over several months in the case of post-incident investigations) 
  3. Server sizing
  4. Coordination with the customer’s project partners and the MSSP where applicable: Project Manager, Architect, SOC Manager, Infra Team (systems & networks), etc.  
    Depending on the hardware and technical requirements, additional workshops can be organized on specific topics (architecture, interconnections with the existing cyber environment, deployment of the manager and agents, infrastructure supervision, etc.) 
  5. Installation of the manager in the client environment and deployment of the agents 
  6. Observation of the behavior on protected endpoints, and coordinated adjustments with the MSSP where necessary 

Over the long term, the vendor and/or the MSSP ensures the solution’s maintenance in operational conditions (MOC), support and reporting, as well as the update cycle.
The aim is to create a virtuous circle of protection!
 


Agent installation and deployment

There are two possible approaches to installing and deploying agents:

  1. First set up protection and detection groups and policies, then deploy agents;
  2. Deploy all agents first, then create protection and detection policies and groups.

The agent installation process integrates natively with commonly used deployment tools.


Observation of behavior on protected endpoints

Once the agents have been deployed, the first alerts appear in the console, so that false positives, suspicious behavior, malicious files, etc. can be sorted and whitelists created. The more extensive the user authorizations, the greater the number of events to evaluate, and these require human analysis, which remains essential.

In the event of suspicious behavior, cybersecurity experts or security managers can examine and classify events according to their understanding of the context.

The aim is to fine-tune the detection and protection rules to optimize the tool’s effectiveness. This phase can take from a few weeks to two months to cover all possible scenarios over time.


Follow-up, support and reporting

Once agents are up and running and whitelists established, detection and protection rules can be adjusted regularly to constantly adapt to security requirements. These new rules are integrated by HarfangLab (in Sigma / YARA format, visible and modifiable), and customers also have the option of adding rules according to their specific needs.

Finally, regular follow-up meetings are scheduled with the customer to answer any questions they may have throughout the deployment and, ultimately, during use of the console, whether concerning the platform or the evolutions and new functionalities it brings.

In short: who does what during HarfangLab’s On-Premises deployment?

  • Architect
    • Ensures that the deployment of the solution complies with the organization’s security requirements
    • Represents the technical authority on security architectures

  • Project Manager
    • Manages the entire project (planning, resources, etc.)
    • Coordinates the various profiles required for successful deployment of the solution

  • Infra teams
    • Preparing and deploying the environment
    • Installing and deploying SOC agents
    • Observation of behavior on protected endpoints
    • Adaptation of EDR to your context (whitelists, engine configuration, etc.)

HarfangLab’s day-to-day operations: they can attest

“The HarfangLab teams enabled us to carry out a very fast setup. We were able to move forward so quickly because all the questions we raised were answered in a very short space of time. For example, CTI configuration issues were dealt with in less than 2 hours. This efficiency, as well as the ability of HarfangLab’s teams to anticipate situations we may have encountered, are among the keys to the success of our partnership.”
Emmanuel Pieters, CoE CYBER – Axians
