HarfangLab is not only an EDR, but also a dedicated customer support team. What happens after a contract is signed? What are the onboarding stages? Who needs to be involved?
Let’s take a look at the steps involved in deploying HarfangLab’s EDR On Premise, which offers the same functionality as the Cloud version. These steps are followed by a partner for customers who opt for a managed service via an MSSP.
Preparing and deploying the on-premise environment
First of all, sales teams confirm the number of endpoints to be protected and the retention period for data other than those linked to alerts (which can extend over several months in the case of post-incident investigations).
Depending on the number of endpoints to be protected, the length of data retention and the level of resilience required, the servers needed to run the application are sized accordingly.
The HarfangLab teams then contact the people involved in the customer’s project:
- Project Manager
- Architect
- SOC Manager
- Infra team (systems & networks).
After an initial workshop to identify architectural constraints, and depending on the hardware and technical prerequisites, workshops can be organized to support the various phases of deployment in whole or in part:
- Architecture
- Interconnections with the existing cyber environment
- Manager deployment
- Agent deployment
- Infra supervision
- Follow-up of the operational maintenance (MCO) cycle (updates, etc.).
Agent installation and deployment
There are two possible approaches to installing and deploying agents:
- First set up protection and detection groups and policies, then deploy agents;
- Deploy all agents first, then create protection and detection policies and groups.
The agent installation process integrates natively with commonly used deployment tools.
Observation of behavior on protected endpoints
Once the agents have been deployed, the first alerts appear in the console, so that false positives, suspicious behavior, malicious files, etc. can be sorted and whitelists created. The more extensive the user authorizations, the greater the number of events to be evaluated; this requires human analysis, which remains essential.
In the event of suspicious behavior, cybersecurity experts or security managers can examine and classify events according to their understanding of the context.
The aim is to fine-tune the detection and protection rules to optimize the tool’s effectiveness. This phase can take from a few weeks to two months to cover all possible scenarios over time.
Follow-up, support and reporting
Once agents are up and running and whitelists are established, detection and protection rules can be adjusted regularly to keep pace with security requirements. These new rules are integrated by HarfangLab (in Sigma / YARA format, visible and modifiable), and customers also have the option of adding rules according to their specific needs.
Finally, regular follow-up meetings are scheduled with the customer to answer any questions they may have throughout the deployment and, ultimately, during use of the console, whether concerning the platform or its evolutions and the new functionalities they bring.
In short: who does what during HarfangLab’s on-premise deployment?
- Architect
  - Ensures that the deployment of the solution complies with the organization’s security requirements
  - Represents the technical authority on security architectures
- Project Manager
  - Manages the entire project (planning, resources, etc.)
  - Coordinates the various profiles required for successful deployment of the solution
- Infra teams
  - Preparing and deploying the environment
  - Installing and deploying SOC agents
  - Observation of behavior on protected endpoints
  - Adaptation of EDR to your context (whitelists, engine configuration, etc.)
HarfangLab’s day-to-day operations: their testimonies
“The HarfangLab teams enabled us to carry out a very fast setup. We were able to move forward so quickly because all the questions we raised were answered in a very short space of time. For example, CTI configuration issues were dealt with in less than 2 hours. This efficiency, as well as the ability of HarfangLab’s teams to anticipate situations we may have encountered, are among the keys to the success of our partnership.”
Emmanuel Pieters, CoE CYBER – Axians