Jan 17, 2023 7 min read

Quzara and SOC Prime save more than 600 hours by optimizing Microsoft Sentinel–based detections

When two cybersecurity companies with interlocking expertise and overlapping pieces of the security market collaborate, everyone involved benefits—except for malicious actors. Quzara LLC, a managed extended detection and response provider that offers the only FedRAMP High Ready security operations center (SOC) as a service, partnered with SOC Prime, one of the world’s largest and most advanced platforms for collective cyberdefense. SOC Prime provides curated detection and hunting content tailored to customers’ security toolkits. As a Center of Excellence for Microsoft Sentinel, SOC Prime helps extended detection and response organizations like Quzara focus on their customers. Quzara and SOC Prime work together to optimize Microsoft Sentinel–based detections for massive time and cost savings.


Facing a shifting threat landscape

In an age where information is a company’s most prized asset, cybersecurity is nonnegotiable. But managing security in the face of growing sophistication and increased threats is a distraction from the mission, so organizations of all sizes often choose to outsource some or all of their cybersecurity to experts like Quzara LLC, a managed extended detection and response (MXDR) provider that operates a managed security operations center (SOC) for its customers. Quzara’s Cybertorch is the only FedRAMP High Ready and StateRAMP Category 3+ Ready SOC as a service product.

Quzara began its partnership with SOC Prime, a Detection as Code platform provider used by more than 8,000 customers, to stay abreast of adversaries, attacks, and emerging threats. That collaboration brings both companies an advantage worth more than the sum of their individual contributions. SOC Prime builds its platform on global collaboration between cybersecurity professionals, curating detection rules written in Sigma, a generic, vendor-neutral signature format for describing patterns in log events that can be translated into the native query language of almost any detection tool. SOC Prime maps this content to MITRE ATT&CK®, the MITRE Corporation’s knowledge base of adversary tactics, techniques, and procedures, so that an organization can see which techniques its detections cover and where gaps remain. The rules convert to more than 25 security information and event management (SIEM) and extended detection and response (XDR) query formats that organizations can use to counter their most anticipated threats.

Quzara and SOC Prime use the coordinated tool set in Microsoft Security solutions to help their customers protect against cyberthreats. Their endorsement of Microsoft Sentinel, a cloud-native SIEM, takes shape in SOC Prime’s Center of Excellence for Microsoft Sentinel SIEM and SOAR (security orchestration, automation, and response) and in the Quzara Cybertorch MXDR service, which provides continuous coverage of its customers’ systems and data sources. Both companies use the Microsoft Defender solution family and advocate that their customers use it too.

The companies share threat intelligence and their considerable cybersecurity expertise while building on Microsoft tools, forming a powerful link in the global cyberdefense community. Both are members of the Microsoft Intelligent Security Association, a collection of service providers dedicated to using Microsoft technology to guard against cyberthreats.

Joining forces, boosting protection

“Microsoft Sentinel made the most sense for us because it’s a cloud-native SIEM that relieves us of operational management overhead,” says Daniel Beaver, Cyber Operations and Security Manager at Quzara.

That freedom is important to Quzara, which needs to focus on each customer to understand its particular needs. The company builds connectors into its customers’ data sources, ingesting their logs into Microsoft Sentinel. Increasingly, the Quzara team amplifies productivity by using Microsoft Sentinel data connectors, the out-of-the-box integrations that each target a designated data source, to ingest data from client systems. “Our team appreciates the timesaving features in Microsoft Sentinel,” says Beaver. “We also make full use of its interoperability for seamless and fast ingestion of logs from our client systems. We continually notice that more log sources connect with Microsoft Sentinel without any friction.” Nicholas Saucier, Sales Engineer and Customer Success Manager at SOC Prime, underscores that usability. “We use Microsoft Sentinel because of its ability to ingest and parse logs,” he says. “The dashboards are very useful.”

Quzara helps customers mitigate threats and other suspicious activity while adhering to multiple compliance requirements, such as FedRAMP, StateRAMP, and the Cybersecurity Maturity Model Certification framework, a consequence of how its SOC as a service is architected. The company uses its partnership with SOC Prime to help its customers be as proactive as possible, streaming the most up-to-date threat hunting queries, which supplement the analytics rules Quzara creates in-house. “We benefit from SOC Prime’s vast threat detection knowledge base,” says Beaver. “Our partnership with SOC Prime has saved our team more than 600 hours of time in creating detection rules and hunting queries. Freeing up that amount of time is absolutely pivotal for us because it helps us be more strategic in how we allocate resources.”

“Defending against threats is all about watching each other’s backs,” adds Saucier about SOC Prime’s side of the equation. “We support partners like Quzara by doing the behind-the-scenes work to keep their systems up and running.” SOC Prime engineers sprint to stay ahead of new threats, writing and delivering defensive code in less than 24 hours after threat discovery. “When Quzara’s customers ask about some new threat they’ve heard of, Quzara can reassure them that it has the necessary code and is on top of the situation.”

The constant proliferation of cyberthreats demands increased vigilance—and teamwork. Beaver speaks to the increasing breadth and frequency of attacks. “There are more ways for malicious actors to attack, not just because we have new systems, but because of old things like operational technology devices that were never designed to be connected to the internet but now are,” he explains. “Those older OT devices lack modern security features. And conflicts between nation states—the Russia and Ukraine war, for example—increase attack vectors and make proactive action crucial.”

The time saved translates into a much-needed advantage against malicious actors. “We think of it in terms of incentives,” says Saucier. “Our adversaries have every incentive to commit cybercrimes, and they establish the timing of their attacks.” But SOC Prime creates incentives, too. It uses a micropayment model to compensate security professionals for the Sigma rules that they contribute to the SOC Prime repository. That growing global knowledge base of detection rules mapped to MITRE ATT&CK reduces the shelf life of each new threat. “We appreciate the ease of connection between MITRE and Microsoft Sentinel, which makes it easy to get an overview of what threats are being covered, the analytics rules we create, and the content types,” says Ruslan Mikhalov, Cofounder and Chief of Threat Research and Professional Services at SOC Prime.

Defending customers with connected Microsoft Security solutions

Saucier lauds the productivity advantage his team achieves with Microsoft solutions, including the PowerShell scripting language. “The standardization in Microsoft solutions reduces the challenges of getting uniform and scalable security data,” he says. “It’s easy for us to manage everything on our platform with Microsoft tools like PowerShell, the Defender suite, and Microsoft Sentinel. And because these tools are backed by universal Sigma rules, even the smallest entities use them, so we can achieve more for more customers.”

The SOC Prime team strives to match the diverse cybersecurity needs of its customers by ensuring a constantly growing collection of detection rules and expanding support for cutting-edge SOC tools—security is very much a numbers game. SOC Prime engineers create search profiles on the SOC Prime Platform. “We can create granular search profiles because Microsoft Sentinel identifies every service and coordinates all the data very well,” says Saucier. “Otherwise, it would just be noise. Our Microsoft tools are robust and well built, and that’s essential in segmenting our searches and creating an effective battle plan.”

The SOC Prime team combines Microsoft Security solutions to create its own tools. It used Microsoft Sentinel to build an automated pipeline for continuous content management. It simply configures the environment, creates a content list for a specific threat, and points it at the Microsoft Sentinel deployment to gather the intelligence that SOC Prime engineers need to address the threat. “Microsoft is one of the few platforms that we can use to streamline threat hunting in that way,” says Saucier. “These things happen very fast. Everyone wears a million hats as we scramble to get on top of an active threat.” Beaver cites a recent example. “SOC Prime caught the Log4j vulnerability,” he recalls. “Its fast response helped us notify our customers immediately, and its insights into Log4j activity in December 2021 saved precious time for everyone. And it supplied us with the code needed to detect the attack.”
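The two mechanisms this page describes, the Sigma-to-SIEM translation with ATT&CK mapping from “Facing a shifting threat landscape” and the content pipeline that points rules at a Microsoft Sentinel deployment, as one added example that is not SOC Prime’s or Quzara’s own tooling: a Python script that takes a constructed Sigma rule, produces the KQL query Sentinel would run, and builds the request body and resource URL for a Sentinel scheduled analytics rule. It handles only the Sigma subset needed here (one logsource, string selections with the contains/startswith/endswith modifiers, a condition built from selection names and and/or/not); the field mapping onto the Defender for Endpoint `DeviceProcessEvents` table, the five-minute schedule, the `2023-02-01` API version and the placeholder subscription, resource-group and workspace names are assumptions made for the example. Production translation goes through pySigma’s Sentinel backend, which covers the whole language.

```python
import json
import re
import uuid

# Constructed sample rule, shaped like the dict yaml.safe_load returns for a Sigma file.
SAMPLE_RULE = {
    "title": "Certutil used to fetch a remote file",
    "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": "urlcache",
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.command_and_control", "attack.t1105"],
}

# Assumed mapping of Sigma's generic process_creation fields onto the DeviceProcessEvents table.
TABLE_FOR_LOGSOURCE = {("windows", "process_creation"): "DeviceProcessEvents"}
FIELD_MAP = {"Image": "FolderPath", "CommandLine": "ProcessCommandLine",
             "ParentImage": "InitiatingProcessFolderPath"}
# Sigma string matching is case-insensitive, and so are these KQL operators.
MODIFIER_OPS = {"": "=~", "contains": "contains",
                "startswith": "startswith", "endswith": "endswith"}
SEVERITY = {"critical": "High", "high": "High", "medium": "Medium",
            "low": "Low", "informational": "Informational"}


def kql_literal(value):
    """KQL verbatim literal: backslashes pass through, double quotes are doubled."""
    return '@"' + value.replace('"', '""') + '"'


def selection_to_kql(selection):
    """One Sigma selection map (keys are AND-ed) -> one KQL predicate."""
    parts = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier not in MODIFIER_OPS:
            raise ValueError(f"unsupported Sigma modifier {modifier!r}")
        parts.append(f"{FIELD_MAP.get(field, field)} {MODIFIER_OPS[modifier]} {kql_literal(value)}")
    return "(" + " and ".join(parts) + ")"


def sigma_to_kql(rule):
    """Full KQL query: the mapped table, then the condition with selections expanded."""
    source = rule["logsource"]
    table = TABLE_FOR_LOGSOURCE[(source["product"], source["category"])]
    detection = rule["detection"]

    def expand(match):
        token = match.group(0)
        if token in ("and", "or", "not"):
            return token
        if token == "condition" or token not in detection:
            raise ValueError(f"condition references unknown selection {token!r}")
        return selection_to_kql(detection[token])

    return f"{table}\n| where " + re.sub(r"[A-Za-z_]\w*", expand, detection["condition"])


def attack_from_tags(tags):
    """Split Sigma attack.* tags into Sentinel's tactics and techniques lists."""
    tactics, techniques = [], []
    for tag in tags:
        if not tag.startswith("attack."):
            continue
        value = tag[len("attack."):]
        if re.fullmatch(r"t\d{4}(?:\.\d{3})?", value):
            # techniques takes parent IDs (assumed schema), so T1105.001 -> T1105
            techniques.append(value.upper().split(".")[0])
        else:
            # command_and_control -> CommandAndControl, the form Sentinel's tactics enum uses
            tactics.append("".join(w.capitalize() for w in value.split("_")))
    return tactics, techniques


def sentinel_rule_payload(rule):
    """Request body for PUT .../Microsoft.SecurityInsights/alertRules/{ruleId}."""
    tactics, techniques = attack_from_tags(rule.get("tags", []))
    return {"kind": "Scheduled", "properties": {
        "displayName": rule["title"], "severity": SEVERITY[rule["level"]],
        "enabled": True, "query": sigma_to_kql(rule),
        "queryFrequency": "PT5M", "queryPeriod": "PT5M",  # every 5 min, over the last 5 min
        "triggerOperator": "GreaterThan", "triggerThreshold": 0,
        "suppressionDuration": "PT1H", "suppressionEnabled": False,
        "tactics": tactics, "techniques": techniques}}


def rule_url(subscription, resource_group, workspace, rule):
    """Stable URL: the rule id is derived from the title, so re-runs update rather than duplicate."""
    rule_id = uuid.uuid5(uuid.NAMESPACE_URL, rule["title"])
    return (f"https://management.azure.com/subscriptions/{subscription}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
            f"/alertRules/{rule_id}?api-version=2023-02-01")


if __name__ == "__main__":
    print(rule_url("<subscription-id>", "<resource-group>", "<workspace>", SAMPLE_RULE))
    print(json.dumps(sentinel_rule_payload(SAMPLE_RULE), indent=2))
```

The script stops short of the HTTP call itself: an Azure AD bearer token with the Microsoft Sentinel Contributor role on the workspace is what authorizes the PUT, and that credential belongs in the pipeline runner, not in content. Deriving the rule id deterministically from the title is what makes the pipeline safe to re-run: the same content list deployed twice updates the rules in place instead of leaving duplicates that double every alert.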

Knowledge is power—and hope. “Sunlight is what stops these folks,” says Saucier. “They live in the shadows, but their time to hide in the dark is dwindling because we’re constantly adding new Sigma rules into Microsoft Sentinel. Our ability to detect them will eventually outpace their ability to prey on us.”
