Industry: Managed Security Service Provider (MSSP)

Scaled Triage

Company Overview

Headquartered in Vancouver, CyberClan provides its global customers with first-class Breach Response services. Their portfolio of services broadly covers cyber extortion, ransomware, e-discovery, tailored risk management consultancy services, and unparalleled managed security services.

When customers call CyberClan today, most are in the middle of an active incident and require quick assistance and resolution. As a remote company providing services to small security teams and having an industry-leading response time commitment of 15 minutes, there were a number of operational challenges – notably around quickly collecting data and enabling accurate post breach recovery (PBR).

Since investigations are timebound based on a statement of work (SOW), it became increasingly important to be able to discharge their services whilst providing customers with the best and most valuable information-led insights.

Most investigations utilized several different solutions, and triaging required manual steps and were often limited to a single asset at a time. They needed a flexible solution that could be scheduled to run but also ran ad-hoc so that rapid triage could be performed.

Given time is always critical in a breach, the business acknowledged it needed to work smarter, not harder, by more quickly identifying machines with signs of compromise and IoCs. This model also required high levels of involvement and engagement from their end customers.

Collecting and processing data for a detailed investigation can delay the start, this is exacerbated when you depend on the customer.

CyberClan wanted to lighten the dependency on on their customers, giving them the flexibility to say – we’re here, we’re on it, leave it to us, and we’ll manage all aspects for you. CyberClan needed a solution they could quickly deploy and use to ensure data was collected easily, with support for SFTP, was forensically sound, and not tampered with.

CyberClan wanted to turbocharge the collection of triage data over both offline and remote collection scenarios – alongside looking for ways of speeding up disk imaging efforts – focusing on the evidence that matters first.

They needed to move away from acquisitions taking 8 hours on average and accelerate this to facilitate doing more for their customers, with less involvement.

CyberClan wanted to move beyond the typical time crunch – shifting to increased automation and better prioritization to allow for more investigations per analyst, but their previous patchwork of tools was causing a speed bottleneck, preventing them from taking on more work.

Solution

CyberClan is leveraging Binalyze AIR to help manage its wider Digital Forensics and Incident Response (DFIR) activities, with a specific focus on using AIR in ransomware cases. For the CyberClan team, it’s all about getting as much relevant data as possible whilst preserving that potential evidence.

Andrew Caldwell, DFIR Lead at CyberClan, shared: “It’s been so easy to get up and running with Binalyze AIR, even the agent is quickly deployed onto lots of different endpoints and performs one big slurp (acquisition). I was able to go through this big amount of information and crosscorrelate an entire domain very easily. Then if I identify something of pertinent value, I can go back and perform a full capture. AIR solves a lot of problems but also embraces new approaches to digital forensics. It does require a subtle change of mindset coming from Blackbox forensics. I’m also relatively new to CyberClan, but I’ve been so impressed with Binalyze AIR I’ve actively encouraged former colleagues and peers to go and check it out”.

Monti Sachdeva, DFIR Lead at CyberClan, went on to explain, “I’ve been really impressed with AIR, all the way from our very first tech demo. In practice, it’s helping us with the acquisition, then automatically firing up the Triage component, letting DRONE, AIR’s automated evidence analyzers, give us even more intelligence. The agent is extremely easy to deploy and use for the average user.

By adding AIR to our arsenal, a single analyst can now manage many more investigations individually. It’s very powerful in getting acquisitions from memory, browsers, RAM, logs, and so many more destinations. We’ve just started using the Investigation Hub feature (formerly Consolidated Report), and we already love it. It’s dramatically improving efficiency when you need to investigate hundreds of endpoints at once, and having one unified view for the entire team is really helpful.

The Timeline feature is also proving to be indispensable in our Incident Response activity. This feature, being largely automated, helps save us more time – removing a lot of reliance on slow manual inputting and juggling of old-school Excel spreadsheet documents. AIR is quickly becoming a one-stop shop for us, keeping all activity within one single pane of glass.”

Final Thoughts


Binalyze AIR is such a comprehensive and powerful DFIR platform. It’s supporting both industry veterans and those new analysts coming into the cyber security space.

AIR is spearheading CyberClan’s training of new colleagues on DFIR fundamentals – with its clean and clear user interface and intuitive design harnessing a powerful depth of capabilities.

“Having a categorization factor of artifacts and being able to pivot inwards, beyond your more traditional warnings of something looking suspicious, and giving priority order – it’s just so useful. It helps us work at scale and even feels a bit like an enhanced EDR function”, shared Andrew.

“We’ve recently attracted some new colleagues into CyberClan, and they’ve shared that a big attraction was because we’re already using AIR; that’s a big compliment because there’s an appreciation growing in the industry for the product,” expanded Monti.

Simon Lang, Head of Digital Forensics & Incident Response at CyberClan, concluded “Binalyze AIR’s robust capabilities in IR triage has significantly streamlined our investigative processes.

It’s a super intuitive and powerful analytical platform, enabling us to quickly identify, analyze, and respond to complex cyber threats.”

Reduce Your Incident Response Time

Reduce Your Incident Response Time

Game-Changer

Company Overview



Dark Rhiino is a leading MSSP dedicated to providing comprehensive security services to businesses of all sizes. Its mission is to ensure robust cybersecurity for clients through advanced technology and expert service with a Defense-in-Depth approach.

Founded in 2017, Dark Rhiino has grown to become a trusted partner for businesses seeking reliable and effective security solutions. The company offers a unique insured guarantee of up to $1m for all clients subscribing to its Defense-in-Depth, enabling them to secure a higher deductible on their cyber liability insurance coverage.

Manoj Tandon, Co-Founder and COO at Dark Rhiino, explained: “Plenty of other companies sell security services, but what makes our market claim so strong is that we actually back it up. We’re in the business of selling outcomes.”

Challenges in expanding security operations


As Dark Rhiino pursued an ambitious growth strategy, it faced several challenges as it expanded its operations. When the team took on more customers worldwide, it faced a greater variety of operational needs as well as a greater volume of incidents to address. At the same time, they needed to maintain a high level of security assurance for all customers and meet their $1m security guarantee.

With an increase in scope and demand, the team needed more efficient processes and greater visibility that allowed them to identify and address threats proactively.

Tyler Smith, CTO at Dark Rhiino, explained: “One of our customers operates in literally every country on Earth. So, at that scale, it’s very difficult to monitor user endpoints with traditional SIEM technology or endpoint detection and response tools.”

He elaborated: “There’s also a danger of falling into the ’prevention paradox’ – you focus on what you can easily detect and prevent, and the things outside that scope effectively become invisible. So, we needed to expand both the breadth and depth of our visibility into customer systems.”

Efficiency was another key factor, as existing processes became increasingly resource heavy.

Investigating and clearing security alerts could take as much as a third of the day for Dark Rhiino’s analyst team. Further, with many of those being false positives, all that work could equate to little value.

Tyler explained: “As our client base grew, we needed to find a way to scale our operations without simply adding more manpower. Our existing tool was extremely capable but overly complex and obtuse for our young team to use – it sometimes felt like we were fighting the tool as much as the threats. So, we needed something that was as accessible as it was reliable.”

Maintaining high-quality service while operating efficiently was a critical challenge. Dark Rhiino needed to quickly identify compromises missed by prevention activity and achieve the visibility needed for thorough investigations to mitigate the chances of a full-blown incident.

This required a comprehensive platform that integrated a forensic-level approach, enabled proactive compromise assessments and would be easy and efficient to use. At the same time, the solution would need to provide complete remote system visibility with Dark Rhiino’s broad customer base.

Why Binalyze AIR was the choice for enhanced efficiency

To address these challenges, Dark Rhiino chose Binalyze AIR after evaluating several solutions and finding it to be the most comprehensive and user-friendly. The platform was well- recommended by trusted industry peers, and Dark Rhiino quickly confirmed what it could do through an AIR trial.

Tyler explained: “One important factor was the platform’s ability to integrate seamlessly with our existing workflows. The usability won us over very quickly. With our previous solution, we could solve security alerts in 15 minutes, but it would be a frantic 15 minutes as we battled to get visibility of the situation and make sense of it quickly.”

He continued: “With Binalyze, we could gain situational awareness and skip all the digging and coding. The information we need is quickly available without needing to be a query wiz. This is so valuable for us – the team can act with greater speed and confidence, and achieve more with less supervision, fewer needs to escalate or interruptions to the workflow.”

Binalyze AIR also improved the accuracy of evidence gathering and analysis to add context to alerts. The platform’s advanced capabilities ensured the team had ready access to everything they needed to make informed decisions and respond to threats decisively.

The platform provided a single point for all evidence-related tasks helping to streamline workflows. The in-built analysis capability, DRONE, automatically highlights IoCs and ranks findings by severity to aid in prioritization. Meanwhile, AIR’s remote shell feature, interACT, provides remote, cross-platform access to Windows, Mac, and Linux devices, allowing for a standardized process regardless of operating system.

This end-to-end investigation workflow capability also means that Dark Rhiino’s team could manage a higher volume of incidents without needing to proportionally increase their workforce. The platform’s scalability meant that the company could expand its operations and manage more clients efficiently.

Tyler added: “The accessibility of AIR was a huge benefit from a resource perspective. Anyone who has had to manage cybersecurity salaries knows that the more expertise a tool requires, the more expensive it is to run because of the skills required. Binalyze is so easy to use that I could get an intern, and they would be an absolute rockstar with it in three hours. It means we can uplevel our team and provide a complete security solution to our customers.”

Legitimate access use-case

During a routine monitoring session, Dark Rhiino identified a client’s employee who had inadvertently connected to a malicious wireless network in Asia, believing it to be a legitimate hotel Wi-Fi. This led to a DNS corruption that redirected all network traffic to a malicious server, which blocked the employee’s ability to use their VPN.

The endpoint was unable to recognize any malicious behaviour, leading to a frustrated employee requesting exceptions to access work tools. Dark Rhiino utilized the Binalyze platform to swiftly investigate the issue. Within 30 minutes, they traced the DNS responses and confirmed the malicious DNS was altering IP addresses, preventing legitimate connections.

Thanks to Binalyze AIR’s forensic-level visibility, Dark Rhiino quickly identified that the employee had connected to a fake network mimicking the hotel’s Wi-Fi. By instructing the employee to connect to a trusted port or a different network, the team mitigated the threat before any significant damage occurred.

Delivering more value and security to clients

The adoption of Binalyze AIR provided several key benefits that enhanced its managed security operations and enabled the team to better meet the security challenges of Dark Rhiino’s clients, and provide more ROI.

As an MSSP heavily involved in cyber liability insurance, capabilities around compliance are critical for Dark Rhiino. The Binalyze platform’s comprehensive data collection, tagging and management, and analysis features helped Dark Rhiino meet compliance standards efficiently and accurately. Binalyze plays a crucial role in a ‘defense-in-depth’ approach, catching threat indicators that may be missed by a traditional prevention- detection approach.

Tyler added: “While we address incidents when they happen, our play revolves very much around prevention. We help enterprises avoid having to go down the costly road of incident response with a very deep level of monitoring beyond what traditional endpoint tools can manage.

“On the occasions where we have an active bad actor, we know AIR will let us see literally everything they’ve done. We can freeze those files, pull them off the machine, delete them, anything we need to do. Binalyze lets us see all the pieces, put them together into a timeline, and deal with it. This is a hugely valuable capability for us.”

Conclusion

”Binalyze AIR has been a huge boost to our ability to proactively identify and stop threats before they do damage,” said Manoj.

“We can easily sort out false positives, quickly initiate a deep dive on genuine threats, and if necessary, contain an incident with a very rapid host isolation.

“Having so many comprehensive features in one place have been instrumental in enhancing our service delivery, enabling our business model and meeting our clients’ needs.”

Dark Rhiino’s experience with Binalyze AIR demonstrates how the platform can empower MSSPs to overcome operational challenges, improve efficiency, and deliver high-quality security services. This partnership highlights the potential for technology to transform security operations and ensure robust protection for clients.

Reduce Your Incident Response Time

Reduce Your Incident Response Time