March 21, 2022

Last Updated on January 4, 2024

“Security infrastructure as a service” provider LimaCharlie describes its business model as “AWS for security.” They’re looking to give security teams more visibility and control over their security infrastructure by offering an à la carte menu of security capabilities consumable in a pay-as-you-go model.

Moreover, as founder Maxime Lamothe-Brassard shared on a recent episode of The Virtual CISO Podcast, LimaCharlie’s approach to provisioning security can save some orgs significant money by enabling them to replace standalone, conventional solutions with LimaCharlie “Lego blocks.”

No more tight labels

LimaCharlie’s modular, plug-and-play model blurs many conventional boundaries around security tools and capabilities. What is EDR or SIEM? With LimaCharlie, that depends on what you need, not what a vendor delivers.

“We really don’t like the tight labels that are out there,” asserts Maxime. “What that means is, for example, we enable people to do things like Windows EventLog forwarding. Instead of deploying your own agent that you’re paying a vendor for, it’s a built-in, free, automatic part of LimaCharlie. Maybe you’re investigating something, and you want to run Velociraptor. You don’t have to go and redeploy again more infrastructure and maintain more things. It’s trivial; we have an integration. You just go, ‘I want to collect these artifacts from these endpoints,’ and go.”

Maxime likens LimaCharlie to a “security bus” that you can plug into to get data from a huge range of sources, e.g., Office 365 audit logs or 1Password audit logs.

Beyond open-source

Conceptually, LimaCharlie has an open-source feel. Its modularity opens the door for third parties to extend the platform in at least two ways.

First, as with huge SaaS vendors like Salesforce, the potential exists for other SaaS providers to create and monetize “plugins” or tools that are compatible with the LimaCharlie ecosystem. A similar approach would be for software vendors to develop LimaCharlie interfaces and integrations for their proprietary offerings.

Akin to AWS, a second possibility is less like a marketplace and more like a sandbox for OEM development. As Maxime explains, “If you’re starting a tech company nowadays, you’re going to go to a cloud provider. You’re not going to rack and stack your own things. We want people in security to take that same approach using LimaCharlie. We want people to say, ‘Hey, we have this great idea for a product.’ If so, your value is not in building an agent. You just want the data. You want to get to market quickly. You don’t have to talk to anybody, and we do pure-usage billing, so you’re just paying for the tiny bits that you need.”

The idea is to leverage LimaCharlie as infrastructure, so you can get straight to market and potentially start touching every device connected to the ecosystem from day one.

Analogously, enterprise teams are “assimilating” LimaCharlie as part of their internal platforms. “Many people will use the LimaCharlie API as part of their automation to do their processes,” Maxime clarifies. “We’re not interested in keeping your data locked into something complicated. We’re just designed to work with everything.”

An educational sales process

Maxime recognizes that his company faces an educational sales process because the LimaCharlie model is disruptive.

“This is not an easy product to understand, right?” admits Maxime. “People don’t wake up in the morning and go, ‘I’m looking for a security toolbox that’s out on the internet.’ They’re looking for a SIEM, they’re looking for MDR, they’re looking for a SOC.”

But once clients get what LimaCharlie is all about, they start running with the ball.

Maxime continues: “We take them through that realization. ‘By the way, you have a vendor for Windows EventLog forwarding.’ ‘Oh yeah, we pay $50,000 a year for that vendor, and it’s deployed as its own agent. It’s kind of a pain.’ ‘Well just by the way, if you click here, you’re going to start to bring all of this in.’ And they kind of light up, and they go, ‘Oh, that’s cool—now I can take that vendor off.’”

Another popular win is for clients to forward targeted event log data to Splunk. By greatly reducing the volume of data going to Splunk, they can cut their Splunk charges significantly.

“We want to solve use cases that you have,” Maxime relates. “We want to solve problems. That’s what we know how to do.”

The more people wrap their minds around the LimaCharlie model, the more they’ll create—and reap—the benefits.

“That’s the direction the industry’s going, to more and more security professionals wanting more than just the boxed product,” adds Maxime.

What’s next?

To hear the full podcast with LimaCharlie founder Maxime Lamothe-Brassard, click here.

Want more guidance on the value of EDR? We recommend this podcast with the CEO of Vigilant: EP#50 – Chris Neyhuis – How EDR & NDR Help You Make Better Security Decisions
