This training by Corey Doster, Lumu’s Customer Success Manager, looks at Lumu Portal deployment and incident management for Managed Service Providers (MSPs). The Lumu portal is a multi-tenant platform specifically designed for MSPs to facilitate efficient network security monitoring and automated response.
The deployment process involves creating customer tenants, assigning endpoint-based licenses, and deploying agents via RMM tools to collect DNS and IP metadata across Windows, Mac, and Linux systems. For environments requiring broader visibility, Lumu offers server collectors for Active Directory and virtual appliances capable of gathering Syslog and Netflow data from firewalls and other network infrastructure devices that cannot host individual agents.
Takeaways
- MSP-Centric Architecture: The Lumu portal (manage.lumu.io) is built for multi-tenancy, offering self-service tenant creation, MFA support, and SSO integrations for service providers.
- Endpoint-Based Licensing: Subscription costs are determined by the number of endpoints with installed agents; IoT devices, cameras, and tablets do not consume licenses even though their metadata is collected.
- Strategic Deployment Workflow: Best practices recommend deploying endpoint agents first using RMM tools to gain instant network visibility, followed by server collectors for AD/DNS or Virtual Appliances (VA) for Syslog/Netflow.
- Automated Response Orchestration: Lumu can identify malicious file hashes and URLs (such as those associated with BlackMatter ransomware) and push automated blocks to firewalls (e.g., Juniper, FortiGate) and EDRs in less than one minute.
- Bidirectional SecOps Integration: Integration with PSA tools like ConnectWise allows engineers to manage, comment on, and close incidents from either the Lumu portal or the ticketing system.
- Detailed Incident Attribution: The portal identifies not just the affected IP, but the logged-in user and the specific process (e.g., edge.exe) responsible for contacting a malicious domain.
FAQs
Which operating systems support the Lumu endpoint agent?
The Lumu agent can be installed on Windows, Mac, and Linux devices to collect DNS and IP metadata.
How are IoT and tablet devices monitored if they cannot host an agent?
Lumu uses server collectors on Active Directory servers or Virtual Appliances to capture metadata from devices that do not support direct agent installation.
What is the benefit of the SecOps integration with PSAs like ConnectWise?
It provides a bidirectional integration where tickets can be opened, updated, and closed between the Lumu portal and the PSA ticketing system.
How fast does Lumu orchestrate response blocks once a threat is detected?
Lumu typically orchestrates response blocks across integrated security tools in near real-time, often in less than one minute.
What details are provided in the detections tab during an incident investigation?
The detections tab identifies the affected endpoint, the source of detection, the specific user logged in, and the process that interacted with the indicator of compromise.