Skip to main content

Service Providers Guide

Introduction

This guide is designed for Service Providers (MSPs, MSSPs, MDRs, etc.) who are deploying and managing SecuritySnares on behalf of their customers. This document provides a comprehensive onboarding checklist and best practices for successful customer deployments.

Quick Start

Follow the 6-phase deployment process below to ensure a smooth rollout. Each phase includes action items and success criteria.

Customer Onboarding Checklist

Use this high-level checklist to track overall progress through the customer onboarding process:

Phase         Description
Phase 1Pre-Deployment Planning - Gather inventory, define scope, select pilot group
Phase 2Pilot Deployment - Deploy to pilot group and monitor for issues
Phase 3Exception Review - Review alerts after 3+ days, create allowlist entries
Phase 4Full Deployment - Deploy to all remaining in-scope systems
Phase 5Post-Deployment Configuration - Configure Script Encryption Policy, set uninstall password, configure notifications
Phase 6Final Review and Protect Mode - Verify all systems operational, transition to Protect Mode

Typical Timeline: 2-4 weeks from initial inventory to full production deployment

Customer Onboarding

As part of the onboarding process, work with your customer's team to identify the systems where the SecuritySnares micro-agent will be deployed. This step ensures a smooth rollout, minimizes risk, and confirms compatibility across the customer environment.

1. Endpoint Inventory Collection

Begin by gathering a complete list of endpoints within the customer's environment. This includes:

  • Servers (physical or virtual)
  • Desktops and laptops
  • Other networked systems that may require endpoint visibility or protection

The customer's team may provide this information in the form of an asset inventory, Active Directory export, or endpoint management report (e.g., from SCCM, Intune, or another tool).

Action Items:

  • Request endpoint inventory from customer
  • Document list of Endpoint Detection and Response (EDR) and/or Anti-Virus (AV) agents currently deployed
  • Verify inventory is complete and accurate

2. Scope Definition

Once the full inventory is available, categorize systems as:

In-Scope Systems

Systems that will receive the SecuritySnares micro-agent as part of the deployment plan:

  • Microsoft Windows Server 2016+
  • Microsoft Windows 10+

Out-of-Scope Systems

Systems excluded from deployment (e.g., unsupported operating systems):

  • Microsoft Windows 7 (64-bit) amd earlier
  • Microsoft Windows 2012 and earlier
  • Linux
  • macOS

Action Items:

  • Categorize all endpoints as in-scope or out-of-scope
  • Document the reason for any out-of-scope systems
  • Get customer approval on the scope definition
Best Practice

Documenting the scope early helps ensure there is a plan in place with the customer, expectations are set, and there is a pilot group that is representative of the customer's assets.

3. Pilot Group Selection

To validate performance and compatibility before full rollout, select a pilot group consisting of representative systems.

Pilot Group Criteria:

  • Select five (5) machines from each operating system type (e.g., Windows Server 2019, Windows 10, etc.)
  • Pilot endpoints should reflect typical workloads and use cases across the customer environment
  • The pilot phase will allow confirmation of successful installation, reporting, and performance before scaling to all in-scope systems

Action Items:

  • Identify pilot systems representing each OS type
  • Verify pilot systems reflect typical workloads
  • Document pilot group in the table below
  • Get customer approval on pilot selection

Suggested Pilot Group:

Host NameOperating SystemWorkload TypeContact

2. Pilot Deployment

Deploy the SecuritySnares agent to the pilot group selected in Phase 1.

Action Items:

  • Deploy agent to pilot systems
  • Verify successful installation on all pilot systems
  • Confirm agents are communicating with the portal
  • Monitor pilot systems for any issues

Issue Handling During Pilot Testing

If any issues arise during the pilot deployment, such as system instability, application interference, or unexpected behavior, disable the agent through the web management console.

Disabling the Agent:

Disabling the agent will:

  • Temporarily disable the SecuritySnares driver, ensuring endpoint stability
  • Preserve and collect diagnostic logs for further investigation

Escalation Process:

Once the Agent Disable feature is engaged, notify SecuritySnares Support immediately.

Our engineers will:

  1. Review the collected logs to identify the cause of the issue
  2. Provide recommendations or configuration adjustments to resolve the problem
  3. Verify remediation steps before re-enabling the driver and continuing with the pilot phase

Action Items:

  • Monitor pilot systems for any issues
  • Document any problems encountered
  • Collect and submit logs if issues occur
  • Work with SecuritySnares Support on resolution
  • Verify fixes before proceeding
note

This process ensures safe testing conditions while identifying potential operational or compatibility issues.

3. Exception Review

Three (3) or more days after the initial pilot deployment, SecuritySnares and the customer's technical team will reconvene to review pilot results and evaluate any alerts generated during the test period.

Review Process:

During this review:

  • All exceptions (alerts or detections that may represent false positives) will be analyzed and classified
  • Adjustments to policies, exclusions, or detection thresholds will be made as needed to reduce noise and ensure accurate detections
  • Once both teams agree that detections are performing as expected, the pilot systems will be transitioned from Monitor Mode to Protect Mode, enabling full protection and response capabilities

Action Items:

  • Schedule review meeting 3+ days after pilot deployment
  • Collect and analyze all alerts from pilot period
  • Classify exceptions and false positives
  • Create allowlist entries for legitimate processes
  • Adjust policies and detection thresholds as needed
  • Get customer approval to transition to Protect Mode
  • Enable Protect Mode on pilot systems
Critical Step

This step ensures that agent configurations are validated in the customer environment before expanding deployment to all in-scope endpoints.

4. Full Deployment and Resource Monitoring

Following successful validation of the pilot group, proceed with the full deployment of the Endpoint Agent to all remaining in-scope systems.

Deployment activities should be coordinated between the service provider and the customer's IT team.

During Deployment:

  • Monitor system performance using the customer's resource monitoring tool to confirm that CPU, memory, and disk utilization remain within acceptable limits
  • Investigate any deviations or anomalies immediately to ensure stability and consistent endpoint performance
  • Verify successful installation and communication for all agents
  • Provide a summary deployment report upon completion

Action Items:

  • Plan deployment schedule with customer
  • Deploy to all remaining in-scope systems
  • Monitor system resources during deployment
  • Verify agent installation and communication
  • Document any issues encountered
  • Provide deployment summary report to customer
  • Schedule 3-day post-deployment review
  • Transition all systems to Protect Mode after review

5. Post-Deployment Configuration

After deployment, configure the following security settings to complete the customer onboarding.

Configure Script Encryption Policy

Configure the Script Encryption Policy to control how scripting interpreters handle file encryption within the customer environment.

Policy Location: Settings & Policies → Script Encryption Policy

Common Scripting Languages

Work with the customer to identify what scripting languages are used in their environment:

  • PowerShell - Nearly all IT administrators use PowerShell for automation and system management
  • Python, Ruby, Node.js - Automation and web applications
  • Batch Scripts, VBScript - Legacy systems

Action Items:

  • Ask customer IT team to identify scripting languages in use
  • Create Script Encryption Policy for each identified interpreter
  • Set all policies to "Alert" mode initially (first 2-4 weeks)
  • Apply policies at Organization or Host Group level as appropriate
  • Review alerts and create allowlist entries for legitimate scripts
  • Document which policies were created and their scope

See the User Guide for detailed information on Script Encryption Policy configuration.

Configure Uninstall Password

The uninstall password prevents unauthorized removal of the SecuritySnares agent.

Critical Security Measure

Once changed, SecuritySnares Support cannot recover or reset this password. The customer must store it securely in multiple locations.

Action Items:

  • Navigate to Agents page → "Update uninstall password"
  • Set a strong, unique password
  • Store password in customer's password vault/management system with MFA protection
  • Confirm password is backed up in multiple secure locations
  • Add password to customer's security runbook

See the User Guide for more information on service protection.

Configure Webhook Notifications

Configure webhook notifications to integrate SecuritySnares alerts with the customer's existing security tools and workflows.

Policy Location: Settings & Policies → Notifications

Action Items:

  • Identify customer's preferred notification destinations (SIEM, ticketing system, etc.)
  • Configure webhook endpoint URL
  • Set up webhook secret for signature verification
  • Test webhook delivery
  • Monitor delivery status in Audit Trail

See the User Guide for detailed information on webhook configuration and verification.

6. Final Review and Protect Mode

Complete the final verification and transition all systems to Protect Mode for full ransomware protection.

Action Items:

  • Verify all agents are installed and communicating properly
  • Review all configuration settings (Script Policies, Uninstall Password, Webhooks)
  • Confirm all allowlist entries are documented
  • Schedule final review meeting with customer
  • Get customer approval to enable Protect Mode on all systems
  • Transition all systems from Alert-Only to Protect Mode
  • Verify Protect Mode is active on all agents
  • Provide final deployment documentation to customer
Deployment Complete

Once all systems are in Protect Mode, the deployment is complete. Continue with ongoing monitoring and regular reviews with the customer.

Post-Deployment Best Practices

Ongoing Monitoring

Customer Communication

  • Provide regular status reports to the customer
  • Schedule quarterly reviews to discuss alerts and system performance
  • Maintain documentation of all allowlist entries and policy changes

Support and Escalation

If you need assistance at any point during the onboarding or deployment process:

By phone:

  • US: +1 800-914-1877
  • Europe: +44 20 3996 3283
  • Asia Pacific: +61 2 5104 3394

By email:

By Slack:

  • Ask your SecuritySnares representative for an invite!

Additional Resources

For more detailed information, refer to: