The answer is, it depends on how you and your organization want to use the tool.

It is important to note the product design strategies behind Cyber Crucible:

  1. Protection should be hyper-automated, and not require constant care and feeding (alert attention), nor knob-turning (configuration) by the users.

  2. For more resource-rich security teams, the valuable telemetry should be available to them, for advanced threat hunting activities, or to support forensics and incident response activities.

  3. Action #2 above should in no way degrade the protection in place for action #1.

The most common feedback we receive from IT leadership is that their employees did not know Cyber Crucible had been protecting them for weeks already.

We have many users that leverage the tool in three capacities:

Set and Forget (Like Your Smoke Alarms)

Many organizations lack the resources to have threat hunters diving into telemetry from Cyber Crucible (or any other tool), but they want the risk of data extortion “off of their plate”. That is perfectly OK, and Cyber Crucible’s Data Extortion Prevention is designed to do exactly that.

These users lack the resources to spend time looking at the Process Injection, Credential Protection, and Process Creation data feeds.

Hence, we find that unless they are responding to a rare automated response by Cyber Crucible, or are performing inventory management (like when a new machine needs Cyber Crucible deployed to it), they simply do not log in to the Cyber Crucible web portal, and leave the automation to just do its job.

That is perfectly OK!

Advanced Threat Hunting + Automated Protection

Post-Incident Forensic Analysis & Remediation