22 Jun / 2020
The Cythera security operations team has detected and responded to several security incidents with our clients over the last few weeks, and a common theme brought all of them to light: visibility.
So, you’re running firewalls, and IPS, and next-gen anti-virus, and multi-factor authentication. And you’re logging it all. You’re even pumping it all into a SIEM. Fantastic! You’re already doing better than many organisations.
But what are you doing with that data? Is it just a huge log store? Do you just use it to replay the tape if there is an issue? Does it just populate pretty dashboards? Do you have to write custom log queries or correlation rules to try to get any meaningful insights out of it?
Let’s look at a breach we detected, responded to and stopped for a client. Like many of these stories, it started with a user getting phished. They received an email from someone they thought was a trusted contact, and in the process were prompted for a login to their corporate email, where they entered their credentials.
The organisation had Multi Factor Authentication, so the story should wrap up here. But MFA is not a panacea, and for many organisations multi factor is still a complex beast to roll out everywhere; there are often legacy apps and multiple operating system dependencies to support. In this case, due to one of these dependencies, MFA had been disabled for a specific application; the attacker worked that out and used it to start accessing and downloading data.
Detecting this incident is where visibility goes well beyond logging. User behavioural analytics picked up that the user was accessing services from both unusual and multiple locations. Deception technology meant the attacker hit tripwires we had set in the organisation. What might have been completely missed in many organisations, or been just another alert log to others, was for us transformed into an investigation that our team responded to and ultimately used to stop the attack mid-flight.
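The behavioural detection described above, sketched as an added example (not Cythera's tooling and not code from the original post): it flags sign-ins from countries outside a user's baseline, password-only sign-ins from such locations, and several countries seen within a short window. The event fields, the per-user baseline and the two-hour window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not from the incident):
# (timestamp, user, application, country, MFA satisfied?)
EVENTS = [
    ("2020-06-01T08:02:00", "alice", "webmail",    "AU", True),
    ("2020-06-01T08:40:00", "alice", "legacy-app", "AU", False),
    ("2020-06-01T09:10:00", "alice", "legacy-app", "RO", False),
    ("2020-06-01T09:25:00", "alice", "legacy-app", "NG", False),
    ("2020-06-01T09:00:00", "bob",   "webmail",    "AU", True),
    ("2020-06-02T09:00:00", "bob",   "webmail",    "NZ", True),
]
BASELINE = {"alice": {"AU"}, "bob": {"AU", "NZ"}}  # assumed usual countries per user
WINDOW = timedelta(hours=2)                         # assumed correlation window


def detect(events, baseline, window=WINDOW):
    """Return {user: sorted finding names} for suspicious sign-in patterns."""
    per_user = defaultdict(list)
    for ts, user, app, country, mfa in events:
        per_user[user].append((datetime.fromisoformat(ts), app, country, mfa))

    findings = defaultdict(set)
    for user, rows in per_user.items():
        rows.sort()  # chronological order
        usual = baseline.get(user, set())  # unknown users have no usual country
        for i, (ts, app, country, mfa) in enumerate(rows):
            if country not in usual:
                findings[user].add("unusual_location")
                if not mfa:
                    # Password-only sign-in from a new place: the MFA-exempt app gap.
                    findings[user].add("no_mfa_from_unusual_location")
            # Countries seen for this user inside the window ending at this event.
            recent = {c for t, _, c, _ in rows[: i + 1] if ts - t <= window}
            if len(recent) > 1:
                findings[user].add("multiple_locations_in_window")
    return {u: sorted(f) for u, f in findings.items()}


if __name__ == "__main__":
    for user, names in detect(EVENTS, BASELINE).items():
        print(user, names)
```

Each finding alone is a weak signal; the combination on one account within a short period is what turns log entries into something worth investigating.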
What else did we find?
Many of the organisations we work with focus heavily on prevention capabilities, but are often blind to events and incidents when those prevention mechanisms let something through (and they will all miss something at some point).
If you need help with security monitoring and visibility, as well as security detection and response, our Managed Detection & Response Platform can provide you with real value. Reach out to us if you would like to discuss.