Cyber security today is filled with marketed promises of turn-key technologies that claim to detect attacks and protect data against breaches. A best-practices approach to building a high-performing security posture instead combines a proven, reliable, integrated technology stack with the professional threat hunters who manage it.
Buying into the promise of machine learning and artificial intelligence, and thereby relying too heavily on technology, can prove costly and result in an ineffective defense. For example, we recently responded to an incident at a retailer with over 200 locations nationwide that did not have a robust cyber security program in place.
We started our forensic assessment and response by immediately deploying an industry-leading endpoint detection and response (EDR) product. This gave us visibility into hundreds of endpoints and allowed us to identify possible points of intrusion, shut down additional attacks and start resolving the breach. When we augmented the EDR with network monitoring, we quickly confirmed what we had feared: the EDR product on its own had not eradicated everything.
That is not a knock on EDR products. When integrated into a holistic Managed Detection & Response (MDR) service that monitors endpoints, logs and networks, an EDR solution significantly reduces the risk of a breach taking hold at the host.
This particular company was not protecting their endpoints and was not adequately monitoring their network and logs. By failing to create adequate visibility into their entire infrastructure, they were highly exposed both to a deliberate attack and to an unintended, employee-enabled breach.
Imagine their surprise when law enforcement alerted them that they were the target of a major ransomware attack that was rapidly spreading through their system.
By the time Pondurance was brought in to respond to the incident, the ransomware attack had reached Phase 5 and was on the verge of Phase 6. Upon deploying a network sensor and running diagnostics, we identified almost 100 endpoints that had no protection at all under their existing security posture. It was through one of those unprotected endpoints that the attacker got into their environment. We immediately shut down the attack, secured the network and all of their endpoints, and started reviewing logs.
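The gap described above, hosts that are active on the network but invisible to the EDR, is something you can measure before an incident rather than discover during one. The following Python is an added example, not Pondurance's tooling or anything from the retailer in the story. It reconciles three constructed, hypothetical views of a fleet (a directory computer list, the EDR console's agent list with last check-in times, and the hosts a network sensor saw talking) and reports endpoints with no agent, agents that have gone silent, and hosts on the wire that are not in the inventory at all. The hostnames, IPs, timestamps and the seven-day staleness threshold are all assumptions.

```python
"""EDR coverage reconciliation: which active hosts does the EDR not see?

All data below is constructed for illustration (hypothetical hostnames, IPs and
timestamps); it is not a real inventory.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Three independent views of the same fleet.
AD_COMPUTERS = ["POS-STORE017-01", "POS-STORE017-02", "HQ-FILE01", "HQ-DC01"]

EDR_AGENTS = {  # hostname as the EDR console reports it -> last check-in (UTC)
    "pos-store017-01.corp.example": "2024-03-01T08:10:00",
    "hq-file01.corp.example": "2024-03-01T08:12:00",
    "hq-dc01.corp.example": "2024-02-10T02:00:00",  # agent stopped reporting weeks ago
}

NETWORK_SENSOR_HOSTS = {  # hostname resolved by the network sensor -> IPs seen active
    "POS-STORE017-01": ["10.17.0.21"],
    "POS-STORE017-02": ["10.17.0.22"],
    "HQ-FILE01": ["10.1.0.10"],
    "HQ-DC01": ["10.1.0.5"],
    "KIOSK-STORE088": ["10.88.0.40"],  # never joined to the domain, no agent
}

NOW = datetime(2024, 3, 1, 9, 0, 0)  # assumed reference time for staleness checks


def normalize(hostname: str) -> str:
    """Key every source on the same short, upper-case hostname."""
    return hostname.split(".")[0].upper()


@dataclass
class CoverageReport:
    no_agent: set = field(default_factory=set)             # active, no EDR agent at all
    stale_agent: set = field(default_factory=set)          # agent installed but silent
    unknown_to_inventory: set = field(default_factory=set)  # on the wire, not in AD
    healthy: set = field(default_factory=set)              # agent reporting recently

    @property
    def coverage(self) -> float:
        """Share of network-active hosts with a healthy, reporting agent."""
        active = len(self.healthy) + len(self.no_agent) + len(self.stale_agent)
        return len(self.healthy) / active if active else 0.0


def reconcile(ad_computers, edr_agents, sensor_hosts, now, stale_after=timedelta(days=7)):
    """Use the network sensor as ground truth for 'active' and check each host
    against the directory and the EDR agent list."""
    inventory = {normalize(h) for h in ad_computers}
    last_seen = {normalize(h): datetime.fromisoformat(ts) for h, ts in edr_agents.items()}
    report = CoverageReport()
    for host in sensor_hosts:
        name = normalize(host)
        if name not in inventory:
            report.unknown_to_inventory.add(name)
        if name not in last_seen:
            report.no_agent.add(name)
        elif now - last_seen[name] > stale_after:
            report.stale_agent.add(name)
        else:
            report.healthy.add(name)
    return report


if __name__ == "__main__":
    r = reconcile(AD_COMPUTERS, EDR_AGENTS, NETWORK_SENSOR_HOSTS, NOW)
    print(f"healthy coverage: {r.coverage:.0%}")
    print("no agent:            ", sorted(r.no_agent))
    print("stale agent:         ", sorted(r.stale_agent))
    print("not in AD inventory: ", sorted(r.unknown_to_inventory))
```

On the sample data this reports 40% healthy coverage: one point-of-sale host and a kiosk have no agent, and the domain controller's agent has been silent for weeks. Keying the check on what the network sensor actually saw, rather than on the directory, is deliberate: a host that never joined the domain (the kiosk here) is exactly the kind of endpoint an inventory-driven agent rollout misses, and a silent agent counts as a gap, not as coverage.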
Unfortunately, we frequently respond to incidents of this nature, where a company has no EDR deployed, relies too heavily on an inadequate or incompletely deployed EDR, or has been fatigued by false-positive alerts in which the EDR flags business-critical systems as under attack when they are in fact functioning normally. Alert fatigue of that kind is as much a tuning and staffing problem as a product problem: an untuned EDR that nobody has time to triage gets ignored, and the one true positive is lost in the noise.
The reality of cyber security is that companies often lack the resources or training to effectively secure their endpoints, networks and logs, yet covering all three is the best defense and the surest path to a strong security posture. Trusting EDR, a SIEM or any other single technology product to serve as a magic bullet is misguided. A strong security posture requires a strategically deployed Managed Detection & Response solution that covers all of your digital assets and technology systems.
Max Henderson is a Sr. Security Analyst II and the Incident Response Lead here at Pondurance.