Published: 11th August 2023 | In: Insights
Many organisations invest in security tooling, such as endpoint or network protection and response products, deploy it ‘out of the box’, ‘plug’ it in and sit back, assuming there is nothing more to do and that their IT estate is secure from then on. The hard truth is that they are missing a crucial step, one that could prove to be the difference between business as usual and their worst day ever.
An urgent call for help
One day, a company phoned Quorum Cyber in a critical emergency. They were desperate: they had received several ransomware alerts and discovered an incident. They were not an existing customer and never had been, but they needed urgent Incident Response (IR) support.
Our IR team rapidly deployed Microsoft Sentinel and was granted access to their logs, their Microsoft Defender products and everything else we needed to investigate the incident. Using the Microsoft Security stack, we were able to rapidly contain the incident and start investigating how it had occurred.
It soon became apparent that there had been attacker activity for several weeks, if not longer, before the point of detection. They had even received some alerts from their network tooling, but because no corresponding alerts came from Microsoft Defender for Endpoint (MDE), they dismissed them as false positives. But how can this be? Isn’t MDE one of the – if not THE – best endpoint detection & response (EDR) products on the market? What went wrong?
In one way, everything worked as intended, even without any professional configuration. MDE caught the ransomware and stopped the payload from ‘detonating’. That is a true testament to the product: fresh out of the box, it prevented the encryption stage of the attack. However, had the organisation properly configured MDE and correlated its telemetry with their other security controls, they would have had the chance to detect the intrusion weeks sooner, before the attacker reached that stage.
Without Microsoft Defender, this incident could have made for their worst day ever. With MDE configured properly, they could have resolved the incident themselves in minutes rather than days, and saved themselves many hours of stress.
Don’t rely on luck to protect your assets
Believing that MDE and the other Microsoft Defender products were set up to monitor and protect their systems around the clock, the company had never realised Defender’s true potential by tailoring it to their specific environment.
While in this case we got ahead of the attacker before the ransomware detonated, many organisations are not this lucky. And even though the ransomware failed, the attacker had still gathered considerable information about the organisation before being caught.
Early detection is crucial
Upon investigation, Quorum Cyber discovered activity dating back at least a month. Had it been detected at the time, the threat actor could have been blocked in the first stage of the attack.
The attacker gained initial access through phishing, using links to common file-sharing sites that the organisation used regularly, which made the lure hard to detect. From there, however, there was a great deal of activity across several hosts, including outbound malicious connections and suspicious processes, for which Quorum Cyber’s IR team would have expected a significant volume of alerts. The question therefore was: what was missing?
At first glance, the customer had the right tools deployed, in the right places, and everything looked in order. On further analysis, our experts made several observations which explained the lack of earlier detection:
- A particularly powerful aspect of MDE, the Attack Surface Reduction (ASR) rules, was not being fully used: the rules were running in audit mode, which only records what a rule would have blocked and neither blocks the action nor raises an alert, so none of the matching activity surfaced as a detection
- MDE’s heuristic (behavioural) detections, especially on estates where user accounts exhibit a wide range of behaviours, depend on the relevant profiles being in place; not all of them were, which limited MDE’s ability to flag unexpected behaviour
- Not all devices in the estate were compliant with the relevant policies, including devices the attacker compromised early on, which further reduced detection coverage for the activity.
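As an added illustration (this is not code from the original article or from Quorum Cyber), the following PowerShell checks the three observations above on a single Windows host: which ASR rules are in audit mode rather than block, what those rules would have blocked over the last 30 days (Microsoft Defender logs an audit-mode match as event ID 1122 in its Operational log and a real block as 1121), and whether the core Defender protections that a compliance policy normally enforces are actually on. The rule GUIDs and titles are taken from Microsoft’s published ASR rule reference and should be verified against current documentation; the function names are the example’s own. It assumes an elevated session on a device running Microsoft Defender Antivirus with the built-in Defender PowerShell module.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes Windows 10/11 or Windows
# Server with Microsoft Defender Antivirus and its built-in PowerShell module.
# Function names are the example's own.

# Action codes Get-MpPreference reports for each configured ASR rule.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Rules relevant to a phishing-led intrusion. GUIDs/titles are from Microsoft's
# published ASR rule reference; verify them before deploying.
$RulesToEnforce = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Get-AsrRuleState {
    # One row per rule of interest with its configured action (Disabled if unset).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $current = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $current[$ids[$i].ToString().ToUpperInvariant()] = [int]$actions[$i]
    }
    foreach ($id in $RulesToEnforce.Keys) {
        $code = if ($current.ContainsKey($id)) { $current[$id] } else { 0 }
        [pscustomobject]@{
            RuleId   = $id
            Rule     = $RulesToEnforce[$id]
            Action   = $AsrActionName[$code]
            Enforced = ($code -eq 1)   # only Block actually stops the action
        }
    }
}

function Get-AsrAuditHits {
    # Event 1122 = an ASR rule matched in audit mode (logged, not blocked, no alert);
    # 1121 = the rule blocked the action. Audit hits are what the estate
    # "saw" during the intrusion but never alerted on.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function Get-DefenderHealth {
    # The per-device settings a compliance policy normally enforces; a device
    # failing any of these is the "non-compliant" case in the observations above.
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        TamperProtected    = $s.IsTamperProtected
        CloudProtection    = ($p.MAPSReporting -ne 0)   # 0 = cloud-delivered protection off
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

function Set-AsrRulesToBlock {
    # Moves the listed rules from Audit (or unset) to Block. Add-MpPreference appends
    # or updates a rule; 'Enabled' is block mode, 'AuditMode' is audit.
    # On Intune/GPO-managed devices the central policy wins, so change it there.
    foreach ($id in $RulesToEnforce.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Usage: review first, enforce only once the audit hits have been triaged.
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditHits -Days 30 | Select-Object -First 20 | Format-List
Get-DefenderHealth
# Set-AsrRulesToBlock
```

Two practical caveats: a rule that has been sitting in audit mode for months usually has a backlog of 1122 events, and some of them will be legitimate line-of-business activity, so triage those (and add exclusions where justified) before flipping the rule to Block, or you trade missed detections for a broken business process. And on devices managed by Intune or Group Policy, local `Add-MpPreference` changes are overwritten at the next policy refresh, so the audit-to-block change has to be made in the management plane to stick across the estate.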
A chink in the armour
While managed detection & response (MDR) services and advanced security products such as Microsoft Defender offer strong security across an organisation’s IT estate, there is a reliance on the tools used being configured precisely, tailored to the environment in question, and maintained at all times. This is not a “one-time thing” but a constant requirement to keep the tools optimised. Missing this step is akin to a fortress being built with the gates in the back wall left wide open.
The attackers and threats do not stand still. Nor does technology. That technology, however, does require expert threat and product knowledge to stay ahead of evolving threats and ensure ongoing protection.
Greater than the sum of its parts – why Managed XDR is so powerful
It’s the way that the Microsoft Security products are integrated, including the Defender product family, the Azure security products and Microsoft Entra ID, that makes it the gold standard in cyber security today. Combined, they are much more than the sum of their individual products. They are natively integrated, and not bolted-on which makes Microsoft’s Extended Detection & Response (XDR) solution, and their security ecosystem overall, one of the best in the world.
So, while in this incident MDE did not trigger alerts on certain activity because of how it was configured, had its telemetry been combined with the other Defender products, Microsoft Sentinel, Microsoft Entra ID Protection and more, the attack would still have been caught and stopped sooner, even with MDE’s limited configuration.
Combining human intelligence and creativity, in the form of certified and experienced XDR engineers and SOC analysts, with these advanced technology capabilities takes the technology to the next level.
Quorum Cyber’s Managed XDR service has everything that’s included in the Microsoft Sentinel MDR service, but extends to managing your Microsoft Defender and Azure security products for you – ensuring always-optimised security. Regarding regulatory compliance, Managed XDR’s tooling configurations ensure your ability to meet critical regulatory and compliance standards, further strengthening your data security and fostering trust with all stakeholders.
What Managed XDR delivers:
- Enables organisations to reduce their total cost of ownership (typically >30%) of security products and services by doing more with less – the benefits of a combined, integrated ecosystem such as Microsoft Defender and Sentinel products drastically increase visibility, protection and detection – for less cost
- Increases effectiveness of security teams – your teams can focus on security improvements across the estate rather than having to be product experts or handling incidents and alerts that can be automatically blocked or handled
- Drives organisational success and business resilience – even on your worst day, your organisation can still thrive when the security tooling and services are working optimally and able to contain and lockdown breaches rapidly
- Drastically reduces attacker dwell time and impacts – optimised controls, automated responses, and flexibility to make rapid changes in an emergency to block attackers quickly
- Compliance with regulatory requirements – carefully configured tooling will ensure you can meet critical regulatory and compliance standards.
Results are all that matter
Advanced technology features might give organisations some level of confidence, but outcomes and results are all that matter. At Quorum Cyber, our engineers and analysts deploy, configure and maintain all these solutions, ensuring you are always protected against the latest threats and any looming over the horizon.
Our mission is to boost your business resilience so that you can thrive. If you would like to learn more about our services or discuss anything related to cyber security or data security, please contact us on 0333 444 0041 or via [email protected].