War Stories, Part 1: Cyber Sentinels On-Call 24/7
Look away for just one second, and you risk infection.
This was a key piece of wisdom provided by Sam McLane, head of security engineering at Arctic Wolf Networks, during a recent webinar titled “War stories from the trenches – case studies from a security ops perspective.”
McLane opened with a timely point: small and medium-sized businesses are not immune to today’s cyberattacks. Verizon’s recently released Data Breach Investigations Report 2017 underscored this, finding that 61 percent of the breach victims in the study were businesses with fewer than 1,000 employees. The harder question is what a small business should actually do with that knowledge.
“If you’re a smaller company, keeping a security engineer on staff so that they can properly manage, maintain and monitor what’s going on can just be too much,” McLane said. “They’re too expensive, they’re hard to find and it’s hard to keep them.”
Hiring full-time security staff may be off the table, but McLane noted that there are other ways to affordably manage, maintain and monitor your security environment. Just take the example of the following war story:
Mitigating a malware intrusion in real time
McLane has seen his fair share of incidents during his time in the trenches, and he has no shortage of stories to tell. One of the more memorable ones from the webinar involved malware that landed on an endpoint in a customer’s network via a phishing email. Unfortunately, the endpoint’s desktop agent was configured in monitor mode rather than protection mode: it logged the malicious execution instead of blocking it. As a result, the malware ran on the workstation and had free rein to reach the rest of the network.
As anyone following recent events is aware, many strains of malware are self-propagating: once on one endpoint, they move laterally across the network to infect others. In the scenario McLane described, that is exactly what started to happen.
What could have become a disastrous cyberattack ended up as no more than a blip on the radar for McLane’s customer. The moment the desktop agent detected the intrusion, even though it did not block the execution, an AWN security engineer was alerted to the activity, both by the agent and independently by AWN’s own network IDS.
“We started forensics and triage and noticed two other rapid infections so clearly this was something that was going to spread rapidly,” McLane said. “We contacted the customer to make sure that these destinations were blocked, that the situation was remediated and that the work stations were cleaned up.”
He added: “We were able to, in a matter of minutes, prevent the outbreak from getting any further than three or four workstations.”
And that was that.
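The triage McLane describes, correlating alerts from a detect-only agent and the network IDS, spotting that the same indicator is hitting several hosts within minutes, and then handing the customer a list of destinations to block and workstations to clean, is straightforward to automate. The following is an added example written for this page in Python, not Arctic Wolf’s tooling; the alert format, the field names, the 10-minute window and the sample alert lines are all constructed for illustration.

```python
"""Correlate detect-only endpoint alerts with network IDS alerts, flag an
outbreak (one indicator on several hosts within a short window) and produce
the remediation hand-off: destinations to block and hosts to clean.

Added illustration; the alert format and sample data below are constructed
and are not Arctic Wolf's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumed format, not from the webinar).
# timestamp|source|host|action|indicator
#   source:    "agent" (endpoint agent) or "ids" (network sensor)
#   action:    "detected" (monitor mode: logged, not stopped) or "blocked"
#   indicator: sample hash for agent alerts, destination ip:port for IDS alerts
SAMPLE_ALERTS = """\
2017-05-10T09:14:02|agent|ws-017|detected|hash:deadbeef01
2017-05-10T09:14:05|ids|ws-017|detected|203.0.113.45:443
2017-05-10T09:16:40|agent|ws-022|detected|hash:deadbeef01
2017-05-10T09:16:44|ids|ws-022|detected|203.0.113.45:443
2017-05-10T09:18:51|agent|ws-031|detected|hash:deadbeef01
2017-05-10T09:18:55|ids|ws-031|detected|203.0.113.45:443
2017-05-10T09:20:10|agent|ws-040|blocked|hash:deadbeef01
2017-05-10T11:02:13|ids|ws-005|detected|198.51.100.7:80
"""


def parse_alerts(text):
    """Parse pipe-delimited alert lines into dicts with a datetime timestamp."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, host, action, indicator = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "action": action, "indicator": indicator})
    return alerts


def find_outbreaks(alerts, window_minutes=10, min_hosts=2):
    """Return {indicator: sorted hosts} for every indicator that was seen on at
    least `min_hosts` distinct hosts inside some `window_minutes`-long span.
    A single host beaconing once is noise; the same indicator on several hosts
    within minutes is the lateral movement the story is about."""
    window = timedelta(minutes=window_minutes)
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[a["indicator"]].append((a["ts"], a["host"]))
    outbreaks = {}
    for indicator, events in by_indicator.items():
        events.sort()
        # Slide a window starting at each event; the stream is small enough
        # that the quadratic scan is fine.
        spreading = any(
            len({h for ts, h in events[i:] if ts - start <= window}) >= min_hosts
            for i, (start, _) in enumerate(events))
        if spreading:
            outbreaks[indicator] = sorted({h for _, h in events})
    return outbreaks


def remediation_plan(alerts, window_minutes=10, min_hosts=2):
    """Turn the outbreak verdict into the two actions handed to the customer.
    Destinations come from IDS indicators that are spreading.  A host needs
    cleanup only if its agent merely *detected* execution (monitor mode);
    where the agent blocked the sample, nothing ran."""
    outbreaks = find_outbreaks(alerts, window_minutes, min_hosts)
    ids_indicators = {a["indicator"] for a in alerts if a["source"] == "ids"}
    block = sorted(ind for ind in outbreaks if ind in ids_indicators)
    clean = sorted({a["host"] for a in alerts
                    if a["source"] == "agent" and a["action"] == "detected"})
    return {"outbreaks": outbreaks, "block_destinations": block,
            "clean_hosts": clean}


if __name__ == "__main__":
    plan = remediation_plan(parse_alerts(SAMPLE_ALERTS))
    for key, value in plan.items():
        print(f"{key}: {value}")
```

On the constructed data the plan blocks 203.0.113.45:443 (the only IDS destination seen from several hosts), lists ws-017, ws-022 and ws-031 for cleanup, and leaves ws-040 alone because its agent actually blocked the sample. The lone IDS hit from ws-005 never crosses the threshold. The window and host-count thresholds are assumptions; tune them to the environment, since too wide a window turns every shared update server into an outbreak.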
The takeaway? Security expertise makes all the difference
Let’s say that the company in this war story didn’t have a relationship with AWN. If that had been the case, there’s little doubt that the malware would have spread to more endpoints and turned into a potentially disastrous incident for the company.
Obviously, that’s not what happened, mainly because AWN had a methodical incident response plan that was designed to quickly address these scenarios.
“We were able to very efficiently get the customer to perform remediation without it becoming sort of a world-on-fire drill where you drop everything,” McLane said. “It’s just part of the normal operating cadence of having a well-planned and well-oiled incident response program, which is what we provide for our customers.”
Specifically, AWN provides a service called a CyberSOC, which supplies managed detection and response (MDR) services from dedicated security engineers. As a subscription model, customers can expect predictable pricing for consistently strong service.
Part II of the War Stories blog series: Cutting the Phishing Lines.
Part III of the War Stories blog series: Foul Play or False Alarm.