At Arctic Wolf, our Concierge Security® Team (CST) of engineers and analysts provides our customers with the security expertise they need to protect against and respond to threats, as well as to customize and harden their environments and raise their cybersecurity posture. This is the first article in a new blog series that highlights real-world use cases of how our CST keeps Arctic Wolf customers safe amid a landscape of escalating and increasingly sophisticated cyberthreats.
Real World Examples: When More Tools Is Not The Answer, But the Problem
Customer Industry: Legal
CST Engagement: Architecture Review
Acronyms Used: MDR, CST, CSE, and IT
A National Law Firm Turns to Arctic Wolf
One of our newer customers is a national law firm with offices in 14 cities and a small IT team that had formerly handled the entirety of its security operations. To do so, the IT team ran numerous security tools from big-name vendors, including Cisco and Microsoft. Given the team's size and range of responsibilities, the firm required additional expertise to protect employee and client information from both commonplace and sophisticated cyberattacks.
As a result, they brought us on to augment their team, operationalize disparate sources of security data, and improve the firm’s security posture. The following event took place within their first month of becoming an Arctic Wolf® Managed Detection and Response customer.
The Mysterious Case of the Malicious File
The Arctic Wolf Concierge Security Team leads architecture reviews, threat hunting activities, and regular strategic discussions to help the law firm implement security best practices. In preparation for an architecture review, the firm's dedicated Concierge Security Engineer (CSE) noticed a notification coming out of Cisco AMP. The alert was unusual: AMP had detected a malicious file but failed to clean it, reporting that the file could not be found.
The CSE learned this had become an ongoing issue. The law firm's security manager knew about it; he just didn't have time to figure it out. His only response was to ask a different team to run a scan on the system, which always came back clean. The firm began to doubt that Cisco AMP was configured correctly and wondered whether other issues were going unnoticed as well.
Tricked by Too Many Tools
It turns out the law firm was running Microsoft Defender ATP in addition to Cisco AMP on its Windows endpoints. When the Arctic Wolf CSE saw the alert from AMP, he started an investigation and found that Microsoft Defender had also detected the malicious file and quarantined it before Cisco AMP was able to remediate it. Two real-time engines watching the same file system race each other: whichever acts first removes the file, and the other finds nothing to clean.
Cisco AMP then logged a remediation error because the file had disappeared, which added noise to the Cisco console and forced various teams into a time-consuming search for a file that no longer existed. This wasn't a good use of anybody's time, and the recurring unexplained alert could easily have masked a genuine failure.
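The quickest way to catch this kind of overlap before it generates phantom alerts is to ask the endpoint which antivirus products it has registered and which of them claim to be actively protecting it. The PowerShell below is an added example, not code from the Arctic Wolf post or from either vendor. It reads the Windows Security Center registration (the `root/SecurityCenter2` namespace, which exists on Windows 10/11 clients but not on Windows Server) and Defender's own status via `Get-MpComputerStatus`. The decoding of the `productState` bitfield (the middle byte's `0x10` bit meaning "enabled") is the widely used but undocumented interpretation, so treat it as an assumption; the product names in the warning come from whatever is actually installed.

```powershell
# Added example (not from the original post): flag more than one enabled antivirus engine on a
# Windows client, and show whether Microsoft Defender Antivirus is active or passive.
# Assumes a Windows 10/11 client with the Defender PowerShell module available.

function Get-RegisteredAv {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a 24-bit bitfield; the middle byte carries the "enabled" flag (0x10).
            # This decoding is widely used but not documented by Microsoft (assumption).
            $state       = [int]$_.productState
            $enabledByte = ($state -shr 8) -band 0xFF
            [pscustomobject]@{
                Name      = $_.displayName
                Enabled   = (($enabledByte -band 0x10) -ne 0)
                State     = ('0x{0:X6}' -f $state)
                Timestamp = $_.timestamp
            }
        }
}

$av = Get-RegisteredAv
$av | Format-Table -AutoSize

# More than one engine with real-time protection enabled is the condition that produced the
# "file could not be found" remediation errors described above.
$active = @($av | Where-Object Enabled)
if ($active.Count -gt 1) {
    $names = $active.Name -join ', '
    Write-Warning "$($active.Count) antivirus engines report real-time protection enabled: $names. Only one engine should own remediation on this host."
}

# Defender's own view of itself. When a third-party engine is meant to be primary, Defender
# Antivirus should report 'Passive Mode' (detects, but leaves remediation to the other product);
# 'Normal' means it will quarantine files on its own and race the other engine.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode             = $mp.AMRunningMode
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
}
```

Run it from an elevated prompt on a sample of endpoints, or push it through your RMM. A host that lists two products as enabled, or that shows a third-party product alongside Defender in `Normal` mode, is one where the two engines will keep stepping on each other's remediation.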
Stronger Security Moving Forward
Arctic Wolf helped the customer's IT team clean up its existing tools, eliminated a recurring console alert that couldn't be explained, and in the process became a trusted advisor. The CSE continues to meet regularly with the customer's security manager, who is pleased that Arctic Wolf lets him think proactively and strategically in order to implement security controls that improve the effectiveness and internal reputation of his team.
Most recently, based on a recommendation from Arctic Wolf, the security manager updated his VIP employee list to include the billing department in addition to the firm's named partners. The billing team can initiate wire transfers, which makes it a prime target for business email compromise, so he asked his CSE to automatically escalate suspicious activity detected on their devices. With Arctic Wolf, his team can focus on more sophisticated attack vectors than it could before. Previously, he didn't have time to think through this phishing attack vector; now he is able to report to the partners that he has it covered.
To learn about how Arctic Wolf helps other customers with their security, check out some of our case studies.