What We Do
How we do it
May 11, 2022
CVE-2022-26923 - Active Directory Domain Services Elevation of Privilege Vulnerability
THE THREAT Microsoft has disclosed a new vulnerability impacting Active Directory Certificate Services (ADCS) tracked as CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). If exploited successfully, an authenticated attacker can escalate privileges in environments where ADCS is running on the domain. eSentire is aware of technical details and tooling [2] for…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Jan 08, 2019

Adapting security response for cloud workloads

Speak With A Security Expert Now

As originally posted on Security Boulevard on January 7, 2019

Not long ago, enterprise security could be organized neatly around the critical assets needing to be guarded. However, this “moat and fortress” model for cyberdefense is being demolished as the world turns to the cloud. This vanishing perimeter poses a profound problem for CISOs already grappling with other secular trends including mobile computing, shared security paradigms and fast-moving threat actors.

Take, for example, security information and event management (SIEM) system in the cloud. The underlying principle of a SIEM is that relevant data about an enterprise’s security is produced from multiple sources and must be correlated. By collecting and collating all data in a single location, it becomes easier to spot patterns, run searches and hunt for threats. This approach historically worked well in traditional fix-capacity environments. However, as threat actors evolve and IT environments continue to move to pure or hybrid cloud deployments, extracting meaningful and actionable information from SIEMs has proven difficult, requiring continuous creation of manual rules and policy updates to detect evasive threats. Securing and monitoring infrastructures have become more complicated and riskier as security architects struggle to map existing security solutions and techniques to the cloud. According to Verizon’s latest Data Breach Investigations Report, more than two-thirds of breaches worldwide went undetected for several months. Another study from NSS Labs shows SIEMs being deployed in more than 87 percent of enterprises.

Image courtesy of Verizon DBIR 2018

Correlating these two data points, traditional SIEMs are woefully behind the eight ball and seldom deliver on their promise. A new approach is needed so that detection and response can be delivered with agility and scale to tackle this problem head-on.

Getting Your Cloud Architecture ‘Monitoring-ready’

Watching and analyzing activity can be way more challenging in cloud native applications, since servers may be created and destroyed in days, hours or even minutes (in the case of containers). Time is at a premium for getting the activity trace off the “box” onto the aggregation platform. The best way to assure compliance, security and agile response is to co-locate the SIEM besides the rest of the infrastructure in the cloud so that logging can be centralized. Next, the security telemetry from underlying operating systems, network devices, users and applications need to be ingested at the aggregation layer. This sensor telemetry is augmented by external threat intelligence sources that provides a near-real time view of the existing threat climate and any emerging threats. The SIEM platform can then funnel this streaming dataset to a data lake where machine learning techniques are used to detect anomalies, corroborate potential threats and surfacing security incidents.

Delivering Security Response from the Cloud: 3 Essentials

Whether you are running a public, private or hybrid cloud, it is important to optimize the vast array of tools at your disposal so that your monitoring strategy can be effective, comprehensive and most importantly scale with your business. Here are three essentials that can help you be successful:

  1. Eliminate blind spots: As traditional monolithic applications move to the cloud, they are often broken down into microservices that may exist in several containers that exchange information on the wire. This so called ‘east-west traffic’ flow exists within the data center and is invisible to any perimeter security infrastructure, such as a firewall or a web gateway, presenting a security blind spot. Public providers have tools and services designed to provide visibility into this traffic besides providing a mechanism to guard against service misconfiguration. For example, AWS offers Guard Duty, VPC Logs, Trusted Advisor, Inspector, etc., while Azure has Security Center, Monitor, App Insights, etc. These tools offer extensive logging and reporting that can be used to identify potential abuse, compliance fails, configuration weakness and threat activity, and must be leveraged by the security analyst.
  1. Guarding against alert fatigue: A single pane of glass to view all security threats sounds like a no-brainer, but it can overwhelm the analyst making them numb to spurious alerts. Thus, it is important to prioritize and filter false positives so that appropriate high-fidelity incident tickets are created for further investigation.
  1. Automation: Allowing technology to automatically respond to incidents is fraught with danger since no two incidents are alike. Software patches, application blacklists and configurations need to be extensively tested before being rolled out. There is always the lurking risk of impacting a production environment due to a false positive; this is especially true of critical workloads running in the cloud. A security orchestration and automation response (SOAR) solution can optimize the productivity of highly skilled analysts by correlating the output of disjointed processes and technologies, such as compliance assessments and configuration management, and then orchestrating them.

Traditional monitoring architectures are built around fix-capacity environments and ill-equipped to handle the dynamic and elastic nature of cloud workloads. A new adaptive security approach is needed to support the digital transformation while retaining the ability to detect and respond to a new generation of threat actors.

View Most Recent Blogs
Eldon Sprickerhoff
Eldon Sprickerhoff Founder and Chief Innovation Officer
In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.