Blog — Jan 08, 2019

Adapting security response for cloud workloads

As originally posted on Security Boulevard on January 7, 2019

Not long ago, enterprise security could be organized neatly around the critical assets needing to be guarded. However, this “moat and fortress” model for cyberdefense is being demolished as the world turns to the cloud. This vanishing perimeter poses a profound problem for CISOs already grappling with other secular trends including mobile computing, shared security paradigms and fast-moving threat actors.

Take, for example, a security information and event management (SIEM) system in the cloud. The underlying principle of a SIEM is that relevant data about an enterprise’s security is produced by multiple sources and must be correlated. By collecting and collating all of that data in a single location, it becomes easier to spot patterns, run searches and hunt for threats. This approach historically worked well in traditional fixed-capacity environments. However, as threat actors evolve and IT environments continue to move to pure or hybrid cloud deployments, extracting meaningful and actionable information from SIEMs has proven difficult, requiring the continuous creation of manual rules and policy updates to detect evasive threats. Securing and monitoring infrastructure has become more complicated and riskier as security architects struggle to map existing security solutions and techniques to the cloud. According to Verizon’s latest Data Breach Investigations Report, more than two-thirds of breaches worldwide went undetected for several months. Another study, from NSS Labs, shows SIEMs deployed in more than 87 percent of enterprises.

Image courtesy of Verizon DBIR 2018

Taken together, these two data points show that traditional SIEMs are woefully behind the eight ball and seldom deliver on their promise. A new approach is needed so that detection and response can be delivered with the agility and scale required to tackle this problem head-on.

Getting Your Cloud Architecture ‘Monitoring-ready’

Watching and analyzing activity can be far more challenging in cloud-native applications, since servers may be created and destroyed in days, hours or even minutes (in the case of containers). Time is at a premium for getting the activity trace off the “box” and onto the aggregation platform. The best way to assure compliance, security and agile response is to co-locate the SIEM alongside the rest of the infrastructure in the cloud so that logging can be centralized. Next, the security telemetry from the underlying operating systems, network devices, users and applications needs to be ingested at the aggregation layer. This sensor telemetry is augmented by external threat intelligence sources that provide a near-real-time view of the existing threat climate and any emerging threats. The SIEM platform can then funnel this streaming dataset to a data lake where machine learning techniques are used to detect anomalies, corroborate potential threats and surface security incidents.

Delivering Security Response from the Cloud: 3 Essentials

Whether you are running a public, private or hybrid cloud, it is important to optimize the vast array of tools at your disposal so that your monitoring strategy can be effective, comprehensive and most importantly scale with your business. Here are three essentials that can help you be successful:

  1. Eliminate blind spots: As traditional monolithic applications move to the cloud, they are often broken down into microservices that may exist in several containers that exchange information on the wire. This so-called ‘east-west traffic’ flows within the data center and is invisible to any perimeter security infrastructure, such as a firewall or a web gateway, presenting a security blind spot. Public providers have tools and services designed to provide visibility into this traffic, as well as mechanisms to guard against service misconfiguration. For example, AWS offers GuardDuty, VPC Flow Logs, Trusted Advisor, Inspector, etc., while Azure has Security Center, Monitor, App Insights, etc. These tools offer extensive logging and reporting that can be used to identify potential abuse, compliance failures, configuration weaknesses and threat activity, and must be leveraged by the security analyst.
  2. Guard against alert fatigue: A single pane of glass for viewing all security threats sounds like a no-brainer, but it can overwhelm analysts, making them numb to spurious alerts. Thus, it is important to prioritize and filter out false positives so that appropriate high-fidelity incident tickets are created for further investigation.
  3. Automation: Allowing technology to respond to incidents automatically is fraught with danger, since no two incidents are alike. Software patches, application blacklists and configuration changes need to be extensively tested before being rolled out. There is always the lurking risk of impacting a production environment because of a false positive; this is especially true of critical workloads running in the cloud. A security orchestration, automation and response (SOAR) solution can optimize the productivity of highly skilled analysts by correlating the output of disjointed processes and technologies, such as compliance assessments and configuration management, and then orchestrating them.
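As an added illustration of the first two essentials (example code, not from the original post or from eSentire), the following Python reads constructed AWS VPC Flow Log records, picks out the east-west flows a perimeter firewall never sees, and rolls repeated rejected internal probes from one source into a single prioritized alert instead of one alert per flow. The sample records, the RFC 1918 ranges used to define “internal”, the target threshold and the admin-port list are all assumptions.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()  # VPC Flow Log v2 default order
# Internal (RFC 1918) ranges; in a real deployment use the VPC CIDRs instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample (not real traffic): 10.0.1.5 probes five internal hosts on admin
# ports and is rejected; 10.0.3.7 is ordinary application traffic; last line is a NODATA window.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49152 22 6 4 240 1546851600 1546851660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.11 49153 22 6 4 240 1546851601 1546851660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.12 49154 445 6 4 240 1546851602 1546851660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.13 49155 3389 6 4 240 1546851603 1546851660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.14 49156 22 6 4 240 1546851604 1546851660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.3.7 10.0.2.10 51000 443 6 120 98000 1546851600 1546851660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.7 203.0.113.9 51001 443 6 80 52000 1546851600 1546851660 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1546851600 1546851660 - NODATA
"""

def parse_flow_logs(text):
    """Parse version 2 records, skipping malformed lines and NODATA/SKIPDATA windows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records

def is_east_west(rec):
    """Both endpoints internal: traffic a perimeter firewall or web gateway never sees."""
    return all(any(ipaddress.ip_address(rec[key]) in net for net in INTERNAL_NETS)
               for key in ("srcaddr", "dstaddr"))

def detect_internal_sweeps(records, min_targets=5, admin_ports=(22, 445, 3389)):
    """Roll rejected east-west flows up into one alert per source (thresholds are assumed)."""
    targets, ports = defaultdict(set), defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and is_east_west(rec):
            targets[rec["srcaddr"]].add(rec["dstaddr"])
            ports[rec["srcaddr"]].add(rec["dstport"])
    alerts = []
    for src, hosts in targets.items():
        if len(hosts) >= min_targets:
            severity = "high" if ports[src] & set(admin_ports) else "medium"
            alerts.append({"src": src, "distinct_targets": len(hosts),
                           "ports": sorted(ports[src]), "severity": severity})
    return alerts
```

On the sample above the eight raw lines collapse to a single high-severity ticket for 10.0.1.5, while the accepted application flows and the NODATA window produce nothing.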

Traditional monitoring architectures are built around fixed-capacity environments and are ill-equipped to handle the dynamic and elastic nature of cloud workloads. A new adaptive security approach is needed to support digital transformation while retaining the ability to detect and respond to a new generation of threat actors.

Eldon Sprickerhoff, Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.