Blog — Jun 17, 2021

Every Side of Cyber - Building a Nation-scale Quick Reaction Force

This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

CyFIR founder Ben Cotton recently joined a panel discussion moderated by Jason Miller, Executive Editor of Federal News Network, alongside other industry experts such as Dr. Shue-Jane Thompson, Vice President and Partner, Cyber & Biometrics Practice, IBM.

It’s been almost three years since the White House issued Presidential Policy Directive 41 (PPD-41) and the corresponding cyber incident response plan. PPD-41 defined what a cyber incident and a major cyber incident mean, and set out guiding principles for incident response. From that directive, the Department of Homeland Security developed the National Cyber Incident Response Plan (NCIRP), which adds detail about the response activities and the lead agency for each one.

But PPD-41 and the NCIRP are reactive: they describe what happens after an organization has already been compromised. What is missing is guidance on how agencies can get ahead of an attack through proactive threat hunting and a more strategic response.

The evolution of cyber tools and capabilities over the last few years, most notably the sharing of threat intelligence, has enabled agencies to do more to get ahead of the cyber threats.

In the 2018 National Cyber Strategy, the White House specifically called out threat hunting on contractor systems, saying the government “will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, sensoring and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”

There are several benefits to the proactive stance agencies are starting to take, including less damage to the organization and faster response once something is found.

Agencies need to consider several factors as they move toward this proactive model. Watch the three video segments (Threat Hunting and Incident Response, The Use of Data, and The Cloud Impact) to hear Ben's contribution to the discussion.

Threat Hunting and Incident Response

Think Forensics First™

(Minute 6:05) "To see more is to know more. If you take the threat intelligence data and then you apply it to a forensics process that has visibility on every single aspect of what’s going on on an endpoint, then you are able to ascertain if those threats do exist inside of your environment. The trick to that is to do that in a timely fashion, so that you are looking simultaneously across all of your endpoints and you are not focused on a narrow lane where you miss those threats that exist on other endpoints or other parts of your network."

The Use of Data

Data Collection Use Cases

(Minute 5:07) "The automatic collection of data by necessity requires an automated correlation of the data. From an example standpoint, we had a client that had a very good IDS system in place, and they were receiving IDS indicators that they had a compromise, but it was taking them 24 hours to correlate that IDS back to a person, back to a process, back to the endpoint at which it actually occurred. So it's about the right type of data, the correlation of that data in an automated fashion, and it's also about search. As we talk about hunting, at the very root of hunting is your ability to search across your network and to be able to do that very quickly.

It's not just about processes, and it's not just about network connections, but it's also about what is existing on those hard drives, even down into the unallocated space of those hard drives. The more sophisticated actors can actually customize the addressing of their malware into the unpartitioned space on a hard drive.

A good hunting team not only has the automated collection piece, but also has the ability to pivot and simultaneously ask very complex questions across their entire environment, and get that data back extremely quickly."
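The 24-hour correlation problem Ben describes above is mechanical once the right data is collected. The following is an added example, not code from CyFIR, eSentire or the panel: it takes a constructed IDS alert, resolves the source address to an endpoint through DHCP lease history (guarding against a stale lease for the same address), matches the connection to the process and user recorded by endpoint telemetry, and then pivots across every endpoint for the same destination. All log lines, hostnames, addresses and signature IDs are constructed for the example; the formats only loosely mimic Suricata fast.log, a DHCP server log and Sysmon Event ID 3 exports.

```python
"""Added example, not code from CyFIR or eSentire: correlate an IDS alert back
to the endpoint, the process and the user behind it, then pivot across every
endpoint for the same indicator. Every log line below is constructed; the
formats loosely mimic Suricata fast.log, a DHCP server log and Sysmon
Event ID 3 (network connection) exports."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed IDS alerts (Suricata fast.log style; the SIDs are made up)
IDS_FAST_LOG = """\
03/04/2021-10:15:02.431000  [**] [1:1000001:1] CONSTRUCTED Beacon to Rare External Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.22:51234 -> 203.0.113.7:443
03/04/2021-10:16:40.002000  [**] [1:1000002:1] CONSTRUCTED Outbound SMB to Internet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.4.31:50110 -> 198.51.100.9:445
"""

# Constructed DHCP leases: which host held which address, and for how long
DHCP_LOG = """\
2021-03-04T09:58:10Z DHCPACK 10.1.4.22 aa:bb:cc:dd:ee:01 WS-FIN-07 lease=28800
2021-03-04T08:20:05Z DHCPACK 10.1.4.31 aa:bb:cc:dd:ee:02 WS-HR-03 lease=28800
2021-03-03T11:00:00Z DHCPACK 10.1.4.22 aa:bb:cc:dd:ee:09 WS-OLD-01 lease=28800
"""

# Constructed endpoint network-connection events (Sysmon Event ID 3 style)
ENDPOINT_NETCONN = """\
2021-03-04T10:15:02Z host=WS-FIN-07 pid=4412 image=C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe user=CORP\\jdoe src=10.1.4.22:51234 dst=203.0.113.7:443
2021-03-04T10:15:09Z host=WS-FIN-07 pid=1208 image=C:\\Program Files\\Browser\\browser.exe user=CORP\\jdoe src=10.1.4.22:51240 dst=192.0.2.50:443
2021-03-04T10:16:40Z host=WS-HR-03 pid=5520 image=C:\\Windows\\System32\\svchost.exe user=NT AUTHORITY\\SYSTEM src=10.1.4.31:50110 dst=198.51.100.9:445
2021-03-04T10:31:17Z host=WS-ENG-12 pid=7760 image=C:\\Users\\asmith\\AppData\\Roaming\\updater.exe user=CORP\\asmith src=10.1.4.57:49881 dst=203.0.113.7:443
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
NETCONN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) user=(?P<user>.+?) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

def _ts(s, fmt):
    return datetime.strptime(s, fmt).replace(tzinfo=UTC)

def parse_fast_log(text):
    alerts = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        a = m.groupdict()
        a["ts"] = _ts(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        alerts.append(a)
    return alerts

def parse_dhcp(text):
    leases = []
    for line in text.splitlines():
        ts, _, ip, mac, host, lease = line.split()
        start = _ts(ts, "%Y-%m-%dT%H:%M:%SZ")
        end = start + timedelta(seconds=int(lease.split("=")[1]))
        leases.append({"ip": ip, "mac": mac, "host": host, "start": start, "end": end})
    return leases

def parse_netconn(text):
    events = []
    for m in filter(None, map(NETCONN_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = _ts(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["pid"] = int(e["pid"])
        events.append(e)
    return events

def host_for_ip(leases, ip, when):
    """The lease that covered `ip` at `when`. An older lease for the same
    address (WS-OLD-01 above) must not win, so the newest covering lease does."""
    live = [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]
    return max(live, key=lambda l: l["start"]) if live else None

def correlate(alert, leases, events, window=timedelta(seconds=30)):
    """IDS alert -> endpoint (DHCP) -> process and user (endpoint telemetry)."""
    out = {"sid": alert["sid"], "msg": alert["msg"], "src": alert["src"],
           "host": None, "pid": None, "process": None, "user": None}
    lease = host_for_ip(leases, alert["src"], alert["ts"])
    if lease is None:
        return out  # no attribution possible: hand to a human, do not guess
    out["host"] = lease["host"]
    # Match the full 4-tuple inside a short window, since endpoint clocks drift
    for e in events:
        if (e["host"] == lease["host"] and e["sport"] == alert["sport"]
                and e["dst"] == alert["dst"] and e["dport"] == alert["dport"]
                and abs(e["ts"] - alert["ts"]) <= window):
            out.update(pid=e["pid"], process=e["image"], user=e["user"])
            break
    return out

def hunt(events, **criteria):
    """Ask one question of every endpoint at once: events matching all criteria."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def run():
    alerts = parse_fast_log(IDS_FAST_LOG)
    leases = parse_dhcp(DHCP_LOG)
    events = parse_netconn(ENDPOINT_NETCONN)
    attributions = [correlate(a, leases, events) for a in alerts]
    # Pivot: every endpoint that talked to the first alert's destination,
    # including ones the IDS never alerted on (WS-ENG-12 here)
    pivot = hunt(events, dst=alerts[0]["dst"])
    return attributions, pivot

if __name__ == "__main__":
    attributions, pivot = run()
    for a in attributions:
        print(f"{a['sid']} {a['src']} -> {a['host']} pid={a['pid']} {a['process']} as {a['user']}")
    print("pivot hosts:", sorted({e["host"] for e in pivot}))
```

The pivot is the part worth noticing: the IDS only fired on WS-FIN-07, but the same unsigned updater.exe on WS-ENG-12 reached the same destination sixteen minutes later. In a real deployment the three parsers would be replaced by queries against the SIEM or EDR, and the time window should be tuned to the observed clock skew rather than left at 30 seconds.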

Automation in Forensics

(Minute 10:15) "Remember we think forensics first on all of this data collection. The analysis of that data, I like to think of it as weeding the wheat from the chaff, so that you can get 100% of your human capital gray matter focused on the problem very quickly. I think there's a consensus here with the panel that that human gray matter, as good as AI (artificial intelligence), as good as ML (machine learning) will get, human gray matter is never going to be eliminated from the equation. From a forensics standpoint, the automation, the AI, the ML, is leveraged to sort that wheat from the chaff and get down to what's important very quickly and focus on that."
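The point made above under Data Collection Use Cases, that malware can be parked in unpartitioned space where no filesystem API will ever return it, is easy to demonstrate. The following is an added example, not code from CyFIR, eSentire or the panel: it builds a small constructed disk image with a real-format MBR partition table, plants the same marker bytes inside the partition and in the unpartitioned space after it, parses the partition table, and scans the raw image so that each hit is labelled with where on the disk it sits. The image, the partition layout and the marker are all constructed; the example covers unpartitioned space on an MBR disk, not unallocated clusters inside a filesystem, which needs a filesystem parser.

```python
"""Added example, not from the page, CyFIR or eSentire: why a hunt has to read
the raw disk rather than ask the filesystem. Builds a constructed disk image
with a real-format MBR partition table, plants the same marker inside the
partition and in the unpartitioned space after it, then scans the raw bytes
and labels each hit by where on the disk it sits."""
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MARKER = b"CONSTRUCTED-BEACON-CONFIG{"  # constructed stand-in for a byte-pattern IOC

def build_image(total_sectors=64, part_start=8, part_sectors=32, marker=MARKER):
    """Constructed image: one NTFS-typed primary partition, then free sectors."""
    img = bytearray(total_sectors * SECTOR)
    # MBR layout: 446 bytes bootstrap, four 16-byte partition entries, 0x55AA
    img[446:462] = struct.pack(MBR_ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                               part_start, part_sectors)
    img[510:512] = b"\x55\xAA"
    # marker inside the partition: a filesystem-aware search could find this
    inside = (part_start + 3) * SECTOR + 100
    img[inside:inside + len(marker)] = marker
    # marker past the end of the last partition: no filesystem API will ever
    # return these bytes, yet they read back fine from the raw device
    beyond = (part_start + part_sectors + 5) * SECTOR + 17
    img[beyond:beyond + len(marker)] = marker
    return bytes(img)

def parse_mbr(img):
    """Return the non-empty partition entries as sector ranges (end exclusive)."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature; GPT or damaged disk")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs1, ptype, _chs2, lba, count = struct.unpack(MBR_ENTRY, img[off:off + 16])
        if ptype and count:
            parts.append({"index": i, "type": ptype, "start": lba, "end": lba + count})
    return parts

def locate(sector, parts):
    """Classify a sector: MBR, inside a partition, or unpartitioned space."""
    if sector == 0:
        return "mbr"
    for p in parts:
        if p["start"] <= sector < p["end"]:
            return f"partition{p['index']}"
    return "unpartitioned"

def scan(img, marker=MARKER):
    """Search every byte of the image, whatever the partition table says."""
    parts = parse_mbr(img)
    hits, pos = [], 0
    while True:
        pos = img.find(marker, pos)
        if pos == -1:
            break
        hits.append({"offset": pos, "sector": pos // SECTOR,
                     "where": locate(pos // SECTOR, parts)})
        pos += 1
    return hits

if __name__ == "__main__":
    for h in scan(build_image()):
        print(f"offset {h['offset']:>6} sector {h['sector']:>3} {h['where']}")
```

Against a real device the whole image will not fit in memory; read it in chunks with an overlap of at least the pattern length so a marker that straddles a chunk boundary is not missed, and expect GPT disks, where the protective MBR carries a single 0xEE entry and the real table lives in LBA 1 onward.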

The Cloud Impact

Skillset for Threat Hunting Today

(Minute 5:35) "Most of those skillsets have remained consistent. You need to have a firm foundation in technology. You need to understand networks. You need to understand how computers work. How those types of things function. But one of the unique things we look for when we're hiring people is actually called Investigative Mindset. The ability to pick out an anomaly and then have that urge to dive down into it to figure out why it's there, what it's doing, how it got there and what the result is as it influences the investigation."

"It's about: is this going to be the person who's going to have the independence, the curiosity and the knowledge base to answer those tough, complex questions that are asymmetric in nature."
