Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Join us for a live security brefing with (ISC)2 members.
Join Tim Segato, Director, Product Management and Ryan Westman, Manager,…
Ask questions and hear from Cybersecurity experts from eSentire,…
This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.
CyFIR Founder, Ben Cotton, recently joined a panel discussion moderated by Jason Miller, Executive Editor, Federal News Network, including other industry experts such as Dr. Shue-Jane Thompson, Vice President and Partner, Cyber & Biometrics Practice, IBM.
It’s been almost three years since the White House issued Presidential Policy Directive 41 (PPD-21) and the corresponding cyber incident response plan. PPD-41 outlined some key concepts around defining what a cyber incident and a major cyber incident meant, while also providing guiding principles for incident response. From that PPD, the Homeland Security Department developed a national cyber incident response plan (NCIR), providing even more details about the activities and the lead agencies for each activity.
But PPD-41 and the NCIR are reactive documents and plans that come after being victimized by a cyber attack. What is missing is how agencies can get ahead of the attack through proactive threat hunting and a more strategic response.
The evolution of cyber tools and capabilities over the last few years, most notably the sharing of threat intelligence, has enabled agencies to do more to get ahead of the cyber threats.
In the 2018 national cybersecurity strategy, the White House specifically called out the use of cyber threat hunting capabilities, saying the government “will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, censoring and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”
There are several benefits from this proactive stance agencies are starting to take, including reducing damage to the organization and improving the speed to response.
Agencies need to consider several factors as they move more toward this proactive model. Watch the 3 segment videos on Threat Hunting and Incident Response, The Use of Data, and The Cloud Impact to hear Ben's contribution to the discussion.
(Minute 6:05) "To see more is to know more. If you take the threat intelligence data and then you apply it to a forensics process that has visibility on every single aspect of what’s going on an endpoint then you are able to ascertain if those threats do exist inside of your environment. The trick to that is to do that in a timely fashion so that you are looking simultaneously across all of your end points and you are not focused on a narrow lane where you miss those threats that exist on other endpoints or other parts of your network."
(Minute 5:07) "There's the automatic collection of data by necessity requires an automated correlation of the data. From an example standpoint, we had a client that had a very good IDS system in place and they were receiving IDS indicators that they had a compromise but it was taking them 24 hours to correlate that IDS, back to a person, back to a process, back to the endpoint at which it actually occurred. So it's about the right type of data, the correlation of that data in an automated fashion, and it's also about search. As we talk about hunting, at the very root of hunting is your ability to search across your network and to be able to do that very quickly.
It's not just about processes, and it's not just about network connections, but it's also about what is existing on those hard drives, even down into the unallocated space of those hard drives. The more sophisticated actors can actually customize the addressing of their malware into the unpartitioned space on a hard drive.
A good hunting team not only has the automated collection piece, but also has the ability to pivot and simultaneously ask very complex questions across their entire environment, and get that data back extremely quickly."
(Minute 10:15) "Remember we think forensics first on all of this data collection. The analysis of that data, I like to think of it as weeding the wheat from the chaff, so that you can get 100% of your human capital gray matter focused on the problem very quickly. I think there's a consensus here with the panel that that human gray matter, as good as AI (artificial intelligence), as good as ML (machine learning) will get, human gray matter is never going to be eliminated from the equation. From a forensics standpoint, the automation, the AI, the ML, is leveraged to sort that wheat from the chaff and get down to what's important very quickly and focus on that."
(Minute 5:35) "Most of those skillsets have remained consistent. You need to have a firm foundation in technology. You need to understand networks. You need to understand how computers work. How those types of things function. But one of the unique things we look for when we're hiring people is actually called Investigative Mindset. The ability to pick out an anomaly and then have that urge to dive down into it to figure out why it's there, what it's doing, how it got there and what the result is as it influences the investigation."
"It's about is this going to be the person who's going to have the independence, and the curiosity and the knowledge base to answer those tough complex questions that are asymmetric in nature."
eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.