Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Flexible MDR packages that enhance your cyber resilience and security operations.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
THE THREAT eSentire is aware of widespread exploitation attempts targeting the recently disclosed ownCloud vulnerability CVE-2023-49103. CVE-2023-49103 (CVSS: 10) is tracked as a disclosure of… READ NOW
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Waterloo, ON and GITEX GLOBAL 2023, Dubai, UAE – October 18, 2023 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced that Inspira Enterprise Inc, (Inspira), a… READ NOW
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
Even in the all-too-plentiful world of vulnerabilities and exploits, CVE-2020-1472 (aka Zerologon) is special, receiving a base criticality score of 10/10 under the Common Vulnerability Scoring System (CVSS).
eSentire was by no means the only security vendor pushing out alerts and advisories about Zerologon. Nor were we the only ones to claim to be able to detect an attack. However, to our knowledge, the behavioral Zerologon detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools. This is a subtle—but important—difference.
But before we dive into detections, let’s first quickly review why Zerologon is causing such a ruckus in cybersecurity circles.
Without going too deep into the technical details, Zerologon allows an attacker who has already gained Initial Access to achieve Privilege Escalation, acquiring the ability to execute remote code, disable security features and change computer passwords in Active Directory (AD).
Zerologon was discovered by researchers at Secura and was announced on August 11 as part of the Microsoft August 2020 Security Updates patch. On September 11—after allowing a month for IT administrators to apply patches—Secura released technical details and a test tool. The technical details publication set the clock ticking, as it serves as a how-to guide for security researchers and would-be attackers.
True to expectations, just a few days later, proof of concept (PoC) exploit code was available, prompting eSentire to send, on September 14, a Threat Intelligence Advisory about CVE-2020-1472 in anticipation of seeing attacks in the wild in the very near future. By this point, customers of eSentire’s Managed Vulnerability Service (MVS) already had a local plug-in to quickly and easily determine if they were at risk. Owing to the significant risk associated with this vulnerability, on September 18 the Cybersecurity and Infrastructure Security Agency released a rare emergency directive requiring all US federal agencies to update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.
Needless to say, such directives are reserved for only the most serious of situations.
Finally (so far at least), on September 23 eSentire pushed out an updated advisory, spurred by three new developments:
As noted in the introduction, eSentire’s Zerologon detection capability recognizes the exploit/attack itself, rather than just some associated behavior. To understand why the difference matters, it’s important to recognize that threat actors are constantly evolving their tools, techniques and procedures (TTPs)—and that this constant evolution is adept at finding weak points in cyber defenses.
Let’s say today’s generation of Zerologon attackers use a particular tool (say, mimikatz) to do something like this:
ATTACK à ACTION #1 or ACTION #2 or ACTION #3
The other detectors we have seen identify the use of a particular tool (i.e., mimikatz) and spot the follow-on actions, and use the correlation to imply use of Zerologon. That’s fine for stopping this combination of tool and actions, but what happens when attackers realize they’re being stopped? They’ll simply respond by changing tools and tactics to introduce ACTION #4, ACTION #5 and so on. The correlations will fail, the attacks will go undetected, and there’s a window of opportunity for attackers.
Instead of only identifying the actions (which, to be clear, we also do), eSentire’s detector identifies the actual exploit/attack itself. With our esLOG detector in place, it doesn’t matter if an attacker changes tools or quickly churns out new variations of the follow-on actions, because we still spot the original attack. There’s no game of catch-up—so our customers benefit from much more robust protection.
Analyzing logs isn’t unique to eSentire, so what enabled us to introduce a more powerful detection capability than other security providers?
The moment the technical details dropped, eSentire’s elite Threat Response Unit (TRU) went to work performing their own direct, applied research on CVS-2020-1472, to augment and extend beyond what was available in security forums and other OSINT resources. This deep hands-on exploration and experimentation helps us better understand the threats our customers face and can reveal unique insights and nuances that unlock more effective protection.
In this case, we discovered some aspects of Zerologon exploitation that we haven’t seen published elsewhere, and this insight is what allowed us to develop a uniquely powerful detection capability.
We’ve written elsewhere how important our people are to what we do at eSentire—and that’s because it’s true. Few security companies in the world can bring to bear the same number and caliber of security researchers as we can, and this collection of SOC analysts, threat hunters and security researchers are what allow us to consistently discover and contain even the most sophisticated threats.
It’s a differentiator we’re proud of and—more importantly—it’s one that makes a meaningful difference for our customers.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.