Blog — Aug 04, 2020

No New News To Tell

On April 1st, 2014 I found myself with eSentire’s (then) CEO J. Paul Haynes in the Securities and Exchange Commission (SEC) building in Washington, D.C., to meet with Ms. Jane Jarcho, who was soon to be made the Deputy Director of the Office of Compliance Inspections and Examinations (OCIE).

Because we had well over a decade of hands-on information security experience defending mid-sized financial institutions (including registered investment advisors, hedge funds, alternative asset management firms, and investment banks), she was interested in hearing about our experiences.

At the end of our discussion, we asked about a document that had come into our possession from one of our customers: an information request that seemed to have come from the OCIE but wasn’t yet public. As I recall, she was surprised it had been made public. This information request, which came to be informally called the “SEC Cybersecurity 28 Questions”, was an excellent broad overview of a firm’s information security stance; it was extremely thorough and topical.

On April 15th, 2014 it was formally released to the public. I believe it was the first time the questions in an SEC-OCIE information request had been made public. It was a bombshell to the CTOs in the mid-market financial sector, being the first time that the SEC had directly asked questions regarding cybersecurity.

The Risk Alert itself:

The OCIE Cybersecurity Initiative focused on the following categories:

1) Cybersecurity Governance/Identification of Risk

2) Risks Associated with Remote Customer Access and Funds Transfer Requests

3) Risks Associated with Vendors and Other Third Parties

4) Detection of Unauthorized Activities

5) Incident Response

Based on the responses given, the SEC-OCIE was able to tighten up its audit methodologies and questions. To prepare firms for the new focus on cybersecurity, in September 2015 the SEC-OCIE issued the details of its Cybersecurity Examination Initiative. It focused on the following categories:

1) Governance and Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

These cardinal categories are excellent pillars upon which to build your firm’s cybersecurity foundation. Unfortunately, I felt that it didn’t have the same impact as the risk alert in 2014 because it wasn’t released in the form of audit questions; the details were buried in dense text within the appendix. If you took the time to read through the appendix, you could convert the specific bullet points listed into questions of your own and arrive at the 36 audit questions the SEC auditors would ultimately use. In fact, I did this.

In August 2017, the SEC-OCIE issued a summary of Examination Observations to highlight its best practice suggestions for market participants. It focused on the following categories:

1) Cybersecurity/Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

Do you see a theme developing?

Most recently, in January 2020, the SEC-OCIE released another summary of Examination Observations and focused on the following categories:

1) Cybersecurity Governance/Risk Management

2) Access Rights and Controls

3) Data Loss Prevention

4) Mobile Security

5) Incident Response and Resiliency

6) Vendor Management

7) Training and Awareness

You may notice that there is considerable overlap between the six categories of focus from September 2015 through August 2017 and on to January 2020. In fact, the one major difference is the request that mobile devices receive further visibility; however, if you’re properly working on the six main pillars from August 2017, there’s no need to extend your focus to Mobile Security: it’s already covered. Another difference is the format in which the most recent Examination Observations were released: it is considerably easier to digest.

A recent Ransomware Risk Alert further emphasizes the need for attention and adherence to the six information security pillars. It places specific focus on:

1) Incident response and resiliency policies, procedures, and plans

2) Operational resiliency

3) Awareness and training programs

4) Vulnerability scanning and patch management

5) Access management

6) Perimeter security

I’m pleased to see them address somewhat deeper technical aspects than they have previously. For example, the common use of RDP for remote access, which in many cases is a more dangerous access vector now than it was in the past. However, they neglected to describe specific changes in ransomware attack methodologies (incorporating aspects of advanced persistent threat actors, who quietly embed themselves for weeks within an organization before initiating an en masse encryption event across all systems simultaneously, usually at the beginning of a weekend).

Nevertheless, it’s valuable that the SEC-OCIE continues to emphasize how critical cybersecurity continues to be, even though there’s truly no new news to tell.

Eldon Sprickerhoff, Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.