Blog — Aug 04, 2020

No New News To Tell

On April 1st, 2014 I found myself with eSentire’s (then) CEO J. Paul Haynes in the Securities and Exchange Commission (SEC) building in Washington, D.C., to meet with Ms. Jane Jarcho, who was soon to be made the Deputy Director of the Office of Compliance Inspections and Examinations (OCIE).

Given our well over a decade of hands-on experience in information security, defending mid-sized financial institutions (including registered investment advisors, hedge funds, alternative asset management firms, and investment banks), she was interested in hearing about our experiences.

At the end of our discussion, we asked about a document that had come into our possession from one of our customers: an information request that seemed to have come from the OCIE but wasn’t yet public. As I recall, she was surprised it had been made public. This information request, which came to be informally called the “SEC Cybersecurity 28 Questions”, was an excellent broad overview of an information security stance; it was extremely thorough and topical.

On April 15th, 2014 it was formally released to the public. I believe it was the first time that the questions from an SEC-OCIE information request had been made public. It was a bombshell to the CTOs in the mid-market financial sectors, as it was the first time the SEC had directly asked questions regarding cybersecurity.

The Risk Alert itself:

The OCIE Cybersecurity Initiative focused on the following categories:

1) Cybersecurity Governance/Identification of Risk

2) Risks Associated with Remote Customer Access and Funds Transfer Requests

3) Risks Associated with Vendors and Other Third Parties

4) Detection of Unauthorized Activities

5) Incident Response

Based on the responses given, the SEC-OCIE were able to tighten up their audit methodologies and questions. To prepare firms for the new focus on cybersecurity, in September 2015, the SEC-OCIE issued the details for their Cybersecurity Examination Initiative. They focused on the following categories:

1) Governance and Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

These cardinal categories are excellent pillars upon which to build your firm’s cybersecurity foundation. Unfortunately, I felt that it didn’t have the same impact as the 2014 risk alert because it wasn’t released in the form of audit questions; the details were buried in dense text within the appendix. If you took the time to read through the appendix, you could convert the specific bullet points listed into questions addressed to your own firm and arrive at the 36 audit questions the SEC auditors would ultimately use. In fact, I did this.

In August 2017, the SEC-OCIE issued a summary of Examination Observations to highlight their best practice suggestions for market participants. They focused on the following categories:

1) Cybersecurity/Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

Do you see a theme developing?

Most recently, in January 2020, the SEC-OCIE released another summary of Examination Observations and focused on the following categories:

1) Cybersecurity Governance/Risk Management

2) Access Rights and Controls

3) Data Loss Prevention

4) Mobile Security

5) Incident Response and Resiliency

6) Vendor Management

7) Training and Awareness

You may notice that there is considerable overlap between the six categories of focus from September 2015 through August 2017 and on to January 2020. In fact, the one major difference is the request for further visibility into mobile devices; however, if you’re properly working on the six main pillars from August 2017, there’s no need to extend your focus to Mobile Security separately: it’s already covered. Another difference can be seen in the format in which the most recent Examination Observations were released: it is considerably easier to digest.

A recent Ransomware Risk Alert further emphasizes the need to pay attention and adhere to the six infosecurity pillars. It places specific focus on:

1) Incident response and resiliency policies, procedures, and plans

2) Operational resiliency

3) Awareness and training programs

4) Vulnerability scanning and patch management

5) Access management

6) Perimeter security

I’m pleased to see them address somewhat deeper technical aspects than they have previously. For example, they call out the common use of RDP for remote access, which in many cases is a more dangerous access vector than it was in the past. However, they neglected to describe specific changes in ransomware attack methodologies (incorporating aspects of advanced persistent threat actors, who quietly embed themselves for weeks within an organization before initiating an en masse encryption event across all systems simultaneously, usually at the beginning of a weekend).

Nevertheless, it’s valuable that the SEC-OCIE continues to emphasize how critical cybersecurity continues to be, even though there’s truly no new news to tell.

Eldon Sprickerhoff Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.