Blog — Aug 04, 2020

No New News To Tell

On April 1st, 2014 I found myself with eSentire’s (then) CEO J. Paul Haynes in the Securities and Exchange Commission (SEC) building in Washington, D.C., to meet with Ms. Jane Jarcho, who was soon to be made the Deputy Director of the Office of Compliance Inspections and Examinations (OCIE).

Since we had well over a decade of hands-on information security experience defending mid-sized financial institutions (including registered investment advisors, hedge funds, alternative asset management firms, and investment banks), she was interested in hearing our experiences.

At the end of our discussion, we asked about a document that had come into our possession from one of our customers: an information request that seemed to have come from the OCIE but wasn’t yet public. As I recall, she was surprised it had been made public. This information request, which came to be informally called the “SEC Cybersecurity 28 Questions”, was an excellent broad overview of an organization’s information security stance; it was extremely thorough and topical.

On April 15th, 2014 it was formally released to the public. I believe it was the first time the questions from an SEC-OCIE information request had been made public. It was a bombshell to the CTOs in the mid-market financial sector, as it was the first time the SEC had directly asked questions regarding cybersecurity.

The Risk Alert itself:

The OCIE Cybersecurity Initiative focused on the following categories:

1) Cybersecurity Governance/Identification of Risk

2) Risks Associated with Remote Customer Access and Funds Transfer Requests

3) Risks Associated with Vendors and Other Third Parties

4) Detection of Unauthorized Activities

5) Incident Response

Based on the responses given, the SEC-OCIE were able to tighten up their audit methodologies and questions. To prepare firms for the new focus on cybersecurity, in September 2015, the SEC-OCIE issued the details for their Cybersecurity Examination Initiative. They focused on the following categories:

1) Governance and Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

These cardinal categories are excellent pillars upon which to build your firm’s cybersecurity foundation. Unfortunately, I felt that this initiative didn’t have the same impact as the risk alert in 2014 because it wasn’t released in the form of audit questions; the details were buried in dense text within the appendix. If you took the time to read through the appendix, you could convert the specific bullet points listed into questions for your own firm and arrive at the 36 audit questions the SEC auditors would ultimately use. In fact, I did this.

In August 2017, the SEC-OCIE issued a summary of Examination Observations to highlight their best practice suggestions for market participants. They focused on the following categories:

1) Cybersecurity/Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

Do you see a theme developing?

Most recently, in January 2020, the SEC-OCIE released another summary of Examination Observations and focused on the following categories:

1) Cybersecurity Governance/Risk Management

2) Access Rights and Controls

3) Data Loss Prevention

4) Mobile Security

5) Incident Response and Resiliency

6) Vendor Management

7) Training and Awareness

You may notice that there is considerable overlap between the six categories of focus from September 2015 through August 2017 and those from January 2020. In fact, the one major difference is the request for further visibility into mobile devices; however, if you’re properly working on the six main pillars from August 2017, there’s no need to extend your focus to Mobile Security as a separate item: it’s already covered. A difference can also be seen in the format in which the most recent Examination Observations were released: they are considerably easier to digest.

A recent Ransomware Risk Alert further emphasizes the need to pay attention and adhere to the six infosecurity pillars. It places specific focus on:

1) Incident response and resiliency policies, procedures, and plans

2) Operational resiliency

3) Awareness and training programs

4) Vulnerability scanning and patch management

5) Access management

6) Perimeter security

I’m pleased to see them address somewhat deeper technical aspects than they have previously. For example, they call out the common use of RDP for remote access, which in many cases is a more dangerous access vector now than in the past. However, they neglected to describe specific changes in ransomware attack methodologies (incorporating aspects of advanced persistent threat actors, who quietly embed themselves for weeks within an organization before initiating an en masse encryption event across all systems simultaneously, usually at the beginning of a weekend).

Nevertheless, it’s valuable that the SEC-OCIE continues to emphasize how critical cybersecurity continues to be, even though there’s truly no new news to tell.

Eldon Sprickerhoff, Founder and Chief Innovation Officer
In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.