This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.
Do you really know what happened during that data breach? In this post, CyFIR Chief Product Officer John J. Irvine and World Wide Technology (WWT) Global Director of Security Sales Chris Konrad explain what to look for when searching for an Endpoint Detection and Response software solution.
In today’s market for Endpoint Detection and Response (EDR) solutions, vendors are defining “forensics” based upon their own product’s capabilities. The industry is awash with sales pitches from all manner of EDR vendors using similar terminology to refer to underlying technology with vastly different capabilities.
Many of today’s digital forensic practitioners begin their careers in law enforcement. Before “Incident Response” was a buzzword included on every IT professional’s resume, most digital forensics casework supported the investigation and prosecution of crimes. To do so, digital forensic examiners would pore over a hard disk—often with rudimentary, low-level tools—for days, weeks, or even months. Examiners would scour disks looking for hidden partitions, host protected areas, or other spots that craftier suspects would use to hide their data from Johnny Law. When investigators found files of note, they would render them down to hash values (a digital “fingerprint” as it’s often called) to prove their uniqueness or to track their movements between systems or individuals. Investigators could recover fragments of files deleted long ago from the hard disk, often finding a crucial piece of evidence. Forensics was, and continues to be, an often difficult and time-consuming set of processes that can yield unimaginable results—IF you’re willing to put in the time and effort.
Today, the EDR marketing landscape could easily lead purchasers into the belief that “AI will save us all” or that “machine learning keeps your network safe.” Many vendors are selling the myths of the “unbreachable perimeter” or the “find all evidence button,” and telling weary, underfunded CISOs that their tools not only will stop attacks, but also provide a “forensics component” in case something evil should get through their defenses.
If you’re looking at one of the ever-present meatball charts that compare different vendors’ tools against each other, you’ll often find that antivirus, patch management, continuous monitoring, or other capabilities under the EDR heading will have a proud dot in a row called “Forensics” (often from an up-charged component). As a CISO, you can purchase one of these tools and check off “Allows a user to perform a digital examination on a computer or network” from your readiness list, right? I wish it were that simple.
When evaluating the “forensic capability” of a cybersecurity product, you need to ask the vendor some direct, pointed questions to learn what that specific vendor defines forensics to be. Finding and deleting the offending file is only part of the job; understanding the attack vector, reviewing the data exfiltrated, and quantifying the damage done are equally important in handling a breach and in preventing future attacks. Without knowing what went wrong, how can you be sure that you’ve taken the appropriate measures to stop it from happening again?
When considering an EDR solution, ask the following questions before making your decision:
Question: Can an authorized member of my security team navigate to the hard disk structure on an endpoint to look at the content of individual files?
Why you care: Attacks often leave behind forensic evidence that is critical in the discovery of the type and amount of data that has potentially been exfiltrated from your organization. If you can’t find and view the content of the exfiltration files, you might not have accurate information regarding the size or scope of a breach.
Question: Can I pull running processes individually out of memory for external review, or at a minimum, can I use your tool to extract live RAM remotely for the entire machine?
Why you care: Strategic or advanced attacks may use custom-crafted malware that might be able to defend itself from antivirus engines or even automated sandboxes. Sometimes a manual breakdown of a malicious program’s capabilities is the only way to know the potential extent of any damage it caused, and to do that, you must be able to isolate and extract the process from live memory.
Question: How many endpoints can I search at once now that I know what I’m looking for?
Why you care: Many tools that search remote endpoints are limited to searching only a few at a time through a round-robin scripting method. If you have a lot of time and money, that’s fine. If you’re short on either, look for tools where searching the endpoints happens simultaneously instead of five or ten at a time.
Question: Can I look through the raw data on the hard disk remotely and recover deleted files?
Why you care: Deleted malware, erased exfiltration files, and other items hidden from normal view of the operating system can provide critical evidence as to the scale and effectiveness of a breach. Without the capability to directly access a disk and recover deleted information, you’re likely to miss the whole picture. If you can’t do it remotely, you’re going to pay your employees (or a contractor) a lot of money to visit your individual locations and make copies of hard disks for later analysis.
Question: Can your solution help me with attackers who are “living off the land” or using fileless attacks?
Why you care: Many platforms sold under the EDR banner are strongly based in their antivirus or continuous monitoring roots. While they may flag malicious activity in the form of a trojan or virus, they often miss the use of legitimate administrative tools by a bad actor. As a use case, ask how the solution being presented can help identify someone doing evil by using stolen legitimate credentials and standard administration tools, and more importantly, make them show you.
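To make concrete what “look through the raw data on the hard disk and recover deleted files” means in practice, and how the hash “fingerprints” mentioned earlier let you track a recovered file across systems, here is a small signature-based file carver. It is an added illustration, not CyFIR or eSentire code, and the raw disk image it scans is constructed inline (two tiny PNG/PDF stand-ins sitting in unallocated space with no filesystem metadata pointing at them, which is exactly the state of a deleted file whose sectors have not yet been overwritten).

```python
import hashlib

# Real magic headers/footers for two common file types.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 1 << 20  # cap for a file whose footer is never found (partial recovery)


def carve(raw: bytes):
    """Scan raw disk bytes for known headers; return recovered files sorted by offset.

    The scan ignores filesystem structures entirely, so anything the OS has
    'deleted' is still found as long as its bytes are still on disk."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(foot, pos + len(head))
            complete = end != -1 and end - pos < MAX_CARVE
            # Truncated file (footer missing or too far away): keep a capped partial.
            end = end + len(foot) if complete else min(pos + MAX_CARVE, len(raw))
            data = raw[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "complete": complete,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = raw.find(head, end)
    return sorted(found, key=lambda f: f["offset"])


def match_known(found, known_hashes):
    """Return carved files whose fingerprint was already seen on another system."""
    return [f for f in found if f["sha256"] in known_hashes]


def build_sample_image():
    """Constructed raw image: two tiny 'files' in unallocated space around filler."""
    png = SIGNATURES["png"][0] + b"fakepng-body" + SIGNATURES["png"][1]
    pdf = SIGNATURES["pdf"][0] + b"1.4\nfake pdf body\n" + SIGNATURES["pdf"][1]
    return b"\x00" * 64 + png + b"\xff" * 128 + pdf + b"\x00" * 32


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f)
```

Note that a PDF with incremental updates contains several `%%EOF` markers, so a footer-based carver stops at the first one; production tools use per-format parsers for such cases.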
Once you start digging with questions like these (and making the sales engineer pitching the product a little uncomfortable), you’ll find that the term “forensics” is being redefined by each individual software vendor for their own convenience—and a tick-mark on that meatball chart. If you have any doubt, find an old-school cop who has been doing digital forensics for twenty years and ask them if they consider “Tool X” to be forensically sound. Believe me, they’ll know the difference.
Another resource for CISOs to consider is WWT’s Advanced Technology Center (ATC), which provides a platform for technology professionals to stay up-to-date with market innovations and receive assistance when comparing available technology options. The ATC connects industry professionals across technology verticals to collaborate on topics such as infrastructure design, regulatory compliance, and how to integrate virtual and physical environments. It also tests and simulates the performance of hundreds of products, making it easier for CISOs to identify what solution(s) are right for their own environment.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.