Blog — Feb 01, 2019

Using false negatives to illuminate unknowns, presented at BlackHat Europe 2018


One of the most frustrating problems every security practitioner faces is a lack of data about false negative rates. What are those things that just get by our defensive technologies? What are the breach risks that we don’t know about? Where are the likely gaps in my defenses? And everyone usually says, “we just don’t know what we don’t know, so there’s not much we can do. My environment is unique and no one else is likely to have data on it.”

To a large extent, that’s true. But for a strategic managed detection and response company like eSentire, it’s different. We have mountains of data on breaches from hundreds of unique environments, and anonymized metadata at that scale can shed real light on the unknowns facing defenders, because it lets us talk about trends and probabilities rather than single anecdotes. This puts us in a unique position to provide really interesting insights on the problem.

So, we made it the focus of a study and recently presented our results to the security community at BlackHat Europe 2018. As background, we provide MDR services using a pool of sensors monitoring 2,000+ different locations across 600+ distinct client environments in 28 countries. Every day of the year, we forensically investigate tens of thousands of potential threats and respond to contain breaches while they are still in their earliest stages, just establishing a beachhead inside the environment.

While our focus is monitoring and actively hunting for threats in supposedly “clean” environments, a by-product of that work is a rare data set within the evolving cybersecurity space: a collection of false negative data points, each one a threat that all the deployed defensive technology, in its real-world configuration, missed. Every incident data point is backed by forensic data and human analysis, so the set contains zero false positives.

Statistically, we used eSentire’s data set of detected breaches-in-progress on the “clean” side to turn the “we just don’t know” areas that many defenders face today into measurable bands of risk at stated confidence levels. That is especially helpful for blue teamers who do not yet run their own threat hunting or monitoring efforts, have to trust perimeter defenses, and want to talk meaningfully about the chances of something getting through.

In our study, we treated eSentire’s deployed sensors as a convenience sample from the general population, roughly what you’d find if you ran a threat hunting/monitoring effort on a random site. With over 2,000 sites from which to draw data, we have a healthy sample size and a narrow margin of error at a high confidence level for a similar population. Our demographic does have biases (see the presentation for details), but we invite defenders and other researchers to apply their own weights to our sample set to get a feel for their own chances and relative risk across a group of similar peers.

So, in the case of a typical mid-sized company, what is the probability that an attacker breached its existing automated defenses over the past year to the point that manual intervention by a security specialist would have been needed?

With our data set, for a client with four sites the rate of live malware showing up somewhere on the clean side generally floats between 8 and 15 percent each month, with a margin of error of about +/- 3 percentage points at 95 percent confidence. Looking cumulatively over all of 2018, the chance of malware showing up somewhere on the clean side of all your normal defensive technology and doing damage was about 52.4 percent (48.1-56.6 percent at 95 percent confidence).
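The figures above are a proportion with a confidence interval and a cumulative probability over a period. The following Python is an added worked example, not eSentire’s code or the method behind the presentation (the post does not say which interval method it used): it computes a Wilson score interval and a plain margin of error for the share of sites with a clean-side hit in one month, the sample size needed for a given margin, and the compounding of monthly rates into a period probability. The month of sensor counts (SAMPLE_MONTH) is constructed for illustration, and the compounding assumes independent months, which is an assumption stated in the code.

```python
import math

# Constructed sample for illustration, not eSentire data: sites monitored in
# one month and how many of them saw live malware on the "clean" side.
SAMPLE_MONTH = {"sites": 2000, "hits": 220}

Z_95 = 1.96  # two-sided z for a 95 percent confidence level


def wilson_interval(hits, n, z=Z_95):
    """Wilson score interval for a binomial proportion hits/n.

    Preferred over the plain normal approximation because it stays inside
    [0, 1] and behaves sensibly for small subgroups (e.g. few-site clients).
    """
    if n <= 0 or hits < 0 or hits > n:
        raise ValueError("need 0 <= hits <= n and n > 0")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (centre - half, centre + half)


def normal_margin(hits, n, z=Z_95):
    """Plain '+/- x percent' margin of error (normal approximation)."""
    p = hits / n
    return z * math.sqrt(p * (1 - p) / n)


def sites_needed(p, margin, z=Z_95):
    """Sample size (sites) so that the margin of error is at most `margin`
    for an expected proportion p. Shows why 2,000+ sites is a healthy sample."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


def cumulative_probability(monthly_rates):
    """P(at least one clean-side hit) over the months given, assuming each
    month is independent of the others. Assumption for illustration: if the
    same site is hit repeatedly, this compounding overstates the true figure.
    """
    miss = 1.0
    for r in monthly_rates:
        if not 0 <= r <= 1:
            raise ValueError("monthly rate must be a probability")
        miss *= 1 - r
    return 1 - miss


if __name__ == "__main__":
    n, k = SAMPLE_MONTH["sites"], SAMPLE_MONTH["hits"]
    lo, hi = wilson_interval(k, n)
    print(f"monthly hit rate {k / n:.1%}, 95% Wilson interval "
          f"{lo:.1%} - {hi:.1%}, plain margin +/- {normal_margin(k, n):.1%}")
    print("sites needed for +/- 3 points at p=11%:", sites_needed(0.11, 0.03))
    print(f"12 months at 10%/month, independent: "
          f"{cumulative_probability([0.10] * 12):.1%}")
```

On the constructed month, 220 hits across 2,000 sites gives a margin of about +/- 1.4 percentage points; cutting the sample down to one client size (for example, four-site clients) shrinks n and widens the band, which is why a per-client figure carries a wider interval than the whole sample. The compounding function is there to show the mechanics of turning a monthly band into a period figure; the post’s cumulative number comes from its own data set, and repeat hits on the same site mean a compounded band is an upper bound rather than an exact match.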


In our view, that answer is a hell of a lot better than “we just don’t know what we don’t know.”

Alexander Feick, Technical Director, Security Services Architecture