CI Security’s new Microsoft Defender ATP integration helps round out the company’s 24/7 detection and response offering, Critical Insight MDR. The combination enables complete visibility into customers’ environments, whether a physical network, cloud environment, zero-trust workforce, or any combination of the above.
“With remote working now the normal for many organizations, information security teams are scrambling to secure this rapidly expanding remote workforce. Employees are accessing sensitive data from all over the globe, causing an increased focus on zero trust architecture and, ultimately, the endpoint,” said Mike Hamilton, co-founder and CISO of CI Security.
“As we continue outfitting our offering with best-of-breed technology and services, CI Security is laying a foundation for enabling the mid-market to plug and play a cybersecurity team to up-level their existing resources.”
CI Security’s new Microsoft Defender ATP integration will allow the company to monitor events and alerts from Microsoft Defender ATP using analyst-driven hunting and investigation activities, as well as proactively push tickets to analysts for investigation using CI Security’s specifically designed detections.
Through this integration, CI Security analysts can now actively isolate machines based on playbooks developed with each customer. This feature is part of the Critical Insight Rapid Quarantine (CIRQ) offering.
“Increasingly, customers are asking for more services as they advance along their security journeys,” said Garrett Silver, CEO of CI Security.
“They are asking for MDR and EDR to handle their daily monitoring, and at the same time, asking for security assessments and penetration tests to improve their programs. We are here to provide the range of services our customers need, which is why we created the integration with Microsoft Defender ATP.”
CI Security chose Microsoft Defender ATP because it has quickly attained significant market share while demonstrating exceptional execution. CI Security’s own offensive security team reports it’s one of the most difficult endpoint protection solutions to evade.
This has been a very challenging year. Despite the COVID-19 outbreak starting in the first half of 2020, data analyzed from the Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal shows that the number of patient data records breached dramatically declined during the early stages of the pandemic.
Healthcare orgs too busy to report
CI Security analysts' assessment indicates that the number of breach reports in the first half of 2020 …
The post Healthcare breaches declined sharply during the first half of 2020 appeared first on Help Net Security.
Network detection and response (NDR) solutions enable organizations to improve their threat response, help protect against a variety of threats, and provide visibility into what is actually on the network.
To select an appropriate network detection and response solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Mike Hamilton, CISO, CI Security
Network detection and response uses a spectrum of technology and humans, and the right mix for your organization is highly individual. Here are 3 different mixes to consider:
Managed – Managed detection and response combines technology to collect information from your network, detection analytics to identify aberrational activity, and analysts to investigate, confirm, and conduct response operations along pre-defined playbooks – as a service.
Operated – In the middle, you’ll own the technology, the people to operate the technology, and the processes for response, recovery, and recordkeeping. This is how many organizations have evolved but are discovering that this is harder to sustain.
Automated – At the technology end of the spectrum is automation: SOAR and other methodologies leverage your preventive and detective controls and integrate them to take an action decided by technology.
To decide whether you will be best served by Managed, Operated, or Automated, ask:
- How fast/easy is deployment?
- Does the solution ingest and analyze all your data sources?
- For Operated – What are the resource costs, including how using resources for security may affect current projects as opportunity cost?
- For Managed – How does the provider source and retain threat hunters and analysts?
- For Automated – What is the worst-case scenario for a false positive?
Rahul Kashyap, CEO, Awake Security
NDR solutions can protect against non-malware threats, including insider attacks, credential abuse, lateral movement, and data exfiltration. They give organizations greater visibility into what is actually on the network as well as the activity occurring. But not all NDR solutions are equal. To maximize value, it’s recommended buyers consider three key parameters:
- Data: Look for solutions that parse the whole packet rather than just NetFlow or IDS alerts. This provides far more depth of visibility, allowing the solution to identify more relevant threats.
- Machine Learning and AI: Avoid solutions that rely primarily on unsupervised machine learning and act as black boxes. These types of offerings generate significant operational overhead via false positives and negatives, and provide no explanation to the analyst on why something was flagged as an issue.
- Use cases: Reduce tool sprawl by replacing existing solutions for network forensics, threat hunting etc. This helps consolidate and modernize your security operations, making the team more efficient.
Like any other security solution, simply acquiring a new NDR tool does not improve security. In my experience, it is critical for buyers to think through operational impacts when deciding on a technology stack.
Igor Mezic, CTO, MixMode
There are some key questions on the underlying methodologies that should be asked when selecting an NDR solution:
Is the AI NDR system partially or entirely dependent on rules? If so, what is the overhead related to tuning and maintaining the rule set? Attack vectors are changing rapidly in a modern security environment, outpacing rule development efforts by a large margin. Rule-based information can be useful as a context, but not as a primary source of information. The core of the machine learning system should be adaptable to new network conditions and thus independent of static rules.
What is the false positive rate for the detections? What is the false negative rate? The response part of NDR is highly dependent on the quality of detection. Shutting down a subnet over a false positive can disrupt normal network operation. False positives and negatives abound in rule-based systems and systems that use supervised learning methodology based on labeling. Unsupervised systems based on clustering and Bayesian methods also typically feature high rates of false positives.
What happens when we add a new subnet or a router to the network? Does the NDR system have to re-learn everything again? Learning in off-the-shelf machine learning systems can take 6-24 months. If that cycle repeats every time a new element is added to the network, the methodology is of limited use. The AI system must adapt seamlessly to new conditions on the network, with no additional extensive learning period.
How easy is it to spoof the detection system? It is well known that non-generative machine learning methodologies can be easily spoofed by injection of corrupted data, rendering the system incapable of recognizing a specific attack.
Steve Miller, Principal Applied Security Researcher, FireEye
An NDR solution must enable action in a variety of forms.
Detection events must be distinguished into varying buckets of things to care about. The goal of event priority or criticality is to ensure that important, qualified network detection events are at the top of the to-do list. Your security team can take detection events at the top and respond with more care and urgency with respect to the affected assets.
There must be historical recording for network activity. This may be full packet capture stored for a time period, or merely packet capture in a “time wrinkle,” 5 minutes before and after each network detection event. Solutions should include abstracted network logging, such as Netflow and HTTP event logging. The more logging, the easier an investigation becomes.
Solutions must enable alert-to-action automations. When examining alerts, analysts make routine movements to gather information that aids in validation and response options. Solutions must enable automated data collection associated with alerts in preparation for analyst review, thus reducing manual actions.
Functionally, this means solutions must easily integrate and gather contextual data from other technologies such as: DHCP leases; passive DNS resolutions; threat actor or malware associations; and network/asset “handling” systems that may inoculate or reduce the impact of a malicious event through quarantining, blocking, or manipulation of packets. Automatic provision of contextual data and “handling” options is foundational to taking action, which is often the most laborious part of the human workflow.
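As an added example (not FireEye's or any vendor's code), the alert-to-action enrichment described above in Python: a detection event is joined to the DHCP lease that was active at event time, to passive DNS names for the destination, and to the "time wrinkle" of packets five minutes either side of the event. All data below is constructed; the edge case shown is an IP re-leased to a different host shortly before the event, where naively taking any lease for that IP would name the wrong machine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Lease:  # one DHCP lease record: which host held an IP, and when
    ip: str
    hostname: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Event:  # a network detection event as an NDR sensor might emit it
    ts: datetime
    src_ip: str
    dst_ip: str
    signature: str

# Constructed sample data (not a real network); 10.0.0.25 was re-leased one hour before the event.
T0 = datetime(2020, 7, 1, 12, 0, 0)
DHCP_LEASES = [
    Lease("10.0.0.25", "finance-laptop-07", T0 - timedelta(hours=8), T0 - timedelta(hours=1)),
    Lease("10.0.0.25", "guest-tablet-3", T0 - timedelta(hours=1), T0 + timedelta(hours=7)),
]
PASSIVE_DNS = {"198.51.100.7": {"cdn7.example.test", "update.example-cdn.test"}}
PACKETS = [  # (timestamp, src, dst, bytes); first and last fall outside the +/-5 min window
    (T0 - timedelta(minutes=6), "10.0.0.25", "198.51.100.7", 120),
    (T0 - timedelta(minutes=2), "10.0.0.25", "198.51.100.7", 900),
    (T0 + timedelta(minutes=4, seconds=59), "198.51.100.7", "10.0.0.25", 1500),
    (T0 + timedelta(minutes=5, seconds=1), "10.0.0.25", "198.51.100.7", 40),
]
EVENT = Event(T0, "10.0.0.25", "198.51.100.7", "suspicious-tls-beacon")

def lease_at(ip, ts, leases):
    """Lease active for ip at ts (start inclusive, end exclusive), or None if no lease matches."""
    return next((lease for lease in leases if lease.ip == ip and lease.start <= ts < lease.end), None)

def capture_window(packets, ts, minutes=5):
    """The 'time wrinkle': packets within +/- minutes of the event timestamp."""
    lo, hi = ts - timedelta(minutes=minutes), ts + timedelta(minutes=minutes)
    return [p for p in packets if lo <= p[0] <= hi]

def enrich(event, leases, pdns, packets):
    """Attach the context an analyst would otherwise gather by hand for every alert."""
    lease = lease_at(event.src_ip, event.ts, leases)
    return {"signature": event.signature,
            "src_host": lease.hostname if lease else "unknown (no active lease)",
            "dst_names": sorted(pdns.get(event.dst_ip, ())),
            "packets_in_window": len(capture_window(packets, event.ts))}
```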
Jyothish Varma, Director of Product Management, Nuspire
As organizations look to invest in an MDR, they should consider investing in a solution that has the capability to detect attacks geared to bypass existing security controls. For those solutions with static detection mechanisms, if the exploits used by a hacker don’t trigger a pre-existing rule, no one will know an attack is happening.
For this reason, companies must rely on a solution that augments existing security controls with advanced threat detection and response solutions and dedicated security analysts who are trained to proactively uncover evidence of threats.
Organizations should also consider a solution that detects attacks in real time with experts working around the clock to investigate and respond to alerts technology might have missed. A service that can provide a 24/7/365 security operations center staffed with security analysts ensures you will have full access to experts that can detect attacks as they happen and coordinate incident response plans as necessary. By working with providers that have 24/7 security operations centers, existing security teams will be much more productive and reduce time wasted responding to false positives.
The right MDR solution will not only help you remain secure from cyber threats, but will include these key features and outcomes that will benefit your organization.
CI Security, a Managed Detection and Response (MDR) services provider specializing in defending the networks of organizations and critical infrastructure, announced the addition of a Work From Home Security Policy Assessment to the company’s managed services offering.
The Work From Home Security Policy Assessment provides a comprehensive view of the risks faced by an organization and its remote workforce, and of the organization's capabilities to implement appropriate and effective security controls, including how to monitor an expanded, and in many cases unmanaged, set of endpoints.
In response to state and local governments, hospitals, banks and other critical infrastructure entities moving to remote work, CI Security scales the Work From Home Security Policy Assessment to meet an organization’s immediate need to ensure the recent move to a remote workforce is as secure as possible. CI Security can additionally construct a permanent zero-trust remote workforce security program.
The result of the assessment is a Work From Home Security Policy Assessment report that documents the remote work methods in use across the remote organization, the current organizational capabilities to secure the remote workforce, and a set of recommended controls deemed appropriate to meet customer risk management objectives and resource constraints.
“Organizations globally are responsible for a multitude of considerations when keeping their employees healthy and safe during this global pandemic, including a remote workforce that is secure,” said Fred Langston, CISSP, CCSK, EVP of Professional Services at CI Security.
“The Remote Workforce Security Assessment aligns with CI Security’s mission to deliver solutions for organizations that enable them to provide a seamless transition from office to remote work locations like spare bedrooms while maintaining an appropriate level of security throughout the transition and beyond.”
Mike Hamilton, the company’s co-founder and CISO, said, “Quickly deployed solutions for remote access are already being used as an attack vector. Some organizations are using Remote Desktop Protocol (RDP) over the Internet, from employee home computers that are not managed or monitored. We need to right this ship right now, because no one wants a ransomware event on top of a pandemic lockdown. Zero-trust will be the new normal.”
The Work From Home Security Policy Assessment includes the following services:
- Assess an organization’s policies, processes, training, and capabilities to secure the remote workforce
- Assess controls in place or controls that can be imposed on the remote workforce to minimize risk while continuing productivity
- Assess the capability of an organization’s remote workforce to comply with remote workforce security controls
- Assess the ability of an organization to secure remote work environments for extended periods
- Document all methods of remote work connectivity to office networks, computing requirements, cloud-based infrastructure, web applications, laptops, smartphones, and tablets