Blog

Managed Breach Detection Service

Written by Etienne Greeff | Jul 5, 2021 6:04:00 PM

Can you detect a breach in action?

In most cases, detecting a breach happens very late in the process, even with millions invested in security infrastructure and more than often, companies will only discover a breach when they have been notified by a third party or the attacker, which is usually weeks or even months after the initial infiltration.

  • Would you know if Bob from accounting spent his free time looking at open windows shares and copying files?
  • Would you know if external attackers had broken in and were dropping malware on your machines?
  • When did you last undertook a penetration test, how long did it take before your team caught the infiltrators?

As we know, the aim of an attacker is to gain a foothold in the target network immediately following initial compromise, regardless of how this is achieved and once this is done the attacker will start to explore the targeted network for vulnerabilities and determine where exactly an organisation stores information of interest.

So, why do organisations discover a breach too late:

  • Resources are stretched and SIEM logs or IPS events are ignored.
  • Security is expensive or complex.
  • They had plans to deploy detection, plans to maximise SIEM usage, plans to… that were never completed or ongoing.

With all this in mind, we need to be thinking differently and take a SMART approach, that provides early detection of any suspicious activities across all environments, followed by only one relevant alert when it matters, significantly reducing the time of unauthorised access on your infrastructure.

Just as you would add alarms to your property, this SMART approach will give you peace of mind, knowing that you have a high fidelity breach detection for various environments including local network, data centre and cloud.

Our solution is a smart, efficacious, practical Managed Breach Service; developed to reveal the presence of malicious insiders with a significantly low dwell time.

How it works:

Our Breach Detection devices are deployed throughout your environment either as a small form factor appliance, virtual or cloud-based detection devices. Once installed, the detectors are tuned and configured to mimic one of dozens of computing devices.

  • Web Servers in a DMZ network segment and referenced from other systems.
  • CEO PC with mapped drive to a Breach Detection Device mimicking a file server.
  • Cisco routers that seem to be connected to the network and production routers which point to it.
  • NAS or sensitive file servers in an AD domain.
  • Windows PC in the same network share as corporate users.

The only network access our Breach Detection device requires, is to a DNS server that is capable of external queries and is much less work than configuring border firewall rules for each device.

Attackers prowling a target network look for juicy content, browse Active Directory for file servers and explore file shares looking for documents, trying default passwords against network devices and web services, and scan for open services across the network.

When the attacker encounters a Breach Detection device, the services on offer are designed to solicit further investigation, at which point they have betrayed themselves, and you are notified of the incident with a detailed alert immediately reducing the dwell time.

Our Managed Breach Detection Service achieves the purpose of identifying intruders and reducing detection time.

The full service:

Together, we will evaluate your business requirements, defining constructively where exactly our devices should be located on your network and what type of services and assets they should mimic. Once completed, we install and configure the devices to filter any unwanted alerts, such as from internal solutions scanning the network. If and when an event occurs, ONE detailed alert is sent.

If you do not receive an alert, great news! However, we will send you regular detailed summaries, highlighting the status of the service, so that you are reassured they are active and watching… smart right?