Cybriant CTO: Analysis of a Phishing Email


I recently received an interesting phishing email that I shared with the rest of our company as part of our Internal Security Awareness program.  You might guess that as CTO of a security company I often receive phishing emails (and you’d be right), but this one caught my eye.  This phishing email was interesting for a few reasons:

  1. It made it past Microsoft’s ATP (Advanced Threat Protection) anti-phishing service in Office 365.
  2. It had a valid SPF record (no DKIM or DMARC).
  3. The phishing link used a cleverly URL-encoded redirect.

So, let’s take a look at the email:

There were several factors that tipped me off that things were amiss: 

  • I have never seen a similar voicemail email.
  • We don’t do business with any company named Alarmtech (looking at the email address).
  • We definitely DON’T do any business with any company named Alarmtech that has a Polish TLD (the “.pl” of “alarmtech.pl” domain in the email address).
  • The “local Wireless User” phone number was also odd.

So, I decided to take a look at the message’s full headers.

I was quite surprised to see that the email had a valid SPF record, and while it was unfortunate to see that DKIM was not set up, it is fairly common for less sophisticated admins to omit this type of email authentication.  This also explains part of why Office 365 gave a phishing email a pass instead of convicting it.

And, a quick check with MXToolbox confirmed that the SPF record was indeed valid.

Ok, at this point I was even more curious.  So, I copied the link for the “Play Record” button and utilized www.o365atp.com to de-obfuscate the link.  Bingo!  We’ve got something interesting!

Now, we have the de-obfuscated link (Office365 ATP uses a technology called Safe Links as an extra layer of protection).

https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

Notice that the URL begins with http://www.google.com.mx/url?q= (in this case it’s the Mexican Google site, as the TLD – top-level domain – is “.mx”).  This is a clever way to have Google redirect the user to the actual malicious website address, which is:

ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

Yes, that is a valid FQDN and URL.  And this is the other part of the reason why I believe this phishing email made it past Office 365’s ATP service: it’s using a method called URL encoding.  URL encoding allows you to do things such as put spaces in a filename.  For example, the following two bullet-point links would point to the exact same URL (Note: I used a random domain name):

[Image: the two example links, one written with a literal space and one with %20]

The “%20” is the URL-encoded value for a space “ ”.  There are some genuine uses for URL encoding, and it is especially helpful when creating scripts or working with APIs.  For example, when dealing with APIs in our SOC (Security Operations Center) this is often how we have to get around restrictions such as using an “@” in a username.  Instead of user@cybriant.com it’d be: user%40cybriant.com

So, let’s de-obfuscate the link using https://urldecoder.org:

https://64e53rw7.blob.core.windows.net/5e53rw76/index.html?pzone=YW5kcmV3LmhhbWlsdG9uQHByaW11c3NlcnZpY2VzLmNvbQ=&#61&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q
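The same peeling the post does by hand with o365atp.com and urldecoder.org, as an added Python example (not code from the post or from Cybriant): it pulls the q target out of the Google redirector, percent-decodes it, resolves the &#61;-style HTML entities a browser would silently accept, and reports the real host and query parameters. The input is the link quoted above; the redirector check, the function names and the guess that pzone is base64 are assumptions.

```python
"""Peel the obfuscation layers off a redirect-wrapped phishing link.

Added example (not from the original post).  Does in code what the post
does by hand with o365atp.com and urldecoder.org.
"""
import base64
import html
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Input: the "Play Record" link quoted in the post (Safe Links already removed).
PHISHING_LINK = (
    "https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37"
    ".%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69"
    "%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33"
    "Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26"
    "%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q"
)


def redirect_target(url: str) -> Optional[str]:
    """If url is a Google-style /url?q=... redirector on any www.google.*
    host, return the percent-decoded value of q; otherwise None.
    (The host/path pattern is an assumption for this example.)"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not (host.startswith("www.google.") and parts.path == "/url"):
        return None
    target = parse_qs(parts.query).get("q")   # parse_qs unquotes once
    return target[0] if target else None


def normalize(url: str, max_rounds: int = 5) -> str:
    """Undo percent-encoding and HTML character references until the
    string stops changing.  Covers double encoding and the &#63; / &#61
    tricks (with or without the closing semicolon) seen in this link."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(url))
        if decoded == url:
            return url
        url = decoded
    return url


def unwrap(link: str) -> Dict[str, object]:
    """Follow redirect wrappers and report every hop plus the final host.

    Keep the full hop list: the post notes the landing page only showed
    its malicious behaviour when reached through the google.com.mx
    referrer, so a sandbox submission should use the wrapper, not the
    bare destination.
    """
    hops = [link]
    current = link
    while True:
        nxt = redirect_target(current)
        if nxt is None:
            break
        current = normalize(nxt)
        hops.append(current)
    final = urlsplit(current)
    params = {k: v[0] for k, v in parse_qs(final.query).items()}
    return {"hops": hops, "final_url": current,
            "final_host": final.hostname, "params": params}


def decode_base64_param(value: str) -> Optional[str]:
    """Try to read a query value as base64 text (phishing kits often carry
    the recipient's address this way to pre-fill the fake login page);
    return None if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    report = unwrap(PHISHING_LINK)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop}")
    print("final host:", report["final_host"])
    for name, value in report["params"].items():
        print(f"param {name} = {value!r}  base64? ->", decode_base64_param(value))
```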

There we have the REAL link.  Next, we’ll explode this link in Joe Sandbox to see its behavior.  Click on the following link to see the full Joe Sandbox analysis, and see what our SOC would discover if they were performing this for a customer.  I’ll give you a hint: it turns out it’s malicious:

https://www.joesandbox.com/index.php/analysis/166555/0/executive

Note:

When I first exploded the URL decoded link Joe Sandbox didn’t find anything interesting.  And so, the second time I utilized the link that was a google.com.mx referrer link.  When using the referring link Joe Sandbox determined that the final destination URL was indeed malicious.  In short, the bad actor built a check into their website to ensure that the full link was being used (confirmed by seeing Google.com.mx referring the user to the phishing website).  Pretty spiffy thinking on their part! 

Andrew Hamilton

CTO

Andrew Hamilton is a member of the executive management team of Cybriant, a leader in the cybersecurity services industry. As CTO he is responsible for the technical vision and the delivery of services at Cybriant. Since its founding in 2015, Andrew has led the selection, evaluation, and adoption of all security technology and tools utilized by Cybriant in the delivery of its managed security services.

Learn more about Cybriant’s Continuous Threat Detection & Remediation Services: https://cybriant.com/pretect

Capital One Data Breach: Importance of Cybersecurity Basics


By now you’ve heard of the Capital One Data Breach that happened on July 29, 2019, where a hacker gained access to 100 million Capital One credit card applications and accounts. Read more about the thoughts from Cybriant’s Chief Technology Officer, Andrew Hamilton.

My first reaction when I saw the Capital One data breach was the same as many of yours: someone misconfigured something, and a former employee had knowledge of that misconfiguration.

What we most commonly see as a security company when organizations move to the cloud is the expectation that the cloud provider (AWS, Azure, Google) will automatically understand and take into account any security threat vector which may be particular to an organization. 

Unfortunately, they can’t work in that manner because requirements and environments will always differ from one organization to the next.  What may be a potential threat vector to Capital One could be required functionality to another organization. 

And so, the cloud providers afford their customers a high degree of flexibility, but they state in their Terms of Service (and recommendations) that the customer is responsible for securing their own tenant. 

Similarly, when we monitor a customer’s environment one of the first things we check for is whether we see customer endpoint devices utilizing external DNS servers instead of the official internal company DNS servers. 

Malware absolutely loves to exfiltrate data via DNS because most of the time UDP/TCP 53 is wide open to the Internet.  And while there are certainly ways to exfiltrate data via valid CNAME and TXT records (which require additional techniques to monitor/block, such as RPZ records), those are computationally less efficient than simply blasting data via a commonly trusted DNS port and bypassing HTTPS SSL inspection.
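An added example of the check described above (not Cybriant’s own tooling): it runs over constructed firewall flow records, flags port-53 traffic from internal endpoints to anything other than the company resolvers, and totals the bytes per endpoint/server pair so a host pushing kilobytes over “DNS” stands out from a stray lookup. The resolver addresses, the 10.0.0.0/8 internal range and the key=value log format are assumptions for the demo.

```python
"""Flag endpoints that talk DNS to resolvers other than the company's own.

Added example (not from the original post).  Resolver addresses, network
ranges and the log format are assumptions made for this demo.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: the only resolvers endpoints are supposed to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumed: address space of the internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (not real logs).  Line 2 is the company resolver
# forwarding outward (expected); lines 3-5 are workstations bypassing it.
SAMPLE_FLOWS = """\
2019-08-01T10:00:01Z src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53 bytes=78
2019-08-01T10:00:02Z src=10.0.0.53 dst=9.9.9.9 proto=udp dport=53 bytes=80
2019-08-01T10:00:05Z src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53 bytes=1460
2019-08-01T10:00:06Z src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53 bytes=1460
2019-08-01T10:00:07Z src=10.0.7.14 dst=203.0.113.10 proto=tcp dport=53 bytes=65000
2019-08-01T10:00:08Z src=10.0.7.14 dst=203.0.113.10 proto=tcp dport=443 bytes=900
2019-08-01T10:00:09Z src=10.0.9.2 dst=10.0.1.53 proto=udp dport=53 bytes=70
"""


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Turn 'timestamp k=v k=v ...' into a dict; None for lines that don't fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def rogue_dns_flows(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Port-53 flows from an internal endpoint to a non-approved server.

    Flows whose source is an approved resolver are skipped: a resolver
    forwarding to the outside is expected, a workstation doing it is not.
    """
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.get("dport") != "53":
            continue
        src, dst = f.get("src", ""), f.get("dst", "")
        if src in APPROVED_RESOLVERS or dst in APPROVED_RESOLVERS:
            continue
        if is_internal(src):
            hits.append(f)
    return hits


def bytes_by_pair(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total rogue-DNS bytes per (endpoint, external server) pair."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in rogue_dns_flows(lines):
        totals[(f["src"], f["dst"])] += int(f.get("bytes", "0"))
    return dict(totals)


if __name__ == "__main__":
    ranked = sorted(bytes_by_pair(SAMPLE_FLOWS.splitlines()).items(),
                    key=lambda kv: -kv[1])
    for (src, dst), total in ranked:
        print(f"{src} -> {dst}: {total} bytes to a non-approved DNS server")
```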

There was an excellent article at InfoSecurity Magazine yesterday on the top 5 penetration test discoveries (link:  https://www.infosecurity-magazine.com/news/95-test-problems/). 

All five boil down to good Systems Administration hygiene. They aren’t as “sexy” as buying a Palo Alto and bragging about it to friends, but instead are things that are often left by the wayside (requiring complex passwords, simple patch management, etc.).

What can be even more puzzling is when we see organizations who want a VERY expensive penetration test, and yet they haven’t even begun resolving the issues found from their vulnerability scanner.  Unfortunately, this is the norm that we see across industries and company sizes.

To avoid a Capital One-style data breach at your organization, read to the end to see our recommendations.

Capital One Data Breach Facts

On July 29th, 2019 Capital One Financial Corporation, a US-based bank holding company specializing in banking, credit cards, loans and savings, released a statement [1] regarding the detection of a breach resulting in unauthorized access to personal data pertaining to over 100 million Canadian and US credit card applicants and customers.

  • The breach is believed to be one of the largest in the history of the banking industry;
  • According to the statement, Capital One does not believe the compromised data has been used fraudulently;
  • Capital One became aware of the breach following a responsible disclosure email alerting them to potentially leaked data on a GitHub account associated with the alleged threat actor (TA);
  • The breach reportedly exploited a configuration vulnerability in Capital One’s infrastructure, including at least one known firewall misconfiguration, permitting access to customer data stored on Amazon Web Services’ (AWS) cloud;
  • US Law Enforcement arrested an alleged TA, ‘Paige Adele Thompson’, a former Amazon Inc. employed S3 Systems Engineer [2], also known as ‘Erratic’, in Seattle, WA (US) on suspicion of ‘Computer Fraud and Abuse’ as filed [3] in a criminal complaint with the US District Court for the Western District of Washington at Seattle;
  • The hack is expected to cost the company up to $150 million in the near term, including paying for credit monitoring for affected customers.

Scope of breach

  • Personal data of more than 100 million US and 6 million Canadian customers (consumers and small businesses), including approximately:
    • 140,000 US Social Security numbers;
    • 1 million Canadian Social Insurance Numbers (SIN);
    • 80,000 US bank account details;
    • Names, addresses, phone numbers & dates of birth;
    • Self-reported income;
    • Credit scores, limits, balances & payment history.
  • Stolen information pertained to credit card applications from 2005 through to 2019.

Capital One Data Breach Timeline

  • 12 March – 17 July 2019 – Period in which unauthorized access to Capital One’s infrastructure likely occurred;
  • 22 March 2019 – Capital One access logs confirm unauthorized access to AWS from a compromised account;
  • 21 April 2019 – Timestamp associated with leaked data hosted on GitHub in addition to unauthorized activity recorded by Capital One logs;
  • 26 June 2019 – Posts on a Slack channel associated with, and using an alias of, the TA include screenshots and directory listings of files belonging to Capital One and other potential victims;
  • 17 July 2019 – Responsible disclosure email received by Capital One, alerting them to ‘leaked s3 data’ hosted on a GitHub Gist account believed associated with the threat actor;
  • 18 July 2019 – Direct messages posted by the TA suggest that they were prepared to distribute the stolen data;
  • 29 July 2019 – US FBI agents arrested the TA and Capital One released a public statement about the breach (also establishing a dedicated data breach webpage [4] with an FAQ for potentially affected customers).

Cybriant Recommendations:

  • Organizations using cloud-based services, such as Amazon S3, should ensure that assets are correctly configured to prevent inadvertent or unauthorized access to sensitive data. Cloud providers will provide documentation detailing identity and access policy configurations that can restrict access, be that by user, file, bucket or organization.
  • Patch Management is a vital service that is often overlooked or taken for granted. Cybriant offers a Responsive Patch Management service that will take the guesswork out of the administrivia of this task and maintain a healthy network.
  • Vulnerability scans may catch the majority of issues, but these need to be done continuously. If you are only scanning once a year or quarter, that leaves a long period of time for hackers to use those vulnerabilities for malicious purposes. The alerts that come from the scans need to be remedied. Our Risk-Based Vulnerability Management service will aid your team to identify vulnerabilities to protect your network.
  • Logging any incidents in your network is the best way to protect against advanced persistent threats, including insider threats. Our Managed SIEM with 24×7 Security Monitoring service is not only a potential compliance requirement but will address and resolve most complex cyber risk issues.

Sources:

  1. http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043
  2. https://www.linkedin.com/in/PaigeAdeleThompson
  3. https://www.justice.gov/usao-wdwa/press-release/file/1188626/download
  4. https://www.capitalone.com/facts2019/

Your SIEM needs a Hedgehog!

At Cybriant, we are big fans of Jim Collins’s book, Good to Great. This is a classic book for business leaders that describes how Mr. Collins and his team researched 1,435 established companies to find common traits of those businesses that made a leap from average to great results. The principles that are discussed in the book include lessons on eggs, flywheels, hedgehogs, and other essentials of business.

Let’s talk Hedgehogs

In his famous essay “The Hedgehog and the Fox,” Isaiah Berlin divided the world into hedgehogs and foxes, based upon an ancient Greek parable: “The fox knows many things, but the hedgehog knows one big thing.” Mr. Collins asks in his book, “Are you a hedgehog or a fox?”

Cybriant understands that when it comes to managed SIEM, we are hedgehogs. According to the book Good to Great, a hedgehog concept is a simple, crystalline concept that flows from deep understanding about the intersection of three circles: 1) what you are deeply passionate about, 2) what you can be the best in the world at, and 3) what best drives your resource engine.

We are hedgehogs because we are deeply passionate about understanding SIEMs – how they work, how to get the proper data out of them, and what to do with that data. We are the best in the world at this because we have the top talent on staff, of course! What drives our resource engine is SIEM, SIEM, SIEM. SIEM implementations, training, monitoring, and so much more. We live and breathe SIEM.

So, why do you need a Hedgehog for your SIEM?

One of our partners, AlienVault, was included in the recent Gartner Magic Quadrant for SIEM. This is awesome news! If you already use AlienVault, you know that you are working with the best. But, not every company has the resources to make it (or whichever SIEM you chose) work properly for them.

According to Gartner, there are four “cautions” when it comes to AlienVault.  Here’s how a hedgehog, like Cybriant, can help assist with those potential weaknesses when it comes to your SIEM:

Caution #1: USM provides NetFlow capture, basic statistics, and context for assets, but cannot generate alerts from NetFlow.

With the recent 5.4.x AlienVault release the ability to generate alerts from NetFlow has been addressed, but we would always recommend using the right tool for the job.

AlienVault is a phenomenal correlation engine that can take a lot of data from disparate sources and discover threats from seemingly innocuous information.  It does this by taking data from Active Directory, antivirus engines, firewalls, intrusion detection, and/or anything that can produce a log message for analysis.  Each of these sources is simply a single slice of the pie just like NetFlow.  Additionally, there are technologies that specialize in analyzing nothing but NetFlow to discover behavioral events and how they may be a threat.  AlienVault will take those kinds of specialized tools and create a holistic threat analysis so that you get the whole pie and not just a single slice.

Caution #2: Integration of unsupported data sources is cumbersome compared with competing products. Alternatively, users can request AlienVault develop a plug-in to enable the integration.

The fact of the matter is that there is no data analysis engine that can parse and integrate every technology on the market without some sort of expertise, understanding of the data, and ability to create an integration.

Cybriant Engineers regularly write plugins and integrations for the AlienVault platform.  For simple products that are “unsupported” by AlienVault, it may take an hour to write a plugin.  For very complex products with hundreds (or more) of rule variations on messages in logs, it will take longer.  Through literally thousands of implementations, the Cybriant team has yet to find a product that cannot be integrated (or have a plugin created) as long as it outputs data.

Caution #3: Although identity activity can be linked with assets, USM provides only basic enrichment of event data with user context; and identity and access management (IAM) integration is limited to Active Directory and LDAP.

There are many tools that can integrate with AlienVault to provide enriched user data, and out of the box, AlienVault has some built-in IAM capabilities.  Additionally, the USM Anywhere product has advanced user enrichment functionality with IAM and IDM software.  However, when we encounter cases where a user had a problem with their SIEM we typically discover that one of a couple of things has occurred:

  • The necessary data isn’t being fed into the SIEM (either through lack of logging verbosity or other configuration issues).
  • The Security Analyst (or, as is more often the case, the overworked Systems Administrator) performing the analysis doesn’t have the experience necessary to do a data deep dive.

Think of it this way: if you have a musical instrument and don’t correctly tune it, then it will sound terrible.  Similarly, if the correct data isn’t being sent to the SIEM and the system isn’t tuned to excel at processing that data, then a Security Analyst will get poor results.  Additionally, like a musical instrument, you could have the best-made instrument in the world, but if the musician doesn’t know how to play it then it will sound terrible.  With a SIEM, if the Analyst (Administrator/etc.) doesn’t have the experience and dedicated training required to be successful then the results will be poor.

At Cybriant our SIEM Analysts have a deep understanding of both how the SIEM should be configured and how to discover threats using the SIEM.  These are two distinctly different skills.  Additionally, our SIEM Analysts have direct and instant access to the rest of our team members who specialize in different fields (such as Implementations, Malware Analysis, Forensic Analysis, etc.).  This means that instead of a single Security Analyst who is hunting down alarms, Cybriant has an entire Security Task Force who is actively monitoring your infrastructure.

Caution #4: AlienVault’s workflow capabilities do not include integrations with external ticketing systems or role-based workflow assignments. 

The traditional AlienVault USM does not have integrations with external ticketing systems, and so the Cybriant Security Operations Center solves this issue by having rigorous Processes and Procedures in place.  Without Processes and Procedures, workflows and integrations are typically handled in a hodgepodge manner instead of a hedgehog manner.

Additionally, with USM Anywhere, AlienVault now has integrations with external ticketing systems.  And so Cybriant can simply utilize our already existing Processes and Procedures along with that automation to keep costs low for our customers.

Learn more about Cybriant and let us know if you need a hedgehog for your SIEM!


Why You Must Perform A Security Assessment


Recently, we discussed why it is important to have a SIEM (Security Information and Event Management) system, and why it is crucial for skilled Administrators to actively use and monitor it. For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series. This week’s post will cover why it’s important for your organization to perform a Security Assessment to analyze your organization’s operational risks.

One of the biggest issues facing organizations today is that security is an invisible attribute.  IT administrators will set up devices or services, configure the security parameters, and rarely, if ever, consider the security settings again.  Organizations routinely write policies for user access and infrastructure and never update them.  Systems are tested and vulnerabilities discovered but left unresolved. This is the “Set it and Forget it” Syndrome, and almost every organization suffers from it.  As Rob Joyce points out, Nation State Hackers and Advanced Persistent Threats (APTs) are relying on these issues, and unfortunately, we are making their jobs easy by not assessing our systems and processes regularly.

Everyone has blind spots which cause them to overlook important issues.  Infrastructures constantly change which introduces new vulnerabilities while new methods of attack are discovered or invented daily.  And, often what was secure yesterday is likely not secure today. Periodic assessments can help your organization identify these blind spots so your teams can design an effective security program.  Assessments can help determine the best methods to prevent a breach, as well as protect assets and corporate reputations.


Why perform a periodic Security Assessment?

Organizations are increasingly bound by governmental regulations which dictate what security measures must be in place and how they are to be audited.  PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC and GSA among others all dictate how to secure different types of data and the systems that manage them.  These regulations also require regular security posture assessments.

Read more: Is a SIEM required for PCI Compliance? 

While regulations are often the driving factor, they aren’t the only reason why an organization should perform (or better yet, have a third party perform) periodic assessments of their infrastructure.  A Security Assessment is the equivalent of an organization’s State of the Union.  It is a report that looks at every aspect of security and details the severity and potential impact of risks to the company.  Furthermore, it produces the fundamental information required to create a roadmap to a successfully secure business.  To navigate to any destination you must first know where you are.

What should be assessed?

To begin, most organizations only focus on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly.  Yes, it is important that the firewall blocks bad guys and workstations are kept secure, but what about phone systems or printers?  Will your users recognize and report a phishing email attempt?  What is the process for when an employee exits your organization? Did anyone remember to disable their key card to the building?  A thorough Security Assessment will go beyond the typical IT systems assessment.  Here is a list of security domains that should be considered during a Security Assessment:

  • Access control
  • Information Governance and Risk Management
  • Infrastructure Architecture and Design
  • Cryptography
  • Operations Security
  • Network and Telecommunications Security
  • Disaster Recovery and Business Continuity plans
  • Governmental Regulations
  • Incident Management Policies and Procedures
  • Physical Security
  • IT Security Training Programs
  • Network Boundaries

What about after the Security Assessment?

It is shocking to think that most companies will pay for a third party to audit their systems, processes, facilities, and personnel; then, do nothing to resolve the discovered issues.  This is exactly what Rob Joyce points out in his video.  A high percentage of companies will fail to close gaps discovered during security audits.  A vulnerability of any size is important no matter where it exists.  All an APT really needs is a toehold.  Once one is presented no matter how small, attackers will use it to gain access to your company’s data.

Once you have received your assessment results, it is imperative to either fix the discovered issues or create compensating controls to prevent these issues from being leveraged.  As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported.  Joyce also says not to assume any crack in your defenses is too small or insignificant to be exploited.  These toeholds are exactly what Advanced Persistent Threats are looking for in your environment.

Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect.  Most companies have a provision in the employee handbooks that instruct employees not to discuss salary information with fellow employees.  We don’t often find this level of care and communication when it comes to IT security.  Accountants frequently audit the bank and company for fraudulent activities.  It’s time that companies added IT security to this list of very important, very well understood activities.  Yearly assessments should be the norm and the findings should be well communicated within the company.  IT security cannot be the sole responsibility of a few guys in the back of the building.  Every employee has to be involved because every employee is a target.

The journey to a secure organization begins with the first step.  Your first step should be a Security Assessment to know where to place your foot, and how to find the path ahead. Start here: https://www.cybriant.com/security-analysis/

by Byron DeLoach


Watch Your Back: Why You Must Have A SIEM


Recently, an article was published on Wired about Rob Joyce, Chief of the NSA’s Tailored Access Operations and his discussion on Disrupting Nation State Hackers. Here’s the link to the original video: Disrupting Nation State Hackers.

There are quite a few areas that Joyce discusses that make life miserable for the NSA. The things that make them the most miserable are the following: Security Information and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices to analyze traffic, and worst of all, competent System Administrators who use these technologies.

Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with SIEM.

Technology creates a lot of information, and it typically leaves a record of what it has performed in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smart phone, or printer a trail of events and information is created like a receipt you would get from grocery shopping.

Unfortunately, the logs are often forgotten, or commonly never analyzed unless there is a major problem. Even then, System Administrators grudgingly perform log analysis simply due to the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information contained in these logs, and like in The Matrix, System Administrators can use this information to observe what is happening in their infrastructure.

Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS) that passively monitor your network from a tap or mirroring port. They are out-of-band because they are not directly in the path of the data and instead have data mirrored to them. This gives them a couple of advantages: if they break they don’t break your network, and more importantly when it comes to security, hackers cannot see the OOB device. You can think of it like having a concealed bodyguard in the dark with night vision when a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs which are then sent to your SIEM.

SIEM stands for Security Information and Event Management. The SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense out of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can actually find the needle in the haystack. Fifty million events just happened on your network and it can find the handful of malicious actions stealing your data (or credit card numbers if you’re Target or Home Depot).

SIEMs need to be constantly updated in order for them to be effective. The information that updates the SIEM is called Indicators of Compromise (IOC). An IOC might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on their homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn’t have access, or data going to an inappropriate or unauthorized destination such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon.

As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.”

And, when a bear is chasing you, you don’t have to be the fastest in the pack, just don’t be the slowest.

Finally, we get to the most important part of defending your company or organization’s jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best awesome security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and constantly monitoring, analyzing, and improving.

The responsibility doesn’t stop at them watching the bad guys do bad things. Like Joyce says, the System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat approach fails, then your data will definitely be compromised and the hacker wins.


Don’t let the hackers win.
