Total managed cyber security solutions from Longwall.
Common problems we solve
These dashboards are based on acknowledged security use cases and our extensive incident response and breach investigation experience, including:
- Protocol Anomaly Detection
  - Inbound and outbound protocol usage
  - Use of insecure or unauthorised protocols (FTP, SMTP, Telnet, backup or remote access protocols)
- Active Directory and User Behaviour
  - Failed logons
  - Out of hours user logon
  - Privilege escalation – users added to privileged groups (Domain Admins, Enterprise Admins)
  - Failed logons and spikes of activity that may indicate a brute force type attack
  - VPN login activity – anomalies in user login activity such as multiple logins from different geographic locations
- Anti-Malware / Machine Learning / Behaviour Monitoring
  - Host Based Intrusion Prevention (IPS): high/critical events that have an associated Common Vulnerabilities and Exposures (CVE) entry
  - File Integrity Monitoring events (such as the hosts file being edited)
  - Switch login activity – TACACS+ logs identifying anomalous administrative login activity
- Web Proxy / Filtering
  - User web activity – focused on potential threats
  - Administrator Internet browsing and the potential to download a malicious payload
  - Download and potential drive-by download activity
  - Inspection of suspicious/malicious website activity and correlation with endpoint alerts
- WAF / Web Application Firewall Logs
  - Targeted web site attacks considering the OWASP Top 10
  - Threat intelligence correlation
- Email Security
  - DMARC – Domain-based Message Authentication, Reporting and Conformance (presented using dashboards for monitoring SPF/DKIM performance)
  - Monitoring of Business Email Compromise and targeted attacks
  - Monitoring of anomalous behaviour and correlation with threat intelligence
Our forensic playbooks allow our analysts to escalate a critical incident to the CSIRT and automate the process of image acquisition and timeline creation. This approach not only reduces the time to detection of a breach but can also significantly increase the speed of containment and remediation of the incident.
A dedicated block within our playbooks references known false positives or environmental factors which may trigger unnecessary alerts, or alerts that are already being remediated as part of an ongoing cyber resilience and improvement strategy. Environmental factors may include insecure protocol usage, unwanted administrative behaviour, high privilege account usage, duplicate password usage, and service account lockouts due to misconfiguration or vulnerability scan engines. These alerts create ‘Security Concerns’ tickets for ongoing improvement. This avoids creating tickets which cannot be resolved and allows environmental factors, misconfiguration or unwanted user behaviour to be addressed as part of a roadmap for continuous improvement.
- Full utilisation – optimising configuration of existing technologies to unlock unused or blocked features.
- Interoperability – creating rapid, flexible integration and secure interoperability between virtually any security control or platform. The flexibility to integrate events from any vendor means our service is not reliant on the deployment of any specific endpoint, network or perimeter technologies, allowing us to integrate with best of breed technologies from multiple vendors as part of a defence in depth strategy.
- Data normalisation – normalising output data using a common schema, unlocking insights from comparable analysis.
UEBA and UBA rules are created using logic conditions within playbooks, based on both established and customer specific use cases. A starting point for use case creation is to understand what constitutes expected behaviour within the environment, and develop use cases that could indicate unwanted, unauthorised, or suspicious activity.
To achieve this, playbooks are designed to trigger based on a combination of factors, including network protocol usage, Windows / Azure / Office 365 security event IDs and alerts, VPN logs and other relevant security controls.
We typically integrate playbooks based on the following use cases and scenarios:
- Out of hours administrative logon (based on expected logon hours)
- Privilege Escalation, including adding of users to generic administrative groups e.g. Enterprise Admins
- Administrator (high privileged accounts) used for Internet browsing
- Unauthorised or unexpected PowerShell usage e.g. PowerShell usage from unexpected sources and accounts
- Unauthorised internal use of remote access protocols e.g. RDP, SSH, TeamViewer etc.
- Unauthorised external remote access (outside of remote access / corporate VPN policy)
- Evidence of impossible travel between logons
- Use of insecure or unauthorised protocols or ciphers, including those associated with data exfiltration and lateral movement
- Protocol negotiation downgrade attacks e.g. client attempts to negotiate weak or insecure SMB dialect
- Network Anomalies (abnormal protocol usage, port scans, reconnaissance)
- Brute force attempts, indicated by account lockouts or repeated logon failures
- Internet browsing or download from malicious sites
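As an added illustration (not Longwall's playbook code), the following shows how three of the use cases above can be expressed as logic conditions over Windows Security events: out of hours administrative logon, brute force indicated by repeated logon failures, and addition of a user to a privileged group. The event records, the `adm-` naming convention for administrator accounts, the expected logon hours and the thresholds are all constructed assumptions; the event IDs 4624, 4625, 4728 and 4756 are real Windows Security event IDs, but the field names are simplified.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (simplified fields, hypothetical data).
# 4624 = successful logon, 4625 = failed logon,
# 4728 / 4756 = member added to a global / universal security group.
EVENTS = [
    {"id": 4625, "time": "2024-03-04T09:00:00", "user": "jsmith", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-03-04T09:00:05", "user": "jsmith", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-03-04T09:00:09", "user": "jsmith", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-03-04T09:00:12", "user": "jsmith", "src": "10.0.0.5"},
    {"id": 4625, "time": "2024-03-04T09:00:15", "user": "jsmith", "src": "10.0.0.5"},
    {"id": 4624, "time": "2024-03-04T02:10:00", "user": "adm-lee", "src": "10.0.0.9"},
    {"id": 4624, "time": "2024-03-04T14:10:00", "user": "adm-lee", "src": "10.0.0.9"},
    {"id": 4728, "time": "2024-03-04T11:30:00", "user": "adm-lee", "target": "bobw", "group": "Domain Admins"},
    {"id": 4728, "time": "2024-03-04T11:31:00", "user": "adm-lee", "target": "bobw", "group": "Sales"},
]

ADMIN_PREFIX = "adm-"                                   # assumed naming convention for admin accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
EXPECTED_ADMIN_HOURS = range(7, 20)                     # assumed expected logon window, 07:00-19:59
BRUTE_FORCE_THRESHOLD = 5                               # assumed: failures per account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)               # ... within this sliding window

def _ts(event):
    return datetime.fromisoformat(event["time"])

def out_of_hours_admin_logons(events):
    """Successful logons by admin accounts outside the expected hours."""
    return [e for e in events
            if e["id"] == 4624 and e["user"].startswith(ADMIN_PREFIX)
            and _ts(e).hour not in EXPECTED_ADMIN_HOURS]

def brute_force_candidates(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Accounts with at least `threshold` failed logons inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["user"]].append(_ts(e))
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
    return sorted(flagged)

def privileged_group_additions(events):
    """Group membership changes whose target group is a privileged group."""
    return [e for e in events if e["id"] in (4728, 4756) and e["group"] in PRIVILEGED_GROUPS]
```

Each function returns the matching events or accounts so a playbook can raise a ticket, alert the user, or hand the result to a conditional containment step.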
Further use cases may be recommended following network forensics and a period of threat hunting performed during onboarding.
Following the triggering of a playbook, we provide a range of automated actions, including ticket creation, alerting the user and security teams directly (by email or Teams), screen capture, threat intelligence correlation and ticket escalation. Automated containment actions may also be considered, including disabling of suspected compromised accounts, enabling of conditional access or MFA, system isolation, and scanning for malware. Any automated action can be made conditional on authorisation provided by an analyst or member of your security team.
Threat intelligence feeds are directly integrated with playbooks allowing automatic correlation and further automated actions to be performed based on the results and severity of the intelligence received.
Examples of threat intelligence feeds include MISP, VirusTotal, Sophos, IBM X-Force, Rapid7 and Cisco. The integration of preferred or industry specific feeds will be considered during customer onboarding and may take into account our customer’s existing investment in technology or other factors, including industry specific and supply chain related threat intelligence.
Threat intelligence sources are also used to correlate existing account credentials with threat intelligence relating to breached credentials. In the event of a historical breach, or should we be providing incident management or response services, dark web threat intelligence may be used to help identify and potentially recover exfiltrated data.
We have always felt like Longwall’s no.1 customer and their knowledge is astounding!