Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Even in the all-too-plentiful world of vulnerabilities and exploits, CVE-2020-1472 (aka Zerologon) is special, receiving a base criticality score of 10/10 under the Common Vulnerability Scoring System (CVSS).
eSentire was by no means the only security vendor pushing out alerts and advisories about Zerologon. Nor were we the only ones to claim to be able to detect an attack. However, to our knowledge, the behavioral Zerologon detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools. This is a subtle—but important—difference.
But before we dive into detections, let’s first quickly review why Zerologon is causing such a ruckus in cybersecurity circles.
Without going too deep into the technical details, Zerologon allows an attacker who has already gained Initial Access to achieve Privilege Escalation, acquiring the ability to execute remote code, disable security features and change computer passwords in Active Directory (AD).
Zerologon was discovered by researchers at Secura and was announced on August 11 as part of the Microsoft August 2020 Security Updates patch. On September 11—after allowing a month for IT administrators to apply patches—Secura released technical details and a test tool. The technical details publication set the clock ticking, as it serves as a how-to guide for security researchers and would-be attackers.
True to expectations, just a few days later, proof of concept (PoC) exploit code was available, prompting eSentire to send, on September 14, a Threat Intelligence Advisory about CVE-2020-1472 in anticipation of seeing attacks in the wild in the very near future. By this point, customers of eSentire’s Managed Vulnerability Service (MVS) already had a local plug-in to quickly and easily determine if they were at risk. Owing to the significant risk associated with this vulnerability, on September 18 the Cybersecurity and Infrastructure Security Agency released a rare emergency directive requiring all US federal agencies to update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.
Needless to say, such directives are reserved for only the most serious of situations.
Finally (so far at least), on September 23 eSentire pushed out an updated advisory, spurred by three new developments:
As noted in the introduction, eSentire’s Zerologon detection capability recognizes the exploit/attack itself, rather than just some associated behavior. To understand why the difference matters, it’s important to recognize that threat actors are constantly evolving their tools, techniques and procedures (TTPs)—and that this constant evolution is adept at finding weak points in cyber defenses.
Let’s say today’s generation of Zerologon attackers use a particular tool (say, mimikatz) to do something like this:
ATTACK à ACTION #1 or ACTION #2 or ACTION #3
The other detectors we have seen identify the use of a particular tool (i.e., mimikatz) and spot the follow-on actions, and use the correlation to imply use of Zerologon. That’s fine for stopping this combination of tool and actions, but what happens when attackers realize they’re being stopped? They’ll simply respond by changing tools and tactics to introduce ACTION #4, ACTION #5 and so on. The correlations will fail, the attacks will go undetected, and there’s a window of opportunity for attackers.
Instead of only identifying the actions (which, to be clear, we also do), eSentire’s detector identifies the actual exploit/attack itself. With our esLOG detector in place, it doesn’t matter if an attacker changes tools or quickly churns out new variations of the follow-on actions, because we still spot the original attack. There’s no game of catch-up—so our customers benefit from much more robust protection.
Analyzing logs isn’t unique to eSentire, so what enabled us to introduce a more powerful detection capability than other security providers?
The moment the technical details dropped, eSentire’s elite Threat Response Unit (TRU) went to work performing their own direct, applied research on CVS-2020-1472, to augment and extend beyond what was available in security forums and other OSINT resources. This deep hands-on exploration and experimentation helps us better understand the threats our customers face and can reveal unique insights and nuances that unlock more effective protection.
In this case, we discovered some aspects of Zerologon exploitation that we haven’t seen published elsewhere, and this insight is what allowed us to develop a uniquely powerful detection capability.
We’ve written elsewhere how important our people are to what we do at eSentire—and that’s because it’s true. Few security companies in the world can bring to bear the same number and caliber of security researchers as we can, and this collection of SOC analysts, threat hunters and security researchers are what allow us to consistently discover and contain even the most sophisticated threats.
It’s a differentiator we’re proud of and—more importantly—it’s one that makes a meaningful difference for our customers.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.