Even in a year as eventful as 2020, the SolarWinds supply chain breach is making headlines around the world because of the organizations that were compromised and the number of organizations put at risk as a result of being SolarWinds customers and running their popular Orion® IT monitoring and management software. The incident was discovered and revealed by the cybersecurity firm FireEye while investigating how its own Red Team tools had been stolen. The saga continues to unfold as additional information comes to light. But even as the story evolved and other companies rushed to comment, eSentire quietly went about what we always do: ensuring that our customers are prepared and protected.
In fact, within just a few hours of FireEye’s initial announcement on December 8th, we had already rolled out new esNETWORK detection rules and we were running esENDPOINT and esLOG queries against the CVEs targeted by FireEye’s stolen Red Team tools.
In this post we want to quickly run through:
Safeguarding our customers means keeping up with an endless stream of threat intelligence and turning that information into tangible assets and meaningful actions.
Sometimes that intel comes from threat feeds, sometimes it comes from advisories and often, it is gathered and processed automatically by our sensors and observed directly by one of our security analysts…you get the idea.
All day, every day, cybersecurity providers must grapple with new attack tools, new proof-of-concept (POC) exploits, new indicators of compromise (IOCs), and so on, and only a tiny fraction of these ever make the news.
Keeping up with this stream of information is a challenge—in fact, it is one of the biggest challenges all organizations and security service providers face—and doing so requires a synthesis of people and technology within a framework of operationalized processes. We have been doing Managed Detection and Response (MDR) for 20 years, and in that time, we have invested heavily in creating the necessary platform.
We were able to take such quick action because responding to events like this is what we do, all day, every day. Our Atlas Extended Detection and Response (XDR) Cloud platform, working in concert with security experts in our 24x7 Security Operations Centers (SOCs) and with members of our elite Threat Response Unit (TRU) security research team, detects and responds to everything from the most mundane threat to the most lethal. And we have two decades of muscle memory upon which to draw.
Detecting and containing threats requires keeping up with an endless stream of operational threat intelligence and turning it into meaningful action: in this case, FireEye’s initial announcement was reflected in esNETWORK, esENDPOINT, esLOG, and eSentire’s Managed Vulnerability Service (MVS) within only a few hours.
By this point, responding quickly and effectively to an event like the FireEye breach or the SolarWinds Orion Trojan is reflexive.
And unfortunately, it is also all-too-common: for instance, it was only a few months ago that the Zerologon vulnerability took center stage. Notably, the behavioral detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools; this is a subtle-but-important difference that speaks to our ability to consume information, augment it with our own research and leverage our understanding to make a real difference in the security posture of our customers.
Why operationalize threat intelligence?
Within four hours of FireEye revealing on December 8th that their Red Team tools had been stolen, eSentire’s customers were running new detection rules in esNETWORK.
In parallel:
We also scheduled a webinar for December 17th (which is available on-demand) in which we reviewed the situation with customers and allowed them to pose questions to several of our cybersecurity experts, including members of our elite Threat Response Unit (TRU) team. All this information was communicated in a Threat Intelligence Advisory on December 9th, along with recommended actions and links to additional information.
Behind the scenes, we were coordinating with our own partners, including CrowdStrike, Microsoft, Sumo Logic, Tenable, and VMware Carbon Black.
On December 11th, we issued a second Threat Intelligence Advisory as we continued to monitor the situation. By this point, we had observed numerous routine penetration testing instances using FireEye’s Red Team tools (all of which alerted appropriately), but no malicious activity was detected, and MVS covered all 16 of the FireEye CVEs.
On December 13th, FireEye disclosed a widespread global intrusion campaign that exploited vulnerabilities within the SolarWinds® Orion® Platform. Essentially, the threat actors created a Trojan that masqueraded as an Orion software update and took advanced measures to evade detection.
We added new detection and protection content for this specific threat based on information and countermeasures disclosed by SolarWinds, the Cybersecurity & Infrastructure Security Agency (CISA) and FireEye, and we updated our customers in a third Threat Intelligence Advisory which also included a new list of actions pertaining to managing the SolarWinds risk.
Threat intelligence is also about keeping customers informed. On December 17th, we hosted our webinar, which of course was now about both the FireEye breach and the SolarWinds exploitation. More than 200 customer attendees tuned in to hear a presentation by five of our threat intelligence security experts and ask important questions.
To this point, based both on active scans and retroactive examination of IOCs dating back many months (FireEye suggested that the attack might have begun as early as Spring 2020):
The SolarWinds breach is significant and deserves the attention it has received. Part of the reason it has received so much attention is the nature and identity of the organizations that were compromised, including government agencies and cybersecurity companies.
However, it must be duly noted that:
And herein lies the broader risk of not operationalizing threat intelligence: now that the main damage has been done (i.e., surreptitious access to sensitive information for many months) and the cat is out of the bag (i.e., the exploits and IOCs are known), there is a very real chance that access to many of those 18,000+ organizations—perhaps hundreds or even thousands—will be listed and sold on the dark markets that serve as the hub of the cybercrime economy.
As we explored in our recent Threat Intelligence Spotlight, Defending Against Modern Ransomware: Lessons from the SunWalker Incident, a well-structured and highly specialized cybercrime ecosystem has emerged in which Initial Access Brokers sell computer access to organizations.
In doing so, they have lowered the barrier to entry for others in the value chain, as no exploitation skills are required to gain access even to high-value targets (just think of the organizations named so far in the SolarWinds revelations). The average price to purchase such access runs between $1,000 and $10,000 USD, but access to high-value organizations can sell for upwards of $500,000. The buyer—often a ransomware gang—is then free to do whatever they want, unless and until they are detected.
Faced with such threats, multi-signal detection is an absolute requirement for operationalized threat intelligence. Just to drive home this point, here are a few other facts from the FireEye situation:
And, as noted earlier, the specifics of these incidents are unique, but the general nature is familiar. Many security professionals will recall the Citrix Netscaler vulnerability from December 2019, which also required network-based signals for detection.
Detecting the FireEye IOCs and performing retroactive analysis employs signals across endpoints, logs, and network traffic.
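To make the multi-signal point concrete, here is an added illustration (not eSentire code) of a retroactive IOC sweep: an advisory-style IOC set is matched against endpoint, log and network records reaching back to spring 2020, and the sweep is re-run without the network signal to show which host would have been missed. All indicators, hostnames and timestamps are constructed placeholders.

```python
# Constructed IOC set in the shape an advisory supplies; values are placeholders, not real indicators.
IOCS = {
    "sha256": {"PLACEHOLDER_SHA256_TROJANIZED_UPDATE"},
    "domain": {"c2.ioc-placeholder.invalid"},
    "process": {"redteam-tool-placeholder.exe"},
}

# Constructed records from three signal sources. ISO-8601 timestamps compare correctly as strings.
# The December 9th endpoint hit models a routine pentest that should alert but is not an intrusion.
RECORDS = [
    {"source": "endpoint", "ts": "2020-04-02T03:11:00", "host": "build-01",
     "process": "redteam-tool-placeholder.exe"},
    {"source": "log", "ts": "2020-09-20T11:05:00", "host": "srv-07",
     "sha256": "PLACEHOLDER_SHA256_TROJANIZED_UPDATE"},
    {"source": "network", "ts": "2020-03-28T22:40:00", "host": "gw-02",
     "domain": "c2.ioc-placeholder.invalid"},
    {"source": "endpoint", "ts": "2020-12-09T09:00:00", "host": "pentest-vm",
     "process": "redteam-tool-placeholder.exe"},
    {"source": "log", "ts": "2020-11-01T00:00:00", "host": "srv-07",
     "sha256": "benign-hash-placeholder"},
]


def sweep(records, iocs, since, sources=("endpoint", "log", "network")):
    """Return {host: (earliest_ts, {matching sources})} for IOC hits at or after `since`,
    restricted to the given signal sources."""
    hits = {}
    for rec in records:
        if rec["source"] not in sources or rec["ts"] < since:
            continue
        if not any(rec.get(field) in values for field, values in iocs.items()):
            continue
        first, srcs = hits.get(rec["host"], (rec["ts"], set()))
        hits[rec["host"]] = (min(first, rec["ts"]), srcs | {rec["source"]})
    return hits


def network_only_hosts(records, iocs, since):
    """Hosts that surface only when the network signal is included in the sweep."""
    with_network = sweep(records, iocs, since)
    without_network = sweep(records, iocs, since, sources=("endpoint", "log"))
    return sorted(set(with_network) - set(without_network))


if __name__ == "__main__":
    for host, (first, srcs) in sorted(sweep(RECORDS, IOCS, "2020-03-01").items()):
        print(f"{host}: first seen {first} via {sorted(srcs)}")
    print("visible only with network signal:", network_only_hosts(RECORDS, IOCS, "2020-03-01"))
```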
eSentire is the leader in Managed Detection and Response (MDR). In fact, this type of incident is why we invented MDR.
We have been here before—that’s part of what you get when you become an eSentire customer: a security partner who responds quickly, effectively and communicates often.
We see an evolving story like the FireEye and SolarWinds saga as a powerful validation of MDR.
But in a way, we also see it as a bit of a distraction. This is one of those 1 in 10,000 events that really makes everyone sit up and take notice, but it is important not to overlook the 9,999 that are quietly out there—that is the reality we deal with on behalf of our customers.
We know from experience that there is a good chance that access to compromised networks will turn up for sale in cybercrime markets; we know from experience that adversaries continually tweak their tools, techniques and procedures (TTPs).
That is why we never let down our guard and why we continually—24x7—operationalize threat intelligence and put it into action.
That is also why it is so important that organizations protect what they can—but some things cannot be sufficiently protected (whether because of zero-day attacks, resource limitations or simply the practical trade-off of security versus convenience). That is where detection and rapid time to containment become so critical, and where eSentire’s TRU team shines.
If you are not an eSentire customer, then we invite you to read about the SunWalker incident and ask yourself how you would have detected and responded to that attack—it is a worthwhile exercise that may prevent future disaster.
We encourage everyone to take this developing story as a reminder about:
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.