
eSentire Blog


No Half Measures: Employ Active Forensic Analysis to Defend Against ShellShock


by Mark J. McArdle

As the effects of the “ShellShock” exploit (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 & CVE-2014-7187) are realized, eSentire’s Security Operations Center continues to protect our clients’ networks from the barrage of targeted attacks directly stemming from ShellShock.

Active Threat Protection from eSentire provides defenses that go beyond traditional security by combining proprietary technology, tools and human analysts who engage to resolve threats in real-time. In the case of ShellShock, our SOC analysts harness the power of active forensics to look deeper and perform analysis based on archived traffic, employing reputational, behavioral and traditional signature-based techniques.

ShellShock’s threat model is evolving rapidly: since the first public disclosure on September 24, several new CVEs have been announced, a great example of the old adage ‘given enough eyeballs, all bugs are shallow.’ Bash is being scrutinized unlike ever before.

For CSOs, this past week has been a challenging one. Many security products require updates to help detect and protect against ShellShock-based attacks. IDS/IPS and Next Generation Firewalls have been updated frequently, but all of these detection updates have one common weakness: they only work going forward in time, not backward.

At eSentire, we’ve long recognized the importance of performing full packet capture as a key asset in assisting our SOC analysts in identifying the significance of an event. The limitations of signature-driven security product policy are well documented, and the forensic insight that a single alert or log event can provide is abysmal in most cases.

We’ve leveraged the full packet archive as a form of “network PVR”, allowing our SOC analysts to fast-forward and rewind to ‘interesting’ moments. We call this Targeted Retrospection. As a threat model evolves, we apply our understanding of a new vulnerability or attack not just to connections happening now and moving forward, but retroactively to traffic that’s been archived to determine if our client networks have been compromised before public disclosure.

When a new vulnerability or threat is disclosed there are two key windows of exposure to consider:

1)    Time to patch

2)    Time to detection/protection

The time to patch is usually a function of the agility of a company’s patch management processes.  But there are exceptions, like ShellShock, where the vulnerability is disclosed before there is a complete patch. And this challenge is further aggravated by additional vulnerabilities being discovered, leading to a patch and re-patch cycle.  Obviously this prolongs the window of exposure, leading us to rely more on the second window: time to detection/protection.

The ability to insulate a network from a new threat typically requires the use of a next generation firewall or IDS/IPS system, or taking the system offline. The window of exposure here is based on the effectiveness of the new ‘signature’ updates and vendor responsiveness.

Since we don’t control our customers’ patch management processes, it is critical for us to provide our internal team and clients with visibility into the potential for compromise while these windows are open. That’s why we invented Targeted Retrospection.

Once a Targeted Retrospection analysis is complete, we can inform a customer on whether or not we saw any attempts to exploit a vulnerability before its public disclosure, or during the windows of exposure. 

eSentire clients know how newly discovered threats may have affected them in the past and we are able to apply new wisdom to actions, and in turn, be more effective than ever at protecting our customers. Other “traditional” vendors focus on monitoring log files, but this approach provides no additional value during a situation like ShellShock.  A log file event is a brief snippet of information, and contains very little forensic information.  And you certainly can’t go back in time and get log events that don’t exist.

Our Targeted Retrospection is like a time machine, allowing us to see yesterday’s network traffic through the wisdom of today’s eyes.  Our customers appreciate this capability, especially during times like this.


The results of our Targeted Retrospection across our customer networks indicate that initial ShellShock-related surveillance efforts began within a few hours of disclosure.  These were attempts to identify vulnerable hosts by using the exploit to solicit a “ping-back”. Active exploits attempting to install botnet payloads were seen in the wild within the first 24 hours of disclosure.  During this time, an effective patch was not available.  However, with this information, our customers were able to take the appropriate measures on only the systems affected.
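The retrospective analysis described above amounts to taking a detection rule written after disclosure and running it over traffic that was archived before the rule existed, then sorting each hit into the exposure windows the post defines. The script below is an added illustration of that workflow, not eSentire’s tooling: it applies the widely published ShellShock signature (the Bash function-definition prefix `() {` appearing in an HTTP header value) to a small set of constructed archive records and labels each hit as pre-disclosure, inside the exposure window, or post-patch. The record layout, the patch date and the time-of-day on the disclosure date are assumptions made for the example; the disclosure date itself (September 24) is from the post.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Detection signature for the Bash function-definition prefix that the
# ShellShock family (CVE-2014-6271 and follow-ups) abuses: "() {" with
# optional whitespace in between. Same idea as public IDS rules, applied
# here to archived requests rather than live traffic.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Archive record layout assumed for this example (one header per record):
#   <ISO-8601 UTC timestamp> <source IP> <method> <path> "<Header-Name: value>"
RECORD_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Window boundaries. The disclosure date comes from the post; the time of
# day and the date this particular site was patched are assumed values.
DISCLOSURE = datetime(2014, 9, 24, 0, 0, tzinfo=timezone.utc)
PATCH_APPLIED = datetime(2014, 9, 27, 0, 0, tzinfo=timezone.utc)

# Constructed archive records (not real captured traffic). The second record
# mirrors the "ping-back" reconnaissance pattern the post describes; the
# first shows that ordinary parentheses in a User-Agent do not trigger.
ARCHIVED_REQUESTS = [
    '2014-09-23T11:02:17Z 203.0.113.8 GET /index.html "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"',
    '2014-09-24T21:40:05Z 203.0.113.21 GET /status "User-Agent: () { :;}; /bin/ping -c 1 198.51.100.7"',
    '2014-09-25T03:12:44Z 203.0.113.21 GET /status "Referer: () {:;}; echo probe"',
    '2014-09-26T09:00:00Z 198.51.100.44 GET /index.html "Cookie: session=abc123"',
    '2014-09-28T14:07:19Z 203.0.113.77 POST /status "User-Agent: () { :;}; echo post-patch-probe"',
]


def parse_record(line):
    """Parse one archive record into a dict, or return None if malformed."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    ts, src, method, path, header = m.groups()
    name, _, value = header.partition(":")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "method": method,
        "path": path,
        "header": name.strip(),
        "value": value.strip(),
    }


def classify_window(ts, disclosure=DISCLOSURE, patched=PATCH_APPLIED):
    """Map a timestamp onto the exposure windows the post describes."""
    if ts < disclosure:
        return "pre-disclosure"
    if ts < patched:
        return "exposure-window"
    return "post-patch"


def retrospect(lines, disclosure=DISCLOSURE, patched=PATCH_APPLIED):
    """Run the (new) signature over (old) archived records; return the hits."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not SHELLSHOCK_RE.search(rec["value"]):
            continue
        findings.append({
            "ts": rec["ts"].isoformat(),
            "src": rec["src"],
            "path": rec["path"],
            "header": rec["header"],
            "window": classify_window(rec["ts"], disclosure, patched),
        })
    return findings


def summarize(findings):
    """Count hits per exposure window; an absent key means no hits there."""
    return dict(Counter(f["window"] for f in findings))


if __name__ == "__main__":
    hits = retrospect(ARCHIVED_REQUESTS)
    for h in hits:
        print(f'{h["ts"]} {h["src"]:<15} {h["window"]:<16} {h["header"]} on {h["path"]}')
    print("summary:", summarize(hits))
```

On the constructed records the scan reports no pre-disclosure hits, two hits inside the exposure window and one after the patch date, which is exactly the per-window answer a retrospective analysis is meant to hand back to the asset owner. Against a real packet archive the same loop would read decoded HTTP headers rather than one-line records, and the signature would be extended as the later CVEs in the family were published.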

Mark J. McArdle is Chief Technology Officer at eSentire (

ShellShocked: The Effects and Implications of the New "ShellShock" Exploit


eSentire has visibility into significant activity related to the “ShellShock” exploit (CVE-2014-6271 & CVE-2014-7169).

Our take: ShellShock is a powerful remote execution exploit affecting many systems running Bash on Linux and Mac OS. While this vulnerability was publicly disclosed September 24, it has the potential to be more damaging than Heartbleed. The primary resources at risk are Internet-facing services that utilize Bash, but there are also risks to consumers running Mac OS and Linux on their laptops and desktops. While Heartbleed was a narrow and focused event that was exploited by those with extensive technical knowledge, ShellShock enables attackers with very basic programming knowledge to launch command shells on a remote system and then have that shell execute any command permitted by the permissions configured on that system. 

Take action: A patch for Bash is now available, and everyone should be applying this patch as soon as possible. Unfortunately, there currently isn’t a patch available for Mac OS. eSentire has outlined several proactive actions for enterprises and will continue to release updates on ShellShock as it develops.

eSentire Security Operations Center (SOC) analysts have real-time access to attack traffic through our full packet capture and archiving, and can investigate not just the superficial aspects of the attack reported in event logs, but understand the specifics of the attack script. We can identify the payloads it may have brought down, the commands it ran, the files it accessed, and so on. eSentire analysts also witnessed attackers attempting to perform reconnaissance and compromise systems by installing malware through simple scripts.

Our analysts interpret events in real-time and utilize advanced tools that make security event information immediately actionable. In the case of ShellShock we were able to protect our client networks from potential exploits as they evolved. And with a capability we call Targeted Retrospection, we can rewind our analysis DVR-style to check if any attacks were attempted before ShellShock was publicly disclosed; this helps us identify previously compromised systems and significantly reduces the impact of an attack.

While traditional log information can tell you a specific attack signature has been invoked, attack signatures are generalized to be useful against a class of exploit and not just a specific instance.  When they get a hit, they record the event, but not the specifics of the attack payload. There is no forensic capability in a log file when it comes to attacks like this and we don’t think that’s a very effective approach to Continuous Advanced Threat Protection.

In the meantime, you can learn more about ShellShock through these resources:

Mark J. McArdle serves as Chief Technology Officer for eSentire.

When Fiction Becomes Fact: Cyber Espionage on the Rise


While cyber espionage has long been the lure of many thrilling Hollywood stories, it’s fast become headline news, splattered regularly throughout the pages of national publications. Take this recent admission from the National Research Council (NRC) for example: Canada’s premier research and technology organization announced a major IT systems breach, which allowed perpetrators access to R&D data specific to aerospace, genetically modified foods, medical diagnostics and more. The Canadian government publicly singled out China, while China, in return, denied the “groundless” allegations. This comes hot on the heels of the White House’s groundbreaking motion to file criminal charges against five Chinese army officers for alleged cybercrimes and cyber espionage.

As nation-state actors pursue government secrets, a slew of other threat actors lurk, quietly chasing intellectual property that is equally as valuable. The Cyber Security Protection Alliance released a study that noted that last year, 69% of Canadian businesses reported some kind of attack over a 12-month period. If recent news stories are any indication, this trend will unquestionably continue its steep incline.

At eSentire, we continue to partner with a multitude of organizations that recognize the need to evaluate and augment their security posture. Whether financial institutions guarding trading data, law firms protecting client information or extractive industries battling hacktivists, our Active Threat Protection platform protects clients and prevents attacks with real-time detection and mitigation, 24/7. We keep our clients OUT of the headlines, and provide aggregate reports that detail each and every blocked attack.   

If cyber criminals can penetrate government infrastructure, they will easily (and successfully) target organizations with a weak security posture. This Fall, eSentire will appear at a variety of industry conferences providing a platform for cyber security discussion and understanding. Don’t wait to become a headline – get the information you need to improve your security posture today.

The Cyber Security Grand Slam


The long winter is over: today is the official opening day of the 2014 major league baseball season. Here in the Toronto area we are cautiously optimistic over the Blue Jays’ prospects while thinking very fondly of the 1992-93 seasons.

Of course, back in the early 1990s cyber crime wasn’t the big deal it is today. Back then the interconnected world in which we now live was just starting to take shape. Today, everything from bank assets and personal credit card data to intellectual property and trade secrets all reside on corporate networks that clever cyber criminals relentlessly target.


At eSentire, it occurred to us that the game of baseball provides a good analogy for cyber security preparedness and attack response.

Maximizing your cyber security posture can be likened to rounding the bases:

  • First Base. Many security products and services will get you here. They monitor events and even stop threats with a known signature. This is a basic capability every company needs, but it only gets you to first base.
  • Second Base. Some products can detect threats that got by first base, usually by analyzing aggregated log data.
  • Third Base. There are services such as legacy Managed Security Services Providers (MSSP) that will notify you, via an automated alert, email, or a phone call, that a suspected breach has occurred.

Now what? Getting from third base back to home is the great conundrum of the cyber security industry.

The vast majority of cyber security products and services concentrate on prevention. Very few offer practical remediation assistance.

Once they’ve notified you, the MSSP considers their job done, but you’re stuck on third base while your systems are being ransacked.

Cyber security has become an incredibly complex field. The only way to fully address a serious security incident such as an advanced threat or a zero day attack is with the help of trained experts.

In baseball, a pinch hitter is such an expert, who acts as a substitute batter. The team manager can use any player who has not yet entered the game as a substitute, and the tactic is often used to place specialized skills (base hitting ability) at the plate when they are most needed.

When a cyber attack commences, companies are facing a crisis situation. They need cyber security pinch hitters on their team – and they need them now. At eSentire, we call this Active Intervention.

Our Network Interceptor solution includes the concept of Embedded Cyber Security Incident Response. That is, our experts are already on your team, monitoring network events in the background. When a real threat unfolds, they are like a pinch hitter, ready to enter the game and get you back to home plate.

Any company that relies on a cyber security program without Active Intervention is operating without a safety net. They are doomed to be stranded on, at best, third base when a difficult security incident happens.

It’s tough (and expensive) to bring in experts when they aren’t already on your team. This year, you can take steps to maximize your cyber security posture by incorporating Active Intervention into your security program.

Go Jays.

Notes from RSA: It's Not Your Security Budget, It's How You're Spending It


One resounding theme to emerge from this year’s RSA Conference is that IT security budgets are skewed too much towards automated prevention technology and not enough towards incident response.

In a keynote, Art Gilliland discussed this over-investment on the prevention side, noting that it consumes the overwhelming majority (86%) of annual cyber security spend.

An intriguing session on Security Shelfware detailed how a surprising number of SIEM (and other) security products end up gathering dust instead of being actively used.

In a panel discussion on cyber security incident response, Ponemon Institute founder Larry Ponemon explained what’s behind the scarcity of CSIRT resources, recommending greater investment in incident response.

Then, on the RSA’s final day, Jay Leek – CISO at Blackstone – weighed in from the user’s viewpoint: A CISO’s Perspective: Protecting with Enhanced Visibility and Response.

This valuable session argued for reallocating IT security investment, moving some money from Prevention (where a lot of shelfware exists) to Visibility, Intelligence – and the underfunded Reactive area, upgrading it to a Planned Response footing.

Leek noted that the cost of response has sharply increased, up 75% from $200k to $341k per incident in 2011, and we can be certain that the cost in 2014 is even higher. Unfortunately, the cost to attackers is much lower. In one slide Leek showed that attackers could breach a company over 2,000 times before spending as much as the company spends on a single incident.

These trends are not sustainable, according to Leek. To mitigate such high costs, investment in incident response, not just prevention, is needed.

This investment can take a variety of forms.

  • For better Visibility, organizations should acquire technology that provides real time awareness of network events, thus collapsing the time delay inherent to SIEM products that rely on system and device logs.
  • For greater Intelligence, defenses can be tuned based on behaviors and attack profiles.
  • For Planned Response, you need trained security analysts who have ready, real time access to actionable forensics.

The market for Prevention-focused products is saturated – but for vendors it’s a lot easier to program a product to identify and stop known threats than it is to provide a solution to an incident that has unknown attributes.

Response is difficult to automate. For serious threats, effective response always requires human expertise. You need security analysts who know how to examine the forensics and what actions to take.

Having ready access to this kind of expertise is a challenge – as Jon Oltsik noted in his session on the Security Skills Shortage.

Small to midsize companies with stretched IT resources are particularly exposed in the skills area – how can they make the investments all of these speakers have recommended?

There’s good news. The new field of Active Threat Protection is designed for just this sort of balanced approach to cyber security.

Key attributes of Active Threat Protection include the acquisition of network data in real time, the ability to detect suspicious behaviors, and Active Forensics that help to eliminate false positives while highlighting the real potential threats.

These capabilities are topped off by Embedded Cyber Security Incident Response, which is the integration of trained security analysts into the mix as network events are being assessed – instead of after a crisis has erupted when it’s too late to minimize the damage.

Active Threat Protection is surprisingly affordable, giving companies a practical way to rebalance their IT security budgets for greater impact and better ROI as numerous RSA sessions have recommended.

It enables organizations to increase their Visibility, develop greater threat Intelligence, and include active expertise into their Planned Response processes – all of which dramatically reduces the cost of handling an incident while maximizing cyber security protection.

Notes from RSA: Investing in Silver Bullets


One of the most interesting keynotes at this year’s RSA conference was given by Art Gilliland, SVP of HP Enterprise Security Products, on Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy.

You can view a recording of his presentation here.

Gilliland noted the impossible odds that are stacked against cyber security teams, where to be considered successful the good guys have to win every time, but the bad guys only need to win once.

Despite increased investment in cyber security, the number of breaches continues to rise.

In looking at where this investment is going, HP and Ponemon Institute found that a whopping 86% of the cyber security budget goes toward prevention.

Further research revealed that companies could improve the ROI of their security budgets by shifting investment into the security intelligence system – the people and processes as well as the technology that must combine to protect the enterprise.

“We are over-invested in products,” said Gilliland, in the best sound bite of the session. At eSentire, we couldn’t agree more.

We’ve said for some time that security automation, by itself, doesn’t solve the problem. Automated products are notoriously difficult to tune and keep updated, and even so the cyber criminals have a habit of devising new ways to evade automated defenses.

Too often, organizations desperately want to believe they can buy a technology silver bullet for cyber security – and there are plenty of vendors who are happy to take their money. Yet the number of breaches continues to rise – what’s wrong with this picture?

Companies that rely solely on automated security products are nursing a false hope, not realizing how exposed they really are.

Of course, security automation is needed – and it is very useful in blocking known threats. But it isn’t a panacea. We agree that investments need to include good technology but also be more balanced towards the Security Intelligence System.

A new security concept reflects this reality. We call it Active Threat Protection. It is an approach that combines detection, analytics, and human experts to deliver a higher level of protection than is otherwise possible.

Active Threat Protection acknowledges that you cannot detect every threat, and that advanced threats only reveal themselves by behaviors. It is a more practical approach that recognizes the bad guys will at times succeed in penetrating your network – but you can still stop attacks and minimize exposure if you have invested properly in people and processes as well as analytics.

Companies need to stop chasing security technology silver bullets, because they cannot possibly prevent every attack – succeeding every time while the bad guys only need to succeed once – eventually there will be a breach.

With Active Threat Protection, they have a workable solution that acknowledges the realities of today’s cyber wars.

Notes from RSA: Incident Response Inequality


It’s Day 3 of RSA, and one of the highlights was a panel discussion on Why Cyber Incident Response Teams Get No Respect.

The session had great insights on how CSIRT can be improved, but we couldn’t help thinking that it also pointed out the inequality in CSIRT capabilities between large enterprises and midsize companies.

Supported by a fresh research report from the Ponemon Institute, a major finding was that more investment is needed in CSIRT if organizations are going to materially improve their response preparedness.

It goes without saying that some organizations may have more to invest than others.

When we look at the survey demographics, we see that 82% of the respondents were from companies with over 500 employees – and nearly two thirds were from 1000+ employee companies.

Even so, nearly half of those surveyed (45%) reported that their company has no one dedicated full time to incident response. A further 28% have one resource dedicated to CSIRT. So, the reality is that most companies get by with part time resources in this crucial area.

The study’s recommendation that organizations should invest more in CSIRT is spot on. In very large enterprises, this may be an exercise in raising awareness of the need at the C-level in order to garner support. But in many companies, it’s an exercise in finding budget that simply doesn’t exist.

A trenchant observation in the study is that it’s easier to dedicate budget to prevention, on the theory that if that money is well invested then response won’t be as necessary – because threats won’t morph into attacks.

However, this is a false hope. Every company needs a plan for and resources designated to incident response – because sooner or later they will have an incident to deal with.

It takes specialized expertise to respond quickly to a security incident – fully understanding what happened and confirming that the response was successful and “it’s safe to go back into the water.” For most companies, that means bringing in outside experts.

While affirming that using outside consultants to augment in-house staff is a best practice, the study pointed up two valid problems with retaining third party consultants for incident response help.

First, outside parties are unlikely to “have an understanding of the IT infrastructure they are investigating as well as the business running on top of it.” They need read-in time, right when a crisis is unfolding.


“A third-party contractor can lose precious time navigating to the resources they need. In addition, many of the tools and audit trails that are needed in order to respond effectively to an incident must be in place before the incident begins, and cannot be established on the fly during an incident.”

All this brings us back to the question – what is a midsize company with an already-stretched IT budget to do? It sounds like world-class CSIRT is only possible if you have lots of money.

Fortunately, there is a solution: Embedded Cyber Security Incident Response.

This new concept is part of the Active Threat Protection approach to cyber security. It includes technology that can aggregate network events and detect telltales of suspicious activity, coupled with trained security analysts who actively review these events as they happen – and take action if needed.

Embedded CSIR solves the problem of getting outside consultants up to speed on your IT infrastructure and business processes – because they are already there. It solves the problem needing analytical tools and audit trails – because those are already there too.

At eSentire, we think Embedded CSIR also solves the inequality problem, because even midsize companies can access Active Threat Protection without breaking the bank.

Get this white paper to learn more about Embedded CSIR.

Notes from RSA: Security Shelfware


An insightful and entertaining session at RSA today was Security Shelfware: Which Products Are Gathering Dust in the Shed and Why?

This topic really interests us at eSentire, because we conduct hundreds of Enterprise Vulnerability Assessments every year and more often than not we find security products turned off or otherwise on the shelf. We always wonder why a company would pay good money for a security product only to let it fall into disuse (or never really use it in the first place).

Presented by Javvad Malik of 451 Research, the session highlighted some very interesting findings from an original research study.

Many perfectly good security products become shelfware. They work as advertised, and companies buy them with every intention of getting useful value out of them – but somewhere along the line, something happens.

Not surprisingly (at least to us), SIEM products lead the field as those most likely to wind up on the shelf. We suspect that a big reason for this is the notorious difficulty in tuning these systems. Too tight, and you get flooded with so many alerts that you can’t possibly handle them all. Too loose, and you miss that one alert you really needed.

This is corroborated by the fact that, in the research, one of the main reasons given for security shelfware is a lack of staff to use the product properly, and a lack of time or expertise to implement the product properly. Keeping these systems updated and tuned is a highly complex, involved and never-ending task.

As we noted yesterday, cyber security analysis is an increasingly specialized skill, which was validated by Jon Oltsik’s presentation on The Security Staff and Skills Shortage is Worse than You Think! One of the points in that session was that too many false positives are hampering detection and response.

When you combine the two sessions, it’s easy to see why certain security products become shelfware. They may be doing exactly what they’re programmed to do, but if the user companies are stretched for time and resources, they simply won’t be able to analyze everything these products throw their way.

It’s no wonder that the 451 Research study found users’ number one attribute of a good security product to be “centralized (and actionable) reporting.” Beleaguered IT security staff do not need more alerts – they need fewer ones that they can action.

This was a huge disconnect in the study, where vendors rated “out of the box functionality” as the number one sign of a good product while users rated that attribute near the bottom.

Of course, the study pointed out many other interesting things – such as the fact that often companies buy a security product merely to satisfy a compliance requirement but then they end up not using it.

We do appreciate the insights and believe that there is a thread at RSA pointing up the skills shortage in cyber security. This trend will not change any time soon, and smaller to midsize companies will be most impacted because they simply do not have the resources to staff a 24x7 security operations center in the same way that very large enterprises can.

At eSentire, we’ve developed a new approach to cyber security that we call Active Threat Protection. It is a combination of technology and expertise that fills the skills gap while eliminating all those false positives – and it’s surprisingly cost effective, so small to midsize companies can access it.

Embedded Cyber Security Incident Response is a core principle in Active Threat Protection, and it is certainly worth learning about if you have confidential data to protect yet limited resources to devote to security.

Notes from RSA: The Security Skills Shortage


Today the RSA Conference kicked off with a bang at the Moscone Center in San Francisco.

We thought Jon Oltsik, Senior Principal at Enterprise Security Group, gave an outstanding presentation titled “The Security Staff and Skills Shortage is Worse than You Think!”

Jon highlighted key results from ESG’s 2013 Cyber Security Survey. Several of his points resonated with us at eSentire, and validate the need for companies to move to an Active Threat Protection cyber security strategy.

First and perhaps no surprise, is the fact that fully 83% of those surveyed say recruiting information security professionals is “difficult to extremely difficult.”

Cyber security knowledge – particularly analytical and remediation skills – is an increasingly specialized discipline. While very large enterprises can afford to staff 24x7 security operations centers with in-house experts, smaller companies are at a distinct disadvantage. They struggle to compete for this highly trained and expensive talent pool, and the challenge of supporting round-the-clock operations, a requirement for many, is simply a bridge too far.

In detailed findings of the impacts on incident detection and response, the top impact listed was “lack of adequate staff.” Of course, this follows from the above point about hiring – if good security analysts are hard to find then many organizations will lack the staff they need.

The other impacts on detection and response were instructive. In order, they are:

• Too many false positives
• Too many manual processes
• Too many independent tools
• Events are too hard to detect
• Lack of security analytics skills

These findings point out the gaps in traditional cyber security automation and managed services. Automated tools deliver a flood of alerts that the beleaguered IT security staff cannot possibly analyze. Information is coming from too many sources and cannot be correlated. True threats are too hard to find in this sea of information – and the ability to analyze all this data is lacking.

Legacy MSSP vendors don’t really solve the expertise problem. They detect potential threats but simply notify the customer when one exists – their involvement stops when it comes to the remediation side of the problem.

These findings make a great case for Active Threat Protection, and in particular for the principle of Embedded Cyber Security Incident Response. It’s a way to leverage both advanced detection technology and bring in experts not just to resolve a crisis but to be involved every day in assessing potential threats.

If Active Threat Protection is a new concept to you – it would be worth learning about. This is particularly true if your company is not one of those big enterprise behemoths that can throw millions of dollars into security programs.

Active Threat Protection, which we cover in detail on this website, is a cost effective way for companies to minimize risk and close the gaps in traditional cyber security approaches.

PS: You can download Jon Oltsik’s presentation slides here.

The Elephant in the Cyber Security Room


We all know what it means to have an elephant in the room. It’s an obvious situation that people don’t want to acknowledge – so they collectively tiptoe around the issue rather than face it.

What’s the elephant in the cyber security room? While over 90% of the industry focuses on prevention, the fact is you will be hacked, and once that happens most cyber security solutions are useless.

It’s the elephant in the room: in just one week, we’ll be joining thousands at the huge RSA Conference in San Francisco, where you can wander through a cavernous exhibit hall (actually, two of them), only to find that most booths have little to say about what to do after prevention measures have failed.

Cyber security is big business: worldwide spending topped $67 billion in 2013 according to a recent report from Gartner Group. Most of that spending goes towards prevention. Comparatively little is budgeted for remediation, and that’s perhaps understandable (how do you budget for something you hope will not happen, and if it does, how can you measure the financial impact in advance?).

But let’s get back to that elephant: it’s a virtual certainty that your company has suffered a breach, or will suffer a breach. You could be breached at this very moment without knowing it.

While we are the first to agree that prevention measures are essential, we find it curious that few security products or services openly discuss how they come into play after an attack has succeeded.

There are many Managed Security Services Providers (MSSP), but most of them simply notify you of a suspected breach – you have to fix it yourself (at eSentire we call this the ‘It’s not My Problem Syndrome’). There are literally hundreds of security automation products, and the overwhelming majority are built for prevention against known threats.

Once a zero day cyber attack starts to unfold, outward-looking prevention systems are of no value. Where can you go to get practical help when the proverbial paraphernalia hits the fan?

A good start would be to visit the eSentire booth at RSA, booth 520 in the South Hall. We’re the guys with the big elephant in the booth.

We believe that incident response needs to integrate with detection and analytics. We agree with virtually all cyber security authorities that expert assistance from certified security analysts is essential to resolving any serious cyber security incident. And for most companies, that means getting specialized help.

And therein lies the rub. Virtually all of the security industry is structured either to prevent an attack or to wade in and help remediate one after it has begun to do damage.

At eSentire, we think that’s too late. When experts are called during a crisis, they first establish their analytical infrastructure (which could involve shipping and installing specialized hardware). After that, it takes time – even for really smart people – to gather log data and analyze it, as well as learn enough to be knowledgeable about your network and application infrastructure.

The best time to call in the experts is before you need them, but that can be extremely expensive with today’s business model for cyber security incident response services – most companies can’t afford to pay security experts to “hang around” waiting for something to happen.

For the past few years, we’ve been pioneering the Active Threat Protection approach to cyber security. It includes a capability called Active Intervention based on the concept of Embedded Cyber Security Incident Response. This isn’t having experts on call – it’s having them actively monitoring your network every day and already being on the job if an attack happens.

You should check it out. The approach is so effective that we’ve become the go-to supplier of cyber security protection to the alternative asset management industry, with over 150 funds and $1.3 trillion in assets under our Active Threat Protection umbrella.

Once we admit there’s an elephant in the room, we can do something about it. If you’re coming to RSA, stop by to see us. If not, give us a call or get this white paper on Embedded Cyber Security Incident Response.

It’s a new way of thinking about cyber security that puts the word “active” in threat protection.
