“Attackers want to do account takeovers, get administrative privileges and exfiltrate data for as long as they can,” he says. “So, this is something we have to be good at every day. In our data logs, we have about 100 to 150 million events per day. Then, with these tools, we’re getting about five to 10 qualified alerts per day. There are things we’ve caught that we would not have otherwise acted on quickly enough. The automation has paid for itself.”
Howard, an accounting firm based in Dallas, faced a similar set of problems: sensitive client information to protect, a small IT team and an overwhelming number of security alerts coming into the organization.
“I don’t even know how many alerts we had per day, I’ll put it that way,” says Chris Barnes, CTO at Howard. “The next thing you know, you’re not even looking at the alerts anymore, and that’s a problem. All the security software in the world is useless if you’re not paying attention.”
“We reached the point of, ‘What’s a legitimate concern versus noise?’” Barnes adds. “We didn’t have enough resources in-house to answer that question.”
To combat the problem, Howard adopted tools and services from Arctic Wolf, including the vendor’s managed detection and response solution and SOC as a Service offering, which refers to the security operations centers that are usually the province of large enterprises. The MDR solution provides around-the-clock monitoring of network, endpoints and cloud environments, while SOC as a Service gives organizations access to a “concierge” security services team.
“Before, the idea was that you turn on everything so you can catch everything, and then you get everything,” Barnes says. “Now, the services and tools deal with everything and then give us what we need.”
MORE SECURITY: Everything you need to know about the cloud security landscape.
As a result of the tools and services, Barnes says, he and his team receive only a couple of alerts per month. Because they have already been vetted, these alerts tend to be about specific, actionable concerns, such as an employee’s email address showing up on the dark web or someone connecting to the company’s cloud resources from outside of the country.
“The alerts happen so infrequently that we’re able to take them more seriously now,” Barnes says.
Alerts Allow For Rapid Containment of Breaches
Duck Creek Technologies, a Boston-based provider of insurance industry software, turned to Microsoft Azure Sentinel to automate its threat response. “We were growing, and we needed to grow the technology supporting us as well,” says John Germain, the company’s CISO. “The solutions we had weren’t scaling very well, and there weren’t a lot of opportunities for us to optimize and leverage automation around the alerts we were seeing to get rid of a lot of the noise.”
“The other thing is cost,” Germain adds. “It’s tremendously expensive to capture all this data. We needed something that could not only scale up but also help control those costs. Having that relationship with Microsoft helped.”
Because it is a Software as a Service provider, the bulk of the data that Duck Creek manages belongs to its customers. “Of course, we have our own corporate data, but a lot of what we’re focused on is protecting the services and data we’re storing for our customers in Azure,” Germain says. “Any attacks on that environment could create significant challenges for our customers.”
Germain says that it is “humanly impossible” for many organizations to thoroughly sift through their voluminous logs. He notes that Microsoft Azure Sentinel integrates with the company’s threat intelligence tools to suss out potentially harmful events.
“It basically feeds our security information and event management tool with all the really bad stuff that’s happening in the world right now. Then, it looks through your logs and searches for any matches,” Germain says. “If there’s an IP address that we know is bad, we can block that address with our firewall, and that can happen in minutes. You can contain an incident a lot quicker. That’s what we’re trying to get at.”