Pratum Blog

Shifting Your Organization's Security Model Mindset

How do you protect data when it leaves your building?

A few years ago, hardly anyone asked that question because data stayed home. But with the rise of cloud services, mobile computing and a pandemic, the trend of data following users became the norm in a matter of weeks. Suddenly, your data’s security had far less to do with your physical facility’s security. As a result, there is fresh interest in zero-trust architecture, where the mindset switches from a device-centric security model to a data-centric model.

In a zero-trust world, IT leaders assume that devices, networks and individual user accounts have already been breached. So they attach security factors to the data itself. This not only boosts security but expands the organizations’ business opportunities. With a zero-trust approach, you can continue doing business with a valuable partner even if you’re not confident in their security systems. Thanks to a data-centric model, your data protects itself.

Moving to a Data-Centric Mindset

Not long ago, organizations could almost literally keep an eye on their data. Employees mostly worked in offices on company-owned devices plugged into company networks (or at least linked to company wireless networks). Data lived on a centralized server. For the most part, protecting your data meant controlling who entered your building.

Today, data roams the globe without its traditional bodyguards. The boundaries between work and personal life have blurred as employees access data around the clock and on a variety of desktop and mobile devices and networks. “We’re never fully at work and never fully at home,” says Pratum Founder and CEO Dave Nelson. “We’re always just kind of everywhere.”

The pandemic obviously accelerated adoption of remote work by years. And with 90% of HR leaders saying they intend to maintain some form of work-from-home policies after the pandemic, the call for a data-centric model has unprecedented momentum.

“Many organizations are still basing their security model on something that doesn’t exist anymore. You no longer control the devices or networks. And that’s scary for data managers and business leaders. Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.”

David Nelson, President and CEO, Pratum

Who's Really Accessing Your Data?

From an identity perspective, we now have complete strangers touching organizational data every day. When an employee logs in from a remote location, how much do we know about the security of their network? Are they working on a home computer with outdated antivirus protection? When a vendor logs into your distribution and inventory platform, how do we even know it’s them and not someone who stole their credentials? Are your industry partners protecting the login credentials you give them or handing them out to multiple employees?

Those questions, Nelson says, overturned many long-held best practices. “We saw a lot of IT leaders freaking out when business leaders came to them and said, ‘I know you’ve done all this work over the last 15 years to make our network and data secure, but we’re going to send everybody home, and we need those people to get access to all that data from devices you don’t know.’”

Zero-trust architecture ensures your data is safe, even if, for example, someone intercepts it while your employee is working on a coffee shop network. IT leaders can quit worrying about the specific device or network in use because their security has now become data-centric.

Components of Zero-Trust Architecture

Moving to zero-trust architecture represents a major IT project, but many information security consultants are telling their clients that it should become a top priority. Though widespread adoption is starting only now, the concept has been around for years. All the major information security players support the use of zero-trust architecture, including Microsoft, Fortinet, Cisco and Amazon Web Services.

That’s essential, because in a zero-trust environment, each use of data must be vetted through multiple security layers. For example, you might grant read-only access to a file as long as the user is on a computer with antivirus software installed. Before users can modify the file, their devices must clear a much higher security bar. For example, the system might run a basic “health screen” of the computer for proof that it has run an antivirus check in the last 12 hours, has an acceptable firewall, is part of an approved domain, etc. The system may also grant provisional access by requiring, for example, that the computer run another antivirus scan before it is allowed to modify files.

While the number of zero-trust components varies by the platform you’re using, these are the six core principles:

1. Identities – Strong authentication tools should validate every user’s identity. It starts with strong passwords/PINs and extends into digital signatures and multifactor authentication tools such as tokens, certificates and biometrics. In all situations, organizations should follow a policy of least-privileged access, in which users receive access only to the data they need to do their job.

2. Devices – Any device seeking to access company data must comply with policies such as having a firewall turned on and rules validated; anti-malware software turned on and set to scan daily; and auto-update enabled to ensure software is adequately patched.

3. Applications – The system should inventory all applications and data locations, including client-server (ERP, core platforms, accounting, etc.); desktop (Adobe, Microsoft Access, My Documents/Desktop); and cloud solutions (Salesforce, AWS, etc.). Administrators should determine ownership and management responsibilities and enforce and audit security compliance.

4. Telemetry & Monitoring – We’re overwhelmed with system activity reports, so you need a robust system to make sense of all the noise and spot potential threats. (Pratum’s Security Operations Center ingests about 6 billion events each day across all of our managed XDR/SIEM clients.) Organizations should track detailed usage statistics such as date/time of access; location of the access; sizes of files accessed; bandwidth utilization and more.

User & Entity Behavior Analytics (UEBA) solutions model typical user behavior and flag anomalous activity. This system might, for example, note that a user who typically works 9-5 is logging in at midnight from a new device. That might indicate an attempted breach in progress.

In a similar vein, Extended Detection and Response (XDR) solutions with Security Information and Event Management (SIEM) track activity in all corners of your technology stack and proactively stop potential threats before they can do any damage.

5. Networks – Networks still play a key role as security boundaries since they can be explicitly trusted and can encrypt all communications.

6. Information Rights Management (IRM) – In a platform using IRM, data carries its own rules for use. For example, e-mail may be set to restrict forwarding of messages marked as confidential. In Word or Excel, users may be prohibited from opening or printing files unless they are using a company-owned device. Note that these rules often can be circumvented if they aren’t used in conjunction with file encryption.
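The tiered device "health screen" described above (read-only access on any device with antivirus, a stricter bar before files can be modified, provisional access pending a fresh scan), as an added example that is not Pratum's code or any vendor's policy engine. The posture fields, the approved domain and the access tiers are assumptions for illustration.

```python
# Added example (not Pratum's code): a conditional-access evaluator modelled on
# the device "health screen" described above. Posture fields, the approved
# domain and the access tiers are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class DevicePosture:
    antivirus_installed: bool
    last_av_scan: Optional[datetime]   # UTC time of the last completed scan
    firewall_on: bool
    auto_update_enabled: bool
    domain: Optional[str]              # joined domain, if any

APPROVED_DOMAINS = {"corp.example"}    # assumed value
MAX_SCAN_AGE = timedelta(hours=12)     # "antivirus check in the last 12 hours"
STALE_SCAN = "antivirus scan older than 12h"

def health_screen(d: DevicePosture, now: datetime) -> List[str]:
    """Checks required before a device may modify files; returns the failures."""
    failures = []
    if not d.firewall_on:
        failures.append("firewall off")
    if not d.auto_update_enabled:
        failures.append("auto-update disabled")
    if d.domain not in APPROVED_DOMAINS:
        failures.append("device not in approved domain")
    if d.last_av_scan is None or now - d.last_av_scan > MAX_SCAN_AGE:
        failures.append(STALE_SCAN)
    return failures

def decide_access(d: DevicePosture, requested: str, now: datetime) -> dict:
    """Map a 'read' or 'modify' request to a decision plus reasons for the audit log.
    read   : allowed on any device with antivirus installed
    modify : needs a clean health screen; if a stale scan is the only failure,
             grant provisional access conditioned on running a fresh scan."""
    if requested not in ("read", "modify"):
        raise ValueError(f"unknown request type: {requested}")
    if not d.antivirus_installed:
        return {"decision": "deny", "reasons": ["no antivirus installed"]}
    if requested == "read":
        return {"decision": "allow", "reasons": []}
    failures = health_screen(d, now)
    if not failures:
        return {"decision": "allow", "reasons": []}
    if failures == [STALE_SCAN]:
        return {"decision": "provisional", "reasons": failures,
                "required_action": "run an antivirus scan, then retry"}
    return {"decision": "deny", "reasons": failures}

def demo() -> dict:
    """Constructed sample devices evaluated at a fixed time (illustration only)."""
    now = datetime(2021, 3, 15, 9, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(hours=2), now - timedelta(hours=20)
    devices = {
        "healthy_corp": DevicePosture(True, fresh, True, True, "corp.example"),
        "stale_scan":   DevicePosture(True, stale, True, True, "corp.example"),
        "byod":         DevicePosture(True, fresh, True, True, None),
        "no_av":        DevicePosture(False, None, True, True, "corp.example"),
    }
    return {name: (decide_access(dev, "read", now)["decision"],
                   decide_access(dev, "modify", now)["decision"])
            for name, dev in devices.items()}
```

The reasons list is what feeds the telemetry principle: every deny or provisional decision should be logged with the failed checks, not just the outcome.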

The Power of Conditional Access

A key step in the zero-trust system is assigning conditional access to different types of files, recognizing that there isn’t a one-size-fits-all solution here. Locking every file down in the same way will surely make daily work harder than it needs to be for many users. Setting file access levels should not fall solely on the IT team. IT needs input from other leaders to explain the sensitivity of data in any given file type and who should be able to use it.

This chart provides examples of how an organization may set access for various types of files.

[Chart: Example of Conditional Access Policy]

As you consider how your environment needs to adapt to new working styles and whether zero-trust architecture may be right for your organization, Pratum can help. Contact us today for a free consultation on the best way to protect your critical data.

Microsoft Exchange Breach: What We Know So Far

In early March, the zero-day breach of the Microsoft Exchange Server instantly became the cybersecurity story of 2021 so far. Along with the SolarWinds breach of late 2020, this represents the second suspected state-sponsored cyberattack in quick succession, continuing to provide a wakeup call to many organizations.

When news broke about the four Exchange vulnerabilities on March 2, Pratum consultants immediately began contacting clients and instructing them to update their servers with Microsoft’s available patches as soon as possible. However, it’s crucial to understand that hackers exploited the vulnerability before the patches were released. So even if your servers have been patched, this remains a live situation as Pratum’s cybersecurity experts continue to determine exactly what the attackers accomplished with the zero-day attack. The following summary covers what we know so far about the situation. We will continue to update this blog as more information becomes available.

Impacted Systems

The new Exchange Server vulnerabilities primarily affect on-premises e-mail servers frequently used by small- and medium-size businesses. This was a widespread attack that sought to compromise any Exchange server it could find through online scans. When the attackers located a vulnerable Exchange Server, they typically inserted malware that would allow them to develop full attacks on compromised organizations at a later date.

The breach impacts on-premises Exchange Server 2013, 2016 and 2019 and can give attackers access to e-mail accounts, as well as a foothold to act within the targeted environments over the long term. Microsoft stated that the attack was initially traced to HAFNIUM, a state-sponsored group operating out of China. The United States has seen the highest number of attacks.

The vulnerability was initially identified in January and became widely known when Microsoft announced its patches on March 2. As news of the vulnerability spread, attackers worldwide quickly began to exploit the vulnerability by implanting ransomware and other malware. In the second week of March, reports indicated that the number of attacks was doubling every few hours. Experts estimate that as many as 60,000 organizations have been hacked so far.

When the vulnerability was publicized, Pratum’s incident response team began working around the clock to help clients investigate their systems to identify when their system was compromised and what type of activity took place during the compromise.

What You Can Do Now

Here are Pratum’s key recommendations as of this writing:

  • Install the Updates – By March 2, Microsoft had released updates covering approximately 95% of all exposed versions of Microsoft Exchange Server. Ideally, you’ve already updated your server with the available patches. If not, install the updates immediately. (Even two weeks after news of the vulnerability broke, experts estimated more than 80,000 servers worldwide remained unpatched.)
  • Check Your Vulnerability – This Microsoft script on GitHub can check whether your system is still vulnerable. Remember: If you can scan your own system that easily for vulnerabilities, so can hackers. You also can check whether your domain is on the list of those potentially compromised. Note that this list isn’t updated, so if you’ve installed the patches, your domain will still appear on the list.
  • Search for Threats – Installing the update and closing the vulnerability does not solve the problem. Nearly every case that Pratum has investigated has revealed web shells planted in February, which could open your system to backdoor attacks and malware. (A web shell is a malicious script that hackers embed so that they can exploit your system via a web server.) You will need to pursue a threat-hunting strategy to fully determine what compromises your system may have suffered. Pratum can assist with this threat-hunting effort. You also can read Microsoft’s latest mitigation guidance here. You’ll find additional info through Microsoft’s list of observed indicators of compromise (IOCs). This site from the federal Cybersecurity and Infrastructure Security Agency includes a chart of observed malicious activities.
  • Block Known Malicious IPs at the Firewall – We haven’t located a single, comprehensive list of these known IPs online, but Pratum is building its own reference list. Please contact us to learn more.
  • Reset All Administrator and User Passwords – Don’t overlook this basic precaution.
  • Back Up Your Exchange Server – This backup should be in a different location, outside of your network, even if you have installed the patches. We expect new malware and ransomware attacks to emerge, and you should be prepared by backing up your server.
  • Engage a Digital Forensics Team to Examine Your Network – It will almost certainly take weeks or months to determine how threat actors infiltrated systems before the patches were applied. Most organizations will need a digital forensics expert to root out any malware that may be on your network. Note that with thousands of organizations compromised, availability of incident response teams is likely to be limited.
  • Follow Developing Events – Pratum will update this blog as new information becomes available. We also recommend following the well-known cybersecurity news source Krebs on Security for updates.

If you need assistance in understanding exactly what vulnerabilities still exist in your system because of this breach, please contact Pratum to talk with one of our advisors.


Because the bad guys never sit still, your threat-hunting system can’t afford to either. A managed XDR (Extended Detection and Response) service delivers the latest advances in endpoint protection and threat-hunting to keep up with new attack vectors. Managed XDR provides multiple advantages over traditional security stacks made up of several loosely connected systems. In this blog, we’ll focus specifically on managed XDR’s ability to track suspicious activity and decide when it’s time to intervene and stop a potential threat. Using a combination of machine learning and XDR rules programmed by analysts, these systems correlate actions across all corners of your technology stack to recognize threats that may have slipped by unnoticed before.

To help you understand the threat-hunting capabilities, let’s look at a day in the life of a managed XDR system as if it were the world’s most secure airport.

In our scenario, John Doe drives to the airport to catch the same 10:07am flight he’s taken every Monday for the last month. At the airport, he checks into the flight via a kiosk, makes his way through the TSA security checkpoint and heads to his assigned gate.

That seems routine enough. But if John Doe were living within an XDR-supervised system, the situation would look more like the following. (Keep in mind that while our airport example involving humans plays out over a couple of hours, this sequence may happen almost instantly in a managed XDR setting.)

An Unusual Access Point

Because our airport features highly enhanced security, anyone entering the property must pass through a manned checkpoint. At the guard shack, Agent Chuck Norris greets John Doe and asks to see his ID. Chuck recognizes John from his visits every Monday and notes that he’s arriving at his usual time. But Chuck notices some changes. John is entering via the west gate instead of the north gate that he typically uses, and he has a passenger with him. (Because our agent is Chuck Norris, he personally mans every gate every day.)

XDR parallel: XDR monitors every aspect of your technology stack and recognizes John as a known system user. But it notes that his pattern has changed. He’s trying to log in from a different web browser and IP address. Is John working somewhere else today, or is this a hacker who stole John’s credentials trying to log in from their location? Since the login info is correct and the login time matches John’s typical pattern of starting work each day, XDR lets him proceed.

Chuck finds something else sketchy. He knows that John took a different route from his house to the airport today. (Chuck gets a lot of intel.) But with a quick check of traffic reports, Chuck sees that there is road construction on the interstate. That would explain John’s atypical route to the airport.

XDR parallel: The system’s job is to stop threats while avoiding false positives. If a quick check can explain why a user may be entering through an unusual server, the system will allow them to proceed. But John’s activities have triggered enough rules for anomalous behavior that his session has moved to a higher alert level. XDR is now watching him more closely.

What About that Failed Login?

John makes his way through the main airport terminal to a kiosk, where he checks into his flight. His ID and flight reservation check out. A camera in the kiosk snaps a picture of his face, and his name and photo are instantly compared to every known no-fly list in the world. He comes back clear. He receives a boarding pass and heads to the security screening line.

XDR parallel: XDR systems are constantly improving their rules based on global threat analysis information. For example, Microsoft (Pratum’s XDR platform of choice) analyzed 31,700 indicators per second in 2020 and uses all of that information to constantly screen for emerging threats. If an attack happened on the other side of the globe last week, Microsoft’s XDR platform has probably taken note and learned to watch out for that technique.

At the entrance to the TSA screening area, John runs into—who else?—Chuck Norris. Chuck reviews John’s boarding pass and notices that John is entering the regular screening line, even though he has TSA PreCheck. Anybody can mistakenly get into the wrong line. But Chuck knows that A) John flies every single week and B) Anybody with PreCheck takes advantage of it every time. Chuck points John to the proper line but makes another mental note. John hasn’t tried anything dangerous, but he’s not quite acting normal.

XDR parallel: Getting into the wrong line equates to a failed login attempt. XDR knows we all mistype passwords, but it looks at how many failed attempts were made—and how quickly. In John’s case, enough low-level indicators of anomalous events are adding up to the fact that he increasingly looks like a real potential threat. Without XDR, your security stack may not be coordinating all those seemingly disconnected events into an overall image of a suspicious actor. In many security stacks built on solutions from multiple vendors, the TSA agent, for example, wouldn’t know what the guard shack saw. But just like Chuck is everywhere in this airport, XDR sees everything happening in your system.

This Looks Like A High Risk

John successfully passes through the check of his ID and boarding pass. At the podium, Chuck confirms that John has PreCheck on his boarding pass and allows him to proceed to that screening area.

XDR parallel: PreCheck is the equivalent of a known user coming from a known IP address or trusted device. Because the system recognizes John’s identity and device, his logins get less scrutiny than others. In TSA terms, he can leave his shoes on during screening.

As John exits the screening area, Chuck remembers something from earlier today. A local cop—OK, that was actually Chuck, too—pulled John over for speeding on the way to the airport. Chuck had given John only a warning, but Chuck noticed at the time that John seemed very nervous during the conversation. Chuck decides he won’t let John out of his sight until John is on his plane and headed away from Chuck’s airport.

XDR parallel: It’s all adding up to the fact that John is acting strangely—and may not even really be the John Doe he’s claiming to be. His activities are now considered high-risk.

Time to Stop the Threat

At the TSA checkpoint, Chuck is running the X-ray (Does this guy ever take a coffee break?). He spots a suspicious object in a bag ahead of John’s. Chuck inspects the bag and finds a pocketknife. If Chuck were a rookie, he might tackle the guy, handcuff him and haul him away for this. But Chuck’s no rookie, and he knows that people forget pocketknives in bags all the time. That doesn’t make them terrorists. So Chuck confiscates the knife and sends the man on his way.

XDR parallel: Good XDR rules don’t overreact. Locking out a user or shutting down a system over such a small infraction causes significant inconvenience and business interruption for no good reason.

John makes it through the X-ray screening with no red flags, but Chuck notices him walking toward a restricted area. John types a code into the door’s keypad, and it opens. Why would a passenger have the code to a door leading to the runway? Chuck decides that John is launching some kind of attack. Chuck runs toward John, wrestles him to the floor and slaps on the cuffs. John is neutralized as a threat. But Chuck recalls that when John went through the guard shack earlier today, he had a passenger in the car. Where is that person now? Chuck knows the other man has already checked in for a different flight leaving from Terminal A, so Chuck orders Terminal A locked down until he can find John’s accomplice.

XDR parallel: When enough anomalous activities add up, XDR shuts down the perceived threat. In this case, John had a valid access code, but nothing in his normal profile indicates that he SHOULD have that code. So XDR would declare him a threat and shut down his access before he can do any damage.

Just as Chuck knew about our suspect’s associate, XDR can scan for other entities, such as users and IPs, that are associated with the threat.

Chuck made the key decision to lock down only one terminal, not the entire airport. If XDR makes a habit of shutting down entire systems, productivity comes to a standstill. So managed XDR rules are designed to make good decisions and to confine quarantines to the minimum elements necessary.

As you can see, XDR provides powerful abilities to build awareness of an emerging threat and take action to stop it. Most of this happens only after Security Operations Center (SOC) analysts have customized the XDR tool to recognize the kinds of patterns shown here and prevent false negatives. For more information on how managed XDR could make your environment more secure and efficient, contact us today.
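The risk accumulation the walkthrough describes (small indicators raising a session from normal to watch, a benign explanation lowering the weight, a burst of failed logins, access to a resource outside the user's profile forcing containment, and a quarantine confined to the session and its associated entities), together with the UEBA baseline of usual hours and known devices from the zero-trust post above, as an added example that is not Pratum's or Microsoft's code. The baseline, weights, thresholds and event shapes are constructed assumptions.

```python
# Added example (not Pratum's or Microsoft's code): a toy session-risk engine
# that accumulates anomaly indicators the way the airport walkthrough describes.
# The user baseline, weights, thresholds and event shapes are assumptions.
from collections import deque
from datetime import datetime, timedelta, timezone
# Constructed UEBA baseline: usual hours, known devices/IPs/browsers, entitlements.
BASELINE = {"jdoe": {"hours": (8, 18), "devices": {"dev-laptop-01"}, "ips": {"203.0.113.10"},
                     "browsers": {"Firefox"}, "entitlements": {"crm"}}}
WATCH, HIGH, CONTAIN = 3, 6, 100          # alert-level thresholds (assumed)
FAILED_WINDOW = timedelta(minutes=5)      # burst window for failed logins

class Session:
    def __init__(self, user):
        self.user, self.score, self.reasons = user, 0, []
        self.failed = deque()    # timestamps of recent failed logins
        self.associated = set()  # other entities seen with this session

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)

    def level(self):
        tiers = ((CONTAIN, "contained"), (HIGH, "high"), (WATCH, "watch"))
        return next((name for t, name in tiers if self.score >= t), "normal")

def handle(sess, ev):
    """Score one event (a dict) against the user's baseline; return the alert level."""
    b, ts = BASELINE[sess.user], ev["ts"]
    if ev["kind"] == "login":
        if not b["hours"][0] <= ts.hour < b["hours"][1]:
            sess.add(3, "login outside usual hours")
        if ev["device"] not in b["devices"]:
            sess.add(2, "unknown device")
        if ev["ip"] not in b["ips"]:
            # a verified benign explanation (the road-construction check) lowers the weight
            sess.add(1 if ev.get("explained") else 2, "new source IP")
        if ev["browser"] not in b["browsers"]:
            sess.add(1, "new browser")
        if ev.get("peer"):               # the "passenger": remember associated entities
            sess.associated.add(ev["peer"])
    elif ev["kind"] == "login_failed":
        sess.failed.append(ts)
        while ts - sess.failed[0] > FAILED_WINDOW:
            sess.failed.popleft()
        # one typo is nothing; a burst of failures inside the window is worth more
        sess.add(3 if len(sess.failed) >= 3 else 1, "failed login")
    elif ev["kind"] == "access" and ev["result"] == "granted":
        if ev["resource"] not in b["entitlements"]:
            # valid code, but nothing in the profile says this user should have it
            sess.add(CONTAIN, f"granted {ev['resource']} outside normal profile")
    return sess.level()

def containment_scope(sess):
    """Quarantine the minimum: this session plus the entities associated with it."""
    return {"sessions": {sess.user}, "entities": set(sess.associated)}

def demo():
    """Replay a constructed event sequence mirroring John Doe's morning."""
    t0 = datetime(2021, 3, 15, 9, 5, tzinfo=timezone.utc)
    s, m = Session("jdoe"), timedelta(minutes=1)
    events = [
        {"ts": t0, "kind": "login", "device": "dev-laptop-01", "ip": "198.51.100.8",
         "browser": "Chrome", "explained": True, "peer": "198.51.100.9"},
        {"ts": t0 + m, "kind": "login_failed"},
        {"ts": t0 + 2 * m, "kind": "access", "resource": "crm", "result": "granted"},
        {"ts": t0 + 3 * m, "kind": "access", "resource": "payroll-admin", "result": "granted"},
    ]
    levels = [handle(s, e) for e in events]
    return levels, s.score, containment_scope(s)
```

Note that the access to crm, a resource in the user's profile, adds nothing even while the session is on watch, which is the PreCheck lane: known identity plus known resource means less scrutiny, not none.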
