Managed XDR Services

Security is hard: no one running a business or maintaining an IT service sets out to become the victim of a security incident or to lose precious data.

Managed Extended Detection & Response (XDR) services using an open approach combine your existing best-of-breed toolsets into a centrally orchestrated, formidable wall of defence.

Prevention, detection and response go together like peanut butter, jam and... we'll work out the last one soon! Combine your toolsets so they work together in harmony.

Current challenges

Security is a broad and detailed topic. With so many attack opportunities waiting to be exploited, in the form of out-of-date software, configuration weaknesses and zero-day exploits, it's hard to know where to start.


Solution

1. Assess
Using our catalogue of pre-understood risks, we will assess each risk and advise on the controls in place and any gaps.

For example:

We will assess your Azure AD environment's exposure to brute-force attacks. Findings are documented in a risk register format, potentially highlighting a weak Conditional Access policy that opens an opportunity for an MFA bypass attempt.

We'd recommend an MFA policy review and the implementation of SIEM alerts for MFA bypass attempts.

To remediate automatically we'd recommend SOAR orchestrations and an XDR architecture, also a service we offer.

2. Extended
Ingest data from, and orchestrate responses across, your existing estate of security assets: leverage your investments now rather than waiting to consolidate into a single vendor ecosystem.

3. Prevention
Using our professional services team, we will implement and/or maintain the agreed 'prevent & avoid' configurations and automations assessed as best aligned to your need.

4. Detection
Using our managed service offering, we will continuously monitor and alert on events as assessed to meet the need.

5. Response
Back to the peanut butter and jam comment: where assessed to be appropriate, we will trigger automatic remediations for the detected security events.

Benefits

  1. Comprehensive risk assessment to confirm threat and need.
  2. Ready to go solutions to bring immediate protection. 
  3. Open architecture, utilise almost any security tooling.
  4. Get toolsets such as Sentinel (SIEM), Defender, Update Services and more up and running quickly using tried and tested methods.
  5. Reduce your risk and the workload on your IT teams by using our 'ready to move' catalogue of security orchestrations (SOAR).
  6. Visualise anything from any platform.

Scenario example

Imagine a typical scenario: an inbound email carrying a malicious payload is aimed at normal users, perhaps offering a free coffee as thanks for their hard work on a recent product launch. When clicked, the email attempts to install code and send more malicious emails. Approximately 30% of users will click the link to a website where they may unwittingly submit their details in anticipation of a medium latte. Now imagine it was a medium latte with syrup, and we're talking a 50% click rate!

Below is an example of how an Open Extended Detection & Response approach could reduce the chances of this scary scenario! 

XDR (extended detection and response) ingests and automatically correlates data across multiple security layers such as email, endpoint, server, cloud workload, and network. This allows for faster detection of threats, improved investigation and response times through security analysis.

The term 'extended' refers to centrally orchestrating protection (collection, analysis, response and so on) across many platforms.

XDR can also be an open architecture: solutions such as Microsoft Sentinel are well suited to integrating with a non-Microsoft anti-virus product, web filter solution or network router to centrally orchestrate investigations and responses, as we show below.

Microsoft XDR overview

Open XDR examples:

Always start with prevention: it's better to prevent such a scenario than to recover from its impact. There are different types of prevention, which we've classified as dynamic and static.

Dynamic Prevention:

  • An external threat feed (STIX/TAXII) of your choice is ingested into an A4S-managed Microsoft Sentinel service, which in turn informs the incoming mail filter service of your choice of the latest malicious email attack sources and payloads, ensuring your security configuration stays aligned to the latest threats.
  • Using dynamic threat feeds means your security posture is always configured for the current threats: some days your mail filter may be more restrictive, on others less so. You can also utilise multiple reliable threat feeds.
  • We can also use this information to update your host anti-virus configuration, i.e. to apply a stricter anti-virus and anti-malware posture for times when there is an elevated threat level.
  • Ingesting mail flow logs into Sentinel allows us to look for mail trends related to the threat feed, i.e. if there is a sudden elevation in mail flow from email address X, then apply inbound and/or outbound restrictions.

Static Prevention:

  • Ensuring your architecture contains an effective perimeter defence against mail hosted threats, ensuring it is risk assessed and aligns to the latest security best practices.
  • Ensuring configurations related to spam and junk mail filtering are in place.
  • Routine training of end users using A4S automated monthly simulated phishing attacks which attempt social engineering.

Within this scenario we're ingesting security telemetry from several different sources, such as:

  • Threat feeds, which have already told our SIEM instance of the latest threats; we've used this information to update the Mimecast configuration.
  • Incoming mail filter logs, such as Mimecast, which are telling our SIEM solution of new inbound mail threats.
  • Mail flow logs, in which our SIEM solution has noticed an increase in specific email address usage by certain mailboxes.
  • Host-based anti-virus/anti-malware, which has detected the attempted install of a mail sender application.
  • Host-based firewall, which has seen outbound mail send attempts; this information is captured in event logs and recognised by the SIEM.
  • The third-party web filter: the phishing attempt partly relies on the user clicking a link to register for the latte with syrup, and we've already captured that web address.

All of the above information is held within our SIEM so it’s easy to visualise using Azure Workbooks.

Scheduled analytics rules running in the SIEM have also correlated the information from the different sources and recognised a multi-surface attack, and are now alerting.

Now that our scheduled analytics rules have detected incidents signposted in the threat telemetry from the various sources, we can action the following to reduce or prevent the impact of the attack:

  • XDR orchestration can update the incoming mail filter rules to restrict further payloads by adding the source to a banned list or performing deeper email payload inspection.
  • XDR orchestration can update the mail system mail flow rules to reduce or block email containing that payload or from specific source addresses.
  • XDR orchestration can move infected hosts into a sandbox environment, apply connectivity restrictions, or begin aggressively scanning for threats.
  • XDR orchestration can update impacted user accounts by blocking mail sending and receiving.
  • XDR orchestration can block the phishing-related URL at the web filter.
  • XDR orchestration can automatically send training to end users related to this event, it can also warn the line manager of the impact to their team member.
  • XDR orchestration won’t buy that free coffee (sorry).
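As an added illustration (not the provider's tooling nor a Sentinel rule), here is the correlation logic behind the scheduled analytics rule described above, in Python, run over constructed telemetry from the sources listed: an incident is raised only when several sources agree on one user within a time window, and the orchestration actions follow from which sources fired. The feed indicators, hostnames, user names and event shapes are all constructed for this example.

```python
from datetime import datetime, timedelta
FEED_SENDERS = {"rewards@coffee-promo.example"}  # from the threat feed (constructed, not real IoCs)
FEED_URLS = {"http://coffee-promo.example/claim"}
# Constructed telemetry from the sources listed above, normalised as a SIEM would hold it.
EVENTS = [
    {"ts": "2024-03-01T09:00:10", "source": "mail_filter", "user": "alice", "host": "WS-101",
     "sender": "rewards@coffee-promo.example"},
    {"ts": "2024-03-01T09:02:30", "source": "web_filter", "user": "alice", "host": "WS-101",
     "url": "http://coffee-promo.example/claim"},
    {"ts": "2024-03-01T09:03:05", "source": "antivirus", "user": "alice", "host": "WS-101",
     "detection": "Trojan.MailSender"},
    {"ts": "2024-03-01T09:04:40", "source": "host_firewall", "user": "alice", "host": "WS-101",
     "direction": "outbound", "dst_port": 25},
    {"ts": "2024-03-01T11:30:00", "source": "antivirus", "user": "bob", "host": "WS-205",
     "detection": "PUA.Toolbar"},  # lone AV hit on another user: noise, must not alert
]
# Orchestration action each kind of evidence supports (mirrors the response list above).
ACTIONS = {"mail_filter": "add sender to inbound mail filter banned list",
           "web_filter": "block phishing URL at the web filter",
           "antivirus": "isolate host and start aggressive scan",
           "host_firewall": "block outbound mail sending from host"}

def is_signal(ev):
    # Keep only events that are evidence of this attack, not background noise.
    src = ev["source"]
    if src == "mail_filter":
        return ev.get("sender") in FEED_SENDERS
    if src == "web_filter":
        return ev.get("url") in FEED_URLS
    if src == "host_firewall":  # a workstation should never talk SMTP outbound itself
        return ev.get("direction") == "outbound" and ev.get("dst_port") == 25
    return src == "antivirus"

def correlate(events, window_minutes=30, min_sources=3):
    # One incident per user whose signals span >= min_sources within a sliding window.
    by_user, incidents = {}, []
    for ev in sorted(filter(is_signal, events), key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, sigs in by_user.items():
        for start in sigs:
            t0 = datetime.fromisoformat(start["ts"])
            end = t0 + timedelta(minutes=window_minutes)
            hit = [e for e in sigs if t0 <= datetime.fromisoformat(e["ts"]) <= end]
            sources = {e["source"] for e in hit}
            if len(sources) >= min_sources:
                actions = sorted(ACTIONS[s] for s in sources) + ["suspend mail send/receive for user"]
                incidents.append({"user": user, "hosts": {e["host"] for e in hit},
                                  "sources": sources, "actions": actions})
                break  # one incident per user; later evidence joins the same case
    return incidents
```

Tightening `window_minutes` to 2 on the same data produces no incident, which is the point of the window: single-source or widely spaced hits stay as telemetry rather than triggering automated remediation.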

Identity & data protection

Our expertise will help you understand threats, apply configuration to reduce impact, alert on any events and through the use of automation quickly respond to security incidents.

Virus & malware protection

Whether you're using Defender or another service, we will help you extend and deepen your defence capability. Why wait for your anti-virus product to detect a virus? Instead, actively respond to events by isolating an affected asset or preventing further spread by closing down routes of propagation using firewall and email automations.

Network threat mitigation & control

Countless network threats, both internal and external, are taking place. With the right decision making, toolsets and configurations we have a better chance of defending our businesses. Below is a list of services in this area:

Governance controls enforcement

Governance controls are essential to ensure security is maintained. Governance controls can be implemented and then circumvented without anyone noticing; we can help implement and maintain effective controls to ensure you stay in control: