Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 1 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In recent months I have presented an example of the cyber kill chain using the SamSam ransomware attack, which was first identified in 2015. It has seen a resurgence as of late, and if you follow the news, the recent cyber-attack crippling the City of Atlanta was yet another form of SamSam. SamSam can be quite difficult to stop without proper process, patching, and tools. Protecting your organization from SamSam is no different than being prepared for other known and unknown attacks.
In this multi-part blog series I will profile some strong detection and protection solutions for SamSam and similar attacks. You will learn more about Sentinel’s Security as a Service (SECaaS) offerings and how they can help defend against these attacks. I will also break down the attack across the cyber kill chain and recommend areas where detection or protection might intervene to protect your organization and ensure it doesn’t wind up like Atlanta.
A majority of enterprises invest in excellent protection technologies and develop a fairly regular patching cadence. Some use vulnerability scanning software to report on and prioritize their patching needs, but fail to do so frequently enough. Others hire Sentinel’s Advisory Services team to perform timely security assessments instead. Sentinel’s world-class Managed Services team is also available to handle patching for you. The most advanced organizations engage us to go beyond security assessments and perform penetration (PEN) testing on critical internal and publicly exposed assets. Often, however, organizations lack detailed visibility into their security environment. They may invest in many protection tools, but nobody is constantly watching what those tools are doing and how well they’re performing. There is no single perfect security solution, and even if one existed, most organizations don’t have enough qualified staff to properly develop, manage, and monitor it.
Environmental Awareness - Who's Watching Your Network?
Being fully aware of your environment is the first step toward keeping it protected. With this information you can cultivate best practices such as regular patching while identifying unauthorized services on your network that introduce additional risk. Security teams can focus on improving system hardening as well as understanding what is happening on your network. Vulnerabilities in items like Adobe or Java software become easier to identify and patch. Threat feeds identify known risky IPs that are “knocking on your door” and alert you to activity.
Sentinel’s Security as a Service (SECaaS)-managed SIEM includes constant vulnerability scanning of your assets and rates each one using the common vulnerability scoring system (CVSS). By putting a full-time vulnerability scanning system with real-time detection service on your network, you gain unprecedented visibility into your environment.
Patching is critical, no matter if you handle it on your own or use Sentinel’s Managed Services to take care of it for you. With constant vulnerability scanning you can have your assets scanned and reports delivered to your team on a regular basis (our service defaults to monthly). Cyber threats are taking advantage of known vulnerabilities faster than ever. Attack windows are shrinking, and patching on an annual or even quarterly basis simply isn’t often enough. Sentinel has also created a custom reporting dashboard that lets your team sift through vulnerabilities within the SIEM, either to find the specific items within their domain of support or simply to identify the most at-risk items quickly and easily, so you can continue to harden your defenses.
Vulnerability management, security assessments, and even periodic PEN tests are just a start. Organizations also need constant security monitoring. When combined with vulnerability visibility, constant monitoring will let you bring together log information from your current security investments and add Intrusion Detection Sensors (IDS) at strategic locations within your network.
The graphic below is a real-world example of the constant visibility offered by Sentinel’s SECaaS. In this sample, I have it filtered to show only the first “intent” level within the managed SIEM “environmental awareness.”
IDS sensors review activity on the network as well as log source information to identify risks such as suspicious behavior and service scanning of the network. Risks are rated as low, medium, or high so that IT teams can easily identify and prioritize risk items before taking action.
How it relates to SamSam
Thus far, SamSam attacks seem to be targeted at specific organizations rather than drive-by attacks looking for “low hanging fruit.” Data gets stolen, and traditional recovery methods such as snapshots or backups are crippled or eliminated so organizations are forced to pay a significant amount of money to get it back. This is why a strong backup strategy with air gapping plays an essential role in recovery. It is one of the many benefits our customers receive as part of Sentinel’s Backup as a Service (BaaS) offering. Contact Sentinel today to learn more on how you can air gap your existing backup or add an air gapped service within our CloudSelect® BaaS offering.
While many attacks depend on unsuspecting users opening a deviously crafted email asking for credentials or loaded with a malicious file, SamSam tends to hunt for vulnerabilities in your network and move laterally. Knowing your vulnerabilities and addressing them in a timely manner is one of the best practices to avoid becoming the next victim. In past years SamSam took advantage of known web server vulnerabilities. In the case of the City of Atlanta, although not officially disclosed at the time of this blog, it has been mentioned that publicly accessible RDP servers were affected as well as servers with known vulnerabilities. Patching might prevent these attacks, but if a bad actor wants to get in they won’t stop there.
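The scanning and prioritization workflow described above, as an added example that is not Sentinel’s SIEM or dashboard code: findings are banded by CVSS score, weighted up when they sit on internet-exposed hosts or the remote-entry services named here (RDP, web servers), and can be filtered to one team’s domain of support. The sample findings, owners and the weights are constructed assumptions.

```python
"""Prioritizing vulnerability-scan findings by CVSS score and exposure.

Added example, not Sentinel's SIEM or dashboard code. The findings below are
constructed; hostnames, owners, scores and the priority weights are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    host: str
    service: str            # service the finding applies to, e.g. "rdp", "http"
    cvss: float             # CVSS base score, 0.0 to 10.0
    internet_exposed: bool  # reachable from outside the perimeter
    owner: str              # support team responsible for the host
    days_open: int          # days since the scanner first reported it


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Services the article singles out as SamSam entry points: exposed RDP and
# web servers with known vulnerabilities.
REMOTE_ENTRY_SERVICES = {"rdp", "http", "https"}


def priority(f: Finding) -> float:
    """Patching priority: the CVSS base score, weighted up for internet
    exposure, remote-entry services and findings left open past a month.
    The weights are assumptions chosen for this example, not a standard."""
    p = f.cvss
    if f.internet_exposed:
        p *= 1.5
    if f.service in REMOTE_ENTRY_SERVICES:
        p += 1.0
    if f.days_open > 30:
        p += 1.0
    return round(min(p, 15.0), 2)


def prioritize(findings: List[Finding], owner: Optional[str] = None) -> List[Finding]:
    """Return findings ordered most urgent first. Passing an owner filters to
    that team's own 'domain of support', as a per-team dashboard view would."""
    selected = [f for f in findings if owner is None or f.owner == owner]
    return sorted(selected, key=priority, reverse=True)


# Constructed sample scan results.
SAMPLE_FINDINGS = [
    Finding("ts01", "rdp", 7.5, True, "windows", 45),
    Finding("web03", "http", 9.8, True, "web", 10),
    Finding("db02", "mssql", 8.1, False, "dba", 5),
    Finding("wks17", "java", 6.5, False, "desktop", 60),
    Finding("print1", "http", 5.3, False, "desktop", 2),
]


def report(findings: List[Finding], owner: Optional[str] = None) -> List[str]:
    """One line per finding, most urgent first."""
    return [f"{priority(f):>5} {cvss_band(f.cvss):<8} {f.host:<7} {f.service:<6} owner={f.owner}"
            for f in prioritize(findings, owner)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
    print("--- desktop team only ---")
    print("\n".join(report(SAMPLE_FINDINGS, owner="desktop")))
```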
Reconnaissance and Probing - Who's Knocking on Your Door?
Most customers that I meet have invested in great protection technologies, including next-generation firewalls and strong endpoint protection. However, many take the approach of set it and forget it, which isn’t an effective security strategy.
Sentinel’s IDS sensors, when deployed at strategic locations within your network, can help to identify activities and signs of a potential attack or risk from outside or even inside your network. According to Verizon’s 10th Annual Breach Report, 75% of attacks came from outside sources, which means that insider attacks pose a significant risk to your organization as well. These activities might be a sign of a malicious insider manipulating your security controls, or possibly even an attacker that has gained access to your inside network.
When you have Sentinel’s managed SIEM with IDS, it is easy to identify what is happening within your network. The enhanced visibility helps identify activities that would otherwise put you at risk or provide hackers with the information required to weaponize an attack on your systems.
In the above example, higher risk Reconnaissance and Probing activities are shown within an active system. By hovering over a point in time we can see 3 unique activities occurring from multiple countries of origin. The system has also identified the common vulnerability known as “bash”, which, as the CVE description on NIST puts it, “allows remote attackers to execute arbitrary code via a crafted environment.” Hackers often look for exposed or vulnerable systems as well as scan for open ports, identifying exploitable vectors through which they can enter the network and execute code. During Sentinel’s Advisory Services PEN testing, one approach we use is to scan from the outside or the inside of a network and identify weaknesses prior to using exploitation techniques to determine how vulnerable those weaknesses really are. Sentinel’s service has identified this as a medium risk item and highly recommends remediation prior to an actual exploit occurring. The rating is based on a number of factors, which can include the reliability of the detection, the actual system sensitivity, and more.
At the same time, the perimeter was being scanned for vulnerabilities, and, more worrying still, scans were also originating from the internal network. All of this activity indicates opportunities to harden the system and to add geographic filtering of traffic from countries where no business is occurring.
Sentinel has recently added behavior-based Adaptive Threat Response™ (ATR™) services to our Managed SECaaS offering. With this service protecting your network, ATR™ is able to determine suspicious behavior patterns and push rules into supported firewalls and IPS systems to eliminate any bad activity and thwart would-be hackers in their tracks. This service offers tremendous value as IT teams are usually limited in resources in order to respond quickly enough to bad actors trying to penetrate your perimeters.
How it relates to SamSam
To help protect yourself from any attack, you need to start with constant vulnerability scanning and remediation along with hardening your perimeter and internal networks. Detecting suspicious activity and “locking your doors” is a critical and basic approach. If attackers are unable to get into your network and execute code, their ability to move laterally to get to your assets and monetize their attack is minimal. SamSam has been shown to attack known vulnerabilities in web servers, exposed RDP servers, or any system it can penetrate to escalate privileges and execute code. Once inside your network, will you be able to detect them before it’s too late?
In the next part of this four-part series we will review how threats escalate to Delivery & Attack and highlight some protection mechanisms that can help stop them from going further. If you are interested in learning more about Sentinel’s SecuritySelect® portfolio and Advisory Services, please contact us. You can follow Robert Keblusek on Twitter, @RKeblusek.
Sentinel Spring 2018 Event Calendar
Spring is a season for growth and rebirth, which also makes it the perfect time to review your organization’s technology investments and determine if changes or upgrades need to be made. Sentinel wants to help you better understand the advanced IT options available on the market today and make decisions best suited to your specific environment. Our offices around the country are hosting, sponsoring, or participating in a handful of fun events throughout April and May aimed at educating customers about some of the hottest technology solutions and services. Please join us if you’ll be in the area! Space is very limited for some of these, so make sure to RSVP well in advance via the links provided.
On Thursday, April 19 our Downers Grove, IL office is hosting a security lunch and learn at Gibsons Steakhouse in Oak Brook. Sink your teeth into some delicious steak while hearing about the latest advancements in cloud security. Experts from Cisco will lead a detailed discussion focused on how solutions such as Cloudlock, Umbrella, and Stealthwatch can extend the visibility and control over your network and endpoints to ensure your critical assets and data remain protected from outside threats. This one is filling up fast, so register today.
For those in the Denver area, please join Sentinel on Tuesday, April 24 for a day-long Cyber Threat Response Clinic at the Cisco offices in Centennial, CO. This immersive and interactive workshop is designed to help evolve your cybersecurity strategy to ensure your environment remains protected across the full attack continuum. Attendees will have the opportunity to participate in simulations, defend against different types of attacks in a virtual lab environment, and learn how to effectively respond with security and other integrated solutions. If you are interested in attending, please sign up here.
Every April, Ottawa County in Michigan (near Grand Rapids) hosts an Innovation and Technology Forum, focused on advancements and education in the world of IT and beyond. This year’s forum takes place on Thursday, April 26. The theme is “The Adaptive Workplace: Developing a Culture and a Workforce That Thrives”. Speakers will highlight the challenges organizations face managing a multi-generational staff and integrating new technologies into the workplace. An expert from Sentinel will be giving a short speech at the event, talking about recent solutions that have made communication and collaboration between employees easier than ever. Learn more about the forum and register here.
It will be an afternoon of security and superheroes on Friday, April 27 as our Downers Grove office hosts the premiere of Avengers: Infinity War at AMC Yorktown in Lombard, IL. Prior to the movie, a Sentinel expert will discuss how our Security as a Service and Security Operations Center offerings provide advanced monitoring and protection for your network and environment. Once you’ve seen how Sentinel can keep your business safe, you’ll see how the Avengers keep our planet safe. We have limited space in the theater, so RSVP here if you want to guarantee a seat!
Sentinel is also one of the sponsors of the 2018 Grand Rapids IT Symposium. This year’s event takes place at DeVos Place Convention Center in Grand Rapids, MI on Tuesday, May 15. While Sentinel will not be speaking as part of the symposium, we will have a table with our cloud data management partners Rubrik. If you are an IT professional planning to attend, please be sure to stop by and say hello between discussion panels, breakout sessions, and networking mixers. More information on the Grand Rapids IT Symposium can be found here.
The Human Factor in Cybersecurity
By Dr. Mike Strnad, Sentinel Strategic Advisor
The more I read about Ransomware and the devastating effects it has on organizations, the more I shake my head in frustration. It seems like many organizations are investing in strong security products, but are neglecting to properly address the human factors that leave them most vulnerable to attack. Let me explain my logic.
There are plenty of security solutions that can be used to protect both internal and external server traffic throughout your environment. This includes intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, access control lists (ACL), and more. Most of these create multiple layers of protection, which is important. Sentinel has highly skilled teams that implement rock-solid security designs like these all the time.
Many of our home security strategies operate in the same way. We install motion sensors inside and outside of our homes. We have locks on all doors with alarms that will sound if the doors or windows are opened when our system is armed. This all works well as long as we remember to alarm the systems. For many of us, it becomes a habit because we do it every day of the week. For an overworked IT department however, security often competes with dozens of other projects and priorities, and that’s not even taking into account the ever-evolving threat landscape.
Attackers are always looking for new ways to gain access to your organization’s network and systems. While a variety of defense technologies are working hard 24x7x365 to keep critical data and applications safe, many organizations forget or simply fail to understand that devoting some time and attention to the human factor can reduce risks even further.
Users are often the weakest and therefore most exploited source of access for attackers, which is why it’s essential to consistently train your staff to be on the lookout for and identify cyber threats. If cybersecurity training is out of sight, then it is out of mind. Educators often teach students by employing repetition. For example, when we learned our multiplication tables in grammar school, the teacher made us do it over and over again until it was drilled into our brains. Approaching cybersecurity education in the same way will keep your employees sharp and significantly reduce the risk to your business.
Sentinel’s Advisory Services offer cybersecurity training to ensure your employees don’t fall victim to many of the tactics commonly used by attackers to breach your organization. Please contact us if you would like to learn more.
My Sentinel Story: Nadia Rios
It’s no secret that at Sentinel we place a high value on our employees. Their unparalleled expertise, strong work ethic, and dynamic personalities help us maintain our status as an Always Leading IT solutions and services provider. We are proud of the work they do on a daily basis, and hope our customers recognize the Sentinel difference.
Our “My Sentinel Story” series continues with Solutions Analyst Nadia Rios. Nadia has been working at Sentinel for more than six years, starting out with data entry and digitizing documents before her curiosity and desire to learn new things expanded her role into the education field and other exciting areas. She now uses her well-rounded skill set to excel in her current position as a Solutions Analyst, creating communications and security plans for a variety of different building types and industries. Learn more about Nadia and her career trajectory at Sentinel via the video below!
If you are passionate, motivated, and interested in joining the Sentinel team, you can learn more about our corporate culture and browse our current job openings by visiting our Careers page.
Sentinel's Commitment to Wellness
Trying to stay healthy while working in an office environment five days a week can be a real challenge. Many people spend a majority of their days sitting at desks or in conference rooms, which doesn’t exactly make it easy to stay active. Medical studies proclaiming that “sitting is the new smoking” by putting people at increased risk for cancer, heart disease, diabetes, and high blood pressure don’t seem to offer much in the way of advice on how to combat it beyond getting up for stretch breaks every couple of hours. The temptation of baked goods and other sweets that seem to frequently and mysteriously appear in the office break room can’t be great for your eating habits either.
While every person ultimately makes their own decisions when it comes to healthy living, Sentinel does our best to promote and maintain a strong wellness culture at all of our offices. We are recognized by the American Heart Association as a Gold-Level Fit-Friendly Company for the variety of health conscious options available to employees. They include the following:
Concerned that sitting at your desk all day is doing more harm than good? Sentinel offers special standing desks to employees that request them. Thankfully they can be raised and lowered as needed so nobody is left standing all day if they don’t want to!
Sometimes you just need to move around for a bit, especially if you’re the sort of person that suddenly falls into a post-lunch food coma at 2:30 every day. The Sentinel walking club gets together a couple of times each week to take a few laps around the office and get the blood flowing again so you can have plenty of energy to get more done.
Fitness/Gym membership discounts
Sentinel employees that prefer to get their exercise outside of the office are welcome to join a local health club. We work with area gyms and fitness centers to provide discounted memberships.
Healthy meal and snack options in our lunch
Don’t worry, there are still plenty of chips, cookies, candy, and sodas available in our lunch rooms. But in addition to those unhealthy food choices, we also have low calorie snacks and beverages for the more discerning eater. That includes organic and protein-rich items that hopefully stimulate brain power.
Weight loss contests
Those in search of motivation to drop some pounds are welcome to participate in any of the weight loss contests we have throughout the year. While competition against your peers is its own reward, Sentinel also offers prizes to top finishers as a little extra bonus.
Work is stressful sometimes, which can tighten your muscles and raise your blood pressure. Twice a month, Sentinel offers chair massages conducted by a licensed massage therapist. They’re a great way to provide some peace of mind and perspective during a particularly challenging day or week.
Sentinel provides many other benefits and amenities to employees that go beyond wellness. If you would like to learn more about those, please visit our Benefits page. If you are interested in joining the Sentinel team, feel free to browse our list of job openings.
Sentinel and HIMSS
By Rick Spatafore, Sentinel Advisory Services Manager and GIC-HIMSS Sponsorship Co-Chair
The Healthcare Information and Management Systems Society (HIMSS) is a cause-based non-profit that provides thought leadership, community building, professional development, public policy, and events in an effort to optimize health engagements and care outcomes using information and technology. The Greater Illinois Chapter of HIMSS represents a local group of experienced healthcare professionals working in and around the Chicagoland area. Members work in hospitals, corporate health systems, consulting firms, vendor organizations, universities, and a wide variety of other organizations. The majority of GIC’s members have well over ten years of experience in the healthcare field.
The purpose of GIC-HIMSS:
+To arrange meetings which provide an opportunity to share ideas and exchange experiences in the field of healthcare information and management systems.
+To assist members of this Chapter and others in developing their healthcare knowledge, increasing their effectiveness, and maintaining high-quality standards of performance through continuing education.
+To plan and conduct educational programs that promote an understanding of information and management systems work in healthcare.
Sentinel has chosen to support the mission of HIMSS and help the local community realize the vision to provide better healthcare through information and technology. We are a current HIMSS sponsor and will be participating in every GIC-HIMSS event this year – including hosting a webinar focused on healthcare technology this spring.
During the year GIC-HIMSS offers 3-4 short educational programs, an all-day educational program, a hospital tour/social program, and a social event at the national HIMSS Conference in Las Vegas. This year’s GIC-HIMSS social event takes place on Tuesday March 6th from 6:00pm-8:30pm at the Lavo Lounge inside the Palazzo Resort Hotel and Casino.
Sentinel will be hosting our own HIMSS Customer Appreciation event on March 6th prior to the GIC-HIMSS event at Tom’s Urban inside the New York New York Hotel and Casino from 4:00pm-6:00pm. Come relax with drinks and appetizers after a long day at the conference. If you’re able to attend, please RSVP here.
The HIMSS Conference should continue the progress made over the past few years, with an increased focus on engaging with the patient and providing convenient care across the continuum. High priority topics such as interoperability and artificial intelligence will be in the spotlight. Telehealth, population health, and cybersecurity will also be areas of focus at the conference. It promises to be a highly informative and fun time, so if you work in the healthcare industry, we hope to see you there!
Sentinel SecuritySelect For Microsoft Cloud Services
By Robert Keblusek, Sentinel Chief Technology Officer
Our Security as a Service (SECaaS) developers have come up with another Sentinel SecuritySelect™ breakthrough. I am proud to announce our complete security visibility for Microsoft Azure and Office 365. Many enterprises move to O365 and Azure but lack a solid plan for how to back up, secure, and monitor the critical business systems moving into these and other cloud services. According to Microsoft’s Q1-2018 results, O365 subscribers alone swelled to over 120 million, representing 42% growth, and there are no signs of it slowing. Many enterprises consider the move to O365 a top corporate priority, but they fail to adopt cloud security beyond anti-spam filtering and lack any strategy to gain visibility into what is happening within their cloud infrastructure in real time. Brute force attacks, DLP events, and more can go unnoticed unless proper security monitoring and response is in place. Those that have considered both, often driven by compliance needs, simply lack the staff to sift through the thousands of events happening every second and determine which are meaningful and actionable security risks.
What is SecuritySelect™ for Office 365?
Sentinel has developed a complete toolset that provides constant monitoring of your Microsoft cloud investments. API (Application Programming Interface) integration is provided to all of the currently available Microsoft cloud services including:
· Azure management events
· O365 Azure Active Directory
· O365 Data Loss Prevention
· O365 Exchange
· O365 Events
· O365 SharePoint
In addition, Sentinel’s Microsoft cloud application provides backup and restore of the server database system to further secure the O365 customer environment. Self-service portals provide for both the onboarding of the service and integration to the Sentinel SECaaS-managed SIEM. Combined with Sentinel’s own CloudSelect® Threat Exchange, security events now have full visibility resulting in easy-to-use executive dashboards, compliance reporting, and more. For organizations that lack around-the-clock security response professionals, there is tight SLA-driven integration with Sentinel’s ALWAYS CONNECTED security operations center (SOC). Key performance indicators (KPIs) are measured and monitored, and once a threshold is met, auto-ticketing engages the Sentinel incident response team 24 hours a day, 7 days a week, 365 days a year. Daily threat hunting by security analysts further identifies actionable events that might not have hit an established threshold, while SECaaS developers add automation to alert and respond to those threats. The overall security environment, including cloud services, is also reported on within Sentinel’s quarterly and monthly security business reviews. Actionable recommendations are made with an ongoing security document constructed by Sentinel security experts specific to events in your environment and what can be done to further protect your digital assets and critical data.
Sentinel’s security team will work with subscribers to quickly onboard services from their Microsoft cloud services to the Sentinel SECaaS managed detection solution. Once the integration is complete, critical logs will be available within the Sentinel customer security portal. Sentinel offers this service on the Microsoft cloud along with the option to extend this visibility to the entire organization’s security infrastructure and other cloud services. Customers can start small and grow as their security monitoring and response needs change.
After integration, Sentinel’s Security as a Service (SECaaS)-managed SIEM provides alarm integration with deep inspection capabilities in order to help your security teams or the Sentinel SOC quickly identify and respond to threats. Logs are integrated into Sentinel’s own CloudSelect® Threat Exchange platform, where they are parsed, normalized and forwarded to the managed SIEM. Once in the managed SIEM, events are connected by correlation directives, making it easy to find, filter, and respond to actionable security events. Alarms can be customized based on reliability and risk factors to elevate the criticality to meet your organization’s security and compliance needs. Either your security response team or Sentinel’s SOC analysts can apply service-level alerting and auto-ticketing rules to assure that any indications of compromise are investigated and responded to immediately.
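The correlation step just described, together with the brute force sign-in attacks and the geographic filtering mentioned earlier, as an added example that is not Sentinel’s SIEM or CloudSelect® Threat Exchange code: normalized sign-in events are run through two directives (a failed-login burst per user, escalated when a success follows from the same source IP, and successful sign-ins from countries where no business occurs), and each alarm gets a low/medium/high severity from its reliability and risk factors. The log lines, window, threshold, business-country list and weights are constructed assumptions.

```python
"""Toy SIEM correlation directives over cloud sign-in logs.

Added example, not Sentinel's SIEM or CloudSelect Threat Exchange code. The
log lines are constructed; the window, threshold, business-country list and
the reliability/risk weights are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, already-normalized sign-in events in the shape an O365 /
# Azure AD audit feed might be parsed into: time user result source_ip country
SAMPLE_LOG = """\
2018-04-02T08:00:01Z alice success 203.0.113.10 US
2018-04-02T08:00:05Z bob failure 198.51.100.7 RU
2018-04-02T08:00:09Z bob failure 198.51.100.7 RU
2018-04-02T08:00:14Z bob failure 198.51.100.7 RU
2018-04-02T08:00:20Z bob failure 198.51.100.7 RU
2018-04-02T08:00:26Z bob failure 198.51.100.7 RU
2018-04-02T08:00:31Z bob success 198.51.100.7 RU
2018-04-02T08:05:00Z carol failure 203.0.113.22 US
2018-04-02T08:45:00Z carol failure 203.0.113.22 US
2018-04-02T09:10:00Z dave success 192.0.2.55 BR
"""

BUSINESS_COUNTRIES = {"US", "CA"}  # assumption: where the organization operates
FAIL_THRESHOLD = 5                 # failed sign-ins per user inside the window
WINDOW = timedelta(minutes=10)

Event = Dict[str, object]
Alarm = Dict[str, object]


def parse(log_text: str) -> List[Event]:
    """Parse the whitespace-separated sample format into time-ordered events."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_directive(events: List[Event]) -> List[Alarm]:
    """Raise one alarm when a user accumulates FAIL_THRESHOLD failures inside
    WINDOW; a later success from the same source IP escalates it, because a
    burst of failures followed by a success looks like a guessed password."""
    alarms: List[Alarm] = []
    recent = defaultdict(list)  # user -> failure timestamps still inside the window
    for ev in events:
        user = ev["user"]
        if ev["result"] == "failure":
            recent[user] = [t for t in recent[user] if ev["ts"] - t <= WINDOW]
            recent[user].append(ev["ts"])
            if len(recent[user]) == FAIL_THRESHOLD:
                alarms.append({"directive": "brute_force", "user": user, "ip": ev["ip"],
                               "reliability": 6, "risk": 5, "succeeded": False})
        else:
            for a in alarms:
                if a["user"] == user and a["ip"] == ev["ip"] and not a["succeeded"]:
                    a.update(reliability=9, risk=9, succeeded=True)
    return alarms


def foreign_signin_directive(events: List[Event]) -> List[Alarm]:
    """Flag successful sign-ins from countries where no business occurs, the
    case geographic filtering is meant to catch."""
    return [{"directive": "foreign_signin", "user": ev["user"], "ip": ev["ip"],
             "country": ev["country"], "reliability": 5, "risk": 6}
            for ev in events
            if ev["result"] == "success" and ev["country"] not in BUSINESS_COUNTRIES]


def severity(alarm: Alarm) -> str:
    """Combine reliability (confidence in the detection) and risk (impact if
    true) into the low/medium/high rating an analyst would triage on."""
    score = alarm["reliability"] * alarm["risk"]
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def correlate(events: List[Event]) -> List[Alarm]:
    """Run every directive and attach a severity to each alarm."""
    alarms = brute_force_directive(events) + foreign_signin_directive(events)
    for a in alarms:
        a["severity"] = severity(a)
    return alarms


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(a["severity"].upper(), a["directive"], a["user"], a["ip"])
```

On the sample, bob’s five failures inside 21 seconds raise a brute-force alarm that the following success from the same IP escalates to high, while carol’s two failures 40 minutes apart fall outside the window and raise nothing.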
Business Visibility and Results
Executive dashboards provide for clear visibility into what is happening within all of your security investments, creating a “single pane of glass” for easier management and analysis.
Customizable executive dashboards provide details on real-time, easy-to-understand security trends involving your cloud and premise environment. Adding Microsoft cloud services helps ensure that not only is this visibility available to your organization’s traditional premise and device security services, but that it extends into your crucial cloud services as well for complete visibility of your distributed digital assets.
Compliance reporting is also available to report to your internal stakeholders or compliance auditors. Custom reporting is available to meet any specialized needs, and can be scheduled and delivered at regular intervals to IT departments, executives, and compliance officers.
In addition, Sentinel offers enhanced email security filtering for inspection of inbound and outbound messages and DLP message services. Hosted by Sentinel within our geographically distributed enterprise cloud data centers and powered by Cisco ESA and Talos threat intelligence, Sentinel’s email security services can enhance and protect your Office 365 email subscribers. Features include email filtering, anti-virus, anti-malware, spam prevention, outbound data loss prevention and more. Sentinel’s SOC constantly monitors and manages the email security gateway services and adds additional filtering rules for identified threats, phishing, and business email risk messages when identified by any subscriber within the system.
SecuritySelect™ Cloud Security Affordable and Easy
With Sentinel’s SecuritySelect™ services, organizations can rest assured that what is happening in their cloud space is no longer a mystery. With thousands of events occurring every second, logging and finding meaningful data may seem like an impossible task. Advanced email filtering services, including inspection of inbound and outbound messages, protect users from unwanted and weaponized email attacks better than the standard tools available in Office 365. Sentinel has made these services powerful, easy, and affordable.
According to the most recent Verizon breach report findings, 66% of malware was delivered via weaponized email and 73% of breaches were financially motivated. Of the approximately 20% of business email compromises reported to the FBI, also known as CEO fraud, the estimated US losses have exceeded $5.3B