Leveraging a Rapid Risk Assessment and Incident Response to help a Customer in need
Background
Six months prior to Ascent Solutions beginning its engagement with a multibillion-dollar, 12,000-seat construction conglomerate, the company had fired their security director after the company experienced a $2M business email compromise (BEC). The root cause of the former security director’s failure was in not implementing the technologies the company had already purchased. The company culture was decidedly not security-focused – there was a lack of leadership, funding, and support. The new IT team itself lacked the necessary skillset to properly protect the company. As such, the customer was largely flying blind – and, as it turned out, heading for a potentially more serious problem.
HOW ASCENT SOLUTIONS GOT INVOLVED
The client knew they needed a new plan and they engaged with Microsoft to begin the process of figuring it out. The Microsoft sales team, understanding the dire nature of this customer’s recent experience, connected them with Ascent to develop its security strategy. The client needed help in two critical areas:
- Their IT team needed to develop a robust Microsoft security strategy.
- The company acknowledged that they had to build out the people and processes required for them to carry the load after the products were implemented.
THE GAME PLAN
The Ascent team began the engagement with a Rapid Risk Assessment as the first critical step. This assessment would leverage Ascent’s unique threat hunting methodology to discover active and latent threats to create specific, targeted priorities. In addition to the threat and vulnerability profile, Ascent would deliver both a short-term project roadmap centered on their Microsoft Security tools as well as a long-term roadmap with 3 years of prioritized needs.
Of their internal initiatives, the most challenging to-date was implementing MFA for users due to the organizational impact. At the time, they were only partially protected on their users’ machines. The Ascent team emphasized that the company was still dangerously exposed to additional BEC or ransomware and recommended an immediate mitigation plan for them. MFA, along with a recommended move to Microsoft Defender Advanced Threat Protection, would close that gap. Against Ascent’s recommendations, the IT and security teams at the customer felt they could implement on their own, and Ascent’s engagement with the customer ended.
Unfortunately, and within a month, the security team leader called the Ascent team on a Sunday morning with an emergency message, stating that the company had been hit with a ransomware attack. Unfortunately, it was discovered that little progress had been made against the security recommendations Ascent had made a few short weeks ago, with no work at all performed on MFA or MDATP. To further the problems, the IT team had not fully implemented their Nasuni backup solutions, reducing their ability to successfully recover from the ransomware attack.
Ascent gave immediate guidance over the phone and responded within hours with a full Incident Response team on-site to lead the recovery effort. Ascent personnel coordinated all IR activities, including internal and external communications, for the client during this difficult time. Within days, the team had contained the security incident, with both MFA and MDATP 100% implemented. Once completed, default usernames, RDP open to the internet, and visibility tools were needed as an immediate follow-up to close remaining high-priority gaps. After recovery, Ascent Solutions re-created a comprehensive roadmap for the following three years, with Microsoft’s security and productivity products front and center.
CONCLUSIONS
Coming out of this incident, Ascent delivered a comprehensive threat-based security strategy to build organizational resilience, implemented critical Microsoft security tools to provide visibility and security controls to prevent future security incidents, and enabled the client to recover from the incident with no impact to the business or financial loss.
Ascent’s work in providing critical knowledge transfer to the client’s IT security team helped not only increase the overall maturity and skills of the security team but build confidence around the security team and the CIO. These actions helped dramatically reduce the overall security risks to the organization and helped prove the ROI from their Microsoft security investment.
Although not an ideal way to get a wake-up call, Ascent has stood by this important customer through good times and bad, and are now embarking on a multi-project, multi-year journey. The customer and Ascent teams have developed a lasting security advisory relationship and recently worked together to convince the CEO of the importance of security products and services. He is now “all in” and is leading the firm on a journey toward future threat avoidance.
