by Joe Hedegaard Ganly

Information Security Adviser

Connect with  on Linkedin Connect with Joe Hedegaard Ganly on Linkedin

Powering up your Detection of Email & Endpoint Response

Emails and Endpoint devices remain two of the main attack vectors contributing to cyber incidents, often as initial access points. While continuously evolving their tactics, once attackers get initial access, they then leverage blind spots in controls to buy precious time to broaden their access in environments. Security teams often struggle to centralise alerts to detect and respond to suspected compromises, with lots of manual work needed to remove attacker’s access.

Joseph Hedegaard-Ganly, a Saepio Solutions Architect, answers some key questions around remediating this vulnerability…

A new bi-directional integration between industry leaders Abnormal and CrowdStrike has focused on looking at suspect account takeovers or identity compromises and sensibly automate parts of the remediation process. The result is better protection and increased operational productivity for security teams.

What are some common techniques used by cybercriminals to evade email and endpoint detection systems?

“We’re starting to see quite a lot of attackers using what Verizon are calling pretexting, which is this concept of sending an email that doesn’t actually have any kind of upfront payload or any risk, it’s coaching or trying to coerce people into taking bad action.

You might have seen ones where people get a WhatsApp saying, “Hi, mom, it’s me, my phone’s broken”. That’s an example of this kind of pretexting to evoke an emotional response. Attackers will often using these in business email compromise attacks, due to their evasion of Secure Email Gateways. Once they get initial access, they’ll often look to see how they can then compromise endpoints or move laterally.

How can organisations detect and respond to advanced persistent threats through email and endpoint monitoring?

A lot of the tactics that attackers are using to hit endpoints and email are actually the same.

The risks that we see that are impacting people via email, they’re trying to use the same tactics at endpoint, but at different times. And probably the best thing that people can do is look at the identity of the person being attacked, which will impact both their machine and their mailbox.

If you can look at how you respond to something like an account takeover, automating a part of that response action is on both parts of the puzzle, but can be done in one go by looking at the identity attributes of that person and that machine.

What are the benefits of integrating the detection and response solutions?

The biggest benefit is that you cut down the amount of work, essentially in half. If you have the right integration across email and endpoint, you’re combining signals that you would normally have to investigate separately.

And if you can sensibly integrate the two, you can look at all of the common signals across both and respond once. We are seeing that cut of customers response times by about 50% and massively free up the amount of effort needed by their teams to respond and remediate.

Contact Us

We’re running a webinar where we talk through some of these considerations together with experts from Abnormal and CrowdStrike. If you’re interested in hearing some of the learnings from that session, please get in touch.