Threat Monitoring & Disruption


Author: Brian Dagan
Senior IT Security Consultant, FSi Strategies

Basic security hygiene involves enabling Multi-Factor Authentication (MFA) for everyone, enabling user and sign-in risk monitoring, ensuring devices are centrally enrolled, managed and updated by an endpoint management solution, and ensuring that the Endpoint Detection & Response (EDR) solution is healthy and up to date. These actions alone are the biggest contributors to your organization’s security posture. What happens, though, when these basic defenses break down? This is where defense-in-depth comes into play.

Defense-in-depth involves configuring numerous additional security policies to provide constant monitoring of your organization’s deployed assets (the identities, devices, and data) and to determine whether sufficient controls are in place around them to prevent a data breach. It’s never ideal to find out after the fact that, “If only this one alert had been turned on, we would’ve caught [the unmonitored behavior that was a precursor to or contributor to the incident]!” or, worse yet, to find out that the alert was generated but never actioned.

If we relate alerting to the Microsoft ecosystem and are examining solely the alerts pertaining to Microsoft 365 (ignoring Azure resources for the time being), there are around 50 individual alert policies that need to be managed. If we add to that the Defender for Cloud Apps alerting policies, you’re looking at another ~35 metrics to monitor. In both cases, these are just the pre-canned alerting policies that would go to you, the Tenant administrator who’s likely struggling to put together a cohesive understanding of which alerts require action, by whom, and with what urgency. It’s a lot for anyone to handle, especially given the pressures inherent in fortifying the organization’s security posture while continuing to advance the purpose and goals of the organization as a whole—you’re not being paid solely to tune alerting and chase false positives; you have work to do!

The corollary to ensuring you have the correct monitoring and alerting enabled is the concept of alert fatigue, which describes the difficulty of separating signal from alerting noise. Should the _______ alert be enabled despite the high number of false positives (standard, expected user behavior) that it generates? Are there any alerts that could be indicative of the beginning stages of an attack, and if so, are these alerts correlated with other alerts in the same attack chain into a single incident that shows you an attack story that’s easily understandable? Are you responding quickly enough, considering that many attackers can parlay initial access into lateral movement and exfiltration in as little as a couple of hours?

This is where automated response actions can help save the day—if the behavior of a user’s identity shows signs that the identity itself might be compromised, you’d want the system to act automatically, and as soon as possible. Individual alerts, such as the creation of a suspicious inbox rule, sudden sharing of a large volume of files, logins from atypical locations, or an EDR detection on a potentially malicious script, should trigger actions that disrupt the threat actor’s activity: forcing a password reset, re-requiring MFA, remediating the damage done by a malicious script, or other fixes deemed necessary based on the behaviors analyzed and correlated by your Extended Detection & Response (XDR) framework.
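The correlation step described above, as an added illustration that is not FSi’s code or any Microsoft product’s logic: alerts on the same identity that arrive within a short window are chained into one incident with a readable attack story and a de-duplicated set of disruption actions. The alert labels, the two-hour window, the severity rule and the action strings are assumptions chosen for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Alert types the post names, mapped to the disruption action each should trigger
# (hypothetical labels and actions chosen for this example).
RESPONSE_FOR = {
    "AtypicalLocationSignIn": "revoke sessions and re-require MFA",
    "SuspiciousInboxRule": "disable inbox rule and force password reset",
    "MassFileShare": "revoke sharing links and re-require MFA",
    "EdrMaliciousScript": "isolate device and remediate script",
}

@dataclass
class Alert:
    time: datetime
    user: str
    kind: str

@dataclass
class Incident:
    user: str
    alerts: list = field(default_factory=list)
    def story(self):  # the attack chain as one readable line
        return " -> ".join(a.kind for a in self.alerts)
    def severity(self):  # two or more distinct alert types in one chain: escalate
        return "high" if len({a.kind for a in self.alerts}) >= 2 else "medium"
    def actions(self):  # de-duplicated response actions for the whole incident
        return sorted({RESPONSE_FOR[a.kind] for a in self.alerts})

def correlate(alerts, window=timedelta(hours=2)):
    """Chain alerts on the same identity into one incident when each arrives
    within `window` of the previous one; otherwise open a new incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: (x.user, x.time)):
        last = incidents[-1] if incidents else None
        if last and last.user == a.user and a.time - last.alerts[-1].time <= window:
            last.alerts.append(a)
        else:
            incidents.append(Incident(a.user, [a]))
    return incidents

# Constructed sample alerts, not real telemetry.
T = datetime(2024, 3, 1)
SAMPLE = [
    Alert(T + timedelta(hours=9), "alice", "AtypicalLocationSignIn"),
    Alert(T + timedelta(hours=9, minutes=40), "alice", "SuspiciousInboxRule"),
    Alert(T + timedelta(hours=10, minutes=30), "alice", "MassFileShare"),
    Alert(T + timedelta(hours=15), "alice", "EdrMaliciousScript"),
    Alert(T + timedelta(hours=8), "bob", "AtypicalLocationSignIn"),
]
```

Running `correlate(SAMPLE)` yields three incidents: alice’s three linked alerts as one high-severity chain, her later EDR detection as a separate incident, and bob’s lone atypical sign-in, which stays at medium rather than triggering the full disruption set.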

With FSi’s Threat Monitoring and Disruption capabilities of our Protect offering, which is part of FSi Total Care Managed Services, we do the heavy lifting of configuring these alerts, remediations, and escalations for you—as well as enabling the secure baseline of security configuration settings mentioned at the outset of this post. If you’re drowning in alerts, worried about your organization’s security posture, and want to ensure that your Managed Service Provider is doing everything possible to ensure the security of your identities, devices and data, reach out to us—we’re here to help.

Contact us today to learn more about how Protect and FSi Total Care Managed Services can help secure your organization with our approach to Threat Monitoring and Disruption.