Elastic Endpoint Security protects enterprises from ransomware


  • 94% decrease in cost of incidents per month
  • 97% decrease in MTTR

Company Overview

One of the largest federally funded research facilities in an educational institution with more than 20 IT departments, 11 universities, and 7 stand-alone ‘operating units’ — including healthcare providers, research institutions within US DoD projects, and multiple state government agencies. Their decentralized security and operations teams manage cybersecurity and risk for 80,000+ employees and nearly 1 million connected devices. They are also responsible for ensuring compliance with PCI, HIPAA/PHI, and FERPA.

The SOC team's objectives are to reduce time to detection and to remediate threats within the network rapidly. The team faces three major challenges in meeting these objectives:

  • Skills: Analysts must understand advanced attacker methods and the technologies
  • Tools: Analysts must have the right tools to gather relevant host data and analyze it in time to stop damage and loss
  • Process: Current processes are dominated by data collection and searches for known indicators, an approach not designed to identify unique, polymorphic attacks

Traditional anti-malware software fails to eliminate threats from infected systems

Prior to Elastic Endpoint Security, the help desk received an alert for a malicious file on an endpoint. The alert highlighted suspicious activity on the machine, triggering a ticket to the security team’s Tier 1 SOC analyst. The analyst scanned the infected host with anti-malware software, identified a variant of the Locky ransomware, and deleted the malicious file. Once the file was deleted, the IT administrator re-imaged the machine and restored the encrypted data from a backup. The Tier 1 SOC analyst changed the alert status to ‘resolved’ and the help desk closed the ticket, believing the ransomware had been removed.

Although the file was deleted, the malicious process was still running on the infected system. Because the attack included a persistence mechanism — a common technique attackers use to maintain access across a system reboot — the ransomware executed again on reboot and a Tier 2 SOC analyst investigated the new alert. Despite the time the SOC team spent detecting, analyzing, and responding to the alert, they failed to eliminate the threat from the infected system.

Elastic Endpoint Security protects against ransomware

With Elastic Endpoint Security deployed on endpoints, the Tier 1 SOC analyst now receives an alert before the JavaScript downloader retrieves the payload and the file executes. The signature-less malware engine generates an alert with a MalwareScore™ — a high-confidence score representing how likely the file is to be malicious. The security analyst deletes the file with a single click on the alert. To ensure that the file has left no remnants on the system, the Tier 1 analyst runs network, process, and persistence hunts to find any remaining suspicious activity. In less than a minute, the Tier 1 analyst gathers the data and explores the automated hunt capabilities, including how:

  • The automated network hunt finds suspicious communications to command-and-control (C2) infrastructure
  • The process hunt identifies suspicious running processes that are no longer backed by a file on disk
  • Automated persistence hunting in Elastic Endpoint Security identifies an uncommon path, such as a file running from the temp directory

Once the hunt artifacts are identified, the Tier 1 analyst deletes the file, kills the process, and removes the persistence entry without any business disruption. The automated hunts also let the SOC look for similar occurrences across the environment and stop further damage and loss.
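An added example, not code from Elastic or from this case study: a minimal process-and-persistence hunt in Python over a constructed process inventory, flagging the two conditions the hunts above describe (a process still running after its backing file was deleted, as in the Locky incident, and a file executing from a temp directory). The record fields, the temp-directory heuristic, and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import List, Dict

@dataclass
class ProcRecord:
    """One row of a host process inventory (assumed field names)."""
    pid: int
    image: str           # path the process image was launched from
    image_on_disk: bool  # False when the backing file has since been deleted
    autostart: bool      # True when a persistence entry points at this image

def is_temp_path(path: str) -> bool:
    """Heuristic: any directory segment named 'temp' or 'tmp' (Windows or POSIX)."""
    segments = path.lower().replace("\\", "/").split("/")
    return any(seg in ("temp", "tmp") for seg in segments[:-1])

def hunt(inventory: List[ProcRecord]) -> List[Dict]:
    """Return findings for processes matching the case study's hunt criteria."""
    findings = []
    for proc in inventory:
        reasons = []
        if not proc.image_on_disk:
            reasons.append("running-without-backing-file")
        if is_temp_path(proc.image):
            reasons.append("executing-from-temp")
        # A persistence entry alone is normal (agents, updaters); it only
        # raises severity when the image is already suspicious.
        if proc.autostart and reasons:
            reasons.append("persistence-entry")
        if reasons:
            findings.append({"pid": proc.pid, "image": proc.image, "reasons": reasons})
    return findings

# Constructed sample inventory: two benign processes, two that should be flagged.
SAMPLE_INVENTORY = [
    ProcRecord(412, r"C:\Windows\System32\svchost.exe", True, False),
    ProcRecord(5120, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", True, True),
    ProcRecord(6031, r"C:\Users\alice\Downloads\invoice.exe", False, False),
    ProcRecord(1201, r"C:\Program Files\Vendor\agent.exe", True, True),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY):
        print(f"pid {f['pid']}: {f['image']} -> {', '.join(f['reasons'])}")
```

On the sample inventory the hunt flags only pids 5120 and 6031; the vendor agent's autostart entry is not reported on its own.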

Instantly delivering measurable value with Elastic Endpoint Security

Elastic Endpoint Security reduces the time, cost, and complexity of traditional incident response by instantly detecting the techniques and patterns used by ransomware and memory-resident malware at the earliest phase of the kill chain and at every phase after it — all without traditional indicators of compromise (IoCs). Its prevention technology halts attacker techniques such as file encryption and lateral movement within the network before they cause damage and loss.

Products Used