Earlier this spring, M.A. Polce's Managed Detection and Response (MDR) service detected malicious activity on a client's Active Directory server endpoint. The incident involved the attempted creation of an administrative account through an external VPN connection. Through the MDR service, M.A. Polce's Security Operations Center (SOC) identified the event. Below is a chronological account of the security incident and M.A. Polce's response:
Security Incident Response Timeline
- 11:08 AM SOC alerts on the addition of an administrator account via remote execution.
- 11:08 AM SOC analyst begins triaging the event.
- 11:10 AM SOC analyst escalates the event to a senior analyst.
- 11:16 AM SOC senior analyst begins the investigation.
- 11:19 AM SOC senior analyst eliminates the threat by isolating domain controllers.
- 11:23 AM The client's point of contact (POC) is contacted with details of the incident and recommendations for the next steps.
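The alert that started this timeline, an administrator account being added through a remote session, is the kind of event a SOC can catch by correlating a handful of Windows Security log events on the domain controller. The following is an added illustration, not M.A. Polce's detection logic or any part of the original write-up: it pairs an account-creation event (4720) with a subsequent addition to a privileged local group (4732) under the same logon session, and raises the severity when the session was a network logon or originated from an address outside an assumed on-site range (192.168.0.0/16 here is an assumption for the example). The sample events are constructed, including the date, names and addresses; they are not logs from the incident described above.

```python
"""Flag privileged-account creation performed from a remote session.

Added example; sample events below are constructed, not logs from the incident.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumption for the example: the organisation's on-site LAN is 192.168.0.0/16.
# Anything else (such as a VPN address pool) is treated as remote.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def is_privileged_group(sid: str) -> bool:
    """Builtin Administrators (well-known SID) or Domain Admins (RID 512)."""
    return sid == "S-1-5-32-544" or sid.endswith("-512")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events, window=timedelta(minutes=5)):
    """Return alerts for 4720 (account created) followed within `window` by 4732
    (member added to a privileged group) under the same logon session.

    Severity is 'high' when the session was a network logon (type 3) or came
    from an off-site address, i.e. the change was made remotely; otherwise 'medium'.
    """
    events = sorted(events, key=lambda e: e["time"])
    sessions = {}  # logon_id -> 4624 details (logon type, source address)
    created = {}   # new account -> (creation time, logon_id that created it)
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4624:
            sessions[e["logon_id"]] = e
        elif e["event_id"] == 4720:
            created[e["target"]] = (t, e["logon_id"])
        elif e["event_id"] == 4732 and is_privileged_group(e["group_sid"]):
            hit = created.get(e["member"])
            if not hit or t - hit[0] > window or hit[1] != e["logon_id"]:
                continue  # no recent creation of this account in this session
            sess = sessions.get(e["logon_id"], {})
            src = sess.get("source_ip")
            remote = sess.get("logon_type") == 3 or (src is not None and not is_internal(src))
            alerts.append({
                "time": e["time"],
                "actor": e["subject"],
                "member": e["member"],
                "group_sid": e["group_sid"],
                "logon_id": e["logon_id"],
                "source_ip": src,
                "severity": "high" if remote else "medium",
            })
    return alerts


# Constructed sample events (hypothetical domain CORP, hypothetical accounts).
SAMPLE_EVENTS = [
    # Benign: on-site interactive admin creates a user and adds them to Remote Desktop Users.
    {"time": "2024-04-10T09:30:00", "event_id": 4624, "subject": "CORP\\it.admin",
     "logon_id": "0x5B10", "logon_type": 2, "source_ip": "192.168.10.5"},
    {"time": "2024-04-10T09:31:10", "event_id": 4720, "subject": "CORP\\it.admin",
     "logon_id": "0x5B10", "target": "CORP\\j.doe"},
    {"time": "2024-04-10T09:31:20", "event_id": 4732, "subject": "CORP\\it.admin",
     "logon_id": "0x5B10", "member": "CORP\\j.doe", "group_sid": "S-1-5-32-555"},
    # Worth a look: same on-site admin creates an account and makes it a local Administrator.
    {"time": "2024-04-10T09:40:00", "event_id": 4720, "subject": "CORP\\it.admin",
     "logon_id": "0x5B10", "target": "CORP\\new.admin"},
    {"time": "2024-04-10T09:40:30", "event_id": 4732, "subject": "CORP\\it.admin",
     "logon_id": "0x5B10", "member": "CORP\\new.admin", "group_sid": "S-1-5-32-544"},
    # Suspicious: network logon from a VPN-pool address, new account added to Administrators.
    {"time": "2024-04-10T11:07:41", "event_id": 4624, "subject": "CORP\\svc-backup",
     "logon_id": "0x3E7A1", "logon_type": 3, "source_ip": "10.8.0.23"},
    {"time": "2024-04-10T11:07:55", "event_id": 4720, "subject": "CORP\\svc-backup",
     "logon_id": "0x3E7A1", "target": "CORP\\helpdesk2"},
    {"time": "2024-04-10T11:08:02", "event_id": 4732, "subject": "CORP\\svc-backup",
     "logon_id": "0x3E7A1", "member": "CORP\\helpdesk2", "group_sid": "S-1-5-32-544"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["time"], a["actor"], "->", a["member"], "from", a["source_ip"])
```

The on-site case still produces a medium alert because adding a freshly created account to Administrators is worth a ticket even from the console; the remote case is what warrants the immediate escalation and isolation seen in the timeline above. In a real deployment the 4624 session lookup would come from the SIEM's logon-session join rather than an in-memory dictionary, and the internal ranges would be the organisation's own.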
MDR Reduces Detection and Response Times
The affected company was extremely pleased with how M.A. Polce's MDR service performed. Human eyes were on the situation within one minute of the initial alert. Within two minutes, the event was escalated. From the initial alert to containment, the affected servers were isolated and the threat was contained within 11 minutes. Normal business operations were restored within two hours.
The Importance of MDR
This incident is a stark reminder of the importance of having the right security systems in place to combat today's sophisticated attacks. Without an MDR service in place, this business would likely have fallen victim to a full ransomware incident, leading to weeks or months of downtime, damage to its reputation, and potentially millions of dollars spent on ransom payouts and lost revenue.
Managed Detection and Response reduces the time it takes to identify and contain threats by monitoring your network 24x7x365 and is highly effective at stopping attacks.