Who Has Your Login Info? A Managed Defense Case Study
We’ve done a lot of cybersecurity work at SWC. As you can imagine, we’ve just about seen it all.
One thing we do see, unfortunately, is that most organizations don’t begin to seriously develop a security strategy until after they have been hit by a cyberattack and damage has been done. We can’t stress enough how important it is to have a proactive approach, not reactive, to protect your company’s data and people.
Today we want to showcase an example of how one company took steps to proactively protect themselves from two of the most common security incidents organizations will face: malware and phishing.
Hackers Want Your Login Info
Both malware and phishing have the same end goal: to get their hands on employee identities, usually through logins and passwords. They’ll then be able to sign into a machine as that employee, from anywhere in the world, and either extract additional data or insert harmful malware, both of which can cause serious harm to your business.
Thousands of Risky Sign-Ons
Let’s look at one example. We worked with one global logistics company with 8,000 employees based in multiple offices. In this case, they already had security tools that their IT team was utilizing, so that’s a good start. In one month, however, they were alerted to over 1,100 risky sign-on events globally. This means that the tools were identifying suspicious employee logins from all over the world. Some of these could be harmless – an employee checking her work email while on vacation, for example. But some could be a sign of a data breach. How could they know the difference?
The IT teams were overwhelmed by alerts coming in at all hours of the day and night and didn’t have the bandwidth or knowledge to handle them properly.
Their problem was that, like most organizations, they didn’t have a uniform process and program to proactively monitor and remediate these threats. They also didn’t have the bandwidth and staffing to provide 24/7/365 coverage.
SWC partnered with the organization and began Managed Defense, which provides continuous monitoring of their environment using global threat intelligence and machine learning while maintaining security policies to prevent future vulnerabilities.
Here’s what we found.
As we said, there were 1,160 risky sign-ons over the past month from various global locations.
Of those 1,160 risky sign-ons, 198 were determined to be low-risk, 956 were determined to be medium-risk, and five were labeled high-risk.
Breaking it down further, we noted that five credentials had been leaked and that there were 142 sign-ons from IP addresses not associated with the organization.
There were also 768 “unfamiliar location events,” meaning sign-ons from locations that were not typical to the employee. Again, some of these could be normal, if they were visiting another office or checking email on their phone on vacation. Still – these events need to be investigated to confirm.
There were 46 “impossible travel events,” meaning a login from an employee in, say, Chicago, and then an hour later, a login from the same employee in Brazil. It would be impossible for that employee to travel to Brazil and sign on within an hour, pointing to evidence of phishing.
There were 198 “malware risk events” as well. This risk event type identifies sign-ons from malware-infected devices that are known to be actively communicating with a bot server. This is determined by correlating the IP address of the user’s device against IP addresses known to have been in contact with a bot server.
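To make the two event types above concrete, here is an added example (not SWC’s tooling, and not the client’s data) that flags impossible travel from the implied speed between consecutive sign-ons and flags malware risk by matching source IPs against a constructed list of bot-server contacts. The record layout, the 1,000 km/h threshold, the sample sign-ons and the IP list are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignOn:
    """Hypothetical sign-on record; field names are assumptions, not a product schema."""
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


MAX_SPEED_KMH = 1000.0  # assumed airliner-speed ceiling; anything faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, earlier, later) pairs whose implied speed exceeds MAX_SPEED_KMH."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):  # order each user's sign-ons in time
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            hours = (b.when - a.when).total_seconds() / 3600
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km > MAX_SPEED_KMH * hours:  # also catches two distant logins at the same instant
                flagged.append((user, a, b))
    return flagged


def malware_risk(events, bot_server_contact_ips):
    """Sign-ons whose source IP appears in the list of IPs seen talking to a bot server."""
    return [e for e in events if e.ip in bot_server_contact_ips]


# Constructed sample sign-ons (documentation-range IPs, approximate city-centre coordinates).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    SignOn("alice", T0, "203.0.113.10", 41.88, -87.63),                        # Chicago
    SignOn("alice", T0 + timedelta(hours=1), "198.51.100.7", -23.55, -46.63),  # Sao Paulo, 1h later
    SignOn("bob", T0, "203.0.113.11", 41.88, -87.63),                          # Chicago
    SignOn("bob", T0 + timedelta(hours=1), "203.0.113.12", 43.04, -87.91),     # Milwaukee, 1h later
]
BOT_SERVER_CONTACT_IPS = {"198.51.100.7"}  # constructed threat-intel feed, placeholder value
```

Running `impossible_travel(SAMPLE_EVENTS)` flags only alice (Chicago to Sao Paulo is roughly 8,400 km in one hour), while bob’s short hop to Milwaukee passes; `malware_risk` flags alice’s second sign-on because its IP is on the constructed list.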
SWC’s team investigated each alert to determine if it was a true threat or not. If it was, the team took action – disabling hijacked employees’ credentials so they couldn’t be used and notifying the client’s IT team.
The client is now able to focus their IT team’s time on other high-value initiatives without worrying that they are not covered against cyberattacks.
To learn more about SWC’s Managed Defense solution, contact us today and a member of our Security team will be in touch.