Tech Tidbit – What do we do when we have done everything the vendor told us and it isn’t enough?

December 1st, 2021

It has been a very frustrating couple of months trying to keep everyone safe and stable. Since the spring we have been pummeled by multiple Exchange exploits, a Microsoft 365 exploit, and a bunch of printing exploits quickly followed by massive printing stability issues. Add in some Domain Controller exploits, IIS exploits, two incidents with a ManageEngine exploit followed by a Domain Controller authentication stability issue, and, to top it off, multiple VMware security and stability issues! I am sure I missed something in that list. What a wild and crazy time it has been.

Vendors are struggling to keep up with, and fully understand, breaches and exploits.

A number of times now we have had vendors tell us one thing only to completely change their commentary (sometimes multiple times).

Today I was faced with a CISA alert on something that was patched in September, but the "new" information is that, despite the patch, if an attacker got in before the patch was applied, they have found that the attacker could re-establish their connections around the patch! This is the second time this year that this exact scenario has happened.

The question becomes, what are we supposed to do if we have done what the vendor says, and it is not enough? What are we supposed to do when the attacker exploits a legitimate process so that any antivirus or EDR/MDR/XDR type product doesn't see it as a threat?

Here are my answers:

1 - Maintain a rigorous OS *AND* third-party application patching schedule. Most attacks exploit longstanding and mostly resolved issues - resolved, that is, if only you applied the patch.

2 - Have layers of protection looking at security from different perspectives.

3 - Be hypervigilant about anything in your network that touches the internet. Internet-facing devices need to be the most monitored, patched and scanned devices on your network.

4 - Besides traditional antivirus such as Windows Defender (aka SCCM Endpoint), add an EDR product. CSI offers our CyberSecurity Endpoint Detect and Respond (CSEDR) service, which is powered by SentinelOne and supported by a 24x7x365 Security Operations Center, and it provides a level of support that none of us can achieve on our own.

5 - Add a product that looks for behaviors and not signatures. CSI offers Huntress. It is a smoke alarm. It doesn't block anything or stop anything, but it sees the smoldering smoke, as it sees the footprints every attacker ultimately leaves behind. The artificial intelligence analysis followed by live security analyst analysis cuts down on false positives. I do have to say that the "vendor after the fact" disclosures of late that I have encountered have been promptly surfaced by Huntress without endlessly combing through logs or looking for remnant files. Huntress's ability to know what bad looks like is remarkable.

I firmly believe that *ANY* Windows device that touches the internet in any way should have a Huntress agent on it defensively.

There are no 100% sure things in technology, and I absolutely hate not knowing what I don't know.

Minimizing the attack surface while increasing monitoring with trained staff available 24x7x365 to jump on and step on threats and having multiple layers of defense is a good start to improving our security posture.

We are here to help in any way you need. Give us a call.

-Scott Quimby