Late in the afternoon on a Friday, I created a bit of a scare for those of you who are part of our Paladin Sentinel monitoring system. I was doing my due diligence removing a monitoring policy we had experimented with after our last major system upgrade but which had not provided any value to us or to you. However, two things were very different from the previous time I did this:
- In our continual effort to collectively leverage our tools to better protect all of your networks, I added two new alerts: RDP connections are now alerted in real time, and I adapted an old alert on installed and removed server software to also alert in real time. The rationale is that the bad guys are using RDP and VNC to quickly jump around the network (i.e. lateral movement) and hurt us. Then they install software on our servers and endpoints when we are not looking. RDP connections are now documented in real time with locations, points of origin, and user names. Anything that goes in or out of the server, whether installed or removed manually, automatically, or remotely, is now alerted in the same manner.
- Most of you are taking network security much more seriously. You are doing what we have asked you to do:
  - Reading logs
  - Looking at the backup status
  - Reviewing alerts
  - Questioning alerts and reports and making sure they are going to the appropriate people.
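The first bullet above describes two detections: an RDP connection alert carrying origin and user name, and an alert whenever software is installed on or removed from a server. The following is an added example of how such rules can be expressed over Windows event records; it is not Paladin Sentinel's code, and the event records embedded at the bottom are constructed for illustration. The event IDs used (4624 with LogonType 10 for an RDP logon, 4697 for a newly installed service, 11707 and 11724 for MsiInstaller install and removal completions) are standard Windows values; the JSON field names assume a log forwarder that emits one flattened event per line.

```python
"""Added example (not Paladin Sentinel's code): turn Windows Security/Application
event records into real-time alerts for RDP logons and for software being
installed or removed. The event records at the bottom are constructed."""
import json
from dataclasses import dataclass
from typing import List, Optional

LOGON_EVENT = 4624              # Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"           # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
SERVICE_INSTALLED = 4697        # Security: a service was installed in the system
MSI_INSTALLED = 11707           # Application / MsiInstaller: installation completed
MSI_REMOVED = 11724             # Application / MsiInstaller: removal completed


@dataclass(frozen=True)
class Alert:
    kind: str       # rdp_logon | software_installed | software_removed | service_installed
    time: str
    host: str       # server/endpoint that logged the event
    user: str       # account involved
    detail: str     # origin (for RDP) or product/service name


def parse_event(line: str) -> Optional[dict]:
    """One JSON object per line (as a log forwarder would emit). Bad lines are skipped."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) and "EventID" in ev else None


def rdp_alert(ev: dict) -> Optional[Alert]:
    """RDP connection: a successful logon whose LogonType is RemoteInteractive."""
    if ev.get("EventID") != LOGON_EVENT or str(ev.get("LogonType")) != RDP_LOGON_TYPE:
        return None
    origin = f"from {ev.get('IpAddress', '?')} (workstation {ev.get('WorkstationName', '?')})"
    # Location enrichment (GeoIP lookup of IpAddress) would be added here; it is
    # left out of this example so it runs offline.
    return Alert("rdp_logon", ev.get("TimeCreated", "?"), ev.get("Computer", "?"),
                 ev.get("TargetUserName", "?"), origin)


def software_alert(ev: dict) -> Optional[Alert]:
    """Software going in or out of the box: MSI install/removal or a new Windows service."""
    kinds = {MSI_INSTALLED: "software_installed",
             MSI_REMOVED: "software_removed",
             SERVICE_INSTALLED: "service_installed"}
    kind = kinds.get(ev.get("EventID"))
    if kind is None:
        return None
    what = ev.get("Product") or ev.get("ServiceName") or "?"
    return Alert(kind, ev.get("TimeCreated", "?"), ev.get("Computer", "?"),
                 ev.get("SubjectUserName", "?"), what)


def detect(lines) -> List[Alert]:
    """Run every rule over every record; each matching record yields one alert."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in (rdp_alert, software_alert):
            a = rule(ev)
            if a is not None:
                alerts.append(a)
    return alerts


def format_alert(a: Alert) -> str:
    return f"[{a.time}] {a.kind} on {a.host}: user={a.user} {a.detail}"


# Constructed sample records (not real telemetry): one JSON event per line.
# Hostnames, users, addresses and product names are placeholders.
SAMPLE_LOG = [
    '{"EventID": 4624, "LogonType": "10", "TimeCreated": "2023-11-24T16:02:11Z", "Computer": "FS01", '
    '"TargetUserName": "jdoe", "IpAddress": "10.20.30.40", "WorkstationName": "LAPTOP-77"}',
    '{"EventID": 4624, "LogonType": "2", "TimeCreated": "2023-11-24T16:03:00Z", "Computer": "FS01", '
    '"TargetUserName": "jdoe", "IpAddress": "-", "WorkstationName": "FS01"}',
    '{"EventID": 11707, "TimeCreated": "2023-11-24T16:05:42Z", "Computer": "FS01", '
    '"SubjectUserName": "jdoe", "Product": "ExampleTool 3.1"}',
    '{"EventID": 4697, "TimeCreated": "2023-11-24T16:06:10Z", "Computer": "FS01", '
    '"SubjectUserName": "jdoe", "ServiceName": "exsvc"}',
    '{"EventID": 11724, "TimeCreated": "2023-11-24T16:40:00Z", "Computer": "FS01", '
    '"SubjectUserName": "admin", "Product": "ExampleTool 3.1"}',
    '{"EventID": 4688, "TimeCreated": "2023-11-24T16:41:00Z", "Computer": "FS01"}',
    'this line is not JSON and is skipped',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(format_alert(alert))
```

Run as-is, the sample produces four alerts: the RDP logon from LAPTOP-77, the MSI install, the new service, and the later removal; the console logon (LogonType 2), the process-creation event and the malformed line produce nothing. In a live deployment `detect` would be fed from the forwarder's stream rather than the embedded list, and each `Alert` handed to whatever notifies the help desk.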
Back to my story.
I innocently press the button to remove a policy. Paladin Sentinel immediately starts removing the unnecessary software everywhere it sees it was installed.
Three minutes later the calls and emails start flooding in.
“I don’t know what this is?” “Do you know what is going on?”
People are calling and emailing our help desk and our individual cell phones.
It was late on a Friday in a shortened holiday week. Despite that, across the entire region, you were vigilant and proactive, in real time.
I am proud of you. Together we make a powerful team in providing a multi-layered approach to protect your networks. There is no foolproof system or magic product. It is hard work to do what we all do. We are always one user's click away from something bad happening.
However, we cannot be complacent, as the threats against us all are evolving and becoming even more sophisticated. There are now reports that Chinese government hacking groups have worked around multi-factor authentication in some situations. At the moment our government’s theory (completely unproven) is that they got in, set themselves up in the MFA system, and then established their own private VPNs to do the bad things they wanted to do.