Blumira’s security, support, product and sales team members helped a customer recently by detecting a pattern of malicious activity related to the newly disclosed Microsoft Exchange vulnerabilities over the span of a few days.
Initially, Blumira detected threat-like behavior (security events) in the environment through the customer’s Sophos Central antivirus integration. As the detections continued, the customer engaged Blumira’s Security Operations (SecOps) team to review the events and ensure the appropriate incident response steps were taken.
This prompted Blumira’s Incident Detection Engineer Nick Brigmon to investigate and categorize the not-yet-qualified incident. He then tagged in Blumira’s Dedicated Solutions Architect (SA) Dave Begley, who proactively contacted the affected customer and helped configure many additional log sources to feed into Blumira. This delivered the additional visibility needed to properly scope the security incident.
A series of attacker behaviors was detected by Blumira’s platform, including an attempted privilege escalation through a PowerShell execution policy bypass.
Blumira also detected a policy violation caused by the clearing of Windows security event logs. This is a very rare finding: attackers clear logs to eliminate evidence and avoid leaving an investigative trail back to their activity. As noted in the MITRE ATT&CK framework, this tactic is a form of defense evasion (T1070.001).
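The two behaviors above, a PowerShell execution policy bypass and the clearing of Windows event logs, are both visible in standard Windows audit data. The following is an added example of detection logic for them, written for this post and not Blumira’s own rules; it runs over a few constructed sample events in a simplified JSON-lines shape (the field names `host`, `event_id`, `user`, `command_line` and `channel` are this example’s own, not a real Windows or Blumira export). It keys on process-creation events (Event ID 4688) whose command line carries `-ExecutionPolicy Bypass` or a short form of it, and on the log-cleared events (Event ID 1102 for the Security log, Event ID 104 for other logs, both with a documented MITRE mapping to T1070.001). It also shows the correlation step the story hinges on: a host with more than one distinct suspicious behavior is escalated rather than treated as a single alert.

```python
"""Added detection example: PowerShell execution-policy bypass and Windows event
log clearing, run over constructed sample events (not real customer data)."""
import json
import re
from collections import defaultdict

# Constructed sample events, one JSON object per line. The shape is this
# example's own simplification, not a real Windows or Blumira export.
SAMPLE_EVENTS = r"""
{"host": "exch01", "event_id": 4688, "user": "NT AUTHORITY\\SYSTEM", "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\a.ps1"}
{"host": "exch01", "event_id": 1102, "user": "NT AUTHORITY\\SYSTEM", "channel": "Security"}
{"host": "ws17", "event_id": 4688, "user": "CORP\\jdoe", "command_line": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"host": "ws17", "event_id": 4688, "user": "CORP\\jdoe", "command_line": "powershell -ep bypass -File C:\\Users\\jdoe\\x.ps1"}
{"host": "exch01", "event_id": 104, "user": "NT AUTHORITY\\SYSTEM", "channel": "System"}
"""

# powershell.exe accepts unambiguous prefixes of parameter names, so
# -ExecutionPolicy Bypass is also seen as -ep bypass or -exec bypass.
EXEC_POLICY_BYPASS = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass\b", re.IGNORECASE)

# 1102: "The audit log was cleared" (Security log); 104: a non-Security log was cleared.
LOG_CLEARED_IDS = {1102, 104}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one finding per event that matches a detection rule."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4688 and EXEC_POLICY_BYPASS.search(ev.get("command_line", "")):
            findings.append({
                "host": ev["host"],
                "rule": "powershell_execution_policy_bypass",
                "technique": "T1059.001",  # ATT&CK: Command and Scripting Interpreter: PowerShell
                "detail": ev["command_line"],
            })
        elif eid in LOG_CLEARED_IDS:
            findings.append({
                "host": ev["host"],
                "rule": "windows_event_log_cleared",
                "technique": "T1070.001",  # ATT&CK: Indicator Removal: Clear Windows Event Logs
                "detail": f"{ev.get('channel', '?')} log cleared by {ev.get('user', '?')}",
            })
    return findings


def hosts_to_escalate(findings):
    """Hosts with more than one distinct suspicious behavior, sorted.

    A single hit is an alert; a pattern on one host is what raises criticality.
    """
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['host']}: {f['rule']} ({f['technique']}) - {f['detail']}")
    print("escalate:", hosts_to_escalate(found))
```

On the sample data the script reports two findings for the Exchange host (a bypass followed by the Security log being cleared, plus a second cleared log) and one for the workstation, and escalates only the Exchange host, since it is the one showing more than one distinct behavior. Event ID 1102 requires Security log auditing to be on and forwarded; if the log is cleared on a host whose events were never shipped off-box, the clearing itself may be the only trace left, which is why forwarding logs to a central collector matters for this detection.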
This suspicious pattern of behavior, once correlated with the presence of a vulnerable Exchange server, represented a new level of incident criticality for Blumira’s team and their client.
Working With MSPs to Respond Quickly
Members of Blumira’s security, product and sales teams quickly mobilized the client and their managed service provider (MSP) to coordinate on their next incident response steps, specifically containment and remediation.
Once advised by Blumira’s team, the customer’s MSP was able to take the impacted Exchange machine offline and start the system rebuilding process.
This is a great example of Blumira’s automated detection and response platform combined with responsive and observant Blumira security analysts. Working with the customer’s MSP, our security analysts advised them on incident response best practices and helped them avoid an enterprise-wide breach.
Learn more about how our platform works, and sign up for a free trial to test out our detections today.
Thu Pham
Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...