As you might have gleaned from yesterday’s deep dive into a real-life NTLM brute force attack or our best-in-class results for MDR in MITRE’s 2020 ATT&CK evaluation, our Vigilance MDR team are a talented and dedicated crew. But what’s life like for a security analyst defending some of the world’s top enterprises? And how do you become a security analyst anyway? Igor Glik is a Vigilance Team Lead at SentinelOne. In this blog post, we go behind the scenes of Vigilance MDR and chat with Igor to get his unique perspective on how his team operates, the challenges they face and much more.
Igor has been with SentinelOne for the past 2.5 years. He joined as a security analyst at the Israeli site and after an outstanding year was promoted to manage the EMEA Vigilance team, SentinelOne’s MDR (Managed Detection and Response ) service. The team consists of a large group of analysts and threat researchers and works alongside the SentinelOne site in North America (Eugene, Oregon) to provide 24/7 coverage to its subscribers.
Vigilance is provided in two tiers, Response and Monitor. The services are used by various customer segments: from a 500-employee company that lacks the proper manpower to monitor their endpoints and react to incidents to the largest enterprises on the planet with over 100,000 employees and dedicated SOC teams that want to augment their analysts with additional firepower.
What Does A Regular Day Look Like at Vigilance?
Our team day-to-day is a combination of reacting to threats seen by customers and proactive work by the whole team in an effort to ensure customer safety with minimal friction to their user experience.
The team monitors millions of endpoints and handles tens of thousands of alerts each day. The average analyst in our team will handle between 500 to 1200 threats per working day. That allows only a few minutes to decide whether to escalate the threat to a higher tier or assign it a known classification and recommend action according to the team playbook. With each alert, we have to analyze all IOCs and decide whether further escalation is needed, whether we require an expert consultant, or whether the information we have is enough to make a final decision.
How Do You Train Someone to be an MDR Analyst?
We have developed a dedicated training method to teach analysts decision-making based on threat data received by the agent, and when to deep dive for additional data using tools such as our EDR solution or other forensic tools the team has.
Analysts are trained to identify anomalies and escalate unusual or complex incidents to higher tier teams dedicated to handling such incidents.
A crucial part of handling a verified threat after classification is identifying the infection vector and containing the threat as fast as possible, isolating infected machines while protecting the client’s crucial assets.
How Varied is the Work of an MDR Analyst?
Due to the nature of our job and the fear of “burnout” by analysts, we use several techniques to diversify team tasks, allowing team members to work in different roles and task types. In that way, a senior threat analyst can spend a day in the Tier 1 SOC position and get input on the front line action, and then rotate into threat research and other diverse tasks on other days.
What Are the Most Common Cyber Incidents Vigilance Has Seen Recently?
I would say the most common attack vector would be thumb drives with various “USB” worms. Following that would be malicious documents received by email and usually resulting in an Emotet / TrickBot infection attempt.
From the APT perspective, we see a rise in attacks leveraging a vulnerable, usually unprotected and unpatched, machine within an organization, open to the outside world and the organizational network.
Attackers will always look for the weakest link in the chain, so while it is popular to discuss zero-day exploits, in real life we usually see the entry point in devices that were unprotected, with poor security configuration allowing the attacker to try and move laterally. Such attacks will usually be fileless and hard to discover with a signature-based solution.
Can You Describe Some Incidents Where Vigilance’s Intervention Was Crucial?
Sure. One memorable incident I recall was a customer that suffered a breach from several unprotected machines. The attacker gained user credentials and was spreading laterally, and at some point, we had to isolate several hundred machines and wake the IT team in the middle of the night. Fortunately, since it was night time most users were unaffected, but such an incident usually requires user credentials replacement, which is a painful process for some customers.
Another memorable incident I have in mind is a potential customer that was performing a paid pentest as part of a technical review of our product. During that pentest an alert was raised. As a general policy, we never assume that an alert is related to the pentest and treat each alert as a real malicious attack. One of these suspicious alerts that we communicated to the customer was found to be unrelated to the pentest and was an actual attacker using a penetration framework against the customer.
What Is A Common Source Of Cyber Incidents?
Many incidents start from an unsecured host: an endpoint that the client was unaware of in their inventory or that wasn’t installed with an endpoint protection agent for some reason or another.
Other causes of cyber incidents are lack of 2FA, obsolete software, obsolete Windows versions, unpatched systems and configuration errors like leaving RDP open with no MFA. Lack of network segregation without implementing a multi-layer security approach and no NLA is also a great starting point for an attacker.
How Has the COVID-19 Pandemic Affected Vigilance?
The COVID-19 situation has added some complexity to an already global distributed team, but I think since our starting point was already a team that is largely accustomed to either full or partial remote work, so the transition has not been too bad. As a company, SentinelOne has been very supportive in the transition, both globally to all teams but also specifically to our team’s unique needs.
We did an analysis of the team’s needs and how we could be affected by these changes to the work environment. This covered both the logistic part such as missing equipment, employee home set up, etc, and issues related to our work processes, such as how to replace the office interaction and face to face conversations with a virtual communication process.
So What Does Vigilance MDR Look For When Hiring?
During the last 12 months, we’ve invested in building strong fundamentals for the team of senior threat researchers and threat analysts and nowadays we are mostly left with junior Tier 1 positions, which can be a great entry-level position.
Usually, the candidate must have some background and passion for the security world. For a Tier 1 Junior position, we do consider candidates with relatively short experience if we find their skillset appropriate for the team’s challenges and tasks.
We’d like to thank Igor for taking the time to talk with us about his role and the fascinating work of the Vigilance MDR team. If you’re interested in working with us at SentinelOne, check out our open positions here.