CASE STUDY
How Full-Spectrum Security with SIEM and SOC Helped Avoid a Potential $650K Loss
Background
Our client’s company issues business licenses and hosts events. Before reaching out to us, they had growing concerns about cyber attacks, especially during a big event coming up. One of their contacts had suggested setting up a SIEM (Security information and event management) system to monitor their environment. Still, the company had no idea how SIEM works or how to implement it properly.
Moreover, their internal team didn’t have a dedicated security function. Instead, an ICT (Information Communication Technology) manager handled multiple roles, including IT management, data management, and basic security tasks. They had no security systems – no SIEM, no endpoint detection tools – and their security posture needed improvement.
When we met them, they asked for a consultation. We explained the basics of SIEM and told them that the system alone would not be effective without solid endpoint monitoring and management, namely EDR (endpoint detection and response), and skilled experts to configure, operate, and respond to threats 24/7. After learning about the benefits, they decided to invest in a full-scale Managed Detection and Response (MDR) service that includes EDR/SIEM integration, maintenance, and continuous monitoring.
The Challenge
The client’s environment was highly vulnerable, lacking the infrastructure to detect or respond to potential threats. Although they used AWS Cloud as their infrastructure platform, they had no mechanisms to detect malicious activity or stop cyberattacks.
- Data: Stored on AWS Cloud for financial and business purposes
- Team: ~100 employees, no dedicated security team
- Technology:
  - Vulnerability Scanner: Nessus
  - Security Solutions: None (no EDR, SIEM, etc.)
The turning point came when we started the onboarding process for their MDR service. During the security audit, we made a shocking discovery: 11 mission-critical servers were already infected with Cobalt Strike beacons, a dangerous tool used by attackers to compromise and control networks. The infection had occurred long before the client realized they were at risk.
About the client
Headquarters: Colorado, USA
Industry: Business Licensing Services
Engagement: December 2023 – Ongoing
Tools: Elastic + Elastic Defend, Nessus
The Solution
Given the severity of the situation, we kicked off our SOC and Incident Response (IR) activities. The priority was to mitigate the current threat and implement a full monitoring solution to prevent future incidents.
Here’s what we did:
- Immediate Remediation: We took action when we found the Cobalt Strike infection. The team identified malicious activity on 11 servers and contained the threat. Within 24 hours, all known malware was removed, and critical security controls were put in place.
- Managed detection and response (MDR):
  - Installed EDR on all endpoints to monitor, detect, and respond to threats.
  - Brought in an entire SOC team to monitor and respond 24/7.
  - Deployed SIEM to track, analyze, and respond to threats in real time.
  - Enabled advanced logging to capture all security-related data for further analysis.
- Ongoing Monitoring and Support:
  - Provided the client with regular security assessments and penetration testing to keep their defenses strong.
  - Set up a feedback loop between our experts and the client’s internal team to guide them in proactively managing risk.
Complete Timeline
Here is a timeline outlining each phase of the client’s project, detailing key milestones and progress at each stage, structured according to the NIST incident response framework. All dates and timestamps are recorded in UTC, giving a clear sequence of actions and results throughout the incident. Each phase is described in detail, offering insight into the steps taken to address and resolve the security challenges.
Outcomes
Thanks to our SOC and IR team’s quick thinking and expertise, we stopped what could have been a ransomware attack. If the attackers had encrypted the company’s data, the business would have lost $650K in revenue, plus whatever ransom was demanded.
Here’s what the engagement delivered:
- 11 servers cleaned of Cobalt Strike: It took us less than 24 hours to move from detecting Cobalt Strike to removing the malware from 11 critical servers before it was too late, saving the company from data loss and downtime.
- 24/7 monitoring to detect and respond to future threats: The client now has 24/7 monitoring to detect and stop future threats before they can do damage.
- 40% faster response to critical alerts: Our monitoring and orchestrated SIEM integration mean the client responds 40% faster to alerts, leaving an attacker less time to act.
- Regular security reports and training to stay ahead of the threats: We provide the client with regular security reports and training, so their team is informed about the latest threats and best practices.
- Best-in-class tools to handle attacks proactively, not reactively: The client now has the tools and training to identify and mitigate threats early before they become incidents.
To further harden their security and reduce future risk, the client has taken several key steps based on UnderDefense’s recommendations and implemented the following:
- Security awareness training: The client trains all employees on basic security practices to build a defensive posture.
- Agent coverage across critical infrastructure: They’ve deployed Elastic and Sysmon agents across all critical infrastructure with a special focus on the DRS-MainFile server to ensure monitoring and threat detection.
- Inventory of public-facing resources: The client surveyed their environment for public-facing resources and shared it with the SOC team to strengthen monitoring and eliminate blind spots.
- MFA for VPN access: To further protect VPN access, they implemented MFA (multi-factor authentication) to prevent unauthorized logins and add an extra layer of security.
- Regular patching: They’ve committed to patching all servers and related software to reduce the attack surface.
- Stronger password policies: The client has enforced stronger password requirements, so weak credentials are no longer an easy way in.
- Ongoing vulnerability assessments: They now conduct regular vulnerability assessments to stay ahead of threats, gain visibility into security gaps, and address them proactively.
Based on UnderDefense’s recommendations, the client has hardened their existing defenses and is now positioned for long-term resilience against cyber threats. Regular updates and assessments give them visibility into their security ecosystem so they can stay ahead of attacks.
Conclusion
This is a great example of why having SIEM and MDR services integrated is so important. The client came to us to secure their events, but 11 critical servers were already compromised. Without monitoring and, in this case, Cobalt Strike detection, the client could have lost revenue and damaged their reputation.
The company can now sleep at night knowing their data and systems are protected thanks to the layered security and real-time response. By continuing to work with us, the company is hardening its cyber resilience over time and getting the benefits of proactive security.
Preparation and vigilance are key in security. As this case shows, they often make the difference between a close call and a costly mess.
Total Cybersecurity: 24/7 Protection with MDR, SOC, and Managed SIEM
UnderDefense’s Managed Detection and Response (MDR), powered by the UnderDefense MAXI MDR platform, provides 24/7 monitoring, threat detection, and incident response. Combining AI-driven technology with human expertise means real-time threat detection and mitigation so you can stay ahead of the threats and avoid breaches.
Our Security Operations Center (SOC) as a Service provides continuous monitoring by a dedicated cybersecurity team. If you need real-time threat intelligence and incident response, you can outsource your SOC to maintain a solid defense against attacks.
Managed SIEM gives you total visibility into your security and optimizes your SIEM solution with custom correlation rules and complete integration. With SIEM as a service, you have a solution to detect and respond to threats more efficiently while supporting compliance and delivering detailed security reports.