CASE STUDY

UnderDefense MDR Solution Helped US Government Organization Reduce Threat Response Time to 9 Minutes

Key Results

9 min

is the average time to detect and remediate a threat

32%

of threats resolved outside usual work hours

$700K

saved after entrusting security tasks to UnderDefense

Background

The client is one of the 10 largest government organizations in the U.S. financial sector. The organization was already security-conscious and had several security solutions and tools in place, including NGAV (a modified version of EDR). They also had well-configured policies, an Active Directory domain, firewalls, and an in-house team to deal with emerging alerts.

Despite all of the above, the client still had “security blind spots”. They also suffered from alert fatigue and delayed incident response caused by endpoint security and data silos.

The Challenge

The existing security tools generated more data than the client’s analysts could process into a comprehensive overview of network activity. As a result, they could not investigate an incident from a network-wide perspective or correlate data from different endpoints, and so could not respond to threats properly.
The client also faced HR challenges: staff turnover and a lack of personnel with enough expertise to monitor the environment outside working hours. They sought a solution that would close that gap and guarantee rapid incident detection and response 24/7, while relieving their security team of recurring, time-consuming tasks.

Although the client had not experienced any breaches, they wanted to get ahead of the risk. Knowing the security risks and their potential consequences made the decision easy.
So, when the time came to choose a security partner, they compared the value and capabilities each vendor had to offer. What set UnderDefense apart was the readiness to “roll up your sleeves and get your hands dirty”: not just alerting, but helping the client actually resolve any issue.

Client Introduction

Industry

Government/Finance

Headquarters

Texas, USA

Project Duration

December 2021 – ongoing

Technologies and Tools

QRadar
Office365 + AD
Windows Servers
Palo Alto Firewall
CortexXDR

Covered Endpoints

1200+

Automated Rules Enabled

547

Challenges

  • A limited internal IT team of 4 people without the expertise needed to process all alerts promptly
  • The IT team was overwhelmed by alert fatigue, which kept them from concentrating on their primary tasks
  • Suspicious behavior could not be detected from logs because the data was fragmented
  • Alerts could not be processed outside standard business hours
  • Risks could not be identified, assessed, and responded to rapidly and effectively
  • The team could not be expanded due to a lack of funding

Results

  • During the first 11 months, 12,500 alerts were identified, analyzed, and resolved, 1,500 of them of high or critical risk
  • Around 1,000 working hours were saved through the reduction in false positives
  • A custom SIEM was built with automated rules to collect data from all security software
  • 32% of threats occurred outside typical working hours and were promptly addressed thanks to 24/7 monitoring
  • The average time to identify, analyze, and deal with high and critical alerts was 9 minutes
  • An estimated $700,000 was saved by entrusting monitoring responsibilities to UnderDefense



Outcomes

The client stepped back from the old security and log management style of collecting as much data as possible without being able to handle it. They moved to the next-gen approach introduced by UnderDefense’s 24/7 Turnkey Managed Detection and Response (MDR) solution.

By doing so, the client streamlined data analysis, improved security quality, ensured full perimeter protection, and saved resources. Today, they are confident that attacks will be repelled at any time, and their team can focus on other critical tasks.

24/7 visibility and immediate threat response

The UnderDefense team substantially improved security effectiveness and reaction time to threats by consolidating data in the SIEM, setting up IDS/IPS systems, starting continuous education of in-house employees, and implementing automated rules that eliminated alert fatigue.

As part of the MDR solution, UnderDefense provided a dedicated SOC team to detect, investigate, and respond to suspicious activity 24/7. With this approach, 32% of the alerts occurring after hours and on weekends were immediately addressed by the SOC engineers.

Optimized network monitoring and costs

The workflow introduced by UnderDefense allowed the client to increase the effectiveness of security threat detection. During the first 11 months of cooperation, we automated the processing of 495,000,000 logs and detected over 12,500 alerts, 1,500 of which were of high or critical risk. Doing all that manually would have been unfeasible for the client’s team, so some of those threats might well have gone unnoticed.
The UnderDefense team created correlation rules aligned with the TTPs catalogued by MITRE. This gave the client complete visibility inside the security perimeter and helped deal with alert fatigue. Automated alert classification and assessment accelerated threat analysis, triage, and every subsequent investigation within the network. Consequently, the customer achieved transparent visibility, sped up the analysis stage, and shortened response time.
After the automated rules were implemented, the client’s team was able to respond to and resolve alerts within 23 minutes, and the most serious alerts were resolved in 9 minutes. Delegating monitoring to UnderDefense allowed the client to save around $700,000 and 1,000 man-hours. All of this empowered the client to respond promptly to actual threats and prevent the financial or reputational losses a data breach would bring.
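To make the “correlation rules aligned with MITRE TTPs plus automatic classification” idea concrete, here is an added illustration (not UnderDefense’s or the client’s code, and not a QRadar rule): a small correlation rule over constructed Windows Security logon events that flags one account reaching several hosts remotely in a short window and assigns a severity based on whether a sensitive segment was touched. The hostnames, the segment naming convention, the thresholds and the ATT&CK technique mapping are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample Windows Security events (not real client data).
# 4624 = successful logon; logon_type 3 = network, 10 = RDP, 2 = interactive.
SAMPLE_EVENTS = [
    {"ts": 0,   "id": 4624, "user": "svc-backup", "host": "FS01",     "logon_type": 3},
    {"ts": 40,  "id": 4624, "user": "svc-backup", "host": "FS02",     "logon_type": 3},
    {"ts": 95,  "id": 4624, "user": "svc-backup", "host": "HR-SRV01", "logon_type": 10},
    {"ts": 130, "id": 4624, "user": "svc-backup", "host": "ACCT-DB1", "logon_type": 3},
    {"ts": 200, "id": 4624, "user": "jdoe",       "host": "WS-HR-07", "logon_type": 2},
    {"ts": 260, "id": 4624, "user": "jdoe",       "host": "FS01",     "logon_type": 3},
    {"ts": 900, "id": 4625, "user": "jdoe",       "host": "FS02",     "logon_type": 3},
]

# Hostname prefixes for the segments the case study singles out (HR, Accounting)
# plus domain controllers; an assumed naming convention used only in this example.
SENSITIVE_PREFIXES = ("HR-", "ACCT-", "DC")

def classify(hosts):
    """Automatic severity: critical if a sensitive segment was reached, else high."""
    return "critical" if any(h.startswith(SENSITIVE_PREFIXES) for h in hosts) else "high"

def lateral_movement_rule(events, window=300, min_hosts=3):
    """Correlation rule: one account logging on remotely (type 3 or 10) to at least
    `min_hosts` distinct hosts within `window` seconds. Mapped here to ATT&CK T1021
    (Remote Services). Returns one alert dict per offending account."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in (3, 10):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = []  # distinct hosts reached inside the window starting at `first`
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "technique": "T1021",
                               "user": user, "hosts": hosts, "severity": classify(hosts)})
                break  # one alert per account per run; the SOC investigates from here
    return alerts

if __name__ == "__main__":
    for alert in lateral_movement_rule(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only svc-backup trips the rule (four hosts in 130 seconds, including HR and Accounting systems), while jdoe’s single network logon and failed logon stay below the threshold.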

Improved staff cyber hygiene

To prevent breaches caused by human error, UnderDefense helped the client improve their employees’ digital literacy. We created a comprehensive strategy to reduce the chance of infiltration through social engineering. It included regular training sessions on the latest tactics and the common red flags of cyber threats, and we kept their personnel up to date on developments in cyber security and potential attack vectors.

Additional intrusion barriers

To address cases where an intrusion still occurs, we suggested the client modify Active Directory Group Policy Objects (AD GPOs) on the Windows server infrastructure. This slows down malicious actors and restricts lateral movement within the network. To prevent unauthorized downloading of sensitive data, the client also established firewall rules (block/allow lists) to limit unnecessary inbound and outbound traffic and the alerts it triggered.
Internal networks were divided into distinct subnets by grouping departments and adding firewall restrictions between them. To help avert lateral movement, the HR, Sales, and Accounting divisions were separated from each other, since they are usually the most exposed to phishing and social engineering.

A more trustworthy network environment

In addition to the 24/7 turnkey MDR solution, UnderDefense also gave recommendations on network assessment and security improvement. We advised using a DMZ (demilitarized zone) to isolate internet-facing services from the internal network. The client also adopted encrypted (SSL/TLS) access to the web server, configured restrictive network policies, and reviewed users’ permissions to the network and its resources.
As of today, we continue our cooperation with continuous network monitoring and assessment. Our team carries out regular external vulnerability scanning and reports on the detected issues and vulnerabilities. We also conduct regular dark web monitoring for leaked email passwords associated with the client’s domain. While we’re proud of the results achieved with the client, there are still many plans and goals to work on.
