The Need for Managed Security Monitoring in the SMB Space
We received a call to work a malware incident at a small healthcare firm in the Pacific Northwest. We contacted their IT Admin, got a remote session going and started collecting initial information to do some quick triage and find out what we were dealing with.
Our Security Engineer quickly identified the malware as Synack Ransomware, and it had compromised four of the endpoints within the environment, one containing patient records. The IT Admin had taken the affected systems off of the network and had rebuilt two of them. At the time, there was concern expressed to our SE about the practice being down for several days to complete the eradication and recovery efforts. When I spoke to the practice owner, I got a different story altogether.
The practice owner and I spoke about what went wrong, and then she began telling me about the looming legal & compliance issues, and that their insurance company was requesting proof that patient health information was not exfiltrated during the attack.
She didn’t give a whip about downtime for a few days. She was staring down the barrel of a HIPAA violation and her first priority was proving no data leakage had taken place, being able to reassure patients, and avoiding the damage to her practice’s reputation this could have.
This is a very small practice with fewer than a dozen endpoints and about the same number of employees, and the impact of a ransomware attack was now threatening their growing business. I had to break the news to the owner that without basic network security monitoring capabilities like IDS, stored packet captures, and sufficient network ingress & egress flow logs, we really didn’t have a lot to go on in terms of proving data was not exfiltrated.
Even though this is a very small practice, their need for sophisticated cybersecurity tools is no less than that of a much larger practice, because they store, process, and transmit PHI and they face the same legal and compliance challenges too.
Synack ransomware exploits vulnerabilities in Microsoft’s Remote Desktop Protocol service, and the practice’s IT Admin confirmed that they were exposing RDP to the Internet for remote access. There was no network intrusion detection and prevention in place to alert on the attack, so this important fact was discovered manually.
The lessons learned from this incident reinforce our position that the SMB market desperately needs 24×7 security monitoring and incident response backed by sophisticated NSM & SIEM tool-sets and skilled security analysts and engineers.
Businesses across all verticals with 1000 employees or fewer typically do not have sufficient in-house cybersecurity staff, and many do not have any dedicated cybersecurity staff. This skills and coverage gap makes SMBs attractive targets for hackers, which amplifies the business risks associated with intrusions, data breaches, and malware attacks that can cost a serious amount of money, put clients at risk, and cause irreparable harm to the business’s brand and reputation.
We believe that this simply should not be the case. With 24×7 Managed SOC solutions costing about the same or less than a single FTE, signing up should be an easy decision. With that investment, our clients get all of the tools and capabilities that much larger firms have access to, and they have the peace of mind of knowing that they have a security partner who can respond quickly to critical security events, and who has access to logs, packet captures, alerts, and other data that enable rapid identification, containment, eradication, and recovery.
Contact us today if you would like to find out how affordable a fully managed SOC solution can be. We would love to help you protect, adapt, and survive in a world full of cyber-threats.
Telephone: 919-769-2916