Blumira’s Incident Detection team prides itself on thoughtfully crafted automated detections and security recommendations, delivered as part of the Blumira platform. The team works to make each automated finding clear enough that any user can handle the investigation it triggers.
Sometimes customers need additional advice on an incident investigation. This is where our Security Operations Support team steps in. The Security Operations team specializes in security incident investigations and customer communication. We explain the raw data we pass along in terms the customer understands, and we include the relevant details (the source, the affected host, the time window, what the event means) so they can resolve the investigation with as little friction as possible.
We have had a couple of recent incidents I wanted to share that highlight the value our team brings to our partnerships with customers. Having an experienced security team act as an extension of your own is a real advantage in the SIEM (security information and event management) market. Below, I will walk through some recent examples.
Anomalous Server Path Access From a Foreign Attacker
We found that one of our financial customers was being targeted from Ireland-based IP addresses by an attacker probing an internet-facing conferencing server. Our team quickly identified where the traffic was coming from and recommended geo-blocking Ireland, on the assumption that the customer had no legitimate traffic from that country.
The geo-blocking policy has matured since then and the server’s exposed attack surface shrank. Geo-blocking cuts down the noise, but it is not a control on its own: an attacker can simply move to address space in another country, so we also make a point of checking the targeted server and its software for high-severity vulnerabilities. Scanning from the internet happens many times a day; what turns a given scan into a high priority for both teams is whether the destination server has an exploitable vulnerability the scanner can reach.
In another case, when we see something as threatening as password spraying (a handful of common passwords tried against many accounts, pacing attempts to stay under the lockout threshold) coming through our notification stream, we reach out to the customer to see whether they need a hand or additional details on what happened around the time of the event. We do this because 1. we love helping our customers, and 2. we love getting our hands dirty with security incidents. This event in particular turned out to be a real attack. Our team advised the customer to start by taking the affected machine off the network immediately and reimaging it.
Windows Admin Account Lockouts
Sometimes customers will work through a finding on their own but ask follow-up questions through our ticketing system. That suits us, because we can track the issue easily and provide the additional information in the same thread. In the example below, a customer asked for more information on one of our account lockout detections. The locked-out user was a domain admin and was triggering lockouts daily. We were happy to find that this was not malicious: a scheduled task on the domain was still running with the admin’s old password, failing authentication on every run until the account locked.
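The two Windows Security log patterns in the incidents above (a password spray, and a recurring lockout traced back to a scheduled task with stale credentials) can both be triaged from the same event data. The following is an added example written for this post, not Blumira’s own detection code. It works over constructed Event ID 4625 (failed logon) and 4740 (account locked out) records; the host names, addresses, thresholds and the 30-minute spray window are assumptions for illustration. The logon-type and NTSTATUS values are the ones Windows actually records.

```python
"""Triage of two Windows Security log patterns: a password spray (Event ID
4625 failures from one source against many accounts) and a recurring
lockout (Event ID 4740) traced to the caller computer and to the logon type
of the failures there.  All events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types as recorded in 4624/4625.  Type 4 (Batch) is what the Task
# Scheduler uses, so a task holding an old password shows up as type 4.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch (scheduled task)",
               5: "Service", 7: "Unlock", 10: "RemoteInteractive"}

BAD_PASSWORD = "0xC000006A"   # NTSTATUS sub-status: wrong password
LOCKED_OUT = "0xC0000234"     # NTSTATUS: account locked out


def T(minute):
    """Timestamp helper: minutes after an arbitrary (assumed) start time."""
    return datetime(2023, 3, 1, 2, 0) + timedelta(minutes=minute)


# Constructed Event ID 4625 records as a DC would log them.  'workstation'
# is the Workstation Name field (blank for many non-Windows clients) and
# 'source_ip' the IpAddress field.  Hosts and addresses are assumptions.
FAILED_LOGONS = [
    # A spray: one external source, ten accounts, one guess each.
    *[{"time": T(i), "user": f"user{i:02d}", "workstation": "",
       "source_ip": "203.0.113.7", "logon_type": 3, "status": BAD_PASSWORD}
      for i in range(10)],
    # Stale password in a scheduled task on APP01 running as a domain admin:
    # one failure per hourly run, same account every time.
    *[{"time": T(60 * h), "user": "da_backup", "workstation": "APP01",
       "source_ip": "10.0.0.25", "logon_type": 4, "status": BAD_PASSWORD}
      for h in range(5)],
    # One admin typo at the console, not a spray.
    {"time": T(90), "user": "jsmith", "workstation": "WS17",
     "source_ip": "10.0.1.17", "logon_type": 2, "status": BAD_PASSWORD},
]

# Constructed Event ID 4740 record: 'caller_computer' is the Caller Computer
# Name field, i.e. the machine the bad passwords came from.
LOCKOUTS = [{"time": T(241), "user": "da_backup", "caller_computer": "APP01"}]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: sorted users} for every source that fails against
    at least `min_users` distinct accounts inside any `window`.  Sprays are
    low and slow per account, so count distinct targets per source rather
    than attempts per account (per-account thresholds never fire)."""
    by_source = defaultdict(list)
    for e in events:
        if e["status"] == BAD_PASSWORD:
            by_source[e["source_ip"]].append(e)
    hits = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def trace_lockout(lockout, failed_logons):
    """For one 4740 lockout, collect the 4625 failures for the same account
    from the caller computer and tally them by logon type, which tells the
    analyst whether to look for a person, a service or a scheduled task."""
    related = [e for e in failed_logons
               if e["user"] == lockout["user"]
               and e["workstation"] == lockout["caller_computer"]
               and e["time"] <= lockout["time"]]
    tally = defaultdict(int)
    for e in related:
        tally[LOGON_TYPES.get(e["logon_type"], f"type {e['logon_type']}")] += 1
    return {"user": lockout["user"],
            "caller_computer": lockout["caller_computer"],
            "failures": len(related), "by_logon_type": dict(tally)}


def next_step(report):
    """Turn the dominant logon type into the first place to look."""
    if not report["by_logon_type"]:
        return "No matching 4625 events; enable failed-logon auditing on the caller computer"
    dominant = max(report["by_logon_type"], key=report["by_logon_type"].get)
    host, user = report["caller_computer"], report["user"]
    if dominant.startswith("Batch"):
        return f"Task Scheduler on {host}: find tasks running as {user} and fix the stored credential"
    if dominant == "Service":
        return f"Services on {host}: find services whose logon account is {user}"
    if dominant == "Network":
        return f"Sessions from {host}: mapped drives, RDP, or a spray relayed through {host}"
    return f"Interactive use on {host}: someone typing an old password for {user}"


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(FAILED_LOGONS))
    for lo in LOCKOUTS:
        rep = trace_lockout(lo, FAILED_LOGONS)
        print(rep)
        print("next step:", next_step(rep))
```

Running it flags 203.0.113.7 as a spray source (ten accounts in ten minutes) while the five hourly failures for da_backup do not trip the spray rule at all, since they target one account; the lockout trace instead points at Task Scheduler on APP01, which is exactly where the stale credential in the incident above was found.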
In conclusion, we hope you can see the value of working with our Security Operations team. To put it simply, we love working with our customers, whether that means listening to their recommendations or showing them a function within the Blumira platform they may not have been aware of. “Keep the questions coming” is one of our mottos! We thoroughly enjoy an open dialogue with everyone we get the opportunity to work with.