Discussions

  • 1.  How do you handle alerts from your security systems?

    Posted 02-11-2022 09:27 AM
    We utilize the full suite of Microsoft Defender (formerly ATP) tools to monitor the behavior of our endpoints, cloud apps, domain controllers, and email.  Microsoft's AI analyzes the info it collects and alerts us to things it thinks might be potentially dangerous.  We've been receiving and handling these alerts in-house, but more often than not, I find myself wishing that we had security professionals doing this work to minimize the risk of an actual attack going undetected.  

    I'm curious as to how many schools employ this type of detection (generally known as EDR or XDR), and for those that do, how do you handle the alerts that are generated?  Does anyone employ a 3rd-party SOC?  Depending on the solution you choose, how much time and/or money do you spend on handling the alerts?

    Also, on a separate note, does anyone have a company they recommend for penetration test or red team test?

    Steve Herman
    Systems Administrator
    Germantown Academy

    #CybersafetyandDataSecurity

    ------------------------------
    Steve Herman
    Germantown Academy
    ------------------------------


  • 2.  RE: How do you handle alerts from your security systems?

    Posted 02-11-2022 10:00 AM
    Hi Steve,

    Great question, and a highlight of the fact that schools need to include employing a cyber/network security professional. Whether in-house or outsourced via a third-party SOC (security operations center), this is becoming a reality for all of us. Like much of IT, it's another 'add' and not one to be toiled with when time allows. Rather, we need to be diligent and see this as a priority.

    To answer your question about EDR/XDR alerts: we use Sophos, and all alerts go into our 'netops' alerting email. We follow up with each user via email, asking them to come to the help desk to mitigate. For servers, we handle it ourselves.

    One of the best actions we have taken recently is a pen test using Fortalice. There are several out there. I selected them after reading "Manipulated" by Theresa Payton (I know, geeky), but it was a fascinating read. Theresa served as the CIO in the White House under George W. Bush. She founded Fortalice and has a great team that customizes their approach for each client. We were provided an amazing list of vulnerabilities, all documented in detail with information on how to resolve them. We are still working through the list! What we found, and I suspected, was that we are quite secure from the outside in due to our Meraki firewall with IDP, but from the inside there are several issues. I strongly recommend everyone do a pen test at least once a year. They aren't cheap, but they are necessary and will be required, if not already, by your cyber insurance provider.

    Stay safe out there....

    ------------------------------
    Allyn Wenzel
    Director of Technology
    Stevenson School
    ------------------------------



  • 3.  RE: How do you handle alerts from your security systems?

    Posted 02-14-2022 10:55 AM
    We also use Defender ATP.  We send alerts to our Technology distribution list (Google group), and there are three of us who actively monitor to see what's coming in on that list -- we also receive network monitoring alerts to it, so we stay on top of it to make sure we don't have downtimes.  We tend to triage the alerts (most Informational alerts just indicate that a potentially malicious file was blocked and/or deleted, so we don't usually follow up on those unless we get a whole bunch from the same computer), and depending on the severity of the alert and/or the number of alerts we get from a given computer, we may either ignore them, ask the user to come in so we can take a look at their convenience, or disable connectivity to that computer and require them to come in ASAP for a reimage.

    So far, this in-house monitoring method has worked well for us, but obviously the threat landscape evolves, so we'll periodically re-evaluate.

    ------------------------------
    David Fulton-Howard
    Technical Service Specialist
    McDonogh School
    ------------------------------



  • 4.  RE: How do you handle alerts from your security systems?

    Posted 02-14-2022 12:25 PM
    It would be awesome sometime for those of us using Defender ATP to compare notes on setup and alerting. I feel like I have done an incomplete job in configuring Defender and setting up appropriate alerts. There are so many pieces of the puzzle to set up. Has anyone ever used an outside consultant to come in and help with that configuration to get it to a good baseline?

    ------------------------------
    Brian Hoyt
    French American School of Puget Sound
    ------------------------------



  • 5.  RE: How do you handle alerts from your security systems?

    Posted 02-14-2022 02:23 PM
    I think one very important thing here is to determine how you have configured your alerts from all of the systems you might use.  We use Sophos as well as InterMapper, Google alerts for email, amongst others. All of these things create a lot of noise, and determining priority levels for these is important.

    Without having priorities set and focusing on individual user issues or key infrastructure issues, it can be impossible. As we look at new and different solutions, the outsourcing of some of those is a strong consideration (given budget availability), as we don't have the internal bandwidth (pun intended) to do it ourselves.

    ------------------------------
    William Stites
    Director of Technology
    Montclair Kimberley Academy
    ------------------------------
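    The two ideas above (the per-device escalation ladder in reply 3, where informational "file blocked" alerts are ignored unless many arrive from one computer and higher-severity alerts escalate to a help-desk visit or to isolation and reimage, and the source priority ranking in reply 5) can be expressed as a small triage routine. The following is an added example, not code from any poster, from Microsoft Defender, or from Sophos; the severity names, the source weights, the repeat threshold of 5, and the sample alerts are all constructed assumptions.

```python
"""Alert triage: per-device escalation plus cross-source priority ordering.

Added example for this thread; the sources, weights, thresholds and alert data
below are constructed assumptions, not output from any real EDR product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed severity scale, lowest to highest.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Assumed relative weight of each alert source when ordering the work queue:
# endpoint detections first, network/uptime alerts next, mailbox alerts last.
SOURCE_WEIGHT = {"edr": 3, "network": 2, "email": 1}


@dataclass(frozen=True)
class Alert:
    source: str    # one of SOURCE_WEIGHT's keys
    severity: str  # one of SEVERITY_RANK's keys
    device: str    # hostname (or "MAILBOX" for account-level alerts)
    title: str


# Constructed sample alerts: five repeated blocks on one lab PC, one isolated
# block elsewhere, a medium and a high endpoint detection, and two non-EDR alerts.
SAMPLE_ALERTS = [
    Alert("edr", "Informational", "LAB-PC-07", "Malicious file blocked"),
    Alert("edr", "Informational", "LAB-PC-07", "Malicious file blocked"),
    Alert("edr", "Informational", "LAB-PC-07", "Malicious file blocked"),
    Alert("edr", "Informational", "LAB-PC-07", "Malicious file blocked"),
    Alert("edr", "Informational", "LAB-PC-07", "Malicious file blocked"),
    Alert("edr", "Informational", "ADMIN-PC-02", "Malicious file blocked"),
    Alert("edr", "Medium", "TEACHER-LT-15", "Suspicious script execution"),
    Alert("edr", "High", "STUDENT-LT-31", "Credential theft tooling detected"),
    Alert("network", "High", "CORE-SW-01", "Device unreachable"),
    Alert("email", "Low", "MAILBOX", "Unusual sign-in to mailbox"),
]


def decide_action(max_severity: str, count: int, repeat_threshold: int = 5) -> str:
    """Escalation ladder for one endpoint (thresholds are assumptions):
    High -> isolate and reimage; Medium, or a pile-up of low-level alerts from
    the same machine -> ask the user to bring it in; otherwise ignore."""
    rank = SEVERITY_RANK[max_severity]
    if rank >= SEVERITY_RANK["High"]:
        return "isolate_and_reimage"
    if rank >= SEVERITY_RANK["Medium"] or count >= repeat_threshold:
        return "ask_user_in"
    return "ignore"


def priority_score(source: str, max_severity: str, count: int) -> int:
    """Integer score for ordering the queue: source weight times severity,
    with alert volume as a tie-breaker (capped so volume never outranks severity)."""
    return SOURCE_WEIGHT[source] * (SEVERITY_RANK[max_severity] + 1) * 10 + min(count, 9)


def triage(alerts, repeat_threshold: int = 5):
    """Group alerts by device, choose an action per device, and return the
    work queue sorted highest priority first."""
    by_device = defaultdict(list)
    for alert in alerts:
        by_device[alert.device].append(alert)

    queue = []
    for device, items in by_device.items():
        worst = max(items, key=lambda a: SEVERITY_RANK[a.severity])
        if worst.source == "edr":
            action = decide_action(worst.severity, len(items), repeat_threshold)
        else:
            # Reimaging a switch or a mailbox makes no sense; hand these to a human.
            action = "investigate"
        queue.append({
            "device": device,
            "source": worst.source,
            "max_severity": worst.severity,
            "count": len(items),
            "action": action,
            "score": priority_score(worst.source, worst.severity, len(items)),
        })
    queue.sort(key=lambda entry: entry["score"], reverse=True)
    return queue


if __name__ == "__main__":
    for entry in triage(SAMPLE_ALERTS):
        print(f"{entry['score']:4d}  {entry['device']:<14} {entry['max_severity']:<14}"
              f" x{entry['count']}  -> {entry['action']}")
```

    Running it lists the compromised student laptop first, the lab PC with five repeated blocks lands in the "ask the user to come in" bucket while the single block on the admin PC is ignored, and the unreachable core switch is queued above the lab PC because severity outranks volume in the score.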



  • 6.  RE: How do you handle alerts from your security systems?

    Posted 06-14-2022 10:59 AM
    Thank you for posting this question; I am following along to learn more.  This is one of the strategic areas we are investigating currently.

    Denise Musselwhite
    Chief Information Officer
    Trinity Preparatory School
    5700 Trinity Prep Lane | Winter Park, FL 32792
    321-282-2507 | trinityprep.org
