We live in an age in which cyber attacks make front page news on a weekly, sometimes even daily basis. As the threat actors behind these attacks move faster, more deliberately, and more audaciously than ever before, it becomes increasingly clear that cyber incident preparedness and response must be treated as more than just a checkbox for today’s businesses. Moreover, not all approaches to incident response are created equal. Few organizations know this better than Kroll.
For 50 years, Kroll has been a premier provider of services and digital products related to valuation, governance, risk, and transparency, including cyber risk and incident response services. As organizations around the globe face disruptive, potentially devastating security events, they call on Kroll to detect, mitigate, and recover from the incident as quickly, accurately, and efficiently as possible. Evolving at pace with the growing complexity of cyber attacks requires Kroll’s responders to be equipped with the “latest and greatest technology,” defined by proven accuracy, enterprise scalability, and deep investigative capabilities.
Dave Wagner, Senior Vice President of Cyber Risk, heads up response operations at Kroll. As the front line operators of EDR technology from deployment and triage through remediation and recovery, Dave’s team “needs a partner that empowers us to deliver at the high level our clients expect and not be bound by technological limitations.” Enter SentinelOne.
“We are dealing with a complex threat landscape. Attacks are shifting really fast. The quicker we can get answers, the more likely our clients are to avoid costly implications.” — Dave Wagner, Vice President of Response Operations, Kroll
For SentinelOne clients, Kroll delivers three critical stages of the response process: collection of forensic artifacts, hunting and monitoring of active threat actor activity, and eradication of malicious activity in the environment followed by steps to build resilience in the long term. Plus, Kroll can also help with post-incident challenges thanks to their end-to-end solutions across cyber governance, assessments, and litigation support.
A crucial tool for the success of each of these steps is Remote Script Orchestration (RSO) powered by SentinelOne. Thanks to proprietary integrations between Kroll’s digital forensics tools like KAPE, SentinelOne RSO eliminates the need for Kroll clients to deploy additional agents during an incident, maximizing the value of the existing security stack to conduct forensics at scale and remotely respond to events on endpoints.
This enables Kroll to rapidly pull forensic triage from a client’s entire enterprise estate; Dave compares this to the days—if not weeks—it sometimes requires firms who are still markedly limited in their remote collection and response capabilities.
Additionally, RSO empowers the Kroll team to more quickly identify and diagnose the “patient zero” machine from an attack often in just minutes or hours, saving clients precious time and money, while formulating an appropriate response. For example, in the case of a ransomware attack, Kroll can leverage SentinelOne to determine the degree of data exfiltration that has occurred in the client environment.
From these collected artifacts and the live telemetry recorded through SentinelOne’s ActiveEDR technology, Dave’s team can then determine relevant Indicators of Compromise (IOCs) and hunt for malicious behaviors using the Deep Visibility module. With these IOCs, they can also put detections in place using Storyline Active ResponseTM (STAR). STAR lets Kroll incorporate custom detection logic and immediately push it out to their customer’s entire fleet, or a subset, to either kill any matching process or alert on it for further investigation.
“With STAR, Kroll’s team can automate responses to suspicious processes based on additional behaviors such as IP address or DNS, which is helpful when IOCs are not hashes where a hash blacklist makes sense. We want to treat these IOCs as malicious, so whatever is reaching out will be killed and quarantined automatically, helping with containment. We use STAR rules as part of our engagements and are really pleased with it.” – Dave Wagner
With a clear, comprehensive picture of the attacker’s movements in the client environment, Kroll can then engage RSO once more to roll out custom remediation scripts and/or automated response playbooks to impacted machines.
These scripts can not only eradicate the malicious files that may have been found, but also capture, log, and remove any persistence mechanisms or other malicious artifacts that may have been put in place.
An added bonus? SentinelOne’s approach to RSO helps orchestrate script usage, mitigating delays or errors that might otherwise result when systems are offline.
Implementing the right course of action in a cyber incident starts with visibility and insight. In turn, SentinelOne’s Ranger helps accelerate Kroll’s response by quickly identifying potential blind spots in coverage.
The network discovery and attack surface control capabilities of SentinelOne Singularity Ranger allow Dave and team to understand their coverage of the client environment and the scope of the threat within.
With Ranger, Dave can track the deployment of the Sentinel Agent in a tangible, measurable way. If 80% of an environment is covered by an agent, Ranger can quickly and easily install the agent on the unprotected 20%. Having eyes on every corner of the enterprise environment helps ensure his team carries out a complete, comprehensive response.
Ranger also comes into play in the many cases where attacks move laterally within the client’s network. Ranger can, for example, help Dave’s team hone in on DNS records resolving to a device with a particular IP address, and achieve visibility of the device’s current connectivity. This allows them to identify and contain affected devices in the attacker’s path, and even prevent further proliferation of the threat.
Though many of the world’s top incident preparedness and response firms are equipped with a sweeping array of technologies with which they can eliminate a cyber threat, these technologies alone do not guarantee the most comprehensive, effective incident response.
It’s when technology is paired with expertise and strategic partnership that we can deliver sustainable solutions for organizations in their moments of need. That’s why SentinelOne and Kroll, partnered together, are following through on speed, efficiency, and accuracy for Kroll’s clients every day.
Beyond an intuitive user interface and support team that makes it easier to streamline operations, the response team at Kroll also has access to a dedicated Technical Account Manager at SentinelOne for immediate, informed guidance—even in the midst of an engagement. This ultimately drives faster results and recovery for Kroll’s clients when they need it most.
The Kroll team even directly interfaces with SentinelOne’s product management team, helping both parties to evolve their solutions and approach as the threat landscape grows in complexity and pace.
With this teamed approach, Kroll and SentinelOne can continue to defeat the cyber threats putting organizations around the globe at risk.
To read more, visit the SentinelOne Cyber Risk Partners page. If you would like to learn more about RSO, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.
Cyber Risk Partners
SentinelOne partners are ready to respond to any type of security incident, and extend our technology, intelligence, and expertise to the complete security lifecycle.