May 12, 2022
“WE CAN STOP INCIDENTS AND ATTACKS MUCH FASTER.”
VIRO is a high-tech consultancy with around 850 employees that manages a lot of sensitive data. With many big OEMs (original equipment manufacturers) as customers, they face strict confidentiality agreements and accompanying fines. This places a high demand on the security of all their systems.
After Rapid Circle implemented Microsoft 365, VIRO asked us to do a Cyber Security Assessment. We created a roadmap for an integrated set of security tools and completed a Zero Trust rollout which included the entire Microsoft Defender suite among other things. Then we connected VIRO to our Managed Security Operations Center (SOC).
SCATTERED SECURITY TOOLSET
VIRO has 13 locations across The Netherlands, Belgium and Germany, but the IT department works centrally from the head office in Hengelo. IT manager Niek Rensen had an extensive but scattered security toolset at his disposal:
“With McAfee for the endpoints, Barracuda and Netskope we thought we had a good idea of what was happening, but we were time-poor and lacked resources, so we often neglected to follow up on reports. When our colleagues started working from home due to corona, we got the feeling that we were losing control. We had three different portals, with no SIEM solution that collected or analysed all the logs for us, which meant we had to log on to every environment and check for incidents. It was repetitive, time-consuming manual work that we didn’t always have the time to do.”
“Previously, we did not always get around to following up on incidents.”— Niek Rensen, IT Manager
CYBER SECURITY ASSESSMENT AND ROADMAP
Rapid Circle had successfully implemented Microsoft 365 at VIRO, so Niek decided to contract us to do a Cyber Security Assessment for the entire environment and provide advice on a more integrated set of security tools. “The tools we had were well set up”, said Niek, “but we missed collaboration of the tools to give us a complete picture”. Rapid Circle’s Assessment showed that there was no threat management and no intelligent solution in place that combined machine learning and AI.
“It was good to see the results of the assessment and to determine the priorities together with Rapid Circle. Rapid Circle and Microsoft have a more holistic approach to cybersecurity which was really appealing to us. A holistic view enables us to see relationships between incidents better and be one step ahead of attackers.”
These priorities were translated into a roadmap. The first actions were to secure the endpoints and servers with Microsoft Defender for Endpoint and to roll out better Identity Protection, Conditional Access and Defender for Cloud Apps. These measures provided better control and more insight into cloud applications, and were executed according to the Zero Trust Framework.
As a proof of concept, we also connected VIRO to our Managed SOC. Immediately, we saw the first hacker attempt: suspicious actions on VIRO’s environment indicated that cybercriminals were preparing a ransomware attack. “We immediately scaled up,” says Niek. “Rapid Circle brought in security specialist NorthWave and people from the firewall vendor. Then a cat-and-mouse game began with the hacker. The whole evening and night we kept an eye on the systems. Where we saw suspicious activity, we immediately shut everything down.”
“Our SOC saved VIRO, even in the testing period, from a cyber attack.”— Niek Rensen, IT Manager
“Rapid Circle did the MDR and scaled up with the incident response service from NorthWave. Eventually, the hackers gave up. Our Managed SOC had saved VIRO from a potentially devastating cyberattack in the first test period. The disruption to daily work was kept to a minimum after the attack and we were able to continue with the rollout of Microsoft 365 Defender.”
“Fortunately, we were just connected to the SOC. As a result, we managed to stop a hacker in time.”— Huub Kottink, Finance Director
MICROSOFT 365 DEFENDER: IDEAL XDR-SOLUTION
Defender is the ideal solution for Extended Detection and Response (XDR) on Microsoft environments. With Defender, we secure identities, endpoints, cloud apps, email, data and documents for VIRO in a completely integrated way. To minimise the amount of work for the SOC, Defender has an intelligent algorithm that analyses and aggregates alerts. A large part of these is then resolved automatically by the system itself. The remaining alerts are presented in priority order, so we always work on the most important issue of the moment.
The entire toolset is paid for from an E5 license, a cost-effective solution that guarantees that VIRO can always use the most modern security tooling in the future. However, the business case for the switch to a SOC was already made before the hack.
Niek: “The cost of the tools is about the same if you compare between Microsoft and our old toolset. Then the Managed SOC is an additional cost on top of E5, but we think the investment is more than worth it. We have a lot of customer data in our systems. So, we are very aware of our responsibility for data security. Moreover, one of our customers recently had a lot of damage during a hacking attempt.”
Outsourcing security to our managed SOC frees up more time for our IT people. They can provide the VIRO staff with better and faster support, increasing productivity across the whole company.
STEP BY STEP IMPLEMENTATION
The process Rapid Circle followed worked well for VIRO. “A staggered implementation allows you to have a good overview of what works and what doesn’t,” says Niek. “We also worked closely together throughout the project. We thought a lot about the process and how to familiarise ourselves with the tools. The implementation is complex and cloud tooling is constantly changing. That is another good reason to outsource the daily work to a partner.”
“It is nice to do the implementation step by step. Then you keep the overview.”— Niek Rensen, IT Manager
FROM DETECTION TO ACTION
Rapid Circle’s managed SOC currently monitors all VIRO systems day and night. If we notice deviant behaviour, we contact their IT staff. Because we do not yet know all their processes, we cannot judge on our own which behaviour in VIRO’s environment is malicious. Therefore, we still present the incidents we observe to them, so that they can make the correct assessment. The longer VIRO is connected to our managed SOC and the better we know their processes, the more we will be able to act proactively. That will increase speed and therefore security.
FULL FOCUS ON SECURITY AWARENESS
Connecting to the managed SOC is a big step towards further modernisation of VIRO’s infrastructure. If you know your environment and data are secure, you are free to keep innovating your business. The company won’t move completely to the cloud, though, said Niek: “We work a lot with technical drawings. These are heavy files that we will continue to keep on premises for the time being. But once they’re stored on the server here, they’re in scope with the SOC. And the backup process is also well set up.”
Another mission-critical system, the ERP, is purchased by VIRO as SaaS. From a technical perspective, VIRO is right where it wants to be, but there are still risks to manage.
“Employees are now the biggest risk. 850 people work here and despite all the security measures, they will keep receiving malicious emails. This is a bigger risk than the technology. The ransomware attack also originated with a device compromised through an email or a website. Our main focus at the moment is on security awareness.”