©2024 Akamai Technologies
The Challenge
With more than 6,000 laptops deployed across the organization, the IT security team had growing concerns about the fleet’s risk to the broader IT environment. Additionally, ongoing issues with shadow IT activity by some of the company’s power users needed to be addressed.
Although some security measures had been put into place by the end user computing team, they were limited. None could granularly control system access for users or limit peer-to-peer communication to stop malware propagation effectively — the latter a significant concern at the organization.
To address these gaps, the stakeholders wanted to improve the business’s security posture by introducing a solution that would allow them to extend visibility and granular segmentation controls to employees’ devices. This would also grant them the ability to observe and prevent unauthorized lateral movement.
The Solution
For some time, the security stakeholders had been considering using the Guardicore Centra Platform for multiple cybersecurity use cases. The organization finally decided on a phased approach. Since Guardicore’s software-defined segmentation policies aren’t tied to the underlying infrastructure, the provider had the option to tackle any number of security initiatives. However, with the employee laptop fleet identified as high-risk, the team prioritized deploying Guardicore agents to its endpoints.
The Results
Once the project began, the rollout of Guardicore’s streamlined Windows agent to the organization’s computers went quickly. This extended the process-level visibility to user access and laptop activity.
The IT security team was then able to create and manage security controls for these endpoints centrally, all based on accurate environment data. They then promptly set up several policies, including an alert on specific Microsoft Remote Desktop Protocol (RDP) activity such as failed login attempts.
Granular visibility in action
A short time after deployment, the policy configured to report unusual RDP-related activity delivered a flurry of alerts. As failed login after failed login was observed, it quickly became apparent that a bad actor was attempting a brute-force attack.
The IT security team closely monitored the situation and, as attackers continued their assault, decided to make the call and block RDP on every endpoint with a Guardicore agent. In just a few clicks, they created and enforced a new segmentation policy that disabled RDP, stopping the attacker before a single endpoint was compromised.
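The detection described above (alert on repeated failed RDP logins, then respond fleet-wide) can be illustrated independently of the Guardicore product. The following is an added example, not code from the case study or from Akamai/Guardicore. It assumes a SIEM-style feed of Windows Security events, one JSON object per line, carrying Event ID 4625 (an account failed to log on) with its logon type; logon type 10 (RemoteInteractive) is the one RDP sessions use. The event format and the sample events themselves are constructed for illustration.

```python
"""Sliding-window detection of RDP brute-force activity over Windows Security events.

Added example, not part of the Akamai/Guardicore case study. The input format is
constructed: one JSON object per line with the fields a SIEM typically keeps from
Event ID 4625. Field names (ts, event_id, logon_type, host, src_ip, user) are
assumptions, not a real product schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10       # RemoteInteractive, i.e. RDP / Terminal Services

# Constructed sample events: one external source hammering a single laptop,
# one helpdesk account mistyping its password twice, and some noise to ignore.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:01Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "administrator"}
{"ts": "2024-05-01T09:00:03Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "admin"}
{"ts": "2024-05-01T09:00:04Z", "event_id": 4625, "logon_type": 2,  "host": "LAPTOP-0912", "src_ip": "-", "user": "jdoe"}
{"ts": "2024-05-01T09:00:06Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "backup"}
{"ts": "2024-05-01T09:00:08Z", "event_id": 4624, "logon_type": 10, "host": "LAPTOP-2210", "src_ip": "10.20.4.17", "user": "svc-helpdesk"}
{"ts": "2024-05-01T09:00:09Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "test"}
{"ts": "2024-05-01T09:00:11Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "guest"}
{"ts": "2024-05-01T09:00:12Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-2210", "src_ip": "10.20.4.17", "user": "svc-helpdesk"}
{"ts": "2024-05-01T09:00:40Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-2210", "src_ip": "10.20.4.17", "user": "svc-helpdesk"}
{"ts": "2024-05-01T09:06:00Z", "event_id": 4625, "logon_type": 10, "host": "LAPTOP-0147", "src_ip": "203.0.113.45", "user": "sa"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (src_ip, host) pair that accumulates at least
    `threshold` failed RDP logons inside any sliding window of length `window`.

    Events are processed in time order. Each key keeps a deque of recent
    failure timestamps; entries older than the window fall off the left end,
    so the deque length is the count inside the current window. A key is
    alerted only once, the first time it crosses the threshold.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only failed logons of the RemoteInteractive type count as RDP failures.
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["src_ip"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src_ip": key[0], "host": key[1],
                           "failures": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"RDP brute-force suspected: {alert['src_ip']} -> {alert['host']} "
              f"({alert['failures']} failures between {alert['first']} and {alert['last']})")
```

With the default threshold of five failures per minute, the sample flags only the external source against LAPTOP-0147; the two helpdesk mistakes on LAPTOP-2210 stay below the threshold. Keying on source and target together, rather than on the user name, is what separates a password-spraying source from an ordinary typo, and it is also the granularity at which a response such as the case study's fleet-wide rule blocking inbound RDP (TCP 3389) can be scoped or justified.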
Ransomware stopped in its tracks
During the post-mortem process, the security team quickly realized all indicators pointed to a major and well-known ransomware threat actor.
If the campaign had been successful, the attackers would likely have attempted to proceed with their usual tactics, encrypting anything in reach before issuing a ransom note. Because of the provider’s organizational size and current trends, the bad actor’s demands would have certainly exceeded $1 million. This would have come with significant added disruption and downtime if business-critical assets, such as the ERP system, had been compromised.
However, thanks to the fast-acting security team and Guardicore, there was no impact on the organization from the attempted attack.
Stopping shadow IT
In addition to stopping external threats, the team was also able to address internal challenges using the platform. Before Guardicore, the limited endpoint visibility made it easier for some users to circumvent official processes, executing activities on their own that were not compliant with the organization’s official policies. The new insight and ability to enforce security controls on endpoints allowed IT security to curb shadow IT. This included preventing members of the DevOps organization from spinning up new resources without going through official channels for authorization.
Expanding protection with Guardicore
For the communications infrastructure provider, protecting endpoints is only the beginning. In the near term, it plans to explore new features and roll out Guardicore to its data center, secure its Citrix environment, and apply third-party access controls for external vendors.
With the flexible nature of the platform, the team has the assurance that they can extend protection against advanced threats anywhere in the environment — no matter how their mergers and acquisitions strategy or digital transformation initiatives unfold in the future.