Challenge:
A New Jersey/Pennsylvania-based Managed Services Provider (MSP) discovered that one of its largest customers, a multimillion-dollar enterprise supplier of home supplies, HVAC and plumbing, had fallen victim to a ransomware attack. The FBI alleges the RaaS organization ALPHV/BlackCat was responsible for the attack. At the time, CylanceEndpoint was in place for threat detection on all the customer’s endpoints.
How it Started:
The MSP received an alert that the customer’s Exchange server was running out of space. Upon examination, PowerShell was running and copying files from the customer’s servers. The customer was two weeks behind on the latest patch. The MSP installed it and also ran Microsoft security tools, which reportedly found no sign that the server had been breached. The IT manager spent the night searching for the source of the problem and retired for the night at 1 a.m. Four hours later, he woke up to a full-blown cyberattack, including data exfiltration: VMware hosts had been removed, passwords had been changed, and the entire storage network was encrypted. The offsite backups had also been deleted. The MSP was in a frenzy: why hadn’t Cylance detected and remediated the threat? How had it come this far? One day before the attack, the customer had just closed a large volume of sales.
Introducing Overwatch Managed Cybersecurity:
Joe, Senior IT Technician from the MSP, started making calls and searching for a Master Managed Security Services Provider (MSSP). Among the many vendors he reached out to was High Wire Networks. Within an hour, he received a call from a High Wire Channel Account Manager, and before the end of the day, Overwatch, High Wire’s Managed Cybersecurity Services team, had begun the process of moving nearly 900 endpoints off Cylance and replacing them with SentinelOne sensors. On the same day, Overwatch worked tenaciously to onboard the MSP and its client to the Overwatch Managed Endpoint Detection and Response (MEDR) solution. Overwatch’s Service Delivery team set up all the tenants on behalf of the MSP.
Meanwhile, the MSP started its recovery efforts. Thankfully, not all of the customer’s data had been encrypted. They discovered the bad actors hadn’t touched the SAP consultants’ autonomous backups and restored data within 48 hours. The client did not pay the ransom.
Beyond the Ransom:
Since the ransomware attack, the MSP has been looking closely at the Overwatch MEDR solution on other client environments and has observed:
- A breach detected in 36 seconds. The Overwatch Security Operations Center detected the threat and took the endpoint offline, as part of the customized playbook the MSP, the client and Overwatch had agreed upon.
- Joe watched in real time as the Overwatch MEDR dashboard went from red (threat) to green, with the threat eradicated in 100 milliseconds.
- When Joe deleted anomalous data from his directories, he found the files had been recreated two hours later. The Overwatch SOC took the files offline and showed him the logs.
MSP Testimonial:
“As soon as I saw the unbelievable response times, I was thinking, how can I show my customers this right now! The Overwatch response was so quick! It was nothing I’d ever seen. Thinking back to how this all started, it feels like divine intervention. High Wire is the only company I found who was willing to trust us when things were in disarray with the ransomware attack. They onboarded my customer and HELPED us and didn’t make us wait a month before providing resources and security expertise. We were able to accomplish what we needed for the customer in just a few hours. Because of their responsiveness, we saw value for the rest of our client-base (SMB to enterprise). Within 72 hours of the partnership, we started the process to move all clients to Overwatch. God brought us to High Wire Networks, and everything fell into place. We are so happy with their services. They offer the best security solutions out there” (Joe, MSP Account Manager and Senior IT Technician).
MSP + Overwatch Partnership:
The client that suffered the ransomware attack now partners with the MSP for Overwatch MEDR and MXDR (Managed Extended Detection and Response). The rest of the MSP’s clients are using Overwatch MEDR, which combines S1 Complete with a layer of security orchestration, automation and response capabilities for higher-fidelity alerts and quicker threat response times. The MSP hopes to move them to other Overwatch services soon.
Joe added, “What I absolutely love about Overwatch is that when I get an alert and it’s concerning, I can pick up the phone and talk to an Overwatch SOC analyst. It makes all the difference to us that they are 100% U.S. based; it was certainly a deciding factor when we chose Overwatch over its competitors!”
Ready to Partner with Overwatch Managed Cybersecurity? Find us at highwirenetworks.com or email us: overwatchsales@highwirenetworks.com