MegaplanIT is always looking for new ways to help its clients guard against constantly evolving cyberattacks. Andrew Haslett, Security Consultant at MegaplanIT, confirmed, “To win new business and foster the loyalty of our existing clients, we’re continually building our capabilities by adding new services and growing our security operations center [SOC]. Developing our offering is vital because our adversaries are getting more advanced all the time. The volume and velocity of network traffic are also rising, which means network detection and response [NDR] is crucial to help us monitor activity and protect our clients.”
In recent years, cyber criminals have adopted more systematic, professional approaches. As brute force attacks gave way to sophisticated exploits that utilize specially designed toolsets and methodologies, MegaplanIT needed to make it easier for SOC analysts to leverage the latest innovations in NDR to identify and tackle threats.
Gavin Shirk, SOC Lead at MegaplanIT, said, “We adopt a layered approach to security, which is built on endpoint detection and response [EDR], security information and event management [SIEM] and NDR technologies. Each of these feeds into a central security orchestration, automation and response [SOAR] system. By combining insights from multiple sources, the aim is to give analysts a clearer view of what’s happening in our clients’ networks.”
To deliver its NDR capabilities in the past, MegaplanIT relied on an all-in-one SIEM/network intrusion detection system (NIDS) appliance powered by open-source rules. However, the platform generated a large number of false positives, reducing responsiveness as analysts attempted to sort signal from noise.
“Our previous appliance would often fire large numbers of alerts for completely normal network activity, and any time our analysts are sifting through false positives, it’s a distraction from drilling down into the real issues,” said Haslett. “To make it easier to meet our client service-level objectives, we wanted to gain more accurate insights into suspicious network activity.”
Dominick Vitolo, VP of Security Services at MegaplanIT, commented, “We also recognized that augmenting our NDR capabilities would be a powerful way to differentiate ourselves in the MSSP marketplace. By offering advanced capabilities across the entire security stack, we could gain a significant competitive advantage, helping us to forge relationships with new customers.”
“In our experience, open-source signature rules for NDR are no longer sufficient for today’s threat landscape, since cybercriminals can conceal their command-and-control techniques from these solutions using traffic encryption,” said Haslett.
“To fight back, we need to understand broad behaviors rather than narrowly focusing on individual packets. That’s exactly what OpenText NDR helps us to do. With the OpenText solution, we achieve an excellent detection rate, which allows us to offer much more effective NDR capabilities to our clients.”
Working with OpenText, MegaplanIT configured and integrated the new NDR solution with its SOAR. Today, the company’s SOC uses OpenText NDR to reveal threats in its clients’ networking data, giving the organization critical insights to stop attackers in their tracks.
“Partnering with a global enterprise like OpenText gives us the peace of mind that expert support is always there if our clients need it,” said Haslett. “It was fast and easy to get started with OpenText NDR, and setting up new clients on the platform is just as straightforward. All we need to do is stand up a virtual machine, and we’re ready to go.”
MegaplanIT has introduced OpenText NDR capabilities to many of its clients, and the solution is already making a positive difference to their security posture. Shirk explained, “When the Log4Shell zero-day became publicly known, OpenText NDR was one of the first tools in our portfolio to start firing alarms. This was invaluable information for our analysts, as we were just beginning to see the first real-world exploits of the vulnerability in the wild. In fact, we showed several clients who didn’t believe they were using a vulnerable Apache framework that they actually were at risk, allowing them to put remediation plans into action rapidly.”
“The OpenText solution opens up many opportunities to save time in the SOC, which directly contributes to the responsiveness of our services,” said Haslett. “We now send alerts from OpenText NDR directly into our SOAR, which means that our analysts can cross-correlate data related to specific incidents and threat hunt based on rich data from multiple different sources.”
Vitolo confirmed, “By using OpenText NDR to gain greater visibility of network traffic, we can deliver actionable insights to our clients 50% faster. Not only can we detect events more quickly, we can also offer our clients a more complete picture based on log data from our SIEM, endpoint data from our EDR platform and network traffic logs from OpenText NDR.”
“The feedback from our SOC team has been very positive, and everyone appreciates the increased visibility we’re getting from OpenText NDR,” added Shirk. “Even when we’re having a very busy day in the SOC, OpenText NDR keeps the volume of alerts to a manageable level. And because the solution is so accurate, alerts almost always lead to an investigation of some kind. We really trust the OpenText solution to show us where we need to focus our attention.”
Equipped with enhanced NDR capabilities from OpenText, MegaplanIT is in a strong position to expand its MSSP offering and reach new clients.
“When we see alerts firing in the SOC, our analysts and incident response specialists need to work backwards quickly to reconstruct the event. In essence, we need to tell our clients a story about what’s happening,” concluded Shirk. “By combining OpenText NDR and other tools, we can ensure that we’re getting the full story about cyber incidents before we notify our clients. The result? Our clients can start their mitigation and remediation work immediately and shut down threats fast.”