Customer: A Large Wine and Spirits Distributor

About the Customer

The second-largest premium wine and spirits distributor in the United States, with over 7000 employees and operations in various locations across the country.

The Problem

The business is subject to an increasingly broad array of attacks, both sophisticated and simple, which if successful, could immensely damage the brand and reputation of the business. The ecosystem of tools used by the security team had grown in an ad-hoc manner. As a result, the team’s efforts to detect, investigate and respond to attacks were mired in the extra work required to stitch together the disconnected alerts. Without a wire data analytics tool in place, they were restricted to using shallow information from systems, devices, users and applications.

Simultaneously, their field of vision was narrowing as Android, iPad and iPhone devices - uninstrumented by endpoint monitoring agents - were increasingly used to access critical business applications and data. The team had no way to quantify how big their blind spots were and could not identify threats lurking beyond their field of vision.

The combination of alert noise, shallow data and weakening visibility meant the risk of a brand-damaging incident was reaching unacceptable levels.

The Challenges

  • The team could not effectively prioritize triage of the riskiest threats because it was inundated with a multitude of uncorrelated alerts from across the environment.
  • Threat detection coverage gaps grew as employees used an increasing number of uninstrumented, non-Windows devices on the network.
  • Investigations became mired in the additional effort to locate and access message payload details related to specific events or specific machine-to-machine communications.

The Solution

Corvil met and exceeded the team’s requirements for a single solution with broad visibility across their environment, analytics for alert prioritization, and deep network content inspection to simplify forensic investigation.

Our platform captures, decodes, analyzes and enriches network data in real time across all connected devices, including matching observed activities against current threat intelligence. The breadth of visibility, including communications from non-Windows devices such as Android, iPad and iPhone, enabled them to understand the scope of their endpoint coverage gaps and identify threats posed by suspicious activities conducted by uninstrumented systems.

The depth of information provided by Corvil, down to the payload details of application communications, empowered the team to efficiently investigate diverse cyber threats. It minimized the manual effort required to inspect and validate attacks, including those that bypass more traditional security controls.

Our analysis and data enrichment powered correlated views of multiple attack indicators for every host, device and operating system, which met their need to dramatically simplify alert prioritization and triage. Our ability to correlate observed activities with user accounts exceeded their expectations, enabling them to retrospectively identify the scope of an attack and covertly track compromised user accounts in real time. As a result, the accuracy and effectiveness of their response was significantly improved.

With Corvil, the security team can:

  • Focus on the most important threats first by correlating multiple attack indicators for rapid prioritization
  • Eliminate blind spots by identifying instrumentation coverage gaps through observing communications from devices without agents installed
  • Detect threats even within existing instrumentation coverage gaps by matching observable device activities against risk factors indicated by threat intelligence feeds
  • Obtain visibility into threats by site location or other network categorization to classify high-risk vs. low-risk attack sites
  • Rapidly validate and triage detected threats with payload information unavailable in other tools
  • Streamline investigations by accessing message payload details directly from the event being inspected
  • Rapidly determine the lateral spread of a threat and develop effective containment strategies with user activity tracking
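The three capabilities the case study leans on most (finding agentless hosts from what they send on the wire, matching destinations against a threat intelligence feed, and folding every indicator about a host into one scored record for triage, plus tracking an account's footprint for lateral-spread scoping) can be illustrated with a small script. This is an added example written for this page, not Corvil's code or a description of its internals; the flow records, agent inventory, threat feed and IDS alerts are all constructed sample data, and it assumes the flow records already carry the user account observed on each session.

```python
"""Per-host indicator correlation over network flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    user: str        # account observed on the session (assumed attribution)
    dst: str         # destination IP or hostname
    os: str
    bytes_out: int


# Constructed sample data: hosts that have an endpoint agent installed.
AGENT_INVENTORY = {"WS-101", "WS-102", "SRV-DB1"}

# Constructed threat intelligence feed: indicator -> risk weight.
THREAT_INTEL = {
    "203.0.113.7": 8,
    "bad-cdn.example": 6,
}

# Constructed wire observations; note the iPad and Android hosts have no agent.
FLOWS = [
    Flow("WS-101", "alice", "intranet.example", "Windows", 1200),
    Flow("WS-101", "alice", "203.0.113.7", "Windows", 90000),
    Flow("IPAD-22", "bob", "bad-cdn.example", "iPadOS", 4000),
    Flow("IPAD-22", "bob", "SRV-DB1", "iPadOS", 500),
    Flow("ANDROID-9", "carol", "intranet.example", "Android", 300),
    Flow("SRV-DB1", "svc_backup", "198.51.100.20", "Linux", 2000),
]

# Constructed alerts from another tool: (host, alert name, weight).
IDS_ALERTS = [
    ("WS-101", "Suspicious PowerShell download", 4),
    ("IPAD-22", "Cleartext credentials", 3),
    ("ANDROID-9", "Port scan", 2),
]


def uninstrumented_hosts(flows, inventory):
    """Hosts seen on the wire that have no endpoint agent: the coverage gap."""
    return sorted({f.src_host for f in flows} - set(inventory))


def threat_intel_hits(flows, intel):
    """Flows whose destination matches an indicator in the feed."""
    return [(f, intel[f.dst]) for f in flows if f.dst in intel]


def correlate_by_host(flows, alerts, intel, inventory):
    """Fold every indicator about a host into one scored record, highest first."""
    hosts = defaultdict(lambda: {"score": 0, "indicators": [], "users": set(), "agent": True})
    # A missing agent is itself an indicator: nothing on the host will raise alerts.
    for h in uninstrumented_hosts(flows, inventory):
        hosts[h]["agent"] = False
        hosts[h]["score"] += 1
        hosts[h]["indicators"].append("no endpoint agent")
    for f, weight in threat_intel_hits(flows, intel):
        hosts[f.src_host]["score"] += weight
        hosts[f.src_host]["indicators"].append(f"threat intel match: {f.dst}")
    for host, name, weight in alerts:
        hosts[host]["score"] += weight
        hosts[host]["indicators"].append(name)
    # Attach the accounts observed on each flagged host (membership test does not create keys).
    for f in flows:
        if f.src_host in hosts:
            hosts[f.src_host]["users"].add(f.user)
    return sorted(hosts.items(), key=lambda kv: kv[1]["score"], reverse=True)


def user_footprint(flows, user):
    """Hosts an account was seen on plus everything it talked to: lateral-spread scope."""
    seen = [f for f in flows if f.user == user]
    return sorted({f.src_host for f in seen} | {f.dst for f in seen})


if __name__ == "__main__":
    for host, rec in correlate_by_host(FLOWS, IDS_ALERTS, THREAT_INTEL, AGENT_INVENTORY):
        print(f"{host:10} score={rec['score']:2} agent={rec['agent']} "
              f"users={sorted(rec['users'])} indicators={rec['indicators']}")
    print("bob touched:", user_footprint(FLOWS, "bob"))
```

The scoring weights are arbitrary; what matters is that the agentless iPad, which no endpoint tool would ever alert on, still surfaces near the top because its wire activity matched the feed and an IDS alert, and that an analyst can pivot from a flagged host to the accounts seen on it and from there to every host the account touched.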

Future Plans For Corvil

With the productivity gains from using Corvil for alert prioritization and deep forensics, the security team is working to fully integrate Corvil with the rest of their security ecosystem. They plan to leverage the extended visibility Corvil provides by streaming our high value, low volume data into their SIEM. They are also identifying specific endpoint security workflows that can be automated by using shared data and analysis to trigger protective actions.