SIEMonster saves Canadian hospital from a ransomware attack
A large hospital in Canada fell victim to a phishing campaign in which the head of the hospital clicked on a malicious link. Once he had clicked, his email account was compromised and emails were sent from his address to 40 employees, who also clicked on the link. At this point you would expect the attackers to have got into Active Directory, wiped out all the backups and unleashed a ransomware attack, costing the hospital millions of dollars to recover its data. But nothing could be further from the truth: in this instance, the attacker’s emails stopped immediately.
According to the head of cyber security, SIEMonster identified the phishing emails and triggered an automated response. It created an incident that kicked off the automation, which had Active Directory change the affected users’ passwords twice to invalidate all existing hashes. The IT team verified that the issue was resolved, and only then did SIEMonster close the incident. Finally, it sent the users an email detailing the timeline of events, so each user could see exactly what had happened and gain a better understanding of how to avoid future incidents.
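The response described above, detect the burst of phishing mail, contain by resetting passwords twice, close only after IT verification, then send each user a timeline, is the shape of a typical SOAR playbook. The following is an added example written for this page, not SIEMonster’s own code: the mail-event format, the threshold, the `hospital.example` user names and the in-memory `Directory` (a stand-in for a real Active Directory password reset) are all assumptions.

```python
"""Miniature detect-and-respond playbook modelled on the incident above.
Added example, not SIEMonster code: log format, thresholds, user names and the
in-memory directory are assumptions; reset_password stands in for an AD reset."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import secrets

# Constructed mail-gateway events: (timestamp, sender, recipient, url, clicked).
# One compromised account mails the same link to 40 staff; half of them click.
MAIL_EVENTS = [
    ("2024-01-10T09:00:00", "ceo@hospital.example", f"user{i:02d}@hospital.example",
     "https://malicious.example/login", i % 2 == 0)
    for i in range(40)
] + [
    # A normal internal mail that must not trip the rule.
    ("2024-01-10T09:05:00", "ceo@hospital.example", "cfo@hospital.example",
     "https://intranet.hospital.example/report", False),
]


def detect_mass_mailing(events, threshold=10, window=timedelta(minutes=15)):
    """Flag (sender, url) pairs where one account sends the same link to at
    least `threshold` distinct recipients inside `window`."""
    buckets = defaultdict(lambda: {"first": None, "recipients": set(), "clicked": set()})
    for ts, sender, rcpt, url, clicked in events:
        t = datetime.fromisoformat(ts)
        b = buckets[(sender, url)]
        if b["first"] is None:
            b["first"] = t
        if t - b["first"] > window:  # outside the burst window: ignore
            continue
        b["recipients"].add(rcpt)
        if clicked:
            b["clicked"].add(rcpt)
    return {k: v for k, v in buckets.items() if len(v["recipients"]) >= threshold}


class Directory:
    """Stand-in for the directory service; stores only password hashes."""

    def __init__(self, users):
        self.hashes = {u: self._hash(secrets.token_hex(8)) for u in users}

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def reset_password(self, user):
        self.hashes[user] = self._hash(secrets.token_hex(16))
        return self.hashes[user]


@dataclass
class Incident:
    affected: set
    status: str = "open"  # open -> contained -> closed
    timeline: list = field(default_factory=list)

    def log(self, message):
        self.timeline.append(message)


def it_verification(incident, directory, hashes_before):
    """What the IT team confirms before close-out: no affected account still
    carries the hash it had when the incident opened."""
    return all(directory.hashes[u] != hashes_before[u] for u in incident.affected)


def run_playbook(events, directory, verify=it_verification):
    """Detect, contain, verify, then close; returns the Incident or None."""
    hits = detect_mass_mailing(events)
    if not hits:
        return None
    affected = set()
    for (sender, url), info in hits.items():
        affected.add(sender)         # the compromised sender account
        affected |= info["clicked"]  # plus everyone who followed the link
    incident = Incident(affected=affected)
    incident.log(f"detected {len(hits)} mass-mailing burst(s); {len(affected)} accounts affected")
    hashes_before = {u: directory.hashes[u] for u in affected}
    for user in affected:
        for _ in range(2):  # reset twice so no previously captured hash stays valid
            directory.reset_password(user)
    incident.status = "contained"
    incident.log("passwords reset twice for all affected accounts")
    if verify(incident, directory, hashes_before):  # only IT sign-off closes it
        incident.status = "closed"
        incident.log("IT verified resolution; incident closed")
    return incident


def user_notifications(incident):
    """Per-user summary mail body built from the incident timeline."""
    body = "\n".join(f"- {line}" for line in incident.timeline)
    return {u: f"Incident summary for {u}:\n{body}" for u in incident.affected}


if __name__ == "__main__":
    directory = Directory({e[1] for e in MAIL_EVENTS} | {e[2] for e in MAIL_EVENTS})
    inc = run_playbook(MAIL_EVENTS, directory)
    print(inc.status, len(inc.affected))
    print(user_notifications(inc)["ceo@hospital.example"])
```

The two design points worth copying are that the incident can only leave the `contained` state through the verification callback, and that the affected set is computed from who actually clicked rather than from everyone who received the mail, which keeps the password resets targeted.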
The head of cyber security spoke about the incident: “The key difference, because, I mean, there are stories, tons of stories out there, you always see it on the news: ‘We have this one analyst; he just wasn’t doing his job right.’ And it’s like, most of the time, once the phishing emails are going out to other users, and users are clicking on them, at that point it’s usually too late, you know? But I think the ability to have an early warning system that actually gives you actionable data is the difference.”
He went on to say, “… and that’s the other big thing: I think that with any other solution, I don’t care which one you wanna pick, Splunk or any of those other guys, what you end up running into is this huge restriction on how much data you can ingest, and then they charge by gigabyte in most cases … you end up with this huge bill just for data that’s yours. I think that’s the big separation, the ability to have that scalability; you don’t need to worry about the ceiling,” meaning you don’t need to choose what you want to protect.
The head of cyber security also admitted that there was initial confusion about what was required for the hospital’s security posture, but SIEMonster was able to simplify the process. “We need to be able to see everything from one spot. One pane of glass,” he said. “Sentinel’s this little thing over here, and I’m taking in everything, all of its smarts … we just put it all into one spot, so that made a big difference.”
Thanks to SIEMonster’s swift action, the hospital was able to prevent a potentially costly ransomware attack. This incident serves as a reminder of the importance of implementing effective cybersecurity measures and having a trusted partner to help protect against evolving threats.