cherezoff - stock.adobe.com
How commodities firm ED&F Man solved its threat detection challenges
After a minor server breach, leading commodities trader turned to Vectra’s Cognito service to expose hidden threats, spot privilege misuse, and conduct conclusive investigations
After a minor security incident, ED&F Man, a 236-year-old trader and broker of commodities such as animal feed, coffee, molasses and sugar, has chosen Vectra’s Cognito network detection and response platform as the focal point of a revitalised cyber security posture.
The non-data loss incident quickly caught the attention of the $10bn firm’s management, according to ED&F Man’s cyber security manager, Carmelo Gallo, who joined the business in the wake of the incident.
“We didn’t get hacked in the sense that data was exploited, so there was no theft, but a server was compromised, and I think that was a wake-up call to the business to start taking cyber security seriously, and actually bring in a security team,” Gallo tells Computer Weekly.
“Prior to me, there were a couple of people trying to do the job on their own, which was an impossible task.”
Gallo embarked on a top-to-tail reworking of the business’ security posture, creating a new security operations centre (SOC) from scratch to give himself broader visibility into threat history and reduce the chance that threat actors can operate in his environment long enough to do any damage.
“We had no tools to discover what was going on on the network,” he says. “Our endpoint protection was a legacy, signature-based detection system which, nowadays, is not cut out to do the job of discovery.”
Gallo’s so-called “SOC visibility triad” comprises integrated network detection and response, endpoint detection and response, and security information and event management (SIEM).
Key to this is the Vectra Cognito platform, which Gallo says he selected partly because it was easy to install and, from the moment he deployed it, gave him near-instant visibility of attacker behaviours hiding in network traffic.
“We started seeing the usual command and control activity, and some cryptomining, that was going on in the background that we had had no visibility of,” he says. “On the back of that, we could start to take action.”
Read more about threat detection
- Network traffic analysis, network detection and response – whichever term you prefer, the technology is critical to detecting new breeds of low-and-slow threats.
- Experts discuss the increasingly complex methods of malware detection needed when dealing with everything from low-level attackers to advanced persistent threat groups.
- Network security analytics gives organisations an additional level of protection against malicious attacks. It works closely with network analytics tools.
Gallo recounts one early issue he quickly found at a site in Vietnam. “We found a cryptominer that knew what timezone it was in, waited until there was no activity, and then kicked into life,” he says. “Vectra picked that up, drilled down to which process it was, and secured it. With our legacy endpoint protection, we had no visibility of that kind of stuff.”
The Vectra platform works by bringing together and storing network metadata, which is then enriched with security insights. Its Cognito Detect machine learning feature then uses the enriched metadata to detect and prioritise attacks in real time, while the Cognito Recall feature conducts artificial intelligence (AI)-assisted threat hunting.
“Investigations used to take, realistically, one or two hours – now it’s literally just a click of the fingers,” says Gallo. “We can drill down from a network alert straight to the host, down to the process, see how it moves, if it’s done any lateral movement, in minutes.”
ED&F Man is also using Cognito’s privileged access analytics (PAA) detection models to keep track of interactions between user accounts, services and hosts, in the hope of catching any attackers attempting to use privileged accounts to get into its systems.
“Privileged access analytics gives me continuous visibility into the accounts, services and hosts that are most valuable to me,” says Gallo. “We can easily scrutinise the behaviours on each to see if they represent a significant risk to our organisation.”
ED&F Man is based in the UK, but with more than 100 sites around the world, including many remote farms in the global south, Gallo also quickly realised that the spread of the business was a potential source of security weakness. Fortunately, the Cognito platform was able to help here, too.
“The diversity and dispersal of our people is a big issue in terms of security awareness, and issues such as providing training in multiple languages,” says Gallo. “In places like Africa, South America or Vietnam, our major coffee-producing operations, getting localised security awareness is complex.”
The firm used to conduct security training via a questionnaire-style form, which Gallo describes as “archaic”. Also, he found it was possible to measure the drop-off in awareness in terms of weeks. Usually, the service desk would receive more calls for a couple of months or so, but after that, most people had, by and large, forgotten what they had learned.
“Now we send a monthly two-and-a-half-minute video on a subject, say we want to target phishing, for example,” he says.
“Cognito allows us to do targeted campaigns, so if we see certain sites or parts of the business that need it, we can target them, or if someone clicks a phishing link or does something they shouldn’t, we can target them directly.”
Future use cases
Gallo is already anticipating future enhancements to ED&F Man’s threat detection strategy, and highlights two projects he hopes to embark on in the near future – privileged access management and network access control (NAC).
“Most hacks are happening through privileged access exfiltration,” he says. “We’ve seen more and more of that kind of attack, and external [security] companies confirm what we see, so that’s a target.
“Then there is NAC. Because of the diversity of the business, it can be hard to manage what people in, say, Tanzania are doing. I’ll get an alert later, but it’ll be long after the action, so if there’s something malicious, it can get in. Yes, we can get it later, but I want to stop it getting in to start with.”