How commodities firm ED&F Man solved its threat detection challenges

After a minor security incident, ED&F Man, a 236-year-old trader and broker of commodities such as animal feed, coffee, molasses and sugar, has chosen Vectra’s Cognito network detection and response platform as the focal point of a revitalised cyber security posture.

The non-data loss incident quickly caught the attention of the $10bn firm’s management, according to ED&F Man’s cyber security manager, Carmelo Gallo, who joined the business in the wake of the incident.

“We didn’t get hacked in the sense that data was exploited, so there was no theft, but a server was compromised, and I think that was a wake-up call to the business to start taking cyber security seriously, and actually bring in a security team,” Gallo tells Computer Weekly.

“Prior to me, there were a couple of people trying to do the job on their own, which was an impossible task.”

Gallo embarked on a top-to-tail reworking of the business’ security posture, creating a new security operations centre (SOC) from scratch to give himself broader visibility into threat history and reduce the chance that threat actors can operate in his environment long enough to do any damage.

“We had no tools to discover what was going on on the network,” he says. “Our endpoint protection was a legacy, signature-based detection system which, nowadays, is not cut out to do the job of discovery.”

Gallo’s so-called “SOC visibility triad” comprises integrated network detection and response, endpoint detection and response, and security information and event management (SIEM).

Key to this is the Vectra Cognito platform, which Gallo says he selected partly because it was easy to install and, from the moment he deployed it, gave him near-instant visibility of attacker behaviours hiding in network traffic.

“We started seeing the usual command and control activity, and some cryptomining, that was going on in the background that we had had no visibility of,” he says. “On the back of that, we could start to take action.”

Gallo recounts one early issue he quickly found at a site in Vietnam. “We found a cryptominer that knew what timezone it was in, waited until there was no activity, and then kicked into life,” he says. “Vectra picked that up, drilled down to which process it was, and secured it. With our legacy endpoint protection, we had no visibility of that kind of stuff.”

The Vectra platform works by bringing together and storing network metadata, which is then enriched with security insights. Its Cognito Detect machine learning feature then uses the enriched metadata to detect and prioritise attacks in real time, while the Cognito Recall feature conducts artificial intelligence (AI)-assisted threat hunting.

“Investigations used to take, realistically, one or two hours – now it’s literally just a click of the fingers,” says Gallo. “We can drill down from a network alert straight to the host, down to the process, see how it moves, if it’s done any lateral movement, in minutes.”

ED&F Man is also using Cognito’s privileged access analytics (PAA) detection models to keep track of interactions between user accounts, services and hosts, in the hope of catching any attackers attempting to use privileged accounts to get into its systems.

“Privileged access analytics gives me continuous visibility into the accounts, services and hosts that are most valuable to me,” says Gallo. “We can easily scrutinise the behaviours on each to see if they represent a significant risk to our organisation.”