Control Monitoring

Multinational financial services firm maximizes control efficacy with Prelude

In the business of high-frequency trading, every second counts, and the security team of this multinational financial services firm needs to know their tools are keeping them protected. They turn to Prelude for the answer. 

Hindering configuration drift with continuous monitoring

In dynamic security environments, controls and devices are prone to change. Operating systems update, policies get deployed in error, mergers and acquisitions occur, and so on. Regardless of the reason, the security team at this firm needed to understand how their control environment changed on a regular basis to provide consistent assurance to investors and stakeholders.

Leveraging Prelude’s continuous monitoring capabilities, the security team surfaced a large number of critical production endpoints that had been assigned a weaker-than-intended prevention policy in CrowdStrike.

That policy had key prevention settings disabled, among them Vulnerable Driver Protection. With it off, an attacker with a foothold on the host could load a signed but vulnerable driver (a bring-your-own-vulnerable-driver, or BYOVD, attack) to gain kernel-level execution and deploy malware without any alert or prevention from CrowdStrike, the very tool expected to stop that behavior.

Vulnerable Driver Protection: prevents known vulnerable drivers from being written to disk on the endpoint, which interrupts BYOVD attacks earlier and more directly than traditional Device Guard policies.

Armed with this information, the security team was able to quickly launch an investigation and identify a dynamic group that was assigning the weaker policy to those endpoint devices based on an incorrect hostname filter. 
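The check described above, reduced to its logic, as an added example that is not Prelude’s or CrowdStrike’s code: hosts, prevention policies and dynamic-group rules are constructed inline, the rule engine is assumed to evaluate filters in order with first match winning, and the only required setting is the one named in the text. It flags production hosts whose effective policy lacks a required setting, attributes each finding to the hostname filter that caused it, and diffs two runs so that continuous monitoring reports only what changed.

```python
"""Policy-drift check: which production hosts land on a prevention policy
that lacks a required setting, and which dynamic-group filter put them there.

Constructed example with made-up hosts, policies and grouping rules; it does
not call the CrowdStrike API or any Prelude component.
"""
import fnmatch
from collections import Counter

# Prevention settings every production host must have enabled (assumption:
# the firm's baseline; extend with other settings as needed).
REQUIRED_PREVENTION_SETTINGS = {"VulnerableDriverProtection"}

# Prevention policies and the subset of their settings we check (constructed).
POLICIES = {
    "Prod-Strict": {"VulnerableDriverProtection": True},
    "Lab-Permissive": {"VulnerableDriverProtection": False},
}

# Dynamic-group rules, evaluated in order with first match winning (an
# assumption about the grouping engine, not CrowdStrike's documented
# semantics). The first filter was written to catch hosts like "qa-lab-03",
# but "*-la*" also matches the Los Angeles production fleet ("fx-la-prod-*").
GROUP_RULES = [
    {"group": "lab-endpoints", "hostname_filter": "*-la*", "policy": "Lab-Permissive"},
    {"group": "all-endpoints", "hostname_filter": "*", "policy": "Prod-Strict"},
]

# Host inventory with the environment tag from the asset system (constructed).
HOSTS = [
    {"hostname": "qa-lab-03", "environment": "lab"},
    {"hostname": "fx-la-prod-07", "environment": "production"},
    {"hostname": "fx-la-prod-08", "environment": "production"},
    {"hostname": "eq-ny-prod-01", "environment": "production"},
]


def resolve_group(hostname, rules):
    """Return the first rule whose hostname filter matches, or None."""
    for rule in rules:
        if fnmatch.fnmatchcase(hostname.lower(), rule["hostname_filter"]):
            return rule
    return None


def missing_settings(policy_name, policies, required):
    """Required settings that are absent or disabled in the named policy."""
    settings = policies.get(policy_name, {})
    return sorted(s for s in required if not settings.get(s, False))


def find_policy_drift(hosts, rules, policies, required):
    """Production hosts whose effective policy lacks a required setting."""
    findings = []
    for host in hosts:
        if host["environment"] != "production":
            continue
        rule = resolve_group(host["hostname"], rules)
        policy_name = rule["policy"] if rule else None
        gaps = missing_settings(policy_name, policies, required)
        if gaps:
            findings.append({
                "hostname": host["hostname"],
                "policy": policy_name,
                "missing": gaps,
                "group": rule["group"] if rule else None,
                "hostname_filter": rule["hostname_filter"] if rule else None,
            })
    return findings


def blame_filters(findings):
    """Group findings by the rule that produced them: the fix belongs in the
    filter, not on the individual hosts."""
    counts = Counter((f["group"], f["hostname_filter"]) for f in findings)
    return counts.most_common()


def diff_findings(previous, current):
    """Compare two monitoring runs so only changes are reported."""
    prev = {f["hostname"] for f in previous}
    curr = {f["hostname"] for f in current}
    return {"new": sorted(curr - prev), "resolved": sorted(prev - curr)}


if __name__ == "__main__":
    drift = find_policy_drift(HOSTS, GROUP_RULES, POLICIES, REQUIRED_PREVENTION_SETTINGS)
    for f in drift:
        print(f"{f['hostname']}: policy {f['policy']} missing {f['missing']} "
              f"via group {f['group']} (filter {f['hostname_filter']!r})")
    print("blame:", blame_filters(drift))
    print("since last run:", diff_findings([], drift))
```

Running it attributes both drifted production hosts to the `*-la*` filter, which is the question the investigation actually needs answered; a host-by-host list alone would have the team re-tagging endpoints while the rule keeps re-assigning them.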

“Within 10 minutes of deploying Prelude, we were diagnosing configuration drift across our security tools and identifying where we needed to focus both our technical and strategic efforts.”

Preventing an insider threat with deeper visibility

By regularly comparing the devices in the firm’s asset management tool against the hosts on which CrowdStrike’s Falcon sensor is installed, Prelude quickly identifies any device missing this critical control. In this case, the firm’s security team received an alert from the Prelude Platform about a new device without EDR installed, including its hostname and when it was last seen. 

With this information, the incident response team determined that the device belonged to a recently off-boarded employee. Though not an immediate threat, the device could still be accessed remotely. Without EDR installed it was unprotected against any attacker, including the off-boarded employee, and it would have remained unknown to the firm’s team without Prelude’s autonomous control assessment. 
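The reconciliation described in this section, as an added example that is not Prelude’s code: both inventories are constructed inline, the join key is assumed to be the lower-cased short hostname, and the 7-day staleness threshold and the owner-status field are assumptions about the firm’s data. It goes one step beyond the text by also treating a sensor that has stopped checking in as a coverage gap, and by escalating a gap on a device whose owner has been off-boarded.

```python
"""EDR coverage check: reconcile the asset inventory against the sensor
inventory and flag hosts with no sensor or a sensor that has gone silent.

Constructed example: both inventories are made-up inline records, not exports
from a real CMDB or CrowdStrike tenant.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumption: the check runs now).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
# A sensor that has not checked in for longer than this is treated as absent.
STALE_AFTER = timedelta(days=7)

# Asset inventory export (constructed). Hostnames come with mixed case and a
# domain suffix; the sensor inventory records short names.
ASSET_INVENTORY = [
    {"hostname": "TRD-WS-0142.corp.example", "owner": "j.doe", "owner_status": "offboarded",
     "last_seen": "2024-02-29T18:05:00Z"},
    {"hostname": "trd-ws-0143.corp.example", "owner": "a.lee", "owner_status": "active",
     "last_seen": "2024-03-01T09:00:00Z"},
    {"hostname": "fx-ny-prod-01", "owner": "svc-trading", "owner_status": "active",
     "last_seen": "2024-03-01T11:50:00Z"},
    {"hostname": "eq-ny-prod-04", "owner": "svc-trading", "owner_status": "active",
     "last_seen": "2024-03-01T11:55:00Z"},
]

# EDR sensor inventory export (constructed): hostname and last check-in.
EDR_SENSORS = [
    {"hostname": "trd-ws-0143", "last_seen": "2024-03-01T11:30:00Z"},
    {"hostname": "FX-NY-PROD-01", "last_seen": "2024-03-01T11:58:00Z"},
    {"hostname": "eq-ny-prod-04", "last_seen": "2024-02-10T02:00:00Z"},  # silent for weeks
]


def normalize(hostname):
    """Join key: lower-case short name. Assumes short names are unique across
    domains. A mismatched join key is a common source of false 'missing
    sensor' alerts, so both sides must be normalized the same way."""
    return hostname.strip().lower().split(".")[0]


def parse_ts(value):
    """Parse the inventories' UTC timestamps (format assumed from the exports)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_coverage_gaps(assets, sensors, now, stale_after):
    """Assets with no sensor record, or whose sensor last checked in too long ago."""
    sensor_by_host = {normalize(s["hostname"]): s for s in sensors}
    gaps = []
    for asset in assets:
        sensor = sensor_by_host.get(normalize(asset["hostname"]))
        if sensor is None:
            reason, last_seen = "no_sensor", asset["last_seen"]
        elif now - parse_ts(sensor["last_seen"]) > stale_after:
            reason, last_seen = "sensor_stale", sensor["last_seen"]
        else:
            continue
        gaps.append({
            "hostname": asset["hostname"],
            "reason": reason,
            "last_seen": last_seen,
            "owner": asset["owner"],
            "owner_status": asset["owner_status"],
            # An unprotected device tied to a departed user goes to IR first.
            "severity": "high" if asset["owner_status"] == "offboarded" else "medium",
        })
    return gaps


def sensors_without_asset(assets, sensors):
    """Reverse check: sensors reporting from hosts the asset inventory does not know."""
    known = {normalize(a["hostname"]) for a in assets}
    return sorted(s["hostname"] for s in sensors if normalize(s["hostname"]) not in known)


if __name__ == "__main__":
    for gap in find_coverage_gaps(ASSET_INVENTORY, EDR_SENSORS, NOW, STALE_AFTER):
        print(gap)
    print("unknown to inventory:", sensors_without_asset(ASSET_INVENTORY, EDR_SENSORS))
```

The reverse check matters as much as the forward one: a sensor reporting from a host the asset inventory has never heard of is either an inventory gap or an unmanaged device, and either way the comparison only works if both data sources are kept honest.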

Putting controls in fighting shape

Given the regulatory environment and the importance of its trading services, the firm regularly uses Prelude’s control monitoring and configuration capabilities to ensure its tools are running in an optimal state. This not only ensures that its tooling investments are well spent, but also prepares its controls for the more robust adversary emulation powered by Prelude’s testing library. 

Make the most of the tools you already have

Validate your security controls are working as expected so you can ensure you're protected against the latest threats.