KPMG Leverages SentinelOne to Tackle Cyber Risk

When it comes to modern cyber attacks, the best offense is a good defense. Every day, more businesses around the globe learn that breach response plans alone aren’t enough to constitute an adequate—let alone comprehensive—cybersecurity capability. To stay protected against increasingly sophisticated and frequent cyber attacks, organizations must build their programs to be resilient today, and prepared for whatever may come tomorrow.

Helping clients securely navigate this digital world is what’s driving the Cyber Security Services practice at KPMG. For over 30 years, KPMG LLP (KPMG) has been a global leader in helping organizations mitigate risk and grasp opportunities. The KPMG Cyber Security Services team has been involved in many of the most high-profile breaches across 16 countries worldwide.

Ed Goings, U.S. & Global Lead of Cyber Response Services, and David Nides, Cyber Security Services Principal, pride themselves on delivering “high quality, highly effective digital forensics and incident response to KPMG clients globally.” Simultaneously, Ed & David’s teams work with clients on building cyber strategy: proactive measures for long-term resilience, such as building and testing cyber incident response plans, performing purple team exercises, creating ransomware resiliency programs, and improving incident preparedness. “Whether they’re new or existing, clients come to KPMG as their trusted advisor for cyber challenges and issues,” emphasizes David.

To follow through on this objective, KPMG must be empowered by technology that delivers the visibility, ease of deployment, ease of use, and quality of service it needs across a comprehensive Cyber Security Services portfolio. SentinelOne, an industry leader in detection and response technology, has emerged as a piece of this puzzle.

Identifying, Understanding, and Closing Security Gaps with Compromise Assessment

If ransomware has taught us anything, it’s that the cost of cybersecurity only grows by waiting until the moment of impact. Conducting a compromise assessment across the full enterprise estate can help us understand our current risk posture and identify if any active threats are present in the environment. While these assessments can be particularly insightful for incoming CISOs wanting an accurate baseline of their inherited environment or for organizations with new and changing risk following a merger or acquisition, there’s never a bad time to do due diligence.

At KPMG, data-rich compromise assessments start with deploying SentinelOne’s Sentinel Agent across the complete enterprise environment. This rollout is markedly faster than what’s possible with most compromise assessments, thanks to the agent’s Singularity Ranger capability. What might otherwise take days, if not weeks, now takes just a handful of hours.

Ranger, SentinelOne’s network discovery and attack surface control solution, “enables us to provide the client a means of self-deploying SentinelOne within the environment through self-propagation of the agent. Ranger covers not only known assets, but also unknown assets,” says David.

“Especially in larger IT estates, there tends to be a bit of shadow IT, which often stems problems and poses a significant risk. These types of environments or the systems within them are usually an afterthought or candidly not even known. With Ranger Pro, as long as those assets are deployed to the network, they’re covered in an automated fashion.”
David Nides, Cyber Security Services Principal, KPMG

Proactive Monitoring and Threat Hunting to Uncover Hidden Threats

Following deployment, the team performs a short period of active monitoring and proactive threat hunting as part of the compromise assessment. A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers. Attackers who have acquired user credentials through phishing campaigns often try to blend in with ordinary users, so understanding a user’s typical behavior is a useful benchmark for investigating anomalous file access or login events.
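The baseline-then-find-outliers step described above, as an added example that is not KPMG’s or SentinelOne’s code: it learns each user’s usual hosts and hours from constructed login and file-access records, then flags later events that deviate. The record fields and the two outlier rules are assumptions for illustration.

```python
"""Baseline per-user behaviour from telemetry and flag outliers.

Added example (not KPMG's or SentinelOne's code). Input records are
constructed for illustration: (user, host, hour_of_day, action)."""
from collections import defaultdict

# Constructed sample telemetry used to learn what is 'normal' per user.
BASELINE_EVENTS = [
    ("alice", "WS-101", 8, "login"), ("alice", "WS-101", 9, "login"),
    ("alice", "WS-101", 17, "login"), ("alice", "FS-01", 10, "file_read"),
    ("bob", "WS-202", 9, "login"), ("bob", "WS-202", 14, "login"),
    ("bob", "FS-01", 11, "file_read"),
]
# Constructed events from the monitoring window to evaluate.
NEW_EVENTS = [
    ("alice", "WS-101", 9, "login"),      # matches baseline
    ("alice", "DC-01", 3, "login"),       # new host at an unusual hour
    ("bob", "FS-02", 13, "file_read"),    # new host, usual hour
    ("carol", "WS-303", 10, "login"),     # user absent from baseline
]

def build_baseline(events):
    """Per user: the set of hosts and the set of hours seen in the window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour, _ in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(hour)
    return baseline

def find_outliers(baseline, events, hour_slack=2):
    """Return (event, reasons) for events deviating from the user's baseline.

    A host never seen for that user is flagged, as is an hour more than
    hour_slack away from every hour in the baseline. A user with no
    baseline at all is flagged so an analyst can decide if they are expected."""
    flagged = []
    for ev in events:
        user, host, hour, _ = ev
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for user")
        else:
            b = baseline[user]
            if host not in b["hosts"]:
                reasons.append(f"first access to {host}")
            if all(abs(hour - h) > hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            flagged.append((ev, reasons))
    return flagged

if __name__ == "__main__":
    for ev, why in find_outliers(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(ev, "->", "; ".join(why))
```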

SentinelOne’s EDR and XDR telemetry and intuitive hunting workflows enable even the most covert attacker activity to be uncovered. Because raw, benign data can be retained for extended periods, KPMG can also use historical data to map advanced threat campaigns across time. The same retention supports post-breach monitoring for extended periods after the security incident, to sustain containment and eradication of the threat actor.

Investigating and Analyzing Threats at Enterprise Scale

While proactive security practices will take you a long way in staying protected against threats, incidents are almost as certain as death and taxes. For KPMG, lending authority and expertise to clients in response to an imminent security event is its bread and butter. Whether a client wants to dive deeper into a potential email compromise that led to a money transfer out of the organization, or to contain and identify the root cause of a proliferating ransomware attack, Ed & David’s team relies on solid, scalable EDR technology to drive their breach response operations from one end of the incident response lifecycle to the other.

“We leverage SentinelOne as one of our EDR platforms. In many responses, our clients may already have an EDR in their environment, but if they’re calling us, it’s normally because they do not have a mature solution or an effective solution that has the desired coverage. SentinelOne is one of our go to solutions to deploy.”
Ed Goings, U.S. & Global Lead of Cyber Response Services, KPMG

Since the name of the game is rapid response and recovery, KPMG particularly values toolsets and workflows that will accelerate their incident response process.

Having the Right Data for Streamlined Investigations

With SentinelOne’s data platform following the acquisition of Scalyr, David and the team have been able to integrate KPMG’s proprietary Digital Responder (KDR) tool for triaging forensic endpoint data at scale with SentinelOne’s data ingestion, correlation, and analysis capabilities. “More times than not, we get pulled into an incident after it’s already occurred,” David explains. “SentinelOne’s data platform provides the ability to go back in time en masse and deploy tools and scripts to do true enterprise forensics.”

When KPMG Digital Responder forensic data is sent to the data platform for investigation and analysis, it can all be done within the same SentinelOne ecosystem, without sending data back and forth to KPMG for processing. This availability has significantly streamlined investigations for KPMG, turning what used to take days into mere minutes. The result is getting more clients, no matter how expansive their environment, from deployment and investigation to containment and eradication faster.

Monitoring for Threats and Maintaining Risk Posture

Since cyber risk mitigation isn’t just a point-in-time exercise, it’s crucial to have a program in place for around-the-clock security monitoring, especially if your operations span the globe. In both pre- and post-breach scenarios, KPMG helps clients build and manage their security operations, as well as the intelligence and response workflows underlying them, using EDR technology they trust for immediate breach response.

If you would like to learn more about Ranger, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.