Petra Security

How BNMC (A New Charter Company) Used Petra to Stop a CEO Attack Missed By SaaS Alerts

  • 29-Day Lurking Attacker: discovered with Petra, missed by prior ITDR
  • 45.9 Days: revealed MTTR with prior ITDR
  • 67.6 Seconds: new MTTR with Petra
It became crystal clear to us that we needed something in addition to SaaS Alerts to deliver on the protection we were promising.
Ken Curtis, Systems Architect, BNMC

BNMC has been the trusted IT partner for hundreds of businesses across the Northeast and beyond since 1991. BNMC prides itself on enterprise-level IT services with the perfect blend of regional reach and local expertise.

The Challenge

BNMC was using SaaS Alerts and seeing attacks increasing.

“We monitor client environments across Azure and Microsoft 365 using multiple platforms, including SaaS Alerts,” says Ken Curtis, Systems Architect at BNMC. “These tools provide great visibility, but when we heard about Petra, it was clear Petra could go deeper. It's no secret that attackers are changing what they do. We wanted to go deeper and detect faster.”

The Evaluation

BNMC wanted to see their detection speed gap, so they ran Petra Scan.

Ken and his team spun up Petra Scan to examine 6 compromises the prior ITDR had been monitoring. “We'd thought attacks were being shut down pretty fast,” says Ken. Then he laughs: “...and then we ran Petra.” Here's what Scan uncovered across 5 compromises:

  • Prior ITDR caught an attack 4 months and 4 days late. The attacker accessed financial emails.
  • Prior ITDR caught an attack 1 month and 27 days late. The attacker created a malicious app to continually exfiltrate data.
  • Prior ITDR caught an attack 29 days and 15 hours late. The attacker accessed 255 emails and sent at least 210 malicious emails.
  • Prior ITDR caught an attack 14 days late. The attacker accessed 84 emails and documents with financial info.
  • Prior ITDR caught an attack 5 days late. The attacker accessed sensitive financial documents and sent at least 510 malicious emails.

By the numbers: the 5 cases the prior ITDR had caught were caught on average 45.9 days late. Across all cases, 66% of attackers accessed financial data and 50% used compromised accounts to launch outbound attacks.

Results with Petra

With Petra, BNMC caught a CEO attack in progress, missed by SaaS Alerts.

Petra showed a live attacker currently lurking in a client CEO's account. Over 29 days, that attacker had added a malicious MFA method, accessed the account from multiple U.S.-based IPs, and viewed and downloaded several sensitive documents. At the time Petra raised the alert, the attacker was uploading a phishing document to impersonate the CEO and distribute invoice fraud emails to external contacts.

SaaS Alerts generated no alerts during the attack — the activity looked normal under traditional rule-based monitoring. It became crystal clear that we needed something in addition.
Ken Curtis, BNMC

The Results

With Petra, BNMC catches attacks faster, and passes the detection boost to clients.

Since deploying, BNMC has used Petra to catch 3 account compromises for clients, much faster — at 59 seconds, 1 minute 6 seconds, and 1 minute 18 seconds after logs.

A normal MSP would have been dealing with the fallout. But because we use Petra, we got to proactively prevent a large-scale phishing campaign that would have come from a trusted executive's account.
Ken Curtis, BNMC

BNMC prides itself on enterprise-level IT services — reducing risk, minimizing downtime, and aligning IT to business goals. Visit bnmc.net or email sales@bnmc.net.
