10/26/2016
03:00 PM
Joshua Goldfarb
Commentary
20 Endpoint Security Questions You Never Thought to Ask

The endpoint detection and response market is exploding! Here's how to make sense of the options, dig deeper, and separate vendor fact from fiction.

There is a lot of buzz around the endpoint detection and response (EDR) market of late. The legacy endpoint market, traditionally dominated by large anti-virus (AV) vendors, has always been one that security professionals love to hate. Recently, however, several new players have entered the market with a variety of different approaches. These new entrants have shaken up the market and reinvigorated it with hope and cautious optimism for the future.

Perhaps not surprisingly, with the endpoint market estimated to be somewhere between a $5B and $20B market (depending on the source of the research), hype and noise around it have quickly filled the air. Every potential buyer is bombarded by a long list of vendors, each one of which uses nearly the same marketing language as the other. So how can a security manager make sense of the options, dig deeper, and separate fact from fiction? You guessed it - by playing a game of twenty questions, or in some cases show and tell.

Image: By DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

Conceptually, viable EDR solutions need to provide three broad buckets of functionality:

Prevent/Detect to block malicious code and prevent infection with a high rate of detection (true positives) and a low rate of both false positives and false negatives. This has long been the bailiwick of legacy anti-virus vendors, though detection rates and overall product efficacy have fallen sharply in the last few years due to a number of different factors. Among these factors are the ability of attackers to morph their malicious code to evade signature-based detection, as well as the gradual move by attackers away from malicious code and toward the use of stolen credentials and other techniques that involve no malicious code at all.

Analysis that provides the capability to analyze, investigate, and perform forensics on the endpoint and across multiple different endpoints seamlessly.

Response that gives you the ability to contain and remediate endpoints remotely.

As you might have guessed, every EDR vendor will say they cover all three of these categories better than their competitors. Let’s play that game of 20 questions to understand how to find truth amidst the hype and noise:

1. How easy is your solution to deploy?  Whether I have hundreds of thousands of endpoints within my enterprise or far fewer, I need a painless deployment process.

2. How easy is your solution to manage?  With the number of agents I’m deploying, I can’t afford sloppy or immature management.

3. How easy is it to configure rulesets and tune the solution once deployed?  Aside from the fact that threats are continually evolving, if there are activities that appear malicious elsewhere but are benign in my environment, I need a way to filter those out.

4. How easy is it to update your solution’s knowledge base or take advantage of the latest knowledge around attacker activity?  If you can’t make it easy for me to operationalize what you’re selling me on, then your solution isn’t going to work for me.

5. What additional load on the endpoint does your agent introduce? I can’t impact business productivity.

6. You want me to install yet another agent? I would be willing to do that if you articulate how you can consolidate functionality that I currently get from multiple different agents into one agent.

7. How does your solution integrate with my existing security infrastructure?  I have a complex ecosystem of products deployed and yours needs to play nice with it.

8. Not all intrusions involve malware. What is your strategy to detect intrusions that use no malware at all?

9. Is your solution part of an overall platform, or is it just another point product that I need to figure out how to integrate into my operational workflow?

10. Does your solution leverage and facilitate correlation with other data? I have a lot of great data elsewhere in my enterprise. Do you know how to take full advantage of it to improve your efficacy?

11. Is your solution based on knowledge of attacker tactics, techniques, and procedures (TTPs)?  If not, how do you identify that type of activity?

12. How does all the knowledge you’re selling me on make its way into the product to help me mitigate risk?

13. Do you really have behavioral analysis and machine learning built into your solution, or is it just signatures and rulesets behind the scenes?

14. Do you provide the ability to remotely contain and remediate endpoints?

15. How efficient and powerful is your enterprisewide search?  If I have an incident, or even if I don’t, I need to be able to slice and dice the data collected by my endpoint solution in an instant.

16. How effective is your solution in a real enterprise against binaries you’ve never seen before?

17. What is your true positive detection rate in the wild?  Results from your lab don’t interest me here.

18. What percentage of events and alerts that you fire are false positives? Again, results from your lab don’t interest me here.

19. What is the upgrade path for your solution? It should be a smooth and straightforward transition from one version to the next.

20. How does your solution facilitate my information sharing initiatives?

It’s not surprising that the endpoint market is a hot one. Changing attacker behaviors, historical disappointment with legacy endpoint products, and the move to the cloud with its resulting loss of network visibility all combine to make endpoints a more critical target than ever before. Playing a good game of 20 questions with prospective EDR vendors will lead you to an educated decision that meets the specific requirements of your organization.


Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ...
Comments
rstoney, User Rank: Strategist, 11/3/2016 | 9:31:34 AM
Great Article
While thankfully our team has thought to ask MOST of these questions - great list. And we will amend our omissions in our upcoming vendor testing.

Shantaram, User Rank: Ninja, 10/28/2016 | 8:51:21 AM
Re: 192.168.0.1
Very interesting article, to the point!

kbannan100, User Rank: Apprentice, 10/27/2016 | 3:37:40 PM
Have a plan
I just read an article that said only 33 percent of respondents have an endpoint security plan in place. Then I read a Forbes article that detailed how stockholders are suing companies for lying about security. This is not something to take lightly! 

It helps to start with making sure you have endpoints like printers that HAVE their own security. A security strategy should be multi-layered. Start on the inside and work your way out! 

--Karen Bannan for IDG and HP