Endpoint | Commentary
10/26/2016 03:00 PM
Joshua Goldfarb

20 Endpoint Security Questions You Never Thought to Ask

The endpoint detection and response market is exploding! Here's how to make sense of the options, dig deeper, and separate vendor fact from fiction.

There is a lot of buzz around the endpoint detection and response (EDR) market of late. The legacy endpoint market, traditionally dominated by large anti-virus (AV) vendors, has always been one that security professionals love to hate. Recently, however, several new players have entered the market with a variety of different approaches. These new entrants have shaken up the market and reinvigorated it with hope and cautious optimism for the future.

Perhaps not surprisingly, with the endpoint market estimated at somewhere between $5B and $20B (depending on the source of the research), hype and noise around it have quickly filled the air. Every potential buyer is bombarded by a long list of vendors, each of which uses nearly the same marketing language as the others. So how can a security manager make sense of the options, dig deeper, and separate fact from fiction? You guessed it: by playing a game of twenty questions, or in some cases show and tell.

Image: DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

Conceptually, viable EDR solutions need to provide three broad buckets of functionality:

Prevent/Detect to block malicious code and prevent infection with a high rate of detection (true positives) and a low rate of both false positives and false negatives. This has long been the bailiwick of legacy anti-virus vendors, though detection rates and overall product efficacy have fallen sharply in the last few years for a number of reasons. Among them are attackers' ability to morph their malicious code to evade signature-based detection, as well as their gradual move away from malicious code and toward the use of stolen credentials and other techniques that involve no malicious code at all.

Analysis that provides the capability to analyze, investigate, and perform forensics on the endpoint and across multiple different endpoints seamlessly.

Response that gives you the ability to contain and remediate endpoints remotely.

As you might have guessed, every EDR vendor will say they cover all three of these categories better than their competitors. Let’s play that game of 20 questions to understand how to find truth amidst the hype and noise:

1. How easy is your solution to deploy? Whether I have hundreds of thousands of endpoints within my enterprise or far fewer, I need a painless deployment process.

2. How easy is your solution to manage? With the number of agents I'm deploying, I can't afford sloppy or immature management.

3. How easy is it to configure rulesets and tune the solution once deployed? Aside from the fact that threats are continually evolving, if there are activities that appear malicious elsewhere but are benign in my environment, I need a way to filter those out.

4. How easy is it to update your solution's knowledge base or take advantage of the latest knowledge around attacker activity? If you can't make it easy for me to operationalize what you're selling me on, then your solution isn't going to work for me.

5. What additional load on the endpoint does your agent introduce? I can't impact business productivity.

6. You want me to install yet another agent? I would be willing to do that if you articulate how you can consolidate functionality that I currently get from multiple different agents into one agent.

7. How does your solution integrate with my existing security infrastructure? I have a complex ecosystem of products deployed and yours needs to play nice with it.

8. Not all intrusions involve malware. What is your strategy to detect intrusions that use no malware at all?

9. Is your solution part of an overall platform, or is it just another point product that I need to figure out how to integrate into my operational workflow?

10. Does your solution leverage and facilitate correlation with other data? I have a lot of great data elsewhere in my enterprise. Do you know how to take full advantage of it to improve your efficacy?

11. Is your solution based on knowledge of attacker tactics, techniques, and procedures (TTPs)? If not, how do you identify that type of activity?

12. How does all the knowledge you’re selling me on make its way into the product to help me mitigate risk?

13. Do you really have behavioral analysis and machine learning built into your solution, or is it just signatures and rulesets behind the scenes?

14. Do you provide the ability to remotely contain and remediate endpoints?

15. How efficient and powerful is your enterprisewide search? If I have an incident, or even if I don't, I need to be able to slice and dice the data collected by my endpoint solution in an instant.

16. How effective is your solution in a real enterprise against binaries you've never seen before?

17. What is your true positive detection rate in the wild? Results from your lab don't interest me here.

18. What percentage of the events and alerts that you fire are false positives? Again, results from your lab don't interest me here.

19. What is the upgrade path for your solution? It should be a smooth and straightforward transition from one version to the next.

20. How does your solution facilitate my information sharing initiatives?

It's not surprising that the endpoint market is a hot one. Changing attacker behaviors, historical disappointment with legacy endpoint products, and the move to the cloud with its resulting loss of network visibility all combine to make endpoints a more critical target than ever before. Playing a good game of 20 questions with prospective EDR vendors will lead you to an educated decision that meets the specific requirements of your organization.


Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as ...
Comments
rstoney, User Rank: Strategist
11/3/2016 | 9:31:34 AM
Great Article
While thankfully our team has thought to ask MOST of these questions - great list. And we will amend our omissions in our upcoming vendor testing.

Shantaram, User Rank: Strategist
10/28/2016 | 8:51:21 AM
Re: 192.168.0.1
Very interesting article, to the point!

kbannan100, User Rank: Apprentice
10/27/2016 | 3:37:40 PM
Have a plan
I just read an article that said only 33 percent of respondents have an endpoint security plan in place. Then I read a Forbes article that detailed how stockholders are suing companies for lying about security. This is not something to take lightly!

It helps to start with making sure you have endpoints like printers that HAVE their own security. A security strategy should be multi-layered. Start on the inside and work your way out!

--Karen Bannan for IDG and HP