Partner Perspectives // Carbon Black
7/11/2016 03:30 PM
John Markott
Saving The Security Operations Center With Endpoint Detection And Response

EDR is the beginning of our return to control in the fight against cybercrime.

The endpoint detection and response (EDR) market isn’t about endpoint security; it’s about saving the security operations center (SOC). And I’m not just talking about enhancing our ability to catch the bad guys; I’m also talking about our ability to lower the cost to build and maintain a security team. The fact of the matter is that after years of increasing security budgets, we are continuing to lose ground against cybercrime.

Security today requires a high volume of work. We are drowning in a non-stop flood of security logs and events. The industry touts “advanced analytics” and “correlation,” but honestly, aren’t we continuing to get hacked? What are we missing to make these investments hum? Is there a way to propel our security teams forward, achieving an optimal level of effectiveness?

As a CISO or security leader, choosing where to invest is complex. Do you staff up to address the volume of alerts? Should you add additional context or controls to gain visibility or address gaps? Or do you assess current configurations to tune noisy rules or add rules to address new threats? You can’t address them all at once.

Organizations are dropping like flies, and the average CISO lasts about 18 to 24 months. So how do you, as a CISO or security leader, gain an advantage over the attacker and move to a position of control? It is not an endpoint product but a SOC optimization tool that will propel you to respond faster and more effectively. The end result will put you in the driver’s seat.

To quickly illustrate my point, take the following brief test. The questions posed frame the most universal limitations in security operation centers today. Can your security team answer these questions consistently, confidently, and in a short period of time (minutes)?

  1. When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
  2. When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
  3. If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
  4. When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
  5. When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
  6. What actions took place when an end user opened an email attachment?
  7. What actions took place when an end user clicked on a URL within their email?
  8. What were the step-by-step actions of an identified attack, from start to finish?

If your security team struggled to answer these questions, don’t feel bad. These are common pitfalls of the status quo. This is life without EDR. EDR is a great tool for detecting advanced threats, and as half of the questions show, EDR is the perfect complement to triaging events and alerts triggered by the current controls in your environment.

Whether your existing controls are firewalls, intrusion detection/prevention, secure web gateways, or even SIEM (security information and event management), EDR is a SOC effectiveness tool that extends and optimizes your existing security architecture and investment. EDR provides visibility and access to data previously unavailable, enabling on-the-spot response. The resulting time savings not only justify EDR’s usage, they lower the cost to maintain and expand your current security operations practice. With time, your security analysts will transform to include incident-response skills. This shift will blur the lines between threat monitoring and incident response, creating perhaps the most epic evolution in security people, process, and technology since the origin of this industry.

What Is EDR Anyway?

Since advanced attackers can effectively slip through security defenses and live on endpoints for an estimated 250 days before being identified, EDR takes the approach of a surveillance camera in a local bank or retail store. EDR records all endpoint activity, creating a pristine record of all actions that occur on critical servers and endpoints. When attackers compromise an endpoint and erase their tracks, the entire chain of events is still captured and securely stored for future reference. When an alert of any nature is triggered, EDR provides the means by which security analysts can quickly query to validate threats, eliminate false positives, and look back in time to research and respond. EDR is metaphorically a seat belt in a speeding car, and we know there’s trouble ahead.
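As an added example (not Carbon Black’s code or any product’s API), here is the kind of query an analyst runs over the recorded endpoint data to answer questions 3 and 8 from the list above: given constructed process-start and network-connection records, it names the process that reached a known C2 address, walks the parent chain back to its origin, and lists the recorded steps for that chain in order. The event fields and the C2 address are assumptions.

```python
# Constructed EDR-style endpoint telemetry (sample data, not a real capture).
# Each process-start record carries pid, parent pid and image; each network
# record carries the pid that opened the connection. Times are constructed.
EVENTS = [
    {"ts": "10:01:00", "type": "procstart", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"ts": "10:01:05", "type": "procstart", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"ts": "10:02:10", "type": "procstart", "pid": 300, "ppid": 200, "image": "winword.exe"},
    {"ts": "10:02:30", "type": "procstart", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": "10:02:45", "type": "netconn", "pid": 400, "dst": "203.0.113.7", "dport": 443},
    {"ts": "10:02:50", "type": "netconn", "pid": 200, "dst": "198.51.100.9", "dport": 443},
]
KNOWN_C2 = {"203.0.113.7"}  # constructed indicator, documentation-range address


def process_index(events):
    """Map pid -> process-start record so parent links can be followed."""
    return {e["pid"]: e for e in events if e["type"] == "procstart"}


def lineage(pid, procs, limit=64):
    """Follow parent links from pid toward the root; returns pids root-first.
    The limit guards against cyclic or forged parent pointers in the data."""
    chain = []
    while pid in procs and len(chain) < limit:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def trace_c2_connections(events, c2):
    """Question 3: for each connection to a known C2 address, name the process
    that opened it and the chain of parent images that led to it."""
    procs = process_index(events)
    hits = []
    for e in events:
        if e["type"] == "netconn" and e["dst"] in c2:
            chain = [procs[p]["image"] for p in lineage(e["pid"], procs)]
            hits.append({"ts": e["ts"], "dst": e["dst"], "pid": e["pid"], "chain": chain})
    return hits


def timeline(events, pid):
    """Question 8: every recorded event for pid and its ancestors, in order,
    which is the step-by-step view an analyst wants of the whole chain."""
    ids = set(lineage(pid, process_index(events)))
    return [e for e in events if e["pid"] in ids]


if __name__ == "__main__":
    for hit in trace_c2_connections(EVENTS, KNOWN_C2):
        print(hit["ts"], hit["dst"], "opened by", " > ".join(hit["chain"]))
    for e in timeline(EVENTS, 400):
        print(e["ts"], e["type"], e.get("image") or e["dst"])
```

On the sample data the C2 connection traces back through explorer.exe > outlook.exe > winword.exe > powershell.exe, the classic attachment-to-script chain that questions 6 and 7 also ask about.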

With such a phenomenal data set, EDR can also be considered an endpoint SIEM. Nowhere, not even in big data or SIEM, will you find the quantity or depth of endpoint context that you will find with EDR. Ask your security team and you’ll quickly learn that big data and SIEM have size and scale limitations. Many data sets, such as DNS, firewall, proxy, and endpoint data, are known to “tip over” the storage and processing capabilities of big data and SIEM. This technical limitation causes blind spots and introduces the reality that effective security operations require an EDR overlay and the ability to mine this data for new endpoint attacks. As a result, EDR detection capabilities are synonymous with the correlation and analytics you find in SIEM.

And when a security incident is identified, EDR provides advanced tooling to take action: banning malicious files from executing in the environment, killing the malicious processes, or quarantining the machines affected. With the best EDR products, you can even gain command-line access to the affected machines, taking memory dumps, recording packet captures, and more. And through the analysis of attacks captured by EDR, you can glean the TTPs (tools, techniques, and practices) of the attackers, their tradecraft, as well as the patterns of compromise needed to identify similar techniques in the future.

EDR is the beginning of our return to control in the fight against cybercrime.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...
Comments

kbannan100, User Rank: Apprentice, 7/12/2016 | 11:03:29 AM
It's all about the endpoint
Totally agree! Endpoint security is absolutely key! It's something that everyone knows about but seems to forget. Just look at the fact that 63 percent of organizations said they had a printer-related security breach. Makes sense since there are more than 30 million printers and MFDs out there and all are connected to the network.
--Karen Bannan for IDG and HP