Partner Perspectives // Carbon Black

7/11/2016 03:30 PM
John Markott

Saving The Security Operations Center With Endpoint Detection And Response

EDR is the beginning of our return to control in the fight against cybercrime.

The endpoint detection and response (EDR) market isn’t about endpoint security; it’s about saving the security operations center (SOC). And I’m not just talking about enhancing our ability to catch the bad guys; I’m also talking about our ability to lower the cost to build and maintain a security team. The fact of the matter is that after years of increasing security budgets, we are continuing to lose ground against cybercrime.

Security today requires a high volume of work. We are drowning in a non-stop flood of security logs and events. The industry touts “advanced analytics” and “correlation,” but honestly, aren’t we continuing to get hacked? What are we missing to make these investments hum? Is there a way to propel our security teams forward, achieving an optimal level of effectiveness?

As a CISO or security leader, choosing where to invest is complex. Do you staff up to address the volume of alerts? Should you add additional context or controls to gain visibility or address gaps? Or do you assess current configurations to tune noisy rules or add rules to address new threats? You can’t address them all at once.

Organizations are dropping like flies, and the average CISO lasts about 18 to 24 months. So how do you, as a CISO or security leader, gain an advantage over the attacker and move to a position of control? It is not an endpoint product but a SOC optimization tool that will propel you to respond faster and more effectively. The end result will put you in the driver’s seat.

To quickly illustrate my point, take the following brief test. The questions posed frame the most universal limitations in security operations centers today. Can your security team answer these questions consistently, confidently, and in a short period of time (minutes)?

  1. When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
  2. When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
  3. If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
  4. When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
  5. When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
  6. What actions took place when an end user opened an email attachment?
  7. What actions took place when an end user clicked on a URL within their email?
  8. What were the step-by-step actions of an identified attack, from start to finish?

If your security team struggled to answer these questions, don’t feel bad. These are common pitfalls of the status quo. This is life without EDR. EDR is a great tool for detecting advanced threats, and as half of the questions show, EDR is the perfect complement to triaging events and alerts triggered by the current controls in your environment.

Whether your existing controls are firewalls, intrusion detection/prevention, secure web gateways or even SIEM (security information and event management), EDR is a SOC effectiveness tool that extends and optimizes your existing security architecture and investment. EDR provides visibility and access to data previously unavailable, enabling on-the-spot response. The resulting time savings not only justify EDR’s usage, they lower the cost to maintain and expand your current security operations practice. With time, your security analysts will transform to include incident-response skills. This shift will blur the lines between threat monitoring and incident response, creating perhaps the most epic evolution in security people, process, and technology since the origin of this industry.

What Is EDR Anyway?

Since advanced attackers can effectively slip through security defenses and live on endpoints for an estimated 250 days before being identified, EDR takes the approach of a surveillance camera in a local bank or retail store. EDR records all endpoint activity, creating a pristine record of all actions that occur on critical servers and endpoints. Even when attackers compromise an endpoint and erase their tracks, the entire chain of events has already been captured and securely stored for future reference. When an alert of any nature is triggered, EDR provides the method by which security analysts can quickly query to validate threats, eliminate false positives, and look back in time to research and respond. EDR is metaphorically a seat belt in a speeding car, and we know there’s trouble ahead.
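The “surveillance camera” lookback described above, reduced to code, is an added example (not Carbon Black’s product or code): over constructed process-start and network-connection records, it answers questions 3 and 8 from the test above, tracing a connection to a known C2 address back through its parent processes and assembling the time-ordered chain of events. The C2 indicator, hostnames, PIDs and timestamps are all constructed; 203.0.113.7 is a documentation-range address.

```python
# Added example, not Carbon Black's code: a toy "EDR lookback" over constructed
# endpoint telemetry, answering questions 3 and 8 above: which process opened the
# connection to a known C2 and what chain of recorded actions led up to it.
# 203.0.113.7 (documentation range) stands in for a C2 indicator from another control.
from typing import NamedTuple

class ProcEvent(NamedTuple):
    ts: int      # seconds since boot, constructed
    pid: int
    ppid: int
    image: str

class NetEvent(NamedTuple):
    ts: int
    pid: int
    dst_ip: str
    dst_port: int

PROCS = [
    ProcEvent(100, 400, 1, "explorer.exe"),
    ProcEvent(120, 412, 400, "outlook.exe"),
    ProcEvent(180, 530, 412, "winword.exe"),      # user opened an attachment
    ProcEvent(185, 544, 530, "powershell.exe"),   # spawned by the document
]
NETS = [
    NetEvent(130, 412, "198.51.100.20", 443),     # ordinary mail traffic
    NetEvent(190, 544, "203.0.113.7", 8443),      # matches the C2 indicator
]
KNOWN_C2 = {"203.0.113.7"}

def trace_to_root(pid, procs):
    """Follow parent links upward from pid; returns the chain, oldest ancestor first."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse cycles
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]

def explain_c2_connections(procs, nets, c2_ips):
    """Chain and time-ordered events for every connection to a known C2 address."""
    findings = []
    for n in [n for n in nets if n.dst_ip in c2_ips]:
        chain = trace_to_root(n.pid, procs)
        pids = {p.pid for p in chain}
        events = [(p.ts, f"start {p.image} pid={p.pid}") for p in chain]
        events += [(e.ts, f"connect {e.dst_ip}:{e.dst_port} pid={e.pid}") for e in nets if e.pid in pids]
        findings.append({"chain": [p.image for p in chain], "timeline": sorted(events)})
    return findings
```

Running `explain_c2_connections(PROCS, NETS, KNOWN_C2)` yields one finding whose chain reads explorer.exe → outlook.exe → winword.exe → powershell.exe, with the mail-server connection and the C2 beacon placed on the same timeline; without the recorded parent links, the firewall alert alone would name only an IP address.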

With such a phenomenal data set, EDR can also be considered an endpoint SIEM. Nowhere, not even in big data or SIEM, will you find the quantity or depth of endpoint context that you will with EDR. Ask your security team and you’ll quickly learn that big data and SIEM have size and scale limitations. Many data sets, such as DNS, firewall, proxy, and endpoint data, are known to “tip over” the storage and processing capabilities of big data and SIEM. This technical limitation causes blind spots and introduces the reality that effective security operations require an EDR overlay and the ability to mine this data for new endpoint attacks. As a result, EDR detection capabilities are synonymous with the correlation and analytics you find on SIEM.

And when a security incident is identified, EDR provides advanced tooling to take action: banning malicious files from executing in the environment, killing the malicious processes, or quarantining the machines affected. With the best EDR products, you can even gain command line access to the affected machines, taking memory dumps, recording packet captures, and more. And through the analysis of attacks captured by EDR, you can glean the TTPs (tools, techniques, and practices) of the attackers, their tradecraft, as well as the patterns of compromise needed to identify similar techniques in the future.

EDR is the beginning of our return to control in the fight against cybercrime.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...
Comments
kbannan100, User Rank: Apprentice
7/12/2016 | 11:03:29 AM
It's all about the endpoint
Totally agree! Endpoint security is absolutely key! It's something that everyone knows about but seems to forget. Just look at the fact that 63 percent of organizations said they had a printer-related security breach. Makes sense since there are more than 30 million printers and MFDs out there and all are connected to the network.
--Karen Bannan for IDG and HP