The endpoint detection and response (EDR) market isn’t about endpoint security, it’s about saving the security operations center (SOC). And I’m not just talking about enhancing our ability to catch the bad guys; I’m also talking about our ability to lower the cost to build and maintain a security team. The fact of the matter is that after years of increasing security budgets, we are continuing to lose ground against cybercrime.
Security today requires a high volume of work. We are drowning in a non-stop flood of security logs and events. The Industry touts “advanced analytics” and “correlation,” but honestly, aren’t we continuing to get hacked? What are we missing to make these investments hum? Is there a way to propel our security teams forward, achieving an optimal level of effectiveness?
As a CISO or security leader, choosing where to invest is complex. Do you staff up to address the volume of alerts? Should you add additional context or controls to gain visibility or address gaps? Or do you assess current configurations to tune noisy rules or add rules to address new threats? You can’t address them all at once.
Organizations are dropping like flies, and the average CISO lasts about 18 to 24 months. So how do you, as a CISO or security leader, gain an advantage over the attacker and move to a position of control? It is not an endpoint product but a SOC optimization tool that will propel you to respond faster and more effectively. The end result will put you in the driver’s seat.
To quickly illustrate my point, take the following brief test. The questions posed frame the most universal limitations in security operation centers today. Can your security team answer these questions consistently, confidently, and in a short period of time (minutes)?
- When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
- When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
- If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
- When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
- When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
- What actions took place when an end user opened an email attachment?
- What actions took place when an end user clicked on a URL within their email?
- What were the step-by-step actions of an identified attack, from start to finish?
If your security team struggled to answer these questions, don’t feel bad. These are common pitfalls of the status quo. This is life without EDR. EDR is a great tool for detecting advanced threats, and as half of the questions show, EDR is the perfect complement to triaging events and alerts triggered by the current controls in your environment.
Whether firewall, intrusion detection/prevention, secure web gateway or even SIEM (security information and event management), EDR is a SOC effectiveness tool that effectively extends and optimizes your existing security architecture and investment. EDR provides visibility and access to data previously unavailable, enabling on-the-spot response. The resulting time savings not only justify EDR’s usage, they lower the cost to maintain and expand your current security operations practice. With time, your security analysts will transform to include incident-response skills. This shift will blur the lines between threat monitoring and incident response, creating perhaps the most epic evolution in security people, process, and technology since the origin of this industry.
What Is EDR anyway?
Since advanced attackers can effectively slip through security defenses and live on endpoints for an estimated 250 days before being identified, EDR takes the approach of a surveillance camera in a local bank or retail store. EDR records all endpoint activity, creating a pristine record of all actions that occur on critical servers and endpoints. When attackers compromise an endpoint and erase their tracks, the entire chain of events is captured and securely stored for future reference. When an alert of any nature is triggered, EDR provides the method in which security analysts can quickly query to validate threats, eliminate false positives, and look back in time to research and respond. EDR is metaphorically a seat belt in a speeding car, and we know there’s trouble ahead.
With such a phenomenal data set, EDR can also be considered an endpoint SIEM. Nowhere, not even in big data or SIEM, will you find the quantity or depth of endpoint context as you will with EDR. Ask your security team and you’ll quickly learn that big data and SIEM have size and scale limitations. Many data sets are known to “tip over” storage and processing capabilities of big data and SIEM such as DNS, firewall, proxy, and endpoint data. This technical limitation causes blind spots and introduces the reality that effective security operations require an EDR overlay and the ability to mine this data for new endpoint attacks. As a result, EDR detection capabilities are synonymous to the correlation and analytics you find on SIEM.
And when a security incident is identified, EDR provides advanced tooling to take action, banning malicious files from executing in the environment, killing the malicious processes, or quarantining the machines affected. With the best EDR products, you can even gain command line access to the affected machines, taking memory dumps, recording packet captures, and more. And through the analysis of attacks captured by EDR, you can glean the TTPs (tools, techniques, and practices) of the attackers, their trade craft, as well as the patterns of compromise needed to identify similar techniques in the future.
EDR is the beginning of our return to control in the fight against cybercrime.