Partner Perspectives //

Carbon Black

8/2/2016
09:05 AM
John Markott
John Markott
Partner Perspectives
50%
50%

How the Adoption of EDR Transforms a SOCs Effectiveness

Endpoint detection response is helping take the headache out of responding to threats by providing visibility where most organizations are blind.

Endpoint detection and response (EDR) is much more than a next-generation endpoint capability, it is a driving force of evolutionary change within security operations centers (SOC) today. EDR provides visibility where most organizations are blind. In our network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or the origin of attacks. 

To illustrate this point, I created a litmus test to review common limitations in security information and event management (SIEM) and threat monitoring today. Because most SIEM have insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as: 

  • Is the attack targeting a critical, sensitive, or regulated asset?  
  • Does the identified exploit target the right operating system or application?

Nor the more complex questions such as:

  • What process executed a connection to the known malicious IP or URL?
  • What occurred following the successful inbound attack? 

Life without EDR 

For organizations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts -- particularly in large enterprise or managed security service provider (MSSP) -- have few choices other than to open a ticket and delegate the research to others with access to the targeted machine. 

The stakeholder could be in another department or region. For MSSPs, this is the heartbeat of communication between the SOC and customers under attack. Tickets may be answered quickly but a large majority take days and weeks. Some aren’t answered at all. In fact, due to the substantial delays incurred, special tools have been created to address the hold up. 

  • One such tool is called alert suppression. Using alert suppression, mature SOCs can hide repetitive alerts waiting for information requested from stakeholders.
  • Another technique is to auto notify and close tickets without response.
  • Last but not least, it’s often easier to simply re-image the machine than to investigate root cause. 

This is the average day to day of threat analysts in the SOC. It’s not sexy, nor is it cost effective. Repeated tens (if not hundreds) of times on a daily or weekly basis drives up organizational costs to an unsupportable level. When I hear people say: “I can’t afford to build or staff a SOC,” it’s not surprising given the status quo. Manual and human intensive tasks give security a bad name. This is life without EDR. 

Life with EDR

The introduction of EDR is a major evolution in SOC effectiveness. Threat analysts no longer need to ask others to validate threats, the data is available to real-time query. With immediate access to the data, three incredible things happen:

  1. The SOC Analyst can research and respond to alerts in rapid succession, dramatically increasing their workload. 
  2. Armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2.
  3. By eliminating the high volume of tickets requesting context, MSSP customers or stakeholders of large enterprise are relieved of the deluge of inquiries. 

Inevitably, a breach will occur. When that does happen, utilizing a best-in-class EDR vendor that includes continuous and centralized recording takes the guesswork out of incident response. The attacker may have erased their tracks, but EDR recorded the attackers every move with an endpoint DVR, the cyber equivalent to a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders don’t need to fly to the scene of the crime, scrape RAM, or image machines to look for clues. The full recorded history of the attack enables on the spot incident response. 

EDR is much more than an endpoint security product; it’s causing an evolution in the people and process utilized within security operation centers globally. And for individual corporations or customers who rely on MSSPs to deliver skills and expertise, EDR is a fundamental technology that is not optional. It’s a foundational requirement of the next generation security operation center and primary reason we’ll collapse the average ~250 day gap between attack initiation and discovery.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8030
PUBLISHED: 2018-06-20
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 a...
CVE-2018-1117
PUBLISHED: 2018-06-20
ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this cou...
CVE-2018-11701
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11702
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11703
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.