
Partner Perspectives //

Carbon Black

03:30 PM
John Markott

Saving The Security Operations Center With Endpoint Detection And Response

EDR is the beginning of our return to control in the fight against cybercrime.

The endpoint detection and response (EDR) market isn’t about endpoint security; it’s about saving the security operations center (SOC). And I’m not just talking about enhancing our ability to catch the bad guys; I’m also talking about our ability to lower the cost to build and maintain a security team. The fact of the matter is that after years of increasing security budgets, we are continuing to lose ground against cybercrime.

Security today requires a high volume of work. We are drowning in a non-stop flood of security logs and events. The industry touts “advanced analytics” and “correlation,” but honestly, aren’t we continuing to get hacked? What are we missing to make these investments hum? Is there a way to propel our security teams forward, achieving an optimal level of effectiveness?

As a CISO or security leader, choosing where to invest is complex. Do you staff up to address the volume of alerts? Should you add additional context or controls to gain visibility or address gaps? Or do you assess current configurations to tune noisy rules or add rules to address new threats? You can’t address them all at once.

Organizations are dropping like flies, and the average CISO lasts about 18 to 24 months. So how do you, as a CISO or security leader, gain an advantage over the attacker and move to a position of control? It is not an endpoint product but a SOC optimization tool that will propel you to respond faster and more effectively. The end result will put you in the driver’s seat.

To quickly illustrate my point, take the following brief test. The questions posed frame the most universal limitations in security operation centers today. Can your security team answer these questions consistently, confidently, and in a short period of time (minutes)?

  1. When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
  2. When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
  3. If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
  4. When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
  5. When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
  6. What actions took place when an end user opened an email attachment?
  7. What actions took place when an end user clicked on a URL within their email?
  8. What were the step-by-step actions of an identified attack, from start to finish?

If your security team struggled to answer these questions, don’t feel bad. These are common pitfalls of the status quo. This is life without EDR. EDR is a great tool for detecting advanced threats, and as half of the questions show, EDR is the perfect complement to triaging events and alerts triggered by the current controls in your environment.
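To make questions 2, 3, 5, 6 and 8 concrete, here is an added example (not code from the article or from Carbon Black) that walks a recorded process tree the way an analyst would query EDR data: it finds the process behind a connection to a known C2 address, climbs the parent chain to see how the activity started, and reports how long the process ran before the alert. The telemetry, the pids, and the C2 address (a TEST-NET-3 placeholder) are all constructed for the example.

```python
# Constructed EDR sensor records: (pid, ppid, image, start_ts). Not real data.
PROCESS_EVENTS = [
    (100, 1,   "explorer.exe",   1000),
    (200, 100, "outlook.exe",    1060),
    (300, 200, "winword.exe",    1300),  # document opened from mail
    (400, 300, "powershell.exe", 1310),  # spawned by the document viewer
    (500, 100, "chrome.exe",     1400),
]
# Constructed outbound connections: (pid, dest_ip, dest_port, ts).
NETWORK_EVENTS = [
    (400, "203.0.113.7",   443, 1320),
    (500, "198.51.100.20", 443, 1410),
]
# Placeholder C2 indicator (a TEST-NET-3 address) standing in for a threat feed.
KNOWN_C2 = {"203.0.113.7"}

def build_tree(events):
    """Index recorded processes by pid so the parent chain can be walked."""
    return {pid: (ppid, image, ts) for pid, ppid, image, ts in events}

def flagged_connections(net_events, c2):
    """Question 3: connections whose destination matches a known C2."""
    return [(pid, ip, ts) for pid, ip, _port, ts in net_events if ip in c2]

def ancestry(tree, pid):
    """Questions 2 and 8: image names from the connecting process up to the root."""
    chain = []
    while pid in tree:
        ppid, image, _ts = tree[pid]
        chain.append(image)
        pid = ppid
    return chain

def classify_origin(chain):
    """Question 6: infer the entry vector from what appears in the chain."""
    if "outlook.exe" in chain:
        return "email attachment"
    return "unknown"

def trace_c2(process_events, net_events, c2, detection_ts):
    """Question 5: chain, origin, and seconds the process ran before detection."""
    tree = build_tree(process_events)
    result = {}
    for pid, ip, _conn_ts in flagged_connections(net_events, c2):
        chain = ancestry(tree, pid)
        result[pid] = {"c2": ip, "chain": chain, "origin": classify_origin(chain),
                       "dwell_seconds": detection_ts - tree[pid][2]}
    return result
```

The benign browser connection is never reported, because only the PowerShell child of the document viewer talked to the listed address; that is the triage the questions above ask for, answered from recorded endpoint history rather than from the network alert alone.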

Whether your existing controls are firewalls, intrusion detection/prevention, secure web gateways, or even SIEM (security information and event management), EDR is a SOC effectiveness tool that extends and optimizes your existing security architecture and investment. EDR provides visibility and access to data previously unavailable, enabling on-the-spot response. The resulting time savings not only justify EDR’s usage, they lower the cost to maintain and expand your current security operations practice. With time, your security analysts will transform to include incident-response skills. This shift will blur the lines between threat monitoring and incident response, creating perhaps the most epic evolution in security people, process, and technology since the origin of this industry.

What Is EDR Anyway?

Since advanced attackers can effectively slip through security defenses and live on endpoints for an estimated 250 days before being identified, EDR takes the approach of a surveillance camera in a local bank or retail store. EDR records all endpoint activity, creating a pristine record of all actions that occur on critical servers and endpoints. When attackers compromise an endpoint and erase their tracks, the entire chain of events has already been captured and securely stored for future reference. When an alert of any nature is triggered, EDR provides the means by which security analysts can quickly query to validate threats, eliminate false positives, and look back in time to research and respond. EDR is metaphorically a seat belt in a speeding car, and we know there’s trouble ahead.

With such a phenomenal data set, EDR can also be considered an endpoint SIEM. Nowhere, not even in big data or SIEM, will you find the quantity or depth of endpoint context that you will with EDR. Ask your security team and you’ll quickly learn that big data and SIEM have size and scale limitations. Many data sets, such as DNS, firewall, proxy, and endpoint data, are known to “tip over” the storage and processing capabilities of big data and SIEM platforms. This technical limitation causes blind spots and introduces the reality that effective security operations require an EDR overlay and the ability to mine this data for new endpoint attacks. As a result, EDR detection capabilities are synonymous with the correlation and analytics you find in SIEM.

And when a security incident is identified, EDR provides advanced tooling to take action: banning malicious files from executing in the environment, killing the malicious processes, or quarantining the affected machines. With the best EDR products, you can even gain command-line access to the affected machines, taking memory dumps, recording packet captures, and more. And through the analysis of attacks captured by EDR, you can glean the attackers’ TTPs (tactics, techniques, and procedures) and tradecraft, as well as the patterns of compromise needed to identify similar techniques in the future.

EDR is the beginning of our return to control in the fight against cybercrime.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ... View Full Bio
User Rank: Moderator
7/12/2016 | 11:03:29 AM
It's all about the endpoint
Totally agree! Endpoint security is absolutely key! It's something that everyone knows about but seems to forget. Just look at the fact that 63 percent of organizations said they had a printer-related security breach. Makes sense since there are more than 30 million printers and MFDs out there and all are connected to the network.
--Karen Bannan for IDG and HP