Endpoint Advanced Protection Buyer’s Guide: Detection and Response Use Cases

Posted under: Research and Analysis

As we continue documenting what you need to know to understand Endpoint Advanced Protection offerings, we now delve into Detection and Response. Remember that before you pick anything, you have to understand what problem you are trying to solve. Aspiring to detect all endpoint attacks within microseconds and without false positives isn’t really an achievable goal. You need to determine the key use cases most important to you, while making an honest assessment of your team and your adversaries.

Why is this introspection necessary? Hardly anyone will say they don’t want to detect active attacks and hunt for adversaries. It’s cool and it’s necessary. No one wants to be perpetually reacting to attacks. That being said, if you don’t have enough staff to work through half of the high-priority alerts coming from your security monitoring systems, how are you going to find time to proactively hunt for the stuff your monitoring systems don’t catch?

To use another example, your team may consist of a bunch of entry-level security analysts struggling to figure out what is an actual device compromise and what is a false positive. Tasking these less sophisticated folks with advanced memory forensics to identify fileless malware may not be the best use of their time.

The point here is that effective procurement of advanced endpoint detection and response (EDR) technology matches what you buy with the ability of your organization to use the technology. Of course, you want to be able to grow into a more advanced program and capability. But you don’t want to pay for an Escalade when a Kia Sportage is where you are at this point in time.

Over the next 5 days, we’ll explain what you need to know about Detection and Response (D/R) in order to be an educated buyer of these solutions. We’ll start by helping you understand the key use cases for D/R, and then we’ll delve into the capabilities important for each use case, the underlying technologies that make it all work, and finally some key questions to ask your vendors to understand their approach to solving your problems.

Planning for Compromise

Before we get into the specific use cases, we should level-set regarding the situation you face, which we highlighted in the introduction to the Endpoint Advanced Protection Buyer’s Guide. For many years there was little innovation in endpoint protection. Even worse, far too many organizations didn’t upgrade to the latest version of their vendor’s offerings – they were trying to detect 2016 attacks with 2011 technology. Predictably, that didn’t work very well.

Now that there are better alternatives for prevention, where does that leave endpoint detection and response? Well, it leaves it in the same place it’s always been – a necessity. Regardless of how good your endpoint prevention strategy is, it’s not good enough. You will have devices that get compromised. And that means you have to be in a position to detect the compromise and respond to it effectively and efficiently.

The good news is that in the absence of effective prevention options, many organizations have gone down this path of investing in better detection and response. They’ve been growing their network-based detection and centralized security monitoring infrastructure (ergo the wave of security analytics offerings hitting the market), and these organizations have also invested in technologies focused on gathering telemetry from endpoints and making sense of it.

To be clear, you’ve always been able to analyze what happened on an endpoint after an attack, assuming you did some measure of logging and could take a forensic image of the device once you had physical possession. There are decent open source tools for advanced forensics, which have always been leveraged by the forensicators that charge you hundreds of dollars an hour to do their thing.

What you don’t have are enough people to do that kind of response and forensic analysis. You hardly have enough people to work through the alert queue, right? This is where advanced endpoint detection and response (EDR) tools can add real value to your security program. Facing a significant and critical skills gap, the technology needs to help your less experienced folks by structuring their activities and making the next step in the process somewhat intuitive. If these tools can’t make your people better and faster, then why bother?

But all of the vendors say that, right? They claim their tools find unknown attacks. And don’t create a bunch of work validating false positives. And help you prioritize your activities. The magic tools even find attacks before you know they are attacks, while being bundled with a side of unicorn dust.

Our objective with these selection criteria is to make sure you understand how to dig deeper into the true capabilities of the products, and know what is real and what is marketing puffery. You need to understand whether the vendor understands the entire threat landscape or is focused on a small set of high-profile attack vectors, and whether they will be an effective partner as the adversaries and their tactics inevitably change. Yet, as we mentioned above, you need to focus your selection on the problem you need to solve, and that gets to defining the main use cases for EDR.

Key Use Cases

Let’s be pretty clear and concise about the use cases. There are three main functions you need these tools to perform, and there is quite a bit of overlap with the technologies that underlie endpoint prevention tools.

  • Detection: When you are attacked, it’s a race against time. The attackers are moving to burrow deeper into your environment and continue towards achieving their mission. The sooner you detect that something is amiss on an endpoint, the more likely you’ll contain the damage. The challenge in today’s environment is that it’s not just detecting an attack on a single endpoint, but rather figuring out the extent of a coordinated campaign against many endpoints and other devices within your environment.

  • Response: Once you know that you have been attacked, it’s about responding quickly and efficiently. This use case focuses on providing the analyst with the ability to drill down, validate the attack, and determine the extent of the attacker’s actions on all affected device(s), while assessing the potential damage. You’ll also need to be able to figure out effective workarounds and remediations to instruct the operational team to prevent further outbreaks of the same attack. Don’t forget the need to make sure evidence is gathered in a way that does not preclude prosecution (maintaining chain of custody). Response is not a one-size-fits-all function, so the objective here is to assemble a toolkit of sorts for analysts to leverage, while making the technology easy and intuitive to use. Yes, that’s a tall order.

  • Hunting: The adversary doesn’t always trigger an alert that would warrant a validation and response process. But that doesn’t mean they aren’t active on your networks, so the third use case for EDR technology is to proactively hunt for adversaries on your network before they do damage. This is a bit more of an art than a science, since the hunter is more of a detective, having to see signs of the attacker as they work hard to remain hidden.

You’ll need to do all three of these use cases to implement a comprehensive endpoint detection and response process, but the priority of the use cases in your environment will vary based on the adversary you face and the sophistication of your team. As we dig into the key capabilities for EDR technology, always keep in mind not whether you need the capability, but whether you can use the capability. There is a big difference, and you likely bought a ton of security tools over the years that you needed, but couldn’t figure out how to use consistently and effectively.

In the next post, we’ll start peeling back what you need to know specifically about detection.

– Mike Rothman

This is a Security Bloggers Network syndicated blog post authored by info@securosis.com (Securosis). Read the original post at: Securosis Blog