What Happens on the Endpoint Stays on the Endpoint

When attacks bypass endpoint security, it can often take months for enterprises to discover them. Some security reports estimate that it takes U.S. companies an average of 191 days to detect a data breach, which lets threat actors stay undetected within infrastructures for a very long time.

Today, companies are continuously seeking ways to modernize endpoint security in order to detect threats faster and ensure effective response across complex infrastructures. Attack forensics is just one element of improving endpoint detection and response. Another critical factor is complete visibility. Intelligence-gathering on what happened before, during and after an attack has never been more vital, not only for the sake of better protecting infrastructures, but also because new laws and legislation such as GDPR require organizations to provide thorough reporting of data breaches.

Traditional endpoint security is focused on identifying and blocking malware and other potential threats. This means it is ill-equipped to give IT and security teams the visibility required to trace back security incidents that were not directly associated with malware.

Best Practices for Deploying Cyberattack Forensics

Attack forensics on endpoints should include a well-laid-out plan of policies and procedures that enable security engineers to understand the value of forensic investigation data and which characteristics of that data are relevant. Effective attack forensics teams have procedures in place to prepare endpoints for evidence retrieval, to authorize the right personnel to retrieve that data and to direct where to store and document the evidence. For example, this means making sure that logs are stored in secure locations, defining who gets to access those logs and determining how those logs are actually stored.

Assessing the evidence is also vital. Investigators need to understand what data is relevant to their investigation, from which systems and platforms they derive and how to (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Liviu Arsene. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/B_Ua1OFNQvU/