As organizational perimeters dissolve and the number of devices needed to conduct business grows, securing your company and its endpoints against escalating and evolving threats is harder than ever. A comprehensive Endpoint Detection and Response (EDR) program helps you discover assets, manage your endpoints, close security weaknesses, detect and block malicious activity, and cut the time to remediation, all of which improve your security posture.
So what does a modern, mature EDR program look like? At its core it combines technology (the software best suited to your specific environment) with the discipline and expertise of your IT and security teams. But where do you start? These six tenets should show you the way.
As you establish persistent, accurate visibility, you will uncover assets that are not under management. Today's EDR tools are designed to surface devices you may not have known existed; many companies discover thousands of unmanaged assets this way. Once those assets are visible, they can be enrolled, managed and protected.
Companies establishing successful EDR programs also record and analyze not just indicators of compromise (IOCs: artifacts such as file hashes, domains and IP addresses left behind by a breach that has already occurred), but also indicators of attack (IOAs: behaviors, such as an Office application spawning a script interpreter, that reveal an attack in progress).
Think of the analogy of a crime scene. An indicator of compromise shows you what happened after the crime took place: it is a cold scene. The police assemble clues from what they find there, such as a weapon, a broken window, missing files or fingerprints. These are all signs that an event has already happened. With an indicator of attack, investigators arrive as the crime is unfolding, because their analysis and forensics work told them where to look, and they can either witness it as it happens or step in and stop it. For your cybersecurity, that is an important distinction. More and more companies now track both indicators of compromise and indicators of attack, because the tools that make this possible have become more advanced and more affordable.
Malware attacks are escalating, and destructive malware even faster. Destructive malware targets computer systems with the goal of wiping them or rendering them inoperable.
For successful EDR, organizations need tools and cybersecurity experts able to find malware that has never been seen before, or at least never in the company's environment, and therefore has no signature to match. How? Start by looking at activity that seems innocuous or "normal." All it takes is one malicious attachment to arrive by email at the desk of a busy professional who opens the document, and you have an infected machine. At first that machine may not look infected; the activity can pass for normal for quite a while. A next-generation EDR solution, paired with experienced analysts, must be able to recognize the anomaly on any endpoint as quickly as possible.
The goal is to reduce dwell time, the interval between the point of entry and the point of discovery. The shorter, the better. Today companies still measure dwell time in weeks and months, sometimes years, which is bad news when a system can be fully compromised within minutes of entry. By continually shrinking dwell time, companies significantly reduce their risk. The ultimate goal is zero dwell time, but the industry isn't there yet.
How a Security Operations Center (SOC) can help
Since building, implementing, running and managing a 24/7 SOC is cost-prohibitive for most organizations, many companies engage an external SOC to handle their security operations, threat monitoring, detection and response needs. SOCs have historically been used by larger organizations with bigger budgets. However, according to a recent Gartner report, the escalating threat environment and the shift in security defense from prevent (alone) to prevent, detect and respond have encouraged adoption of SOCs by a wider user base.[1] Many companies also find success through the more budget-friendly option of relying on managed security services (MSSs) to offset the cost of 24/7 SOC operations and fill coverage and skills gaps, either tactically or as part of their long-term strategies.
Let's say you have found something in your environment. You have to get your arms around it and corral every impacted asset, everything that could potentially be infected by the same malware. To do this effectively, companies need to look beyond the host where the infection was first found. But how?
It goes back to that persistent, accurate view. When you see your portfolio of IT assets, you see what each asset does, what is installed on it, how it is configured, and so on. The attributes captured in your initial inventory give you what you need to scope an incident and head off the next one. For example, say you detect malware on Machine A. If Machine B is configured the same way (same OS build, same vulnerable application version, same exposed service), you should assume Machine B is exposed to the same malware and check it, rather than waiting for it to trigger an alert. When a company scopes an ongoing attack this way, it sees the likely future impact at the same time as the current one.
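As an added example (not the article's own code, and not any vendor's product), here is how an analyst can put the inventory to work for the Machine A / Machine B scoping described above. The inventory, host names and version strings are constructed, and the attribute names are illustrative. Given the compromised host and, optionally, the facts the malware is known to depend on, it returns the other hosts ranked by how closely their configuration matches, and flags hosts with no EDR agent, since those cannot be contained through the EDR console.

```python
"""Added example, not from the original article: using the asset inventory to
scope which other machines are exposed to malware found on one host."""

# Constructed inventory: host -> OS build, whether the EDR agent is deployed,
# and installed software versions. All values are made up for this example.
INVENTORY = {
    "ws-017": {"os": "Windows 10 22H2", "agent": True,
               "software": {"office": "16.0.1", "java": "8u202", "chrome": "118"}},
    "ws-042": {"os": "Windows 10 22H2", "agent": True,
               "software": {"office": "16.0.1", "java": "8u202", "chrome": "121"}},
    "ws-099": {"os": "Windows 11 23H2", "agent": True,
               "software": {"office": "16.0.3", "chrome": "121"}},
    "srv-db1": {"os": "Windows Server 2019", "agent": False,
                "software": {"java": "8u202"}},
}


def fingerprint(attrs):
    """Flatten one host's attributes into a set of (key, value) facts."""
    facts = {("os", attrs["os"])}
    facts.update(("sw:" + name, ver) for name, ver in attrs["software"].items())
    return frozenset(facts)


def exposed_hosts(inventory, compromised, required=None):
    """Rank the other hosts by how closely they match the compromised one.

    required: facts the malware is known to depend on (for example a specific
    Java version); hosts lacking any of them are dropped. Without it, every
    other host is returned, ranked by Jaccard similarity of its fingerprint
    to the compromised host's. 'managed' is False when no EDR agent is present.
    """
    base = fingerprint(inventory[compromised])
    required = set(required or ())
    results = []
    for host, attrs in inventory.items():
        if host == compromised:
            continue
        fp = fingerprint(attrs)
        if not required <= fp:
            continue
        score = len(base & fp) / len(base | fp)
        results.append({"host": host, "score": round(score, 3),
                        "managed": attrs["agent"]})
    results.sort(key=lambda r: (-r["score"], r["host"]))
    return results


if __name__ == "__main__":
    # Malware found on ws-017; first pass with no knowledge of what it needs.
    for r in exposed_hosts(INVENTORY, "ws-017"):
        print(r)
    # Second pass once analysis shows it depends on Java 8u202.
    print(exposed_hosts(INVENTORY, "ws-017", required={("sw:java", "8u202")}))
```

The similarity score is a triage heuristic for deciding which hosts to sweep first, not proof of infection; the `required` facts should come from analysing the sample (the version it exploits, the service it needs), and an unmanaged host that matches is the one to worry about, because the EDR agent cannot isolate it.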
This is persistent threat hunting: proactively searching for threats in your environment, whether they are active now or could strike later. Threat hunting is demanding; it requires a practical understanding of how attackers operate, strong critical thinking, acute problem-solving skills and deep technical expertise. There are many security-relevant datasets to investigate, and the best practice is not to depend on any one source but to gather and correlate several for a more complete, timely and accurate picture. According to the Cybersecurity Insiders 2019 Threat Hunting Report, the most widely used data sources are external threat intelligence feeds (57%), file activity data (51%) and system patch status (47%).[2]
Because hundreds of thousands of companies and millions of networks are targeted worldwide, security teams can study that external traffic, noise, targeting, malware and breach data and use it to enrich their own intelligence. Beyond reading the news, forums and blogs, examine what you gather and work out how it applies to your company's particular environment. Many companies find that paid subscription threat intelligence feeds are the most effective way to gather relevant information.
Look for feeds that give you granular, technically detailed indicators: file hashes, domains, IP addresses, mutex names, registry keys and the like. These are the concrete facts you can immediately turn around and sweep your own environment for. Ask, too, how quickly the provider retires stale indicators, because an out-of-date feed produces noise rather than detections.
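The following added example (not from the article, and not any product's detection logic) runs two checks over the same constructed endpoint telemetry: a sweep for the atomic indicators a feed delivers, as in the paragraph above, and a behavioral rule of the indicator-of-attack kind described earlier (an Office application spawning an encoded PowerShell command that then makes an outbound connection). Every host name, hash, domain and address is constructed; 203.0.113.45 is from a documentation address range. The point it shows is that the IOC sweep finds only what the feed already knows, while the IOA rule flags the host whose tooling has no indicator yet, and stays quiet on the host whose Office-to-PowerShell chain looks benign.

```python
"""Added example, not from the original article: an IOC sweep and an IOA
rule over constructed endpoint telemetry."""

# Constructed threat-intel feed: indicator type -> {value: label}.
# The hash is a placeholder; the domain and IP are documentation values.
IOC_FEED = {
    "sha256": {"3f2a9c0e" * 8: "Dropper.Example"},
    "domain": {"update-check.example.net": "Example-C2"},
    "ip": {"203.0.113.45": "Example-C2"},
}

# Constructed telemetry, ordered by time. 'process' events carry the parent
# pid; 'netconn' events carry the pid that opened the connection.
EVENTS = [
    {"ts": 100, "host": "ws-017", "type": "process", "pid": 410, "ppid": 300,
     "image": "WINWORD.EXE", "sha256": "a" * 64},
    {"ts": 101, "host": "ws-017", "type": "process", "pid": 411, "ppid": 410,
     "image": "powershell.exe", "sha256": "b" * 64,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": 103, "host": "ws-017", "type": "netconn", "pid": 411,
     "dst_ip": "203.0.113.45", "dst_domain": "update-check.example.net"},
    {"ts": 200, "host": "ws-042", "type": "process", "pid": 900, "ppid": 1,
     "image": "svchelper.exe", "sha256": "3f2a9c0e" * 8},
    {"ts": 300, "host": "ws-099", "type": "process", "pid": 55, "ppid": 50,
     "image": "WINWORD.EXE", "sha256": "a" * 64},
    {"ts": 301, "host": "ws-099", "type": "process", "pid": 56, "ppid": 55,
     "image": "powershell.exe", "sha256": "b" * 64,
     "cmdline": "powershell.exe -File report.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Which event field holds which indicator type.
IOC_FIELDS = (("sha256", "sha256"), ("dst_domain", "domain"), ("dst_ip", "ip"))


def ioc_sweep(events, feed):
    """Return (host, ioc_type, value, label) for every event field that
    matches an indicator in the feed. Finds only what the feed already knows."""
    hits = []
    for ev in events:
        for field, ioc_type in IOC_FIELDS:
            value = ev.get(field)
            if value and value in feed.get(ioc_type, {}):
                hits.append((ev["host"], ioc_type, value, feed[ioc_type][value]))
    return hits


def ioa_detect(events, window=60):
    """Behavioral rule: an Office app spawns a shell, and the child either
    runs an encoded command or opens a network connection within 'window'
    seconds. An Office-to-shell chain alone is not enough to fire, so the
    benign-looking report script on ws-099 stays quiet."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if ev["type"] != "process" or ev["image"].lower() not in SHELLS:
            continue
        parent = procs.get((ev["host"], ev["ppid"]))
        if parent is None or parent["image"].lower() not in OFFICE_APPS:
            continue
        reasons = ["office_spawned_shell"]
        if "-enc" in ev.get("cmdline", "").lower():
            reasons.append("encoded_command")
        if any(n["type"] == "netconn" and n["host"] == ev["host"]
               and n["pid"] == ev["pid"] and 0 <= n["ts"] - ev["ts"] <= window
               for n in events):
            reasons.append("child_network_connection")
        if len(reasons) > 1:
            hits.append({"host": ev["host"], "pid": ev["pid"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_sweep(EVENTS, IOC_FEED))
    print("IOA hits:", ioa_detect(EVENTS))
```

Run the sweep with a feed that does not yet carry the C2 domain and address (only the dropper hash) and ws-017 disappears from the IOC results entirely, while the IOA rule still flags it; that gap is the dwell time a behavior-based detection buys back.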
The EDR Bottom Line
Ideally, an effective next-generation EDR solution delivers some or all of these six attributes, in some capacity, in a highly scalable and flexible way, with minimal impact on end users and administrators. And if you have the time and budget to run a proof of concept of your proposed EDR solution in your live environment, you will significantly improve your program's effectiveness.