
Partner Perspectives //

Carbon Black

03:30 PM
John Markott

Saving The Security Operations Center With Endpoint Detection And Response

EDR is the beginning of our return to control in the fight against cybercrime.

The endpoint detection and response (EDR) market isn’t about endpoint security, it’s about saving the security operations center (SOC). And I’m not just talking about enhancing our ability to catch the bad guys; I’m also talking about our ability to lower the cost to build and maintain a security team. The fact of the matter is that after years of increasing security budgets, we are continuing to lose ground against cybercrime.

Security today requires a high volume of work. We are drowning in a non-stop flood of security logs and events. The industry touts “advanced analytics” and “correlation,” but honestly, aren’t we continuing to get hacked? What are we missing to make these investments hum? Is there a way to propel our security teams forward, achieving an optimal level of effectiveness?

As a CISO or security leader, choosing where to invest is complex. Do you staff up to address the volume of alerts? Should you add additional context or controls to gain visibility or address gaps? Or do you assess current configurations to tune noisy rules or add rules to address new threats? You can’t address them all at once.

Organizations are dropping like flies, and the average CISO lasts about 18 to 24 months. So how do you, as a CISO or security leader, gain an advantage over the attacker and move to a position of control? It is not an endpoint product but a SOC optimization tool that will propel you to respond faster and more effectively. The end result will put you in the driver’s seat.

To quickly illustrate my point, take the following brief test. The questions posed frame the most universal limitations in security operation centers today. Can your security team answer these questions consistently, confidently, and in a short period of time (minutes)?

  1. When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
  2. When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
  3. If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
  4. When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
  5. When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
  6. What actions took place when an end user opened an email attachment?
  7. What actions took place when an end user clicked on a URL within their email?
  8. What were the step-by-step actions of an identified attack, from start to finish?

If your security team struggled to answer these questions, don’t feel bad. These are common pitfalls of the status quo. This is life without EDR. EDR is a great tool for detecting advanced threats, and as half of the questions show, EDR is the perfect complement to triaging events and alerts triggered by the current controls in your environment.

Whether firewall, intrusion detection/prevention, secure web gateway or even SIEM (security information and event management), EDR is a SOC effectiveness tool that effectively extends and optimizes your existing security architecture and investment. EDR provides visibility and access to data previously unavailable, enabling on-the-spot response. The resulting time savings not only justify EDR’s usage, they lower the cost to maintain and expand your current security operations practice. With time, your security analysts will transform to include incident-response skills. This shift will blur the lines between threat monitoring and incident response, creating perhaps the most epic evolution in security people, process, and technology since the origin of this industry.

What Is EDR Anyway?

Since advanced attackers can effectively slip through security defenses and live on endpoints for an estimated 250 days before being identified, EDR takes the approach of a surveillance camera in a local bank or retail store. EDR records all endpoint activity, creating a pristine record of all actions that occur on critical servers and endpoints. When attackers compromise an endpoint and erase their tracks, the entire chain of events is captured and securely stored for future reference. When an alert of any nature is triggered, EDR provides the method in which security analysts can quickly query to validate threats, eliminate false positives, and look back in time to research and respond. EDR is metaphorically a seat belt in a speeding car, and we know there’s trouble ahead.
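The checklist above (question 3 in particular) and the “chain of events” described here boil down to one query over recorded endpoint telemetry: find the process behind a connection to a known C2 and walk its parent links back to where the activity started. The script below is an added illustration, not code from the article or from any Carbon Black product; the event records, the process IDs and the C2 address are constructed sample data.

```python
"""Answer question 3 of the checklist over EDR-style telemetry: find the process
behind a known-C2 connection and walk its ancestry back to the source.
All records here are constructed sample data, not output of any real product."""
from datetime import datetime

# Constructed event stream: process-start ("proc") and network-connect ("net") records.
EVENTS = [
    {"t": "2016-07-01T09:00:00", "type": "proc", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"t": "2016-07-01T09:01:10", "type": "proc", "pid": 210, "ppid": 100, "image": "outlook.exe"},
    {"t": "2016-07-01T09:05:30", "type": "proc", "pid": 305, "ppid": 210, "image": "winword.exe",
     "cmdline": "winword.exe /n invoice.docm"},
    {"t": "2016-07-01T09:05:42", "type": "proc", "pid": 410, "ppid": 305, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc <elided>"},
    {"t": "2016-07-01T09:05:50", "type": "net", "pid": 410, "dst": "203.0.113.7", "dport": 443},
    {"t": "2016-07-01T09:06:00", "type": "net", "pid": 210, "dst": "198.51.100.2", "dport": 443},
]
KNOWN_C2 = {"203.0.113.7"}  # constructed indicator (TEST-NET-3 address)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def ancestry(procs, pid):
    """Process records from the root down to pid, following ppid links.
    Stops at an unknown parent (lost telemetry) or a cycle (corrupt data)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain

def trace_c2_connections(events, c2_ips):
    """For every connection to a known C2, return who initiated it, the full
    chain of events leading there, and the time from root ancestor to beacon."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for ev in events:
        if ev["type"] != "net" or ev["dst"] not in c2_ips:
            continue
        chain = ancestry(procs, ev["pid"])
        findings.append({
            "dst": ev["dst"],
            "pid": ev["pid"],
            "chain": [p["image"] for p in chain],
            "source_cmdline": next((p.get("cmdline") for p in chain if p.get("cmdline")), None),
            "elapsed_s": int((_ts(ev["t"]) - _ts(chain[0]["t"])).total_seconds()) if chain else None,
        })
    return findings
```

On the sample data the single finding resolves the beacon from PID 410 to the chain explorer.exe → outlook.exe → winword.exe → powershell.exe, with the first recorded command line pointing at the opened attachment; the second connection is ignored because its destination is not a known C2.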

With such a phenomenal data set, EDR can also be considered an endpoint SIEM. Nowhere, not even in big data or SIEM, will you find the quantity or depth of endpoint context that you will with EDR. Ask your security team and you’ll quickly learn that big data and SIEM have size and scale limitations. Data sets such as DNS, firewall, proxy, and endpoint logs are known to “tip over” the storage and processing capabilities of big data platforms and SIEM. This technical limitation causes blind spots and introduces the reality that effective security operations require an EDR overlay and the ability to mine this data for new endpoint attacks. As a result, EDR detection capabilities are synonymous with the correlation and analytics you find in a SIEM.

And when a security incident is identified, EDR provides advanced tooling to take action: banning malicious files from executing in the environment, killing the malicious processes, or quarantining the machines affected. With the best EDR products, you can even gain command line access to the affected machines, taking memory dumps, recording packet captures, and more. And through the analysis of attacks captured by EDR, you can glean the TTPs (tools, techniques, and practices) of the attackers, their tradecraft, as well as the patterns of compromise needed to identify similar techniques in the future.

EDR is the beginning of our return to control in the fight against cybercrime.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...
7/12/2016 | 11:03:29 AM
It's all about the endpoint
Totally agree! Endpoint security is absolutely key! It's something that everyone knows about but seems to forget. Just look at the fact that 63 percent of organizations said they had a printer-related security breach. Makes sense since there are more than 30 million printers and MFDs out there and all are connected to the network.
--Karen Bannan for IDG and HP