Endpoint detection and response (EDR) is a driving force of evolutionary change in security operations centres (SOC), shedding light into areas where most organisations are blind.
In today’s network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or the origin of attacks.
To illustrate this point, consider a litmus test of the common limitations in security information and event management (SIEM) and threat monitoring. Because most SIEMs hold insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as:
- Is the attack targeting a critical, sensitive or regulated asset?
- Does the identified exploit target the right operating system or application?
Or the more complex questions such as:
- What process executed a connection to the known malicious IP or URL?
- What occurred following the successful inbound attack?
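The two harder questions above are answerable only when endpoint telemetry (process creation and network connection events) can be joined to the SIEM alert. The following Python is an added example, not code from the original article or from any EDR product: it enriches a constructed SIEM network alert (host, destination IP, timestamp) with a constructed endpoint recording to name the connecting process, its parent chain, and everything that process and its children did afterwards. The event schema, host name, PIDs, command lines and RFC 5737 test IPs are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example (not from the original article): answering
# "which process connected to the flagged IP?" and "what happened next?"
# from endpoint telemetry. Schema and all sample data are constructed.


@dataclass
class EndpointEvent:
    ts: datetime
    host: str
    kind: str            # "process_create" or "net_connect"
    pid: int
    ppid: int            # parent pid (0/1 if unknown or a root process)
    image: str           # executable name
    cmdline: str = ""
    dst_ip: str = ""     # net_connect only
    dst_port: int = 0    # net_connect only


def _t(hhmmss: str) -> datetime:
    return datetime.fromisoformat(f"2024-01-15T{hhmmss}")


# Constructed recording from one workstation; IPs are documentation ranges.
EVENTS: List[EndpointEvent] = [
    EndpointEvent(_t("08:00:03"), "ws-042", "process_create", 3010, 1, "explorer.exe"),
    EndpointEvent(_t("10:04:50"), "ws-042", "process_create", 4120, 3010, "winword.exe",
                  cmdline='winword.exe "C:\\Users\\alice\\Downloads\\invoice.docm"'),
    EndpointEvent(_t("10:05:01"), "ws-042", "process_create", 4188, 4120, "powershell.exe",
                  cmdline="powershell.exe -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1"),
    EndpointEvent(_t("10:05:12"), "ws-042", "net_connect", 4188, 4120, "powershell.exe",
                  dst_ip="203.0.113.10", dst_port=443),
    EndpointEvent(_t("10:05:40"), "ws-042", "process_create", 4230, 4188, "cmd.exe",
                  cmdline="cmd.exe /c whoami"),
    EndpointEvent(_t("10:07:00"), "ws-042", "net_connect", 4188, 4120, "powershell.exe",
                  dst_ip="203.0.113.10", dst_port=443),
    EndpointEvent(_t("10:08:05"), "ws-042", "net_connect", 2210, 3010, "chrome.exe",
                  dst_ip="198.51.100.7", dst_port=443),
]

# Constructed SIEM alert: a firewall saw ws-042 talk to a known-bad IP.
ALERT_TS = _t("10:05:12")


def find_connecting_process(events, host, dst_ip, alert_ts,
                            window=timedelta(seconds=60)) -> Optional[EndpointEvent]:
    """Return the endpoint net_connect event closest to the SIEM alert, or None."""
    candidates = [e for e in events
                  if e.host == host and e.kind == "net_connect"
                  and e.dst_ip == dst_ip and abs(e.ts - alert_ts) <= window]
    if not candidates:
        return None
    return min(candidates, key=lambda e: abs(e.ts - alert_ts))


def process_ancestry(events, host, pid) -> List[str]:
    """Walk the parent chain via process_create events (pid reuse ignored;
    a real EDR keys on a unique process GUID instead of the raw pid)."""
    creates: Dict[int, EndpointEvent] = {}
    for e in events:
        if e.host == host and e.kind == "process_create":
            creates[e.pid] = e
    chain, seen = [], set()
    while pid in creates and pid not in seen:
        seen.add(pid)
        chain.append(creates[pid].image)
        pid = creates[pid].ppid
    return chain


def activity_after(events, host, root_pid, start_ts) -> List[EndpointEvent]:
    """Every event after start_ts from root_pid or any of its descendants."""
    children: Dict[int, List[int]] = {}
    for e in events:
        if e.host == host and e.kind == "process_create":
            children.setdefault(e.ppid, []).append(e.pid)
    tree, frontier = {root_pid}, [root_pid]
    while frontier:
        for c in children.get(frontier.pop(), []):
            if c not in tree:
                tree.add(c)
                frontier.append(c)
    return sorted((e for e in events
                   if e.host == host and e.pid in tree and e.ts > start_ts),
                  key=lambda e: e.ts)


def enrich_alert(events, host, dst_ip, alert_ts) -> Optional[dict]:
    """The context a Tier 1 analyst needs before deciding on the alert."""
    conn = find_connecting_process(events, host, dst_ip, alert_ts)
    if conn is None:
        return None   # no endpoint record: different host, or outside the window
    return {
        "process": conn.image,
        "pid": conn.pid,
        "ancestry": process_ancestry(events, host, conn.pid),
        "follow_on": [(e.ts.time().isoformat(), e.kind, e.image)
                      for e in activity_after(events, host, conn.pid, conn.ts)],
    }


if __name__ == "__main__":
    print(enrich_alert(EVENTS, "ws-042", "203.0.113.10", ALERT_TS))
```

For the constructed data the result names powershell.exe as the connecting process, shows it was spawned by winword.exe under explorer.exe (a document-launched script rather than a browser false positive), and lists the cmd.exe child and the repeat connection that followed. The same three lookups are what a "no EDR" SOC raises a ticket for.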
For organisations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts — particularly in large enterprises or managed security service providers (MSSPs) — have few choices other than to open a ticket and delegate the research to others with access to the targeted machine.
The stakeholder could be in another department or region. For MSSPs, this is the heartbeat of communication between the SOC and customer under attack. Tickets might be answered quickly, but a large majority take days or weeks. Some aren’t answered at all. In fact, due to the substantial delays incurred, special tools have been created to address the hold-up.
One such tool is alert suppression. Using it, mature SOCs can hide repetitive alerts while waiting for information requested from stakeholders. Another technique is to auto-notify and close tickets that receive no response. Finally, it is often easier to simply re-image the machine than to investigate the root cause.
These procedures are typical in the day-to-day lives of threat analysts in the SOC. They are neither slick nor cost effective. Repeated tens (if not hundreds) of times daily or weekly, these procedures drive up organisational costs to an unsupportable level. When we hear people say, ‘I can’t afford to build or staff a SOC,’ it’s not surprising given the status quo. Manual and human-intensive tasks give security a bad name. This is life without EDR.
Life with EDR
The introduction of EDR heralds a major evolution in SOC effectiveness. Threat analysts no longer need to ask others to validate threats, because the data is available for real-time query. With immediate access to the data, three things happen:
- SOC analysts can research and respond to alerts in rapid succession, dramatically increasing the volume of alerts they can handle.
- Armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2.
- By eliminating the high volume of tickets requesting context, MSSP customers and stakeholders in large enterprises are relieved of the deluge of inquiries.
Inevitably, a breach will occur. When it does, a best-in-class EDR solution that includes continuous and centralised recording takes the guesswork out of incident response. The attacker may have erased his/her tracks, but EDR recorded the attacker’s every move with an endpoint DVR, the cyber equivalent of a surveillance camera.
With a complete historical recording of an attacker and his/her actions, incident responders don’t need to fly to the scene of the crime, scrape RAM, or image machines to look for clues. The full recorded history of the attack enables on-the-spot incident response.
EDR represents much more than an endpoint security product; it is causing an evolution in the people and processes used within security operations centres globally. For individual corporations, and for customers who rely on MSSPs to deliver skills and expertise, EDR is a non-optional technology. It is a foundational requirement of the next-generation security operations centre, and the primary reason why we will collapse the average ~250-day gap between attack initiation and discovery.