Endpoint Detection and Response Products Offer Detailed Insight, But Are Time Intensive
For aviation accidents, in-flight recorders provide crucial technical details around when a mishap occurred. For desktops and laptops that have been attacked by a hacker, the equivalent is endpoint detection and response, or EDR, a popular class of products produced by vendors such as FireEye, Carbon Black, Tanium, CrowdStrike and others.
EDR products are powerful tools that provide a play-by-play of exactly what happened on a computer during and after an attack. The insights can reveal details of how a hacker mounted an attack and moved throughout systems. Programmed with the right rules, EDR products can also cut off potentially infected machines from the network and stem further damage.
Many anti-virus companies have long collected this type of information, but just never made it available to customers. Making that data available spawned a whole new class of products.
But there are caveats: EDR products record so much technical data from endpoints that it can be difficult, without trained specialists, to make sense out of it. That’s challenging for smaller IT security teams, which may not have the resources to get EDR’s full benefits.
Eric Ouellet, a research vice president with Gartner, gave a rundown of what organizations should keep in mind with EDR at the firm’s Security & Risk Management Summit in Sydney on Tuesday. The bottom line? EDR has amazing capabilities, but organizations should be aware of what’s required to make the most of it.
EDR products evolved from anti-malware solutions, which detect malware either by matching known bad binaries (the signature approach) or by predicting that a file is likely malicious based on its behavior.
This approach still works on some levels, but attackers have changed their techniques to work around detection. That includes using in-memory malware as well as legitimate tools, such as Microsoft’s PowerShell scripting language, to move around on systems and appear on the surface to be legitimate users.
“This is where EDR really shines,” Ouellet says. “It’s not that AV is not good. It’s a solution that addresses a very specific model.”
EDR software doesn’t record in-session information, such as what someone is writing in an email or a Word document. Instead, it records very granular information about what a user is doing, such as whether someone visited a certain website, downloaded a document, and whether unusual processes or binaries were launched as a result.
If admins suspect that an attack took place, it’s possible to query other machines running the EDR’s software agent to see whether those computers show the same clues, which may indicate a wider compromise, Ouellet says.
“Now you have narrowed down the potential pool of problematic environments and now you address those,” he says. “You can interrogate this data in a very, very sophisticated and very, very finely detailed way.”
Vendors typically provide a console with a graphic that shows the process flow or history with a timeline, which provides additional insight into what technically happened on an endpoint, Ouellet says. That allows admins to know the right point at which to roll back a machine to an uncompromised state.
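The record-then-query workflow in the three paragraphs above (granular per-host events, a process-flow timeline, and checking the other agents for the same clue) is easiest to see over concrete telemetry. The following is an added example written for this page, not code from the article, from Gartner or from any EDR vendor; the hostnames, process events and the Office-application-spawns-script-host rule are all constructed for illustration, and a real EDR console would expose equivalent queries through its own API rather than a Python list.

```python
"""
Added example, not part of the original article or any vendor's product:
a minimal model of how EDR process telemetry is reconstructed into a
per-host process tree and timeline, how one suspicious parent/child
relationship is expressed as a rule, and how that rule is then run across
every host that reports telemetry. All hosts, events and the rule itself
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: int          # constructed timestamp (seconds)
    pid: int
    ppid: int        # parent pid; 1 is used here as the root
    image: str       # executable name as the agent would report it
    cmdline: str


# Constructed telemetry from three hosts. ws-01 and ws-03 show a Word
# document launching a script host; ws-02 shows only ordinary activity.
TELEMETRY = [
    ProcEvent("ws-01", 1000, 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-01", 1010, 812, 400, "outlook.exe", "outlook.exe"),
    ProcEvent("ws-01", 1020, 905, 812, "winword.exe", 'winword.exe "invoice.docm"'),
    ProcEvent("ws-01", 1025, 990, 905, "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent("ws-02", 2000, 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-02", 2010, 700, 400, "winword.exe", 'winword.exe "report.docx"'),
    ProcEvent("ws-03", 3000, 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-03", 3005, 650, 400, "winword.exe", 'winword.exe "memo.docm"'),
    ProcEvent("ws-03", 3009, 660, 650, "wscript.exe", "wscript.exe macro.vbs"),
]

# Constructed rule vocabulary: an Office application directly launching a
# script host is the "unusual process launched as a result" of a download.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def build_tree(events, host):
    """Index one host's events by pid so ancestry can be walked."""
    return {e.pid: e for e in events if e.host == host}


def ancestry(tree, pid):
    """Chain of images from the root down to pid (the console's process-flow view)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(tree[pid].image)
        pid = tree[pid].ppid
    return list(reversed(chain))


def timeline(events, host):
    """Time-ordered (ts, 'root > ... > image') tuples for one host."""
    tree = build_tree(events, host)
    return [(e.ts, " > ".join(ancestry(tree, e.pid)))
            for e in sorted(tree.values(), key=lambda e: e.ts)]


def find_office_to_script(events, host):
    """Events on one host whose parent is an Office app and whose image is a script host."""
    tree = build_tree(events, host)
    hits = []
    for e in sorted(tree.values(), key=lambda e: e.ts):
        parent = tree.get(e.ppid)
        if parent and parent.image in OFFICE and e.image in SCRIPT_HOSTS:
            hits.append(e)
    return hits


def hunt_fleet(events):
    """Ask every reporting host the same question and return the hosts with hits."""
    hosts = {e.host for e in events}
    return sorted(h for h in hosts if find_office_to_script(events, h))


if __name__ == "__main__":
    for ts, chain in timeline(TELEMETRY, "ws-01"):
        print(ts, chain)
    print("hosts with Office -> script host launches:", hunt_fleet(TELEMETRY))
```

The rule is deliberately narrow; the point of the example is the shape of the workflow, where the analyst first reads the timeline of one suspect host, turns what they saw into a question, and only then fans that question out to the fleet, which is the part of the job Ouellet describes as needing trained people rather than the tool alone.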
So if you have the equivalent of a black-box recording, what do you do next? One of the trickier parts of working with EDR is interpreting masses of data. That’s what Ouellet says has caused some EDR buyers to feel remorse.
“They didn’t anticipate how much work it actually required of their teams to get to do something with this solution,” Ouellet says. “There have to be warm bodies looking at this stuff because otherwise you’re creating an inventory of data that if you’re not actioning it … it’s going to become overwhelming.”
If you don’t have the expertise, it can be easy to overlook signals, Ouellet says. Take WannaCry, the ransomware worm that raged through 300,000 systems in 150 countries in May (see WannaCry Ransomware Outbreak Spreads Worldwide). “You are an active participant in the identification of what you’re looking for in terms of a target,” he says. “You can’t just go and say, ‘I want to find WannaCry within my environment.’ It just doesn’t work. You have to know what the conditions are to allow WannaCry to exist in your environment.”
And that’s tricky, Ouellet says, because the qualified people who are able to make sense of the data are in high demand. But having those people on staff is especially important if organizations want to be proactive and use EDR for threat hunting in real time versus just using EDR’s forensics capability. As a result, some organizations turn to managed services for that task.
“You need not just one smart person,” Ouellet says. “You need a team of people that are going to do this active threat hunting.”
EDR is a premium security tool. Ouellet says it can cost $8 to $10 per seat, with some platforms costing near $30 per endpoint. That’s three to five times the cost of an endpoint protection platform, or EPP. It’s a significant investment if organizations aren’t using an EDR platform to its full capabilities.
However, EDR and EPP are converging, Ouellet says. EDR vendors are adding anti-malware protection into their products, while EPP vendors are adding EDR-like capabilities. EPP vendors have realized the threat that comes from EDR, Ouellet says.
“What we’re seeing is the endpoint protection platform vendors are now in a rush, not only to add the next-gen functionality – like machine learning, software behavior analytics, anti-exploit – but they’re also rapidly running to produce EDR as well,” he says.
That’s essentially good news for end users seeking to get into EDR: EPP vendors are increasingly providing the capabilities. And it’s helpful for those organizations where a pure-play EDR buy might be overkill.
“You really have to consider what you need to get out of it,” Ouellet says.