Endpoint Detection and Response (EDR) Solutions: Expert Tips & Strategies
12 security experts reveal the best approaches and solutions for Endpoint Detection and Response.
Endpoint detection and response is a top concern among organizations today, as security perimeters grow and are constantly in flux. The proliferation of mobile devices, removable storage, and other technologies provides an increasing number of difficult-to-monitor points of entry for hackers.
How should companies approach endpoint detection and response? What are the best solutions for mitigating risks? To gain some insight into these questions, we reached out to a panel of security professionals and asked them to weigh in on this question:
"What are the best approaches and solutions for Endpoint Detection and Response?"
Meet Our Panel of Security Professionals:
David is the managing director of Design Compliance and Security, LLC and is an experienced IT security, compliance and risk management professional. His background includes both being an auditor and assisting small and large businesses with designing, building and maintaining compliance management programs.
"From my experience with improving the security posture of organizations..."
I have found that the weakest link on endpoint devices is not always an element of technology but rather the user. In today's world, users are targeted by outsiders through the use of phishing, social engineering and other techniques that are designed to persuade a user to unlock the door to allow them to come in. If the users are not aware of these threats, then they may actively work against any technology-based solution that you implement to protect your endpoints. Therefore, one of the first things to implement for endpoint protection is a security training and awareness program that includes courses designed to teach the users about these risks. Parallel to that program, I will also begin a simulated phishing campaign in order to test the effectiveness of the training. Users that fall for the simulated phishing emails are given additional training so that they will hopefully do better with future tests. The other element of this program is to create a gamification culture around identifying and reporting attempted phishing and social engineering attempts. As part of the simulated phishing campaign, I will roll out the capability to report suspected phishing emails to employees and run contests to see which department reports the highest percentage of simulated phishing emails.
Of course, no endpoint detection and response solution is complete without having a technology solution that works in tandem with the user training. While there are a lot of great technology solutions for endpoint protection in the marketplace today, they should be selected based upon how they meet the requirements of the organization's security and data protection requirements, budget and risk tolerance.
Jason Remillard, CISSP, MBA is the Founder and CEO of ClassiDocs.com – a Data Classification and remediation platform. He is also the former VP of CISO Global Security Architecture and Engineering at Deutsche Bank. He has been in the security business for over 25 years.
"Endpoint detection has a wide swath of product competitors..."
Most of them are quite capable and do a reasonable job of detection. The real question is – how do they fit into your response model? Response is going to vary by industry, maturity, and capability. Tooling is a part of it, but your IR plan has to be well-defined, exercised and ingrained in your security team before any technology can help you. My personal preference is to try and have the tech take care of as much of the grunt work as possible, leaving true emergencies and/or very complex scenarios for the carbon lifeforms to manage. For example, if malware is detected on a workstation speaking to a CnC machine, that is a well-defined and understood vector. Orchestration can take care of most of the problem without any human intervention (move the machine to a quarantine VLAN, block the ports on egress firewalls/proxies, alert the help desk to send deskside support to assist in cleanup, call the end user, etc). Integrating your response activities should rely on a form of customizable workflow that you can model after the organization.
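The orchestration model described above, where a well-understood vector runs through an automated playbook and anything outside the modelled cases goes to a human, can be sketched as a small rule engine. The block below is an added example written for this article; it is not Jason's code or any vendor's product. Playbook names, the `AUTO_THRESHOLD` value and the constructed alert (a workstation beaconing to a TEST-NET-3 address) are all assumptions made for illustration.

```python
"""Response-orchestration playbook as a data-driven workflow.

Added example, not any vendor's product. Hostnames, addresses and action
names are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    host: str
    category: str            # alert class as labelled by the EDR, e.g. "malware_c2"
    confidence: float        # 0.0 .. 1.0 as reported by the EDR
    indicators: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Action:
    name: str
    target: str


# Playbooks are plain data so the workflow can be remodelled per organisation.
# Each step names an action and which alert field supplies its target.
PLAYBOOKS = {
    "malware_c2": [
        ("quarantine_vlan", "host"),    # move the workstation off the production VLAN
        ("block_egress", "dst_ip"),     # block the C2 destination at egress firewall/proxy
        ("notify_helpdesk", "host"),    # dispatch deskside support for cleanup
        ("call_user", "host"),          # tell the user what is happening
    ],
    "suspicious_script": [
        ("collect_triage", "host"),
        ("notify_analyst", "host"),
    ],
}

# Below this confidence, or for any category without a modelled playbook,
# the alert is routed to a human rather than auto-remediated (assumed value).
AUTO_THRESHOLD = 0.8


def plan_response(alert: Alert):
    """Return (actions, needs_human) for an alert.

    Well-understood, high-confidence cases get the full automated playbook;
    anything else becomes a single escalation so an analyst decides.
    """
    steps = PLAYBOOKS.get(alert.category)
    if steps is None or alert.confidence < AUTO_THRESHOLD:
        return [Action("escalate_to_analyst", alert.host)], True
    actions = []
    for name, target_field in steps:
        target = alert.host if target_field == "host" else alert.indicators.get(target_field)
        if not target:
            # The playbook needs a detail the alert did not carry; do not guess.
            return [Action("escalate_to_analyst", alert.host)], True
        actions.append(Action(name, target))
    return actions, False


if __name__ == "__main__":
    # Constructed alert: workstation beaconing to a C2 address in the TEST-NET-3 range.
    c2 = Alert("ws-0421", "malware_c2", 0.95, {"dst_ip": "203.0.113.9"})
    for action in plan_response(c2)[0]:
        print(f"{action.name:<20} -> {action.target}")
```

The point of keeping playbooks as data rather than code is that the response model can be edited to match the organisation without touching the engine, and that any alert the model does not fully cover (missing indicator, unmodelled category, low confidence) degrades to an escalation rather than a half-executed remediation.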
David Cox is the CEO & Founder of LiquidVPN.
"In terms of the best approaches to endpoint detection and response, I would say..."
Get involved with an ISAO (Information Sharing and Analysis Organization). ISAOs are grouped by sectors, providing cyber security data and best practices for detection and response. Beyond that, I think cloud-based threat-management services are the bedrock of many successful programs. More traditional on-premise solutions require highly trained staff to manage large amounts of raw data and analysts to review and take appropriate action before it is too late. The interoperability of cloud platforms allows SMEs to integrate a broad range of cyber security technologies, quickly build new capabilities, and share information without compromising security policies. Most cloud-driven cyber security platforms are integrating AI and machine learning into their process of sorting and analyzing the massive amounts of data generated by threat intelligence and management platforms. In the next couple years, cloud-based cyber security platforms will be able to process and fully understand the impact of any threat data. The centralized nature of the cloud, AI, and machine learning represent a fundamental shift in threat management.
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm.
"The best approaches to Endpoint Detection and Response are..."
Based on behavior and immediate triage capabilities. The detection portion is based on behavior, because signature detection is becoming out of date. The speed of changes in malware variants and the continuing rise in polymorphic malware are quickly making signatures obsolete. Behavioral analysis has the ability to detect malware by the way it acts, and not how it looks, increasing the likelihood of detection. Thanks to many years of development, behavioral analysis has matured to a level that rarely has false positives for normal end users. The response portion should rely on immediate triage abilities, like grabbing RAM, remote network connections, running processes, and the like. This is extremely helpful for quickly gathering evidence before isolating the suspected host. Therefore, you can avoid choosing between letting things run to collect evidence and immediately stopping the malware, which also eliminates evidence.
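The "collect first, then isolate" sequence above is the part most often done in the wrong order. The block below is an added example written for this article, not Ondrej's or LIFARS' tooling: it runs collectors in order of volatility (memory, network state, process list), hashes each artefact for later integrity checks, and only then calls the isolation hook. The collectors return constructed sample data rather than reading a live host, and the process/connection records are assumptions made for illustration.

```python
"""Volatile-evidence triage before isolation.

Added example only. Collectors return constructed data; a real run would
dump memory and query the OS for sockets and processes.
"""
import hashlib
import json
from datetime import datetime, timezone

# Order of volatility: most transient first, so that isolation (which tears
# down network state) and later steps cannot destroy what an earlier step captures.
COLLECTORS = []


def collector(name):
    def register(fn):
        COLLECTORS.append((name, fn))
        return fn
    return register


@collector("memory")
def capture_memory():
    # Constructed stand-in for a RAM image reference.
    return {"image": "ram-ws-0421.raw", "bytes": 8_589_934_592}


@collector("network_connections")
def capture_connections():
    # Constructed: one established session to a TEST-NET-3 address.
    return [{"laddr": "10.0.5.21:49812", "raddr": "203.0.113.9:443",
             "pid": 4120, "state": "ESTABLISHED"}]


@collector("processes")
def capture_processes():
    # Constructed process list; parent links are what triage follows.
    return [{"pid": 4120, "name": "svchost.exe", "ppid": 2204, "cmdline": "svchost.exe -k netsvcs"},
            {"pid": 2204, "name": "winword.exe", "ppid": 1010, "cmdline": "winword.exe invoice.docm"}]


def triage_then_isolate(host, isolate):
    """Run collectors in order, hash each artefact, then call isolate(host).

    Returns the evidence bundle; isolation happens only after every
    collector has finished, so no evidence is lost to the containment step.
    """
    bundle = {"host": host, "artefacts": []}
    for name, fn in COLLECTORS:
        data = fn()
        blob = json.dumps(data, sort_keys=True).encode()
        bundle["artefacts"].append({
            "name": name,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "data": data,
        })
    bundle["isolated"] = isolate(host)
    return bundle


def suspect_chain(bundle):
    """Follow the parent chain from each process that owns a remote connection.

    Returns a list of (remote address, [process names, child first]); this is
    the 'how did it start' question an analyst asks first.
    """
    arts = {a["name"]: a["data"] for a in bundle["artefacts"]}
    procs = {p["pid"]: p for p in arts["processes"]}
    chains = []
    for conn in arts["network_connections"]:
        chain, pid = [], conn["pid"]
        while pid in procs:
            chain.append(procs[pid]["name"])
            pid = procs[pid]["ppid"]
        chains.append((conn["raddr"], chain))
    return chains


if __name__ == "__main__":
    evidence = triage_then_isolate("ws-0421", lambda h: True)
    for raddr, chain in suspect_chain(evidence):
        print(raddr, "<-", " <- ".join(chain))
```

Hashing each artefact at collection time is what lets the evidence survive scrutiny later: if the memory image or process list is re-examined weeks on, the digest shows it is the same data that was captured before the host was touched.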
Jean Turgeon is the VP and Chief Technologist, Software Defined Architecture for Avaya. He holds an Executive MBA from the University of Ottawa and has more than 30 years of experience in networking design and implementation. In his current role, JT is responsible for defining SDA strategic direction, working across the Avaya portfolio to deliver on automation and orchestration. He also ensures accelerated growth of Fabric Technology deployments and strategic solutions initiatives.
"The days of a fixed network edge defined by an office and a few home workers using corporate laptops are long gone..."
For the last several years, we’ve been living with an “Everywhere Perimeter.” We now connect a wide range of devices to our networks, such as medical imaging systems and video surveillance cameras, and each of these devices creates another potential backdoor path for a hacker. For example, an unprotected endpoint, such as a surveillance camera, could provide the back-door entry into an enterprise network.
It’s widely acknowledged that one of the most overlooked security strategies for protecting this ever expanding perimeter is network segmentation and isolation. A good network segmentation security strategy will provide businesses the ability to create stealth segments that span the entire network. The three core pillars as I call them: hyper-segmentation, stealth and elasticity.
- Hyper-Segmentation allows you to create secure zones across the enterprise to help securely isolate traffic over a single converged network. It creates dead ends: someone who gets access to one virtual segment can’t go elsewhere on the network. If that person has a malicious or criminal intent, the potential for damage can be detected and contained. Today, segmentation is achieved through complex access control lists using VLANs, VRFs or firewall policies. Now, these become optional, not obsolete, as each hyper-segment is isolated by default, unlike the legacy, which is chatty as soon as IP routing is enabled.
- Stealth: By eliminating the dependency on the IP layer to forward traffic flows, it’s possible to hide the topology of the network by leveraging ESPs (Ethernet Switch Paths), which make full use of Ethernet switching while delivering IP shortcuts. This delivers native stealth, meaning that in the event the network is breached, the hacker is unable to see the IP topology and all of its devices. You can’t hack what you can’t see—it’s that simple.
- Automatic Elasticity: An elastic hyper-segment automatically stretches services to the ‘perimeter’ only as required and only for the time needed once successfully authenticated. As applications end, or endpoints/devices close down and disconnect, the networking services retract. This simplifies deployment of hundreds of segments for tens of thousands of endpoints. It also eliminates human error and static configuration — two key causes of many security breaches — by automating network access of devices.
If a hacker is able to connect to a particular network segment, that will be the only segment they can impact; and if they use a DoS or DDoS attack method to flood a segment, only that segment will be seen and impacted.
Being a victim of a data breach is never desirable but what’s far worse is to be victimized and know that practical, affordable steps could have been taken to stop it. While there is no one-size-fits-all solution, there are best practice approaches and solutions to detect and respond to endpoint hacking – such as a network segmentation strategy – that can drastically decrease the effects and reach of a breach.
Eric Hobbs is the CEO of Technology Associates. Hobbs started in 1991 as Network Administrator for a professional liability insurance carrier and was later promoted to IT Manager. In 1997, Eric started Technology Associates with the mission to provide 'Big Company IT' to businesses who do not have an IT staff. Over the years, Eric has worked with businesses large and small to help leverage technology for a competitive advantage.
"The best approach for securing endpoints is multi-layered..."
Your approach should include: 1) patch management, 2) an endpoint-based anti-virus, 3) DNS protection, 4) Anti-Spam, and 5) ransomware protection.
While patching operating systems is a no-brainer, people often forget to patch software running on the PC. Hackers are increasingly taking advantage of this fact with attacks aimed at applications such as Adobe Acrobat, various browsers, etc. Don't assume that you are safe after patching just the operating system.
Deploying your solution(s) is only the first, and often the easiest, step. It takes ongoing management and monitoring to ensure your tools are working as expected, updating properly and configured optimally against the changing threat landscape. If you rely on built-in alerting from your toolset to ensure things are running properly, you most certainly will be disappointed. There is no substitution for back-checking the installation of your security suite. Workstations come and go and new users are configured. This constant change is a prime opportunity for things to get out of alignment without your notice.
Responding to a security issue can be tricky – obviously the first step is isolation through physically separating the impacted machine from the rest of the network. Containment is critical in preventing a single issue from becoming a full scale outbreak. Having a rock-solid backup and data recovery solution is your ace-in-the-hole to getting systems back up and running.
The recovery phase needs to take a measured approach. Don't be too hasty to get systems back up and running without doing your due diligence in discovering how and why the breach occurred in the first place. Isolate the entry point and review your security suite – was it working properly? Review the attack vectors of the infection – how did it work its way in? Be certain to take a systemic approach to breaching so you don't leave yourself open to another attack.
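The "back-check the installation" advice above is easy to state and rarely automated. The block below is an added example written for this article, not Eric's or Technology Associates' tooling: it reconciles the asset list the directory or CMDB believes in against the last check-in the endpoint security console has seen, and reports hosts with no agent, hosts that have gone silent, hosts whose signature set is behind, and agents reporting from hosts the inventory does not know about. The inventory, check-in records, `max_age` and `current_sig` values are constructed assumptions.

```python
"""Back-checking endpoint agent coverage against the asset inventory.

Added example only; the inventory and check-in records are constructed and
no product API is used.
"""
from datetime import datetime, timedelta, timezone

# Constructed: assets the directory/CMDB says exist.
INVENTORY = {"ws-0101", "ws-0102", "ws-0103", "srv-db-01", "lt-sales-07"}

# Constructed: (last check-in, signature version) as reported by the console.
CHECKINS = {
    "ws-0101": ("2024-03-10T08:05:00+00:00", "2024.03.09"),
    "ws-0102": ("2024-03-01T17:40:00+00:00", "2024.02.20"),   # silent for days
    "ws-0103": ("2024-03-10T07:55:00+00:00", "2024.02.20"),   # alive but not updating
    "srv-db-01": ("2024-03-10T08:00:00+00:00", "2024.03.09"),
    "ws-9999": ("2024-03-10T08:01:00+00:00", "2024.03.09"),   # agent on a host not in inventory
}


def audit_coverage(inventory, checkins, now, current_sig, max_age=timedelta(hours=24)):
    """Compare inventory with agent check-ins and classify every gap.

    missing  - in inventory, never checked in (no agent, or never deployed)
    stale    - last check-in older than max_age (agent dead, host off, or removed)
    outdated - checking in but not on the current signature set
    unknown  - agent reporting from a host the inventory does not list
    """
    report = {"missing": set(), "stale": set(), "outdated": set(), "unknown": set()}
    for host in inventory:
        rec = checkins.get(host)
        if rec is None:
            report["missing"].add(host)
            continue
        last_seen, sig = rec
        if now - datetime.fromisoformat(last_seen) > max_age:
            report["stale"].add(host)
        if sig != current_sig:
            report["outdated"].add(host)
    report["unknown"] = set(checkins) - set(inventory)
    return report


if __name__ == "__main__":
    now = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    for kind, hosts in audit_coverage(INVENTORY, CHECKINS, now, "2024.03.09").items():
        print(f"{kind:<9}", ", ".join(sorted(hosts)) or "-")
```

Run on a schedule, the "missing" and "unknown" buckets are the ones that catch the situation Eric describes: workstations that were imaged without the agent, and machines that appeared on the network without ever entering the inventory.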
Scott B. Suhy
Scott B. Suhy is the Chief Executive Officer of NetWatcher. As an entrepreneur, Scott has successfully built businesses for large, mid-size and start-up companies over the past 25 years. Scott has a great balance of deep technical skills, broad leadership, and business experience. Prior to NetWatcher, Scott co-founded PointAbout (a mobile applications company sold to 3Pillar Global), grew GreenLine Systems (a data analytics company sold to AT Solutions) and was a General Manager at Microsoft for over 15 years. Scott has a BS in Engineering from the University of Pittsburgh.
"It's important to have visibility to corporate asset behavior on and off the corporate network..."
Employees take assets home, on business travel, and on vacation, and they connect those assets to insecure WiFi networks across the globe. Unfortunately, most solutions today only provide visibility to the asset while it is on the local network, and if the asset is attacked, the user can easily bring the problem back to headquarters. However, several new security-as-a-service endpoint solutions are starting to appear that provide a secure VPN and intrusion detection, log ingestion, and advanced correlation of asset data when the asset is off the corporate network. This allows the team responsible for corporate assets to deal with the isolated issue prior to the asset connecting back to the corporate network.
Michael is a network engineer from Accelerated Connections Inc., a Canadian ISP and Private Network provider for large distributed enterprises.
"The best approach to securing your work environment is..."
By taking a multi-pronged approach: protecting your perimeter and endpoints, and monitoring the environment. Protecting with a next generation firewall secures your perimeter just as you would put locks on your doors and windows. It acts as a net to catch and prevent exposure to and from the outside world and filters out malicious traffic from reaching your endpoints. Endpoint security should use both an anti-malware/virus scanner, as well as an advanced malware protection (AMP) agent to monitor file level activity. Anti-malware scanners use signature based technology to protect against known threats that have been identified in the global security community, whereas AMP uses algorithms to monitor traffic and file level access to determine malicious behavior. This provides the ability to assess, restrict and track where a malevolent file has been in your environment.
This approach is different from scanning. It can protect against a previously identified “good” file that has now gone rogue, and isolate that endpoint and other endpoints in the environment the malware has spread to. Combining endpoint protection with perimeter-based solutions ensures that if something slips through the firewall or if someone brings malware into the office via a USB key or infected laptop, it can be secured without hours of assessment and administrative headache. Having these products in place is critical to securing your environment; however, it is also important that you monitor your deployment through security information and event management (SIEM) systems. Knowledge is half the battle and SIEM solutions provide visibility into what is happening in real-time in your environment through alerts and reporting. This is a critical component to securing your environment. If you don’t have visibility you are blindly trusting tools to do their jobs.
Dr. Christopher Pierson
Dr. Pierson is the Chief Security Officer & General Counsel for Viewpost. As a recognized cybersecurity & privacy expert he serves on the DHS’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee, is a Distinguished Fellow of the Ponemon Institute, and previously was the Chief Privacy Officer for the Royal Bank of Scotland (RBS).
"When looking at endpoint protection..."
You have to first determine what risks you are trying to protect against. Ensuring your endpoints have anti-malware protection, a data loss prevention solution that monitors sensitive data, encryption of data in transit and at rest, an intrusion prevention system (IPS), an intrusion detection system (IDS), and control of and communication from ports such as a firewall is critical to success.
In addition, it is really becoming a best practice to deploy forensic tools to endpoint machines, behavioral-based or machine learning tools that scan for malicious traffic and actions, and systems that include Indicators of Compromise (IoC) and can identify when a computer is talking to another known bad network or computer. More recently, the machine-based learning and behavioral identification and defense controls have gained steam by looking at patterns of known bad behavior, spikes in these activities, and times and locations when and where this activity should either be happening or not. By identifying each endpoint’s baseline, security operations can examine when things spike into malicious behavior. These same tools can find patient zero, segregate bad machines or processes, and allow for forensic response to begin.
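The baseline-and-spike idea above, combined with IoC matching and a check on when activity is expected, can be shown in a few dozen lines. The block below is an added example written for this article, not Dr. Pierson's or Viewpost's tooling: it derives a per-endpoint baseline from fourteen days of constructed outbound-connection counts, flags a day whose volume is far outside that baseline, matches destinations against a (constructed) known-bad list in the TEST-NET-3 range, and flags hours of activity outside an assumed working-hours window. The history, the IoC set, `WORK_HOURS` and the z-score threshold are all assumptions.

```python
"""Per-endpoint baseline, IoC matching and time-of-day checks.

Added example only; telemetry and the known-bad list are constructed.
"""
import statistics

KNOWN_BAD_HOSTS = {"203.0.113.9"}       # constructed IoC feed (TEST-NET-3 address)
WORK_HOURS = range(7, 20)               # assumed: 07:00-19:59 is expected activity

# Constructed: outbound connection counts per endpoint for the last 14 days.
HISTORY = {
    "ws-0421": [120, 131, 118, 125, 140, 122, 119, 130, 127, 121, 135, 124, 128, 126],
    "srv-db-01": [3000, 3100, 2950, 3050, 2980, 3120, 3010, 2990, 3060,
                  3030, 3080, 2970, 3040, 3005],
}


def baseline(counts):
    """Mean and population standard deviation of an endpoint's own history."""
    return statistics.mean(counts), statistics.pstdev(counts)


def score_day(host, today_count, destinations, hours_active,
              history=HISTORY, z_threshold=3.0):
    """Return a list of human-readable findings for one endpoint-day.

    An empty list means nothing departed from that endpoint's own baseline,
    no destination matched the IoC set, and all activity fell in WORK_HOURS.
    """
    findings = []

    # 1. Volume against the endpoint's own baseline, not a fleet-wide number,
    #    so a busy database server is not compared with a quiet workstation.
    mean, sd = baseline(history[host])
    z = (today_count - mean) / sd if sd else 0.0
    if z > z_threshold:
        findings.append(
            f"volume spike: {today_count} vs baseline {mean:.0f}±{sd:.0f} (z={z:.1f})")

    # 2. Known-bad network or computer, straight from the IoC set.
    bad = sorted(set(destinations) & KNOWN_BAD_HOSTS)
    if bad:
        findings.append("known-bad destination: " + ", ".join(bad))

    # 3. Activity at hours when this endpoint should not be busy.
    odd = sorted(h for h in set(hours_active) if h not in WORK_HOURS)
    if odd:
        findings.append("activity outside expected hours: "
                        + ", ".join(f"{h:02d}:00" for h in odd))
    return findings


if __name__ == "__main__":
    # Constructed day: a workstation bursting to 900 connections, one of them to the
    # known-bad address, with activity at 02:00 and 03:00.
    for line in score_day("ws-0421", 900, ["198.51.100.4", "203.0.113.9"], [2, 3, 10]):
        print(line)
```

The threshold of three standard deviations is a starting point, not a rule; the useful property is that each endpoint is judged against itself, which is what makes the same logic applicable to both the workstation and the database server in the sample history.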
Nir Gaist is the CEO of Nyotron, a cyber security company.
"The best approach for endpoint protection is to..."
Use a threat-agnostic defense solution. A threat-agnostic approach is able to stop every threat imaginable, including threats yet to be conceived. Unlike traditional endpoint security solutions, such as signature-based antivirus, threat agnostic security proactively detects, prevents, responds to, and analyzes known and unknown threats, regardless of the type of attack, who generated it, or how, where, or when the attack penetrated the organization.
Brady Keller works for Atlantic.Net, a hosting solution for businesses seeking enterprise-class data centers. They provide Cloud, Dedicated, HIPAA Compliant, and Managed hosting with both domestic and international data center locations.
"When I think about the best approach and solution to Endpoint Detection and Response..."
The resounding answer is prevention. By providing awareness training and educating users about the potential for dangerous malware, viruses, ransomware, phishing schemes, and other damaging tactics, you can minimize the amount of time it takes for detection and response. Users should also be performing updates and adding patches regularly. This greatly increases security and can drastically reduce preventable cyberattacks. Educating users and applying software updates are both preventative measures. However, in the event of an actual breach, it will come down to the qualified members of your IT team. By hiring experienced team members who are prepared, organized, and highly responsive, you will be ready for any attack that may come your way. So be careful with your hiring, take a lot more time, look at a lot more candidates, check a lot more references and don't just make a hire out of desperation.
Mordechai Guri, Morphisec's Chief Science Officer, has more than 20 years of practical research experience. He is lead researcher and lab manager at the Ben Gurion Cyber Security Research Center and was awarded the prestigious IBM PhD International Fellowship (2015-2016). Guri manages academic research in various aspects of cybersecurity to the commercial and governmental sectors.
"The unceasing arms-race between cyber attackers and cyber defenders has gained unprecedented levels of sophistication and complication..."
As defenders adopt new detection and response tools, attackers develop various techniques and methods to bypass those mechanisms. Deception techniques have traditionally been among the favorite methods in the attackers' arsenal. Moving Target Defense (MTD) aims at creating asymmetric uncertainty on the attacker's side, by changing the attack surface. The US Department of Homeland Security (DHS) defines MTD as "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts."
MTD is the best approach to protect and respond to endpoint threats because absolute security is not an achievable goal; there is an asymmetry between the attackers' and the defenders' costs and efforts. Therefore, there is a need to implement a new paradigm for changing the costs and efforts in this adversarial game.