October is Cyber Awareness Month. To mark this I’m writing about a subject that is close to my heart, a subject I believe is our best chance of keeping our adversaries and bad-actors at bay.
Specifically, I mean the proactive detection of cybersecurity incidents within Federal Government infrastructure, and the use of technology to drive Endpoint Detection and Response (EDR) toward active cyber hunting, incident response, and remediation.
Ours is a world that is constantly under attack.
In 2020, the Cybersecurity & Infrastructure Security Agency (CISA) worked to accelerate the removal of more than 7,000 fraudulent domains and blocked more than 6,829 malicious domains from attacking Federal networks.
Chief Information Security Officers (CISOs) in Government agencies understand the importance of incident response in the context of an overall enterprise risk management strategy. The common move to “shift right” on the prevent-detect-respond scale, placing more emphasis on detection and response, underscores how essential it has become for CISO-led teams to have effective tools, processes, and procedures to support their incident response program.
This new emphasis builds on a mature base. Incident response has been an element of security programs since their inception, and most CISOs understand how to handle an ongoing case or exploit incident. What might not have been as clear at the outset, but has now become critical, is the role that EDR capabilities play in assuring that incidents are detected, analyzed forensically, and responded to rapidly.
Keep a 360-degree view
Security teams need an EDR tool with 360-degree endpoint visibility to validate, analyze, scope and respond to incidents quickly and completely. Best-of-breed Endpoint Detection and Response (EDR) solutions empower organizations to tackle the most advanced forms of attack at the endpoint, whether from external actors or internal threats.
The increase in the frequency of attacks has accelerated the need for EDR solutions to provide artifact-level detail and full visibility. OpenText EnCase Endpoint Security produces more artifact-level detail on average when compared to many other similar technologies. Having 360° visibility into the attack reduces the risk of attackers going undetected.
Endpoint telemetry helps provide a more complete picture of an attack. Without it, security teams may lack awareness of when and how they are being compromised. Leading EDR solutions use telemetry detection to accelerate incident response by giving security teams the power to detect and act swiftly.
EnCase Endpoint Security is designed with automation and operational efficiencies that help incident responders find and triage security incidents faster allowing organizations to get back to a trusted state faster, reducing the risk of potential loss or damage.
Real-time detection of endpoint security threats
Security teams need to redefine their workflow from a passive ‘alerting’ mode to proactive ‘threat hunting’, actively scanning for anomalies indicative of a security breach. The EDR tool builds a baseline of endpoint activity that is used to detect anomalous behavior, or to reconstruct how a data breach occurred using historical intelligence.
However, security teams don’t always have the capacity to manually detect, respond to, and defend against the latest cyber threats in the time required. There can also be delays when EDR providers rely on collecting telemetry into a central location for interrogation rather than running an active agent on the endpoint. Performing detections directly on the endpoint reduces the time it takes to identify a threat.
In the MITRE Engenuity’s ATT&CK R3 Evaluations, OpenText EnCase Endpoint Security recorded more than 99% of the detections in real-time. When a breach occurs and time is of the essence, EDR software must detect threats in real-time and present notifications in an easy-to-read interface for the fastest response.
Faster response to malicious activity
EDR tools accelerate response time, significantly reducing the risk of data loss and damage to systems. EnCase Endpoint Security, for instance, reduces triage time by up to 90%, helping incident response (IR) teams validate and assess the impact of malicious activity – even polymorphic or memory-resident malware. Organizations can realize even greater efficiencies by integrating EnCase Endpoint Security with third-party alerting technologies via RESTful APIs.
However, much is made of speed and how quickly security tools can run queries on certain endpoints. While speed is important, the depth of endpoint visibility enabled by your EDR solution is far more critical. An EDR solution should be able to see beyond the standard APIs and system logs of the OS and, ideally, reach inside email, the cloud, and on-premises repositories.
Most importantly, EDR should not trample over the forensic residue left on the endpoint by every user and application interaction, including residue hidden in file systems and memory that OS vendors never intended you to view. Instead, it must preserve those forensic artifacts for root cause analysis.