2017 was a year of massive data breaches – organizations like Equifax, Uber, Deloitte, Forever 21, OneLogin, Verizon, and Arby’s all made headline news. Even with technological advancements and wide adoption of perimeter-based protection platforms, organizations continued to fall victim to cyber criminals.
That’s because while perimeter-based solutions are needed, they can never provide 100% protection from the most sophisticated forms of attacks. Moreover, as long as people are responsible for making critical security decisions, human error will often result in vulnerabilities. Some of the largest data breaches in 2017 were a direct result of unpatched applications, misconfigured cloud instances, and third-party breaches. So the combination of an evolving threat landscape with the poor execution of standard security best practices has led to increased data breaches.
Adopting a mindset of continuous compromise
So what’s needed to mitigate these known and unknown risks and reduce the likelihood of any given security incident becoming a full-blown data breach? One approach is to build an incident response team with a mindset of continuous compromise. An incident response team that is not only well-trained and equipped, but primed with an ‘already breached’ mentality would better promote continuous monitoring, proactive threat hunting, and regular penetration testing.
It’s accepting the fact that hidden threats are already in an organization’s network; the objective is to reduce the opportunities available to adversaries while enabling analysts to identify these threats quickly. This ‘continuous compromise’ mentality, coupled with incident response tools like Endpoint Detection and Response (EDR) solutions, can mean the difference between catching suspicious activity early and suffering the exfiltration of data.
Endpoints remain the constant
Gartner Research first defined the category of ‘Endpoint Threat Detection and Response’ (ETDR, later shortened to EDR) in a July 2013 blog. This classification was created to differentiate a security focus on hosts and endpoints versus the network, unknown threats versus signature-based malware, and response versus protection.
EDR tools would become the means by which incident responders could detect many forms of threats (both insider and outsider), contain and remediate cyber attacks, and mitigate security and regulatory risks. The importance of endpoint security stems from an evolving digital transformation whereby networks, compute, storage, and workflows are now increasingly virtualized, managed by third parties, or in the cloud. EDR addresses the one constant within every organization and still an incredibly vulnerable attack vector – the endpoint.
Today, the market largely accepts that traditional signature-based antivirus tools are no longer effective against advanced forms of attacks, including Advanced Persistent Threats (APTs) which are highly sophisticated and evasive attacks specially designed to bypass traditional antivirus products.
EDR tools, however, are designed to gather and store important artifacts and telemetry data such as system events, user communications, network activities, and indicators of compromise (IOCs), and then investigate anomalies with forensic and analytic capabilities. EDR solutions can complement traditional signature-based tools, integrate with Security Information and Event Management (SIEM) systems, or function as a standalone product.
Critical components to threat detection
There is no silver bullet for preventing data breaches; therefore EDR needs to be a vital component of every company’s cybersecurity defense. After the inevitable cyber-attack, having a team with the right continuous compromise mindset equipped with EDR will best position any organization to quickly detect and remediate the threat, while providing the means to address government-mandated notification requirements, alleviate third-party vendor concerns, and answer board-level inquiries.
Having an EDR solution, like EnCase Endpoint Security, dramatically decreases the cost, complexity, and time of traditional root cause investigations, mitigates both known and unknown risks, and reduces the likelihood of your organization making headline news for a data breach.