OpenText at RSA: Detection and response from the bottom up

A unique approach to EDR at Enterprise Scale

It’s 2019, yet the fact still remains: attackers can compromise a network in a matter of minutes, but only a fraction of breaches are discovered as quickly. Most breaches – 68% according to the latest Verizon Data Breach Investigations Report (DBIR) – go undetected for months. The graphic below from the DBIR provides a sobering look at just how wide the gulf is.

This means attackers are spending a great deal of time moving laterally through security environments, performing reconnaissance, and escalating privileges, with the objective of locating and exfiltrating sensitive data.

Security, by its very nature, must be reactive. Security tools are based on what we see and learn about how attackers invade networks and endpoints. Most tools available today deliver endpoint detection and response (EDR) via a top-down approach focused on only the malware and files.

OpenText™ EnCase™ flips this on its head, offering a bottom-up approach to threat detection and response that leverages our forensic expertise and offers unobstructed insight into machines, data, and application interactions. OpenText built EnCase by starting at the bottom and reverse-engineering operating systems. This gives OpenText EnCase unhindered access to data, direct visibility into the movement of that data, and visibility into common hiding places for attackers. Forensic-level visibility is unique to EnCase and sets our solutions apart from other EDR tools.

Continuous monitoring and scale

So, if the goal is to detect compromises more quickly, how can that be done? Most EDR products offer some form of continuous monitoring – an always-on approach to collecting data for threat analysis. The benefit is obvious: with a real-time view of data, problems can be detected more quickly.

However, the drawbacks of collecting all the data, all the time, are equally obvious. Many common approaches to EDR build a full-scale replica of an organization’s data. It’s easy to see how this may even be counter-productive at an enterprise scale of 100,000+ endpoints. Issues include:

  • Installation of oversized agents and/or multiple agents: Agents from some EDR vendors swell to as large as 2GB when continuously monitoring, which is too burdensome to be acceptable.
  • Unnecessary or excessive scanning: Is there really a threat model that requires continuously monitoring the marketing intern’s machine? Or does a scan per week do the trick? What about a high-value server or CXO machine?
  • Over-collection of data: Security teams are looking for the proverbial needle in a haystack. Continuous monitoring approaches that make the haystack larger aren’t helping – there is just too much noise and irrelevant data.
  • Scalability: Every enterprise CISO must ask, “will this work on every machine I want it to, across the entire enterprise, without breaking anything?” If the answer is no, then this is not a solution that can effectively scale in an enterprise environment.

Now, compare these traditional approaches to the continuous monitoring available in OpenText™ EnCase™ Endpoint Security that boasts:

  • A small agent footprint via the enhanced EnCase agent. The enhanced agent is actually a stripped-down version of EnCase that uses a unique set of plugins to run tasks on the endpoint.
  • Custom global scan frequency and segregation, depending on your needs
  • Customizable filters to ensure we only collect the right data
  • A pull instead of push methodology when collecting, avoiding a burden on systems and end-user performance. When an anomaly is detected, the enhanced agent generates an event and makes a request of the EnCase Endpoint Security server. The request is added to the task queue, and the first available IR person reaches out to the endpoint and pulls the needed data. This prevents the server from being inundated with requests.
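The following is an added illustration of the pull model described above; it is example code written for this page, not OpenText's agent or server code, and the queue size, priorities and endpoint artifacts are constructed assumptions. The point it makes concrete is the separation of duties: the agent submits a few bytes of metadata, the server only holds a bounded queue of notices, and the data itself moves only when a responder is free to pull it.

```python
"""Toy model of pull-based collection (added example, not OpenText code).

Agents send a small event notice; the server queues it; a responder later pulls
only the artifact the event names, so neither the server nor the endpoint is
flooded with bulk data during a burst of alerts.
"""
import heapq
import itertools
from dataclasses import dataclass, field


@dataclass(order=True)
class Event:
    priority: int          # lower number = handled first (heapq pops the smallest)
    seq: int               # tie-breaker so equal priorities stay FIFO
    endpoint: str = field(compare=False)
    kind: str = field(compare=False)   # which artifact the responder should pull


class CollectionServer:
    """Holds a bounded queue of event notices; no endpoint data is stored here."""

    def __init__(self, max_queue=1000):
        self.max_queue = max_queue
        self._queue = []
        self._seq = itertools.count()
        self.dropped = 0   # notices rejected because the queue was full

    def submit(self, endpoint, kind, priority):
        """Agent-side call: metadata only, never the artifact itself."""
        if len(self._queue) >= self.max_queue:
            self.dropped += 1
            return False
        heapq.heappush(self._queue, Event(priority, next(self._seq), endpoint, kind))
        return True

    def next_task(self):
        return heapq.heappop(self._queue) if self._queue else None

    def pending(self):
        return len(self._queue)


def pull_from_endpoint(endpoint_store, event):
    """Responder-side call: fetch only the artifact the event names."""
    return endpoint_store[event.endpoint].get(event.kind)


def run_responders(server, endpoint_store, capacity):
    """Drain up to `capacity` tasks in priority order; returns what was collected."""
    collected = []
    for _ in range(capacity):
        event = server.next_task()
        if event is None:
            break
        collected.append((event.endpoint, event.kind,
                          pull_from_endpoint(endpoint_store, event)))
    return collected


# Constructed sample artifacts that "live" on two hypothetical endpoints.
ENDPOINT_STORE = {
    "srv-db-01": {"process_list": ["sqlservr.exe", "svchost.exe"]},
    "ws-0042": {"process_list": ["outlook.exe"], "autoruns": ["Run\\updater"]},
}


def demo():
    """Three notices fit, a fourth is dropped; two responders pull the top two."""
    server = CollectionServer(max_queue=3)
    server.submit("ws-0042", "autoruns", priority=2)       # workstation: lower urgency
    server.submit("srv-db-01", "process_list", priority=0)  # high-value server: first
    server.submit("ws-0042", "process_list", priority=2)
    server.submit("ws-0042", "process_list", priority=2)    # queue full: rejected
    first_batch = run_responders(server, ENDPOINT_STORE, capacity=2)
    return first_batch, server.pending(), server.dropped


if __name__ == "__main__":
    print(demo())
```

Priorities here are an assumption used to show that a high-value server's event jumps ahead of a workstation's; the bounded queue is what keeps a burst of agent notices from becoming a burst of bulk transfers.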

The result is a solution with comprehensive visibility across the entire network that is easy to set up, run and maintain, with a consistently light footprint.

What this means for detection

Continuous monitoring is the first step to detection and response. Once teams have access to the data, EnCase Endpoint Security detects threats through various means, including:

  • User-Behavior Analytics
  • Threat Intelligence
  • SIEM alerts that need response and TI via integrations
  • Out-of-the-box rules and policies, with the ability to build your own rules as well
  • Telemetry

Because of our forensic heritage and unique understanding of data relationships, we are in a prime position to analyze the factors above to detect unknown threats that evade commodity endpoint products. We can safely correlate, validate, and data-enrich previously uncorrelated:

  • security events
  • data movement
  • system activities
  • data types

This approach primarily focuses on detecting new, advanced, and previously unknown threats and malware.

Helping Incident Responders respond

The key to effective response is prioritization. Security teams are overwhelmed with alerts, and alert fatigue is a serious issue. Anytime a new detection technology is added, more alerts are created.

To help deal with this, teams have a single-pane-of-glass view within EnCase for enterprise-wide response. OpenText EnCase correlates all security events and detections, whether it’s something that EnCase detected or an event that originated from your SIEM. Tier 1 analysts can sort the data however they would like; most teams validate the critical alerts first, send those to the Tier 2 analysts and investigators, and then work their way back to less-critical events.

In an overly simplified example, the alert below has a threat intelligence score of 100. This means EnCase checked known databases, ran the suspected malware through a sandbox, performed additional endpoint analysis, and quickly generated a threat score. Threat scoring allows security teams to more quickly identify which alerts are critical and which are false positives, and to triage remediation accordingly.

After prioritizing alerts that require response, IR teams can then:

  • Isolate/quarantine infected endpoints (if needed)
  • Kill malicious processes
  • Examine memory and the registry, and if needed reset the registry keys
  • Delete files that created malicious processes
  • Look for morphed iterations (entropy) of any advanced or polymorphic malware
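The last bullet refers to entropy as a way of spotting morphed or packed variants that hash-based matching misses. As an added example (not part of the post and not EnCase's implementation), the block below computes Shannon entropy per chunk of a file and flags chunks near the 8-bit maximum, which is the classic indicator of compressed, encrypted or packed content. The chunk size, threshold and sample buffers are constructed assumptions.

```python
"""Chunked Shannon-entropy scan (added example, not OpenText/EnCase code).

Plain code and text sit around 4-6 bits per byte; packed or encrypted sections
approach 8. Flagging high-entropy regions is one cheap way to surface
polymorphic variants whose hashes never repeat.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data, chunk=1024):
    """List of (offset, entropy) for each fixed-size chunk of `data`."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


def high_entropy_chunks(data, chunk=1024, threshold=7.0):
    """Offsets of chunks whose entropy exceeds `threshold` (assumed cut-off)."""
    return [off for off, h in entropy_profile(data, chunk) if h > threshold]


def _constructed_sample():
    # Constructed input: 2048 bytes of ordinary text followed by 1024 bytes of
    # seeded pseudo-random data standing in for a packed or encrypted section.
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:2048]
    rng = random.Random(1337)
    packed = bytes(rng.getrandbits(8) for _ in range(1024))
    return text + packed


SAMPLE_FILE = _constructed_sample()


if __name__ == "__main__":
    for off, h in entropy_profile(SAMPLE_FILE):
        print(f"offset {off:6d}: {h:.2f} bits/byte")
    print("high-entropy chunks at:", high_entropy_chunks(SAMPLE_FILE))
```

A real scan would read the file in binary mode and feed it to `high_entropy_chunks`; the threshold is a tuning knob, since legitimate compressed resources (images, archives) also score high, so the result is a triage signal to investigate, not a verdict.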

In a recent product review and webinar, Jake Williams (@MalwareJake) had this to say about OpenText EnCase Endpoint Security: “The range of features is impressive, but the flexibility of use in those features is the absolute killer feature of the application. Throughout the design, it is obvious that the people writing EES perform incident response themselves on a regular basis.”

So how do you evolve from detection to prediction?

The sheer scale of enterprise networks makes each unique. Like a fingerprint, every enterprise network is the only one of its kind.

Out-of-the-box solutions can detect threats. But closing the compromise-to-detection gap more effectively takes a combination of intelligent and connected technology and people: a posture of predictive security integrating artificial intelligence and machine learning.

OpenText™ Magellan™ is a flexible AI platform that combines open-source machine learning with advanced analytics and enterprise-grade business intelligence to acquire, merge, manage and analyze enterprise data. With Magellan, security teams can deploy security-specific algorithms in order to draw insights from previously uncorrelated events and behaviors.

OpenText Magellan learns about the enterprise environment, data and preferences over time. It self-optimizes for increasingly better performance, and when coupled with EnCase Endpoint Security, security teams can find insights from data that is seemingly unrelated (to the human eye) – unlocking a posture of predictive detection and response.

For teams not ready to leverage AI and machine learning for predictive insights, OpenText™ EnCase™ Advanced Detection, which is a new detection module for EnCase Endpoint Security, is also available. EnCase Advanced Detection can further enhance the detection capabilities available in EnCase, as well as provide agentless capabilities.

EnCase Advanced Detection delivers:

  • Threat intelligence
  • Emulated sandbox
  • Binary file analysis
  • Machine learning
  • Partial hashing
  • Memory analysis
  • Active breach detection
  • User entity behavioral analytics
  • Threat-scored forensic artifacts
  • MITRE ATT&CK implementations
  • Signs of exfiltration and C2

At RSA, the OpenText team will be showcasing the combined suite of security solutions. OpenText believes that a custom deployment of the right technology will unlock a posture of predictive security for the Enterprise.

Visit us in the Moscone North Hall at booth #6353 during RSA 2019 for a demo.
