Pt. 3: Cutting through the Next Generation Endpoint Noise

A Look at the Detection Component of EDR

A key point Gartner makes in its Market Guide for Endpoint Detection and Response (EDR) report is that detecting sophisticated hidden threats is the most critical EDR capability. So with that in mind let’s talk about detection and EDR.

#1 Defining detection
The definition of detection is an interesting discussion. Simplistically, one can bucket detection into known and unknown approaches. Known is typically associated with traditional, signature-based detection. Unknown is associated with behavior-based approaches.

Gartner identifies two main detection techniques – known bad and algorithmic. Algorithmic is defined as “detecting unknown malware without comparing to a database of known bad artifacts but a computational method that would include characteristics of known good and bad.”

I think another way to look at detection is automated vs. manual detection. Automated detection involves a detection engine that is embedded in the security solution with a fundamental goal of the technology being able to detect threats. Manual detection involves searching for a defined indicator of compromise (IOC) and most often involves a human operator. Malware or threat hunting is a good example of this. The question here is if this is truly detection or is it more accurately investigation? I say it’s the latter.

#2 Most EDR solutions lack native detection
So based on the aforementioned discussion on detection, I would suggest that the majority of EDR solutions lack native detection. This makes sense given that many EDR solutions were built on the primary use case of investigation. Investigations can be reactive/post-breach (who is patient zero, scope of infection) or proactive like threat hunting. The common theme is that investigation requires some indicator of compromise or an attack artifact. Solutions that would fall in this category would be FireEye HX (Mandiant MIR as predecessor) and Carbon Black. If being able to detect sophisticated hidden threats is a critical capability of EDR solutions, I would contend that having native detection is therefore a critical capability. 

#3 Ideally, any detection solution will use a combination of these detection techniques (known and algorithmic) to improve accuracy
This is an important point that Gartner makes. Just detecting known threats is clearly not good enough. Additionally, behavior-based detection, which is required to detect unknown threats, is inherently noisy and prone to false positives. I would actually take this a step further and suggest that not only having multiple detection techniques is important, but having multiple detection vectors is critical as well. For example, given the nature of advanced threats just looking at the endpoint or the network is insufficient. You need to look at both.

This is a key area where I think our HawkEye G solution stands out among the EDR crowd. HawkEye G incorporates multiple detection vectors including anomaly/behavioral, signature (file, URL, IP), a community-source malware verification service, network communications (HawkEye G network sensor), and network sandboxing via our integrations with Palo Alto Networks’ WildFire solution and FireEye NX.

The concept of security integration is an important one as well. We are seeing more organizations looking to evolve to security architectures in which disparate security solutions are tightly integrated. This not only helps to improve detection, but also enables rapid, automated response. Therefore, while integrated capabilities are important, I also think buyers should be focused on how a solution integrates with its other security solutions.

#4 Big challenge for buyers is determining depth and accuracy of detection techniques 
This problem is typical in emerging technology areas. Similar to what has happened with network sandbox solutions over time I would expect to see third-party testing conducted on EDR solutions. In the meantime, I think the best thing an organization can do is to: (1) assess the problem(s) they are looking to solve; (2) identify a few solutions that solve the problem(s); and (3) put them to the test in a real world environment. While the crowded and noisy nature of the EDR market is a likely deterrent to buyers remember Gartner’s advice that doing something is better than doing nothing.

As mentioned earlier, the type of detection one is looking for is a critical component of the type of EDR solutions to evaluate. However, investigation and response capabilities are also critical. We’ll address these in the next blog.
 

- See more at: https://www.hexiscyber.com/news/hot-topics/pt-3-cutting-through-next-generation-endpoint-noise#sthash.JBjPsraN.dpuf