Pt. 4: Cutting through the Next Generation Endpoint Noise
A Look at Response Including Investigation and Containment or Remediation
While detection is a critical capability of EDR solutions, the ability to investigate and respond is also important. Gartner indicates that after detection “the capability to enable a security analyst to investigate suspicious events to determine both the technical- and business-level impact is the most important consideration.” And ultimately, once you detect and investigate you want to be able to do something about the threat. This is the “R” in EDR.
#1 Investigation and threat hunting are not the same
A key point made by Gartner is that almost all solutions can help SOC first responders investigate, but not all are well suited for threat hunting. Core capabilities for basic investigation include the ability to quickly search endpoints for indicators of compromise, confidence-based threat scoring for alert prioritization, and intuitive presentation of the relevant data so the analyst can review it and make a decision. As Gartner points out, threat hunting additionally requires the EDR solution to continuously record all endpoint state changes, because a hunt asks questions nobody knew to ask at the time the activity occurred. Going back to our discussion of detection: in my opinion, many of the leading EDR solutions were built around the investigation use case, including threat hunting, yet interestingly these same solutions lack native detection. Conversely, the majority of EDR solutions that do incorporate native detection lack continuous recording. This is another area where our HawkEye solution stands out, by offering both capabilities.
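To make the distinction concrete, here is an added example (not HawkEye or any vendor's code) of a toy endpoint event store. It shows the two first-responder capabilities named above (IOC search and confidence-scored alert prioritization) next to a hunting query that cannot be answered by an IOC at all and only works because every process start was recorded with its parent. The hostnames, hashes and command lines are constructed for the example; a real store would key processes on a unique process GUID rather than (host, pid), since PIDs are reused.

```python
"""Added example, not HawkEye or any vendor's code: a toy endpoint event store
showing why first-responder investigation (IOC search, confidence-scored
alerts) and threat hunting (queries over a continuously recorded process
timeline) need different data. Hosts, hashes and command lines are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds since boot (constructed)
    host: str
    pid: int
    ppid: int
    image: str       # executable name, lower case
    sha256: str      # shortened placeholder for a real hash
    cmdline: str


# Constructed telemetry: a macro-laden document spawning an encoded
# PowerShell on ws-17, and an administrator's harmless PowerShell on ws-22.
EVENTS = [
    ProcEvent(100, "ws-17", 400, 1, "explorer.exe", "h_explorer", "explorer.exe"),
    ProcEvent(101, "ws-17", 512, 400, "winword.exe", "h_word", "winword.exe invoice.docm"),
    ProcEvent(105, "ws-17", 530, 512, "powershell.exe", "h_ps", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent(107, "ws-17", 545, 530, "rundll32.exe", "h_rundll", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,Run"),
    ProcEvent(200, "ws-22", 600, 1, "explorer.exe", "h_explorer", "explorer.exe"),
    ProcEvent(201, "ws-22", 612, 600, "chrome.exe", "h_chrome", "chrome.exe"),
    ProcEvent(203, "ws-22", 630, 600, "powershell.exe", "h_ps", "powershell.exe Get-Service"),
]


class EventStore:
    """Continuous recording: every process start is kept and indexed, so a
    hunt can ask about parent/child relationships long after the fact.
    Toy assumption: (host, pid) is unique; real stores use a process GUID."""

    def __init__(self, events: List[ProcEvent]) -> None:
        self.events = sorted(events, key=lambda e: e.ts)
        self.by_key: Dict[Tuple[str, int], ProcEvent] = {(e.host, e.pid): e for e in self.events}

    def ioc_search(self, hashes: Set[str]) -> List[Tuple[str, int, str]]:
        """First-responder question: where have these known hashes run?"""
        return [(e.host, e.pid, e.image) for e in self.events if e.sha256 in hashes]

    def ancestry(self, host: str, pid: int) -> List[str]:
        """Image names from the root ancestor down to the given process."""
        chain: List[str] = []
        cur: Optional[ProcEvent] = self.by_key.get((host, pid))
        while cur is not None:
            chain.append(cur.image)
            cur = self.by_key.get((host, cur.ppid))
        return list(reversed(chain))

    def hunt_office_spawns_shell(self) -> List[Tuple[str, int, List[str]]]:
        """Hunting question with no IOC at all: which shells have an Office
        application anywhere in their ancestry? Needs the recorded lineage."""
        hits = []
        for e in self.events:
            if e.image in SHELLS:
                chain = self.ancestry(e.host, e.pid)
                if any(img in OFFICE_APPS for img in chain[:-1]):
                    hits.append((e.host, e.pid, chain))
        return hits


def score_alert(store: EventStore, e: ProcEvent) -> int:
    """Confidence-based threat score (0-100) from weighted, independent
    signals; used to decide what an analyst looks at first."""
    score = 0
    parent = store.by_key.get((e.host, e.ppid))
    cmd = e.cmdline.lower()
    if parent is not None and parent.image in OFFICE_APPS:
        score += 40                                   # Office app spawning a child
    if e.image in SHELLS and "-enc" in cmd.split():
        score += 40                                   # encoded command line
    if "-w hidden" in cmd:
        score += 10                                   # hidden window
    if "\\appdata\\local\\temp\\" in cmd:
        score += 20                                   # payload loaded from a temp dir
    return min(score, 100)


def prioritised_alerts(store: EventStore, min_score: int = 50) -> List[Tuple[int, str, int, str]]:
    """Alerts at or above the threshold, highest confidence first."""
    scored = [(score_alert(store, e), e.host, e.pid, e.image) for e in store.events]
    return sorted([s for s in scored if s[0] >= min_score], reverse=True)


if __name__ == "__main__":
    store = EventStore(EVENTS)
    print("IOC hits:", store.ioc_search({"h_ps"}))
    print("Hunt:", store.hunt_office_spawns_shell())
    print("Triage queue:", prioritised_alerts(store))
```

Note what each query can and cannot tell the analyst: the IOC search for the PowerShell hash returns both hosts, because the binary is the same everywhere, while the hunt and the score separate the Word-spawned, encoded instance on ws-17 from the administrator's on ws-22. Without the recorded parent chain the hunt has nothing to walk.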
The ability to detect and investigate is critical but ultimately organizations need to be able to respond to threats before they do damage.
#2 The lower case “r” in EDR
Gartner indicates that full remediation capabilities are currently nascent in the EDR space and that remediation is the least mature function in the current crop of EDR tools. Quarantining is reported to be the most common response. This is why at Hexis we often refer to EDR as EDr, the lower-case "r" representing the fact that many EDR solutions are weak on this front.
We believe a robust EDR solution should include a comprehensive set of countermeasures that can be deployed flexibly in either an automated or a machine-guided manner (the information and a recommended course of action are presented to the user, who clicks to invoke the response). We think this should be a key component of any EDR evaluation.
I'm happy to report that our automated response capabilities are among the most mature functions in our HawkEye G solution, representing a key point of differentiation relative to other offerings.
#3 Reimaging is expensive and disruptive
Gartner points to the common practice of reimaging in most instances and notes that this approach is expensive and disruptive. We couldn't agree more! Again, having the ability to deploy automated, non-invasive countermeasures that surgically remove threats without disrupting the end user is critical. And because reimaging is expensive and disruptive, automated response has a straightforward positive ROI story.
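The two ideas above, the automated versus machine-guided deployment of countermeasures (#2) and surgical, non-invasive removal instead of reimaging (#3), can be expressed as one small response policy. The following is an added example and not Hexis or HawkEye G code: it maps a detection to a course of action, then uses the alert's confidence and whether any action is disruptive to the end user to decide between running it automatically, presenting it for one-click analyst approval, or leaving it for manual review. The detections, thresholds, action names and artefact paths are all constructed for the example.

```python
"""Added example, not Hexis/HawkEye G code: a response policy that maps a
detection to a surgical course of action and decides, from the alert's
confidence and how disruptive the actions are, whether to run it automatically,
present it for one-click analyst approval (machine-guided), or leave it for
manual review. Detections, hosts and artefact paths are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Mode(Enum):
    AUTOMATED = "automated"            # executed with no human in the loop
    MACHINE_GUIDED = "machine-guided"  # plan shown to the analyst, who clicks to invoke
    MANUAL = "manual"                  # below the confidence floor; investigate first


@dataclass(frozen=True)
class Countermeasure:
    action: str       # constructed names: kill_process, quarantine_file, delete_run_key, ...
    target: str
    disruptive: bool  # will the end user notice? (isolating a host: yes; killing one process: no)


@dataclass
class Detection:
    host: str
    threat_type: str
    confidence: int            # 0-100 from the detection engine
    artifacts: Dict[str, str]  # pid, file path, run key, domain (constructed)


@dataclass
class Decision:
    mode: Mode
    actions: List[Countermeasure]
    executed: List[str] = field(default_factory=list)


def plan(det: Detection) -> List[Countermeasure]:
    """Surgical course of action per threat type: remove the threat's pieces
    (process, dropped file, persistence) rather than reimaging the host."""
    a = det.artifacts
    if det.threat_type == "malicious_process":
        return [
            Countermeasure("kill_process", a["pid"], disruptive=False),
            Countermeasure("quarantine_file", a["path"], disruptive=False),
            Countermeasure("delete_run_key", a["run_key"], disruptive=False),
        ]
    if det.threat_type == "c2_beacon":
        return [
            Countermeasure("block_domain", a["domain"], disruptive=False),
            Countermeasure("kill_process", a["pid"], disruptive=False),
            Countermeasure("isolate_host", det.host, disruptive=True),
        ]
    return []


def execute(d: Decision) -> None:
    """Stand-in for the endpoint agent: record what would be invoked."""
    for c in d.actions:
        d.executed.append(f"{c.action}:{c.target}")


def approve(d: Decision) -> Decision:
    """The analyst's click on a machine-guided plan."""
    if d.mode is Mode.MACHINE_GUIDED and not d.executed:
        execute(d)
    return d


class ResponsePolicy:
    def __init__(self, auto_threshold: int = 90, guided_threshold: int = 60,
                 auto_disruptive: bool = False) -> None:
        self.auto_threshold = auto_threshold
        self.guided_threshold = guided_threshold
        self.auto_disruptive = auto_disruptive   # may automation take disruptive actions?

    def decide(self, det: Detection) -> Decision:
        actions = plan(det)
        if not actions or det.confidence < self.guided_threshold:
            return Decision(Mode.MANUAL, actions)
        disruptive = any(c.disruptive for c in actions)
        if det.confidence >= self.auto_threshold and (self.auto_disruptive or not disruptive):
            d = Decision(Mode.AUTOMATED, actions)
            execute(d)
            return d
        return Decision(Mode.MACHINE_GUIDED, actions)   # waits for approve()


# Constructed detections for the example run.
DETECTIONS = [
    Detection("ws-17", "malicious_process", 95,
              {"pid": "530", "path": r"C:\Users\u\AppData\Local\Temp\x.dll",
               "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"}),
    Detection("ws-22", "c2_beacon", 92, {"pid": "612", "domain": "cdn-update.example"}),
    Detection("ws-30", "malicious_process", 40,
              {"pid": "700", "path": r"C:\tmp\a.exe",
               "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\a"}),
]

if __name__ == "__main__":
    policy = ResponsePolicy()
    for det in DETECTIONS:
        d = policy.decide(det)
        print(det.host, det.threat_type, det.confidence, d.mode.value, d.executed)
```

The thresholds are the evaluation knobs: a high-confidence detection whose countermeasures are all non-invasive is cleaned up automatically, the same confidence with a host isolation in the plan is held for a click because that action interrupts the user, and a low-confidence alert gets no automated action at all. Raising auto_disruptive to True is the deliberate choice to let automation isolate hosts.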
See more at: https://www.hexiscyber.com/news/hot-topics/pt-4-cutting-through-next-generation-endpoint-noise
Cybersecurity Consultant (8 years ago)
Very informative. The EDR landscape is revolutionizing the security market, exactly like in 2012 when sandboxing became obvious.