Stack vs. Stack - Why Prevention Matters
Matthew L. Fulmer
Director of Cyber Threat Intelligence @ BLOKWORX | Threat Analysis, Countermeasures, Content Creation, Reformed Hacker and Deep Learning Fanatic.
I have been seeing lately that people in varying roles in cyber seem to be under the impression that Microsoft is a security company. Worse yet, the same voices are loudly proclaiming that Microsoft plus an EDR is “all you need” to keep your environment safe. Don’t get me wrong, we support everyone having an opinion, but we prefer those opinions be backed up with some form of relevant data.
The above description would normally not be an issue and ordinarily would just be additional noise, but when that noise starts to pick up traction and those in positions to implement security within organizations falsely believe the narrative, things can go sideways extremely quickly.
Before we go further, we should discuss what we are comparing and some baselines about differences in implementation. We are comparing a security product (designed to keep the nasties off your system) which is paired with an EDR (Endpoint Detection and Response) application designed to notify you of actions taken in an environment which your security solution missed (or did it?).
Stack #1
· Channel leading EDR + Microsoft Defender
Stack #2
· LimaCharlie + Deep Instinct
Why is Microsoft in this discussion? As mentioned above, there is a narrative that Defender is “good enough” and it’s included with most licensing packages organizations are already paying for, so it’s a cost savings within environments. Are those cost savings, when paired with an EDR, going to provide adequate protection? We will use data from different engagements we have been involved with to highlight the differences between the stacks and attempt to paint the picture around successes vs. shortcomings of the stacks.
The obvious difference between the stacks is Defender vs. Deep Instinct. Aside from starting with a D, they could not be more different in design, functionality, and overall capability. The most important piece of this is anti-tampering, which is implemented at completely different levels. Anti-tampering is designed to prevent modifications to the settings or configuration of the security product, most importantly to prevent the ability to disable said security.
Windows Defender can be disabled via several different methods:
· PowerShell leveraging Set-MpPreference
o This can be done with LOLBAS/LOLBIN files which bypass Defender with “valid” certs and then launch their payloads to impair defenses
· Leveraging sc or net commands to alter settings/disable services
The ability to leverage Microsoft’s own commands against their own security solution is egregious and leaves you in a precarious situation, as such activity would slip straight through.
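As an added example (not code from the article or from BLOKWORX), here is a read-only PowerShell health check a defender can schedule to confirm that the Defender settings the article describes as the target of tampering are still in place, and to surface the Defender operational-log events that record a configuration change or a blocked tampering attempt. The cmdlets, properties and event IDs are standard Microsoft Defender ones; the 24-hour look-back window and the particular set of checks are my assumptions.

```powershell
# Added example, not part of the original article: read-only Defender health check.
# Run in an elevated PowerShell session on a Windows host with Defender installed.
# Event IDs used below come from the Microsoft-Windows-Windows Defender/Operational log:
#   5001 = real-time protection disabled
#   5007 = Defender configuration changed
#   5013 = tamper protection blocked a change

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Each check is a boolean; $true means the protection is in the expected state.
# The set of checks is an assumption; extend it to match your own baseline policy.
$checks = [ordered]@{
    'Antimalware service enabled'                        = $status.AMServiceEnabled
    'Real-time protection enabled'                       = $status.RealTimeProtectionEnabled
    'Behavior monitoring enabled'                        = $status.BehaviorMonitorEnabled
    'Tamper protection enabled'                          = $status.IsTamperProtected
    'Real-time monitoring not disabled via preferences'  = -not $prefs.DisableRealtimeMonitoring
    'WinDefend service running'                          = (Get-Service -Name WinDefend).Status -eq 'Running'
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    Write-Host ("{0,-52} {1}" -f $name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    if (-not $ok) { $failed += $name }
}

# Recent configuration changes and blocked tampering attempts (24-hour window is an assumption).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5013
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "`nDefender configuration/tamper events since ${since}:"
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "`nNo Defender configuration-change or tamper events in the last 24 hours."
}

# Non-zero exit code lets a scheduler or RMM tool raise an alert on any gap.
if ($failed.Count -gt 0) {
    Write-Warning ("Protection gaps found: " + ($failed -join '; '))
    exit 1
}
exit 0
```

A failing check here is exactly the condition the article warns about: the product is still installed but no longer protecting. Pairing the state check with the event query matters because event 5013 shows tamper protection doing its job, while a 5001 or 5007 with no matching change ticket is the signal worth investigating.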
Compare that to Deep Instinct, which can be disabled by the following method:
· Disable via a console protected with login/password and 2FA
That’s it, that is the only way you can disable Deep Instinct. There are no hidden commands, no hooks to leverage to bypass it, and you cannot use LOLBAS/LOLBIN to interact with Deep Instinct.
I know, I know…not really a fair comparison having Tom Brady’s Patriots play a high school team, but we are just providing the factual data about the solutions in question.
Next up we compare EDR capabilities. For the sake of full disclosure, this will include MAED+EDR services, as that is how our EDR is made available. We should preface this by saying EDR is fantastic and a great addition to a stack…if the rest of the stack is of equal capability and synergizes well.
Both EDR solutions in question do specifically what they say they will: they detect and respond to threats on machines. However, in most cases an EDR will not remediate. It also will not prevent before an item is detonated (that’s the detection part; it’s not designed to be preventative). The difference is the level of homework being assigned to the end customer.
What I mean by homework is that the channel leading EDR sends out e-mails outlining items found in the environment with “next steps” which mostly seem to consist of “you need to take this action on the machine”, meaning the questionable object is still on the machine and could be leveraged.
The solution which BLOKWORX uses covers the detection and response portion but has other features which have been built in-house to make quality-of-life improvements. The quality-of-life improvements help monitor a completely independent endpoint solution (no reliance on the Windows registry or built-in services) to ensure the agent is healthy, give the ability to fix broken agents without the need to put hands on the machine, and even give the ability to collect performance data (procmon), also without physically placing hands on the machine.
How does Defender compare straight up against Deep Instinct? Fortunately, we know how it stacks up because Deep Instinct had the product tested by a third-party company (Unit 221B), and their baseline machine was a fully updated/patched version of Windows 10 with Defender, to mimic a “real life scenario” of an enterprise under attack.
The test was the following –
· 100 diverse samples of malware
· 65 had detections by other vendors
· Files could not be corrupt
· File size under 1MB (to ensure a file was not ignored based on size limitations)
The results were embarrassing for Defender, as Deep Instinct prevented the file from even being extracted in 68 of the 100 cases. The remaining 32 files were prevented on attempted execution.
Defender was able to prevent 5 files and 95 were not prevented or terminated by Defender.
When detonating the files, it was seen that the Deep Instinct machine generated 2,647 fewer security events than the Defender-only machine, meaning 2,647 events that did not need addressing and did not remain present on the machine until remediation.
Full breakdown of the test –
· System A – Windows 10 without Deep Instinct
o Windows Defender automatically deleted 5 files
o Windows Defender automatically prevented 0 attacks on attempted execution
o 6,677 security events logged on the machine
· System B – Windows 10 Pro with Deep Instinct
o Deep Instinct automatically deleted 68 files
o Deep Instinct automatically prevented 32 attacks upon attempted execution
o 4,030 security events logged
100% of unknown attacks were prevented, 96.4% of customized attacks created by Unit 221B were prevented with a total efficacy of 99.78%.
You might be asking why there is no third-party assessment of Defender available like this, and we don’t have an answer for that. We can say that Defender’s efficacy against threats in environments is tested daily (if not more often), mostly on an involuntary basis, with the “report” being felt by those compromised. A real-world example: on the night of writing this, BLOKWORX did efficacy testing with a machine running Defender and a machine running Deep Instinct.
The test was Defender with all settings enabled (Real-Time protection, Cloud-based detection, Tamper protection) and Deep Instinct using the BLOKWORX MAED standard policy. The test was running PowerShell designed to pull components into memory and compile/execute a payload (AgentTesla), which is a RAT (remote access trojan) allowing quiet access to the device.
Defender let it run straight through; it did not pick up on it and did not alert on it. The EDR on the system also had no idea the file(s) existed on the machine, nor that a trojan was actively running on the device. The same item running on the Deep Instinct machine yielded preventions when the files had finished compiling and attempted to write to the machine, successfully preventing a foothold which has built-in persistence.
In summary, we cannot in any way suggest that Defender + channel leading EDR is anywhere near the level of security you receive with Deep Instinct and LimaCharlie; they operate in completely different realms – one is prevention based and one is detection based. Are cost savings really going to be justifiable in the event of a critical incident? I would think not. Generally we consider those kinds of incidents “resume generating events”, and we are proud our stack prevents those events.
This is what sets BLOKWORX apart from the rest of the providers out there. We validate our products (pre and post) to ensure they remain at the level we expect for our customers.