The perpetrator was a master of disguise, outfitting himself as an employee to bypass the extensive preventive security controls and flee with the contents of the vault. Fortunately, the building was equipped with strong detection security measures, and the burglar—unaware of the location of a laser tripwire—soon set off a silent alarm. A handful of the best-equipped and most experienced officers swarmed the building just minutes later, tracing the subject to a large storage area where they found him frantically digging through the large box of documents and cramming a few in his backpack.
While the other officers stood in the hallway at the ready, one began walking toward the perp, shouting “It’s all over, buddy. This is the end of the road.” The criminal, fear-stricken, turned to run. As he began to make his way toward a freight entrance, he was dumbfounded to hear only his own footsteps reverberating off the walls. He chanced a look back at the officer, who had not moved. “You thought you could run, but we found you! You’re under arrest!” the officer shouted, still not moving a muscle. Knowing something had to be going on, the criminal took this opportunity to hurriedly backtrack to the box and grab his ill-gotten loot. He looked back at the officer, who was still frozen in place.
The criminal looked incredulously at the officer, laughed and shook his head. Feeling no threat, he slowly shuffled out with his giant box of classified documents into the night.
The “R” Is There For A Reason
What is true in the world of police is also true in the world of cybersecurity: Detection means nothing without response. And not any response, but the right response.
EDR marketing materials focus heavily on their ability to detect the largest number of the newest threats in the least amount of time. But without a broad and well-developed set of response mechanisms in place, even the best detection abilities are of little use. Unlike, say, a legacy anti-virus product, EDR isn’t a “set it and forget it” technology—you can’t just put it on your network and call it a day. Your ability to adequately respond to threats is going to depend on two factors: the people and the tools. While having capable analysts at the helm is vital, not limiting them with inadequate tools is an equally important part of safeguarding your enterprise.
Response Options Must Be Extensive
What if our officer instead had access to a full range of response capabilities? Criminals are unpredictable, and it’s impossible to know ahead of time whether “Put your hands up!” will be sufficient, or whether you’ll need to call for backup, use a stun gun or give chase. The ability to determine the best response isn’t enough if you don’t have access to that response method.
So it goes in cybersecurity. The EDR market is sharply divided in terms of response capabilities, and the ability—or inability—to adequately respond should be a purchasing consideration. Any decent EDR will yield the necessary context and present it in a way that allows you to easily and quickly assess the situation. A good EDR will put a panoply of response capabilities at your fingertips. Should you kill the process? Restart the machine? Quarantine the box? The amount of flexibility offered can affect how quickly you’re able to handle the threat.
Ideally, according to a SANS Institute report, your EDR should have at least the following response options:
– Terminate running processes
– Prevent processes from executing based on name, path, argument, parent, publisher or hash
– Block specific processes from communicating on the network
– Block processes from communicating with specific host names or IP addresses
– Uninstall services
– Edit registry keys and values
– Shut down or reboot an endpoint
– Log users off an endpoint
– Delete files and directories
But what do you do when the specific response you need isn’t available out of the box? In this case, you need to be able to program your own script to perform a custom action or response. Many EDRs lack the technology to make this possible, but it’s an important thing to look for—just because your business needs don’t require it now, doesn’t mean it won’t in the future.
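To make the response list above and the custom-script point concrete, here is an added example, written for this post rather than taken from any EDR product or from the SANS report: a small response-policy engine that evaluates a process event against block rules keyed on name, path, argument, parent, publisher, hash or network destination, combines the actions of every matching rule in containment-first order, and, when a detection fires that no rule claims, falls back to quarantining the host so an analyst can scope it while it is contained. The event fields, rule format, action names, hashes, host names and the 203.0.113.x addresses are all constructed; a real agent would turn the returned action list into calls to its own kill, block and isolate APIs.

```python
"""Response-policy engine for a hypothetical EDR agent: given a process event
that triggered a detection, decide which response actions to run.
Added example; the event fields, rule format and action names are constructed
for this post and are not any vendor's API."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple
import hashlib

# Actions the hypothetical agent can run, most to least disruptive; the final
# action list is sorted by this order so containment happens before cleanup.
ACTION_ORDER = ("quarantine_host", "terminate", "block_network", "block_dest", "delete_file")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    name: str
    path: str
    args: Tuple[str, ...]
    parent: str
    publisher: str                      # signer of the binary, "" if unsigned
    sha256: str
    dest_hosts: Tuple[str, ...] = ()    # network destinations the process contacted


@dataclass(frozen=True)
class Rule:
    """One block rule. Every criterion that is set must match (logical AND).
    name/path/arg/parent/publisher/dest use shell-style wildcards; sha256 is exact."""
    rule_id: str
    actions: Tuple[str, ...]
    name: Optional[str] = None
    path: Optional[str] = None
    arg: Optional[str] = None           # matches if any argument matches
    parent: Optional[str] = None
    publisher: Optional[str] = None
    sha256: Optional[str] = None
    dest: Optional[str] = None          # matches if any destination matches

    def __post_init__(self):
        # A rule with no criteria would match every process on the endpoint;
        # refuse it rather than silently terminating everything.
        if not any((self.name, self.path, self.arg, self.parent,
                    self.publisher, self.sha256, self.dest)):
            raise ValueError(f"{self.rule_id}: rule has no match criteria")
        unknown = set(self.actions) - set(ACTION_ORDER)
        if unknown:
            raise ValueError(f"{self.rule_id}: unsupported actions {sorted(unknown)}")


def _glob(pattern: Optional[str], value: str) -> bool:
    """Case-insensitive wildcard match; an unset pattern imposes no constraint."""
    return pattern is None or fnmatch(value.lower(), pattern.lower())


def rule_matches(rule: Rule, ev: ProcessEvent) -> bool:
    if not _glob(rule.name, ev.name) or not _glob(rule.path, ev.path):
        return False
    if not _glob(rule.parent, ev.parent) or not _glob(rule.publisher, ev.publisher):
        return False
    if rule.arg is not None and not any(_glob(rule.arg, a) for a in ev.args):
        return False
    if rule.sha256 is not None and ev.sha256.lower() != rule.sha256.lower():
        return False
    if rule.dest is not None and not any(_glob(rule.dest, d) for d in ev.dest_hosts):
        return False
    return True


def plan_response(ev: ProcessEvent, rules: List[Rule],
                  unknown_default: Tuple[str, ...] = ("quarantine_host",)
                  ) -> Tuple[List[str], List[str]]:
    """Return (matched rule ids, ordered actions). When a detection fired but no
    rule claims the event, fall back to containment so the analyst can scope it."""
    matched = [r for r in rules if rule_matches(r, ev)]
    if not matched:
        return [], list(unknown_default)
    actions = {a for r in matched for a in r.actions}
    return [r.rule_id for r in matched], sorted(actions, key=ACTION_ORDER.index)


# --- constructed sample policy and events (hashes and addresses are not real IoCs)
KNOWN_BAD_SHA256 = hashlib.sha256(b"constructed malicious sample").hexdigest()
BENIGN_SHA256 = hashlib.sha256(b"constructed benign binary").hexdigest()

RULES = [
    Rule("R1-office-child", ("terminate", "block_network"), name="*.exe", parent="winword.exe"),
    Rule("R2-known-bad-hash", ("terminate", "delete_file"), sha256=KNOWN_BAD_SHA256),
    Rule("R3-testnet-dest", ("block_dest",), dest="203.0.113.*"),
]

EV_OFFICE_CHILD = ProcessEvent("ws-01", 4412, "powershell.exe",
                               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                               ("-File", "invoice.ps1"), "winword.exe",
                               "Microsoft Corporation", BENIGN_SHA256,
                               dest_hosts=("203.0.113.7",))
EV_KNOWN_BAD = ProcessEvent("ws-02", 9981, "svc.exe", r"C:\Users\Public\svc.exe", (),
                            "explorer.exe", "", KNOWN_BAD_SHA256)
EV_UNKNOWN = ProcessEvent("ws-03", 1201, "tool.exe", r"C:\Temp\tool.exe", (),
                          "cmd.exe", "", hashlib.sha256(b"constructed unknown").hexdigest())

if __name__ == "__main__":
    for ev in (EV_OFFICE_CHILD, EV_KNOWN_BAD, EV_UNKNOWN):
        rule_ids, actions = plan_response(ev, RULES)
        print(f"{ev.host} pid={ev.pid} {ev.name}: rules={rule_ids} actions={actions}")
```

Two design points matter more than the rule syntax. First, the engine refuses a rule with no criteria, because an empty rule pushed to every endpoint would terminate every process, which is a worse outcome than the alert it was meant to handle. Second, the unmatched-detection path returns `quarantine_host` rather than nothing: that is the "best response may not be your first response" case from the text, where containment buys the analyst time to investigate without letting the activity continue.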
EDR: Excessively Delayed Reaction?
What if our officer can chase a suspect, but only in baby steps? What if he or she can call for backup, but it takes them 45 minutes to arrive?
Having every response ever conceived still isn’t enough if those responses cannot contain threats in time.
With attackers moving from initial compromise to action on objectives with increasing quickness, the old way of “reassign the ticket to IT” no longer cuts it—by the time IT notices the ticket, the attacker may already have gone.
It’s important to have at your disposal the best response. But when you don’t yet know what something is, your best response may not be your first response. In other words, sometimes you’re going to want to be able to quarantine the affected device(s) while you investigate and scope in order to limit the threat’s impact.
The ability for the EDR to integrate with existing workflows, rather than dictating those workflows, can also make a big difference. A lot of people look at MTTD (Mean Time To Detection)—but that’s only part of the story. A better indicator of an EDR’s effectiveness is MTTR (Mean Time To Response). According to SANS Institute analyst Jake Williams, enterprises that have orchestrated actions between detection and response have MTTR metrics that are both more favorable and more reliable.
There’s no shortage of EDR solutions on the market, at all levels of speed and capability. It’s worth making sure that yours offers as much in terms of response as it does in detection—remember, when you choose an EDR, you’re partnering with the technology that will serve and protect your enterprise. When the chips are down, are you going to have an EDR that can identify, track and eliminate a threat in time to prevent massive devastation?
In a future blog, we’ll explain how detection and response should work in parallel with prevention to safeguard your enterprise.
Want to learn more about what to look for—and watch out for—in an EDR? Click here to read “Why Traditional EDR Is Not Working—and What To Do About It.”