
XDR Is The Best Remedy As Attackers Increasingly Seek To Evade EDR

Real enterprises are messy places. One messy reality is that enterprises don’t manage all their endpoints. A smart colleague turned me on to using the percentage of endpoints and servers under management as a prime security metric.

On one end of the spectrum are places like universities that may manage only 10% of the endpoints on their network. On the other end are places like some large banks and R&D companies that manage about 98 or 99%. One financial services company was spending millions of dollars to get from 96% to 98%, on the very sound reasoning that it was “cutting our biggest security problem in half” rather than “2%, meh.” So even the very best enterprises have unmanaged endpoints, and those are easier to exploit than ones with a security agent deployed on them. A lot of the advanced security we’ve been delivering over the last few years has been focused on this problem.

EDR is an example of how stealthy or evasive attackers can be uncovered better than with traditional endpoint protection. EDR is great for the endpoints it is deployed on. Ian Loe of NTUC gives a killer example of uncovering stealthy attacks using EDR and MDR here.

But most of EDR’s capabilities apply only to the endpoints it is deployed on: the managed ones. Sure, there’s some herd immunity with EDR: the greater the number of managed endpoints, the harder it is for an attacker to move laterally or deeper. But more capable, patient, and stealthy attackers are getting better at being evasive, knowing that EDR may be deployed. Mark Nunnikhoven does a great job in this post talking about lateral movement.

EDR can only go so far on its own to help spot attacks that are exceptionally low and slow, and/or using unmanaged endpoints. Endpoint security needs to step outside the endpoint silo to keep step with advanced attackers. An attack using many hops could see movement between managed endpoints, IoT, email, network components, containers and cloud-based servers over the course of many months. The delivery and reconnaissance could involve multiple protocols, emails, payloads, files, and credentials. Pulling together the tenuous and ephemeral threads of such an intentional attack needs more modern tools, rather than hoping we stumble on a supply of highly advanced threat hunters.

Pulling together deep security information from across your enterprise is what is needed to face off against such advanced and intentionally evasive attacks. XDR is intended to be that security data lake: deeper enterprise infrastructure and security telemetry than we’ve previously gathered, collected into a single addressable pool and designed to be useful to threat hunters and analysts. In these posts here and here we talk about what XDR is and how it brings in more sources, such as network data.

In the game of measure-countermeasure that is cybersecurity today and tomorrow, XDR is the next evolutionary step in dealing with more evasive threats.


Customer Perspective: Catching the thief lurking in the shadows with EDR and MDR

A guest blog by Ian Loe, Senior Vice President, Cybersecurity, NTUC Enterprise Co-operative Limited

News flash: aided by time, persistence and smarts, advanced cybersecurity felons are leapfrogging traditional security systems to compromise confidential data. Realising this, we at NTUC Enterprise have been looking into new security technologies that help address these rising concerns. One of the key areas we have identified is how to better protect our endpoints and increase our visibility into what goes on within these devices.

Visibility, sharpened

With over 20,000 endpoints across PCs and IoT devices under the group to secure, and the potential to grow to 30,000 in the near future, we realise that incident detection and response is becoming critical. With so much at stake, we need a solution that provides constant surveillance – like a CCTV camera – to identify suspicious activities undertaken by a criminal.

Enter endpoint detection and response (EDR) technologies that can record and store queries, behaviors, and events on the endpoints. Picture this: a CCTV camera has the ability to capture movement across every corner and point of entry of a building. If someone surreptitiously breaks the lock of a door, disables the security alarm, or trespasses on commercial property, security personnel will get alerted by footage on these surveillance cameras.

Now let’s put that in the context of EDR. IT teams are able to go beyond just indicators of compromise and achieve high visibility into the nitty-gritty that’s going on. EDR also helps them to understand the multitude of different threats and attack types, allowing teams to correlate information and respond in a timely and effective manner.

For instance, EDR can help teams pinpoint how many devices in the organisation are running a particular piece of vulnerable software, or have accessed a bad domain. EDR stores these events in a searchable repository and can identify the exact starting point of a criminal’s footprint in order to reconstruct the whole attack.
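As an added illustration of the two uses described in this paragraph (fleet-wide queries and tracing a process back to its starting point), here is example code that is not from the original post and not from any vendor’s product. It runs over a constructed EDR event store: a software inventory, DNS queries recorded by the agent, and process-creation events with parent links. The inventory query finds hosts below a fixed version, the DNS query finds hosts that resolved a bad domain, and the ancestry walk follows parent PIDs back to the root of the tree and classifies the entry vector from the images it passes. Hosts, versions, domains, paths, PIDs and the image-to-vector mapping are all assumptions made for the example.

```python
"""Fleet-wide queries and a root-cause walk over a constructed EDR event store.

Added example, not from the original post or any vendor product. Record
layouts, hosts, versions, domains, paths and PIDs are constructed sample data.
"""

# Software inventory per host (constructed).
INVENTORY = [
    {"host": "WS01", "product": "Foo Reader", "version": "9.1.2"},
    {"host": "WS02", "product": "Foo Reader", "version": "10.0.0"},
    {"host": "WS03", "product": "Foo Reader", "version": "9.3.0"},
    {"host": "FS01", "product": "Foo Reader", "version": "10.0.0"},
]

# DNS queries recorded by the agent (constructed).
DNS = [
    {"ts": "2023-03-01T09:03:50", "host": "WS01", "query": "update.bad.example"},
    {"ts": "2023-03-01T11:20:00", "host": "WS03", "query": "update.bad.example"},
    {"ts": "2023-03-01T11:21:00", "host": "WS02", "query": "cdn.good.example"},
]

# Process-creation events with parent links (constructed). pid 4 is the root.
PROCS = [
    {"host": "WS01", "pid": 4,   "ppid": 0,   "image": r"C:\Windows\System32\services.exe"},
    {"host": "WS01", "pid": 410, "ppid": 4,   "image": r"C:\Program Files\Office\outlook.exe"},
    {"host": "WS01", "pid": 512, "ppid": 410, "image": r"C:\Program Files\Office\winword.exe"},
    {"host": "WS01", "pid": 613, "ppid": 512, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "pid": 700, "ppid": 613, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"host": "WS03", "pid": 4,   "ppid": 0,   "image": r"C:\Windows\explorer.exe"},
    {"host": "WS03", "pid": 820, "ppid": 4,   "image": r"E:\photos.scr"},
]

# Which ancestor image implies which entry vector (assumption for the example).
ENTRY_BY_IMAGE = {"outlook.exe": "email", "chrome.exe": "web", "msedge.exe": "web"}
# Drive letters treated as removable media (assumption for the example).
REMOVABLE_PREFIXES = ("E:\\", "F:\\")


def version_tuple(v):
    """'9.1.2' -> (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def hosts_with_vulnerable(inventory, product, fixed_in):
    """Devices still running a build older than the version carrying the fix."""
    fixed = version_tuple(fixed_in)
    return sorted(r["host"] for r in inventory
                  if r["product"] == product and version_tuple(r["version"]) < fixed)


def hosts_that_resolved(dns, domain):
    """Devices that looked up the given bad domain."""
    return sorted({r["host"] for r in dns if r["query"] == domain})


def ancestry(procs, host, pid):
    """Walk ppid links back to the root of the process tree on one host.
    Returns the chain leaf-first; stops when the parent is not in the store."""
    table = {p["pid"]: p for p in procs if p["host"] == host}
    chain = []
    while pid in table:
        chain.append(table[pid])
        pid = table[pid]["ppid"]
    return chain


def root_cause(procs, host, pid):
    """Classify how the threat got onto the endpoint from the ancestry of the
    suspicious process: a removable-drive image means USB, a known mail or
    browser ancestor means email or web. Returns (vector, image)."""
    chain = ancestry(procs, host, pid)
    for p in chain:
        if p["image"].startswith(REMOVABLE_PREFIXES):
            return "usb", p["image"]
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if name in ENTRY_BY_IMAGE:
            return ENTRY_BY_IMAGE[name], p["image"]
    return "unknown", (chain[-1]["image"] if chain else None)


if __name__ == "__main__":
    print("below fixed version:", hosts_with_vulnerable(INVENTORY, "Foo Reader", "10.0.0"))
    print("resolved bad domain:", hosts_that_resolved(DNS, "update.bad.example"))
    for host, pid in (("WS01", 700), ("WS03", 820)):
        print(host, pid, "->", root_cause(PROCS, host, pid))
```

Both fleet queries return the same two hosts here, which is the kind of overlap an analyst uses to prioritise: the machines that are both unpatched and talking to the bad domain go first. The ancestry walk is deliberately bounded by what is in the store; if the parent of a process was never recorded, the chain ends there and the vector is reported as unknown rather than guessed.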

Swiftly detecting and removing a threat from an endpoint, or isolating an endpoint in a large network, can potentially thwart a large-scale infection down the line. This is what drew me to EDR in the first place. By working with Trend Micro, my team can now understand the source, impact, and spread of advanced threats.

But technology is only part of the answer to the overarching situation.

Where are the cybersecurity personnel?

In the cyber world, detection and response is a set of processes that requires specialized skills and years of experience to handle. I think we can all agree on the fact that there is only one predictable thing about a cybersecurity professional’s day – its unpredictability.

Most of us in our field never have the same day twice, having to put on the hats of both defender and attacker. No security offering is complete without skilled intelligence to support it. In fact, an ESG survey reveals that 83 percent of organisations agree that using EDR effectively demands advanced security analytics skills. A lack of qualified candidates to fill these positions means that even if an organisation could justify the full-time staff, it is difficult to find them.

Put simply, the abundance of vulnerable businesses along with a lack of skilled cybersecurity personnel translates to more open doors for attackers to slip through – easily.

Managed detection and response (MDR) then comes into the picture to help organisations like ours ease the skills gap by providing 24/7 alert monitoring and threat-hunting capabilities from experienced cybersecurity professionals – powered by big data and AI technologies to detect anomalies faster.

For an organisation the size of NTUC Enterprise, the imperative is to achieve an effective security control posture, ensure compliance, and close known security gaps. By offloading the task to Trend Micro’s skilled MDR team, my team is able to focus on security projects that are important for the business and overcome staffing challenges.

For instance, I’m able to create custom alerts for significant assets within my environment when malicious or suspicious activity happens. Monitoring would be done via a follow-the-sun model within the region and in the US regardless of time zones, increasing responsiveness and reducing delays.

I also get insights from endpoint data that serve as the basis for root cause analysis – illuminating the path by which the threat originally entered the endpoint (e.g. email, web, USB, application), and how it was executed.

Data – the brains behind visibility

At the end of the day, organisations want more visibility into every nook and cranny of their IT infrastructure. And what enriches visibility? Data. The industry is decidedly moving towards XDR, a form of data-powered defense that provides omnipresent, nuanced visibility into attacks.

We are more likely to be a victim of a cyber crime than any other criminal offence – let’s be prepared!
