“The most damaging phrase in the language is 'We've always done it this way'.”
Rear Admiral Grace Murray Hopper
- Have you always done endpoint security the same way?
- Are there gaps in your defenses today that you need to address?
- This article discusses these gaps and invites you to an online seminar that will show how these can be addressed with Endpoint Detection and Response solutions.
Rear Admiral Grace Hopper was an innovator. She overcame many obstacles in her career and certainly was not afraid to challenge conventional wisdom. At the time of her retirement at 79, she was the oldest commissioned officer on active duty in the United States Navy. Grace was instrumental in the development of the first English-based programming languages such as COBOL. She invented the term “debugging” after a moth got into an early computer. Rear Admiral Grace did not always do things the same way.
Endpoint protection platform or Endpoint Detection and Response?
Have you always done endpoint security the same way? Are there perhaps gaps in your defenses today that you should consider addressing?
Today’s Endpoint protection (EPP) solutions from top security vendors stop more malware and more diverse threat types than ever before. Artificial intelligence, machine learning and adaptive heuristics go far beyond the static and easily circumvented “virus definition files” of the past.
Pre-execution detection, on-execution blocking, and even post-execution termination are now common capabilities of top EPP products. There are fewer false-positive alerts, faster and more accurate detections and better explanations concerning what was detected and why. But EPP as a product category has fundamental limitations that every security leader should bear in mind. When everything is on the line for your business, you can’t lose sight of what goes unseen by endpoint protection tools.
Where Endpoint Protection Comes Up Short
Breach prevention via detection and blocking at the very start of every attack would seem to be the ideal state that any InfoSec team would want to achieve, but history dating back to the first computer viruses in the mid-1980s proves that this is an elusive goal. Prevention has never been 100% and “perfect security” will realistically never be achieved. Fileless attacks and browser exploits offer no files to block and many advanced multi-stage, multi-vector attacks simply unfold in a way that makes them exceptionally difficult if not impossible to prevent. Many of these attacks can only be detected in-progress or after the fact. Specifically, EPP limitations include:
Too Little, Too Late
EPP may detect the malware, but only after it has already achieved partial or total success: the target machine has been compromised, and only one aspect of the attack was blocked.
Many alerts may be generated by EPP with no obvious common threads to tie them together. Analysts can’t see complete incidents or chains of related events.
Something’s Wrong. Now What?
Malware may have been blocked by EPP, but analysts don’t know the extent of the breach, whether it exists on other machines or if anything else needs to be cleaned up.
EDR is no longer a luxury—it is now a necessity.
Endpoint protection is necessary for compliance and for deflecting routine malware and commodity threats, but it is far from sufficient to defend against advanced, sophisticated, or targeted attacks. If you have significant intellectual property, customer, or financial data at risk, EDR is no longer a luxury—it is now a necessity.
Insufficient protection against advanced threats.
On its own, endpoint protection offers insufficient protection against advanced threats. Sophisticated attacks often begin with benign or normal activity indicators—open a document, establish a remote connection, download a resource from the Internet, etc.—but then exhibit suspicious or malicious behavior only later.
Lack of alert triage and response capabilities.
Endpoint protection generates many alerts, but it doesn’t see every element of every attack. Although each alert represents a real threat that was blocked by EPP, there may be follow-up actions required to investigate and take corrective actions beyond deleting the identified malicious files across the enterprise. Where do you start?
Slow response to breaches once discovered.
EPP provides few early warning signs of an attack, draws little distinction between “malicious” and “benign” assessments, and offers few details about the assessment itself. A user may notice a misbehaving computer, or a network engineer may see unusual traffic patterns or data spikes, but no details are offered regarding causation.
Inability to identify root causes and prevent attack recurrence.
OK, so your EPP solution blocked something. Don’t celebrate quite yet. Can you be certain that the entire attack was prevented or just a single aspect of it? Did the rest of the attack evade detection and succeed? What was the entry point? Where did it come from? How do we close off that path, so the attack doesn’t happen again?
No visibility on tactics, techniques, and procedures (TTPs) or indicators of compromise (IOCs) being used across the organization.
Was this a one-time event or is it systemic across many victim machines within the enterprise? Has the same or similar attack occurred multiple times already? Is the attack still taking place on other machines within the organization? Can you take a single indicator of attack or compromise and search for it systemwide?
No advice on proactively improving security posture.
How can you improve on your security posture and harden your defenses against future intrusions? Can you identify operating system misconfigurations, application vulnerabilities and human behavioral factors that add risk to your organization? Once identified, can you measure and track progress against improvement metrics?
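The gaps listed above come down to three questions an EPP alert alone cannot answer: what chain of events surrounds the blocked file, what the entry point was, and whether the same indicator appears on other machines. The following is an added example, not Bitdefender's code and not part of the original article, showing the minimal correlation logic an EDR applies to endpoint telemetry. The telemetry, host names, process IDs, hash values and event field names are all constructed for the example; a real product ingests far richer data, but the shape of the reasoning is the same.

```python
from collections import defaultdict

# Constructed telemetry from three hosts (not real data). An EPP would raise exactly
# one alert here: the blocked stage-two file on HOST-A. Everything else is "normal"
# activity on its own: a document opens, a shell starts, a connection goes out.
EVENTS = [
    {"host": "HOST-A", "type": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"host": "HOST-A", "type": "process_start", "pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docm"},
    {"host": "HOST-A", "type": "process_start", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"host": "HOST-A", "type": "net_connect",   "pid": 300, "dest": "203.0.113.7:443"},
    {"host": "HOST-A", "type": "file_write",    "pid": 300, "path": "C:\\Users\\Public\\stage2.dll",
     "sha256": "SHA256-PLACEHOLDER-1"},
    {"host": "HOST-A", "type": "epp_block",     "pid": 300, "sha256": "SHA256-PLACEHOLDER-1"},
    {"host": "HOST-B", "type": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"host": "HOST-B", "type": "process_start", "pid": 210, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docm"},
    {"host": "HOST-B", "type": "process_start", "pid": 310, "ppid": 210, "image": "powershell.exe"},
    {"host": "HOST-B", "type": "net_connect",   "pid": 310, "dest": "203.0.113.7:443"},
    {"host": "HOST-C", "type": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"host": "HOST-C", "type": "process_start", "pid": 220, "ppid": 100, "image": "chrome.exe"},
    {"host": "HOST-C", "type": "net_connect",   "pid": 220, "dest": "198.51.100.4:443"},
]

# Assumed (illustrative) classification of document handlers and script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def ancestry(procs, pid):
    """Walk parent links from pid back to the root; returns [root, ..., pid]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def descendants(procs, pid):
    """All process IDs spawned (directly or indirectly) by pid."""
    out, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        for child in procs.values():
            if child["ppid"] == cur and child["pid"] not in out:
                out.add(child["pid"])
                stack.append(child["pid"])
    return out


def find_incidents(events):
    """Correlate per-host events into incidents: a document handler that spawns a
    script host, plus everything that script host and its children did afterwards.
    The document command line is reported as the root cause (entry point)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host in sorted(by_host):
        host_events = by_host[host]
        procs = {e["pid"]: e for e in host_events if e["type"] == "process_start"}
        for p in procs.values():
            parent = procs.get(p["ppid"])
            if parent and parent["image"] in OFFICE_APPS and p["image"] in SCRIPT_HOSTS:
                pids = descendants(procs, p["pid"]) | {p["pid"]}
                related = [e for e in host_events
                           if e["pid"] in pids and e["type"] != "process_start"]
                incidents.append({
                    "host": host,
                    "root_cause": parent.get("cmdline", parent["image"]),
                    "chain": [x["image"] for x in ancestry(procs, p["pid"])],
                    "related": related,
                    # Did EPP block anything in this chain? False means the whole
                    # chain ran to completion with no alert at all.
                    "blocked": any(e["type"] == "epp_block" for e in related),
                })
    return incidents


def search_indicator(events, indicator):
    """Enterprise-wide search for a single IOC (hash, destination, image or path);
    returns the sorted list of hosts on which it appears."""
    hits = {e["host"] for e in events
            if indicator in (e.get("sha256"), e.get("dest"), e.get("image"), e.get("path"))}
    return sorted(hits)


if __name__ == "__main__":
    for inc in find_incidents(EVENTS):
        print(f"{inc['host']}: {' -> '.join(inc['chain'])}  root cause: {inc['root_cause']}  "
              f"EPP blocked: {inc['blocked']}  related events: {len(inc['related'])}")
    # Pivot from the one EPP alert to the rest of the estate.
    print("hash seen on:", search_indicator(EVENTS, "SHA256-PLACEHOLDER-1"))
    print("C2 destination seen on:", search_indicator(EVENTS, "203.0.113.7:443"))
```

Run against the constructed data, the EPP alert on HOST-A becomes a three-process chain with a named entry point (the macro-enabled document), and the destination it connected to pivots to HOST-B, where the same chain ran and nothing was blocked. That second host is exactly the case the article describes: the attack is "still taking place on other machines" and the single alert gave no hint of it.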
Join our online seminar on March 2nd 2021. We’ll answer these questions, and you’ll find out why you need EDR in your defensive stack.
Close your key security gaps and level up your defenses with Bitdefender EDR.