When it comes to security, prioritization is often the most used word. With an ever-increasing number of threats matched by an increasing number of respective security technologies, being secure is about clearly determining which security measures one needs the most.
There are various frameworks to fill this knowledge gap for decision makers. A good example is Gartner’s recently released ‘Top 10 Security Projects for 2019’, which lists the ten security fields representing the most pressing needs:
1. Privileged access management
2. CARTA-inspired vulnerability management
3. Detection and response
4. Cloud security posture management
5. Cloud security access broker
6. Business email compromise
7. Dark data discovery
8. Security incident response
9. Container security
10. Security rating services
• Cloud is rising: It is easy to see how this list reflects the changing IT infrastructure, with no less than four bullets (4,5,6,9) dedicated to various aspects of cloud security.
• Outsource incident response: conducting an incident response procedure with in-house resources only is not feasible for most, if not all, organizations, and not economical even for those who can afford the budget, staff, skills and product stack.
• Proactive reduction of attack surface: projects 1 and 2 are all about being proactive before anything happens. Vulnerable apps and privileged accounts have become the most critical attack surfaces. Maintaining security patch routines and closely monitoring privileged accounts can reduce or even eliminate exposure to most attacks.
• Endpoint protection matters: the ability to detect and respond to attacks on the endpoint remains a high-priority project. Even in our era of increasing cloud penetration, the endpoint is still the stage for many attacks – ransomware, banking trojans and crypto-miners are just a few of the most common examples.
In the next part of this post, we’ll focus on Detection and Response (project number 3), understand Gartner’s approach and challenge it by pointing out the significant security gaps that follow from it.
Detection and Response According to Gartner
Gartner breaks down Detection and Response as follows:
• Look to your current endpoint protection platform (EPP) vendor to provide endpoint detection and response (EDR) capabilities.
• Determine which capabilities to integrate with SIEM and SOAR capabilities.
• If the vendor claims to have AI or ML capabilities, test these thoroughly in a proof of concept (POC) to determine effectiveness.
While all three tips are of great interest, in this blog we’ll focus on the first one only.
Gartner: Detection and Response == Endpoint Detection and Response
Gartner equates the ability to detect and respond to attackers that have successfully evaded the network/endpoint prevention layer with the Endpoint Detection and Response category. Implicitly, Gartner says that for such attacks, an agent on the endpoint would be more efficient than a network analytics or UEBA tool.
The reasoning here is rather clear – most of the advanced attacks today start by compromising an endpoint and expanding from there throughout the victim’s internal environment. It only makes sense that detection of such attacks should start at the exact point where the prevention layer failed. Moreover, in order to apply remediation on the endpoint, an agent is necessary. However, we believe that there are some inherent flaws in this argument – let’s explore them.
EDR Internals – Focus on File and Processes
The common thread to all EDRs is that they focus on files and processes, or more accurately on malicious activity that manifests itself through anomalous file structure or process behavior and can therefore be detected by monitoring them.
From the EDR evolution perspective it makes total sense. In the same manner that NGAV evolved from the failures of traditional AV to block new malware, EDR evolved from the failure of NGAV to block 100% of this malware. And since AV and NGAV focus on files and processes, so does EDR.
The Three Ways Malicious Activity Reveals Itself
The problem is that process behavior is just one part of how malicious activity manifests itself. In fact, it can be traced by anomalies in any of process behavior, network traffic or user activity. Most forms of data exfiltration do not involve any unusual process behavior, nor does logging in to a critical server with a compromised user account.
The kind of attacks that require detection and response are the ones where the attackers compromise the first endpoint as a stepping stone to expand within the environment until reaching sensitive data. Doing that would typically entail reconnaissance, credential theft, lateral movement, data access and data exfiltration. Any of these stages can be fully achieved without the slightest process anomaly and therefore, are invisible to EDR.
The Cynet Way – Autonomous Security Platform
Cynet 360 was built to be an autonomous security platform, meaning that it integrates all the technologies that are required for breach protection. In the context of detection and response, Cynet includes EDR as a subset of its detection and response capabilities, but fully complements them with Network Analytics and User Behavior Analysis.
In that manner, Cynet is able to accurately detect malicious presence and activity, regardless of the attack vector it utilizes. Let’s illustrate this with the most common malicious activity: credential theft.
Credential Theft Detection with Process Behavior Monitoring
Let’s take credential theft as an example. Attackers can attempt to obtain credentials by dumping the host’s memory with Mimikatz or similar tools. This would entail a process anomaly, because the attacker’s process would access a memory location that is normally accessed only by a defined and known process. In this case, Cynet would catch it with its process and memory monitoring, and so probably would some of the EDR products.
Credential Theft Detection with Network Traffic Monitoring
But what if the attacker gained these credentials from the network traffic, using a Man-in-the-Middle attack such as ARP spoofing or DNS responder? There is no malicious process here. While the typical EDR would see nothing, Cynet would detect it by monitoring the network traffic.
Credential Theft Detection with User Activity Monitoring
Similarly, let’s assume that the attacker has obtained the passwords from a poorly secured server and is now logging in to a critical resource, with an impersonated user account. Again, EDR would see nothing. However, Cynet, using its high-resolution user activity profiling, would pinpoint this anomalous activity and flag it as malicious.
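The three credential-theft scenarios above map onto three independent telemetry sources. The following added example (written for this post; it is not Cynet’s or Gartner’s code and makes no claim about how Cynet 360 works internally) runs one small detector per source over constructed sample events: a process reading LSASS memory, a second MAC address claiming the gateway’s IP in ARP replies, and a user logging on to a host outside their baseline. All hostnames, users, IPs, MACs, the LSASS reader allow-list and the logon baseline are made-up sample data. Only the first detector has anything to work with in the memory-dump case; the ARP and logon cases produce no process anomaly at all, which is exactly the gap a process-only sensor leaves.

```python
"""Added example, not code from Cynet or Gartner.

Three detectors, one per telemetry source named in the post (process behaviour,
network traffic, user activity), run over constructed sample telemetry.
"""

# Processes that legitimately read LSASS memory on a typical Windows host.
# Assumption for this example; a real allow-list is tuned per environment.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "svchost.exe"}

# Constructed process telemetry: handle opens with read access on a target process.
PROCESS_EVENTS = [
    {"host": "ws01", "process": "csrss.exe",   "target": "lsass.exe",  "access": "PROCESS_VM_READ"},
    {"host": "ws01", "process": "updater.exe", "target": "lsass.exe",  "access": "PROCESS_VM_READ"},
    {"host": "ws01", "process": "chrome.exe",  "target": "chrome.exe", "access": "PROCESS_VM_READ"},
]

# Constructed ARP telemetry: (sender IP, sender MAC) pairs observed in ARP replies.
# The gateway 10.0.0.1 is first announced by ...:01 and later claimed by ...:99.
ARP_EVENTS = [
    {"ip": "10.0.0.1",  "mac": "aa:bb:cc:00:00:01"},
    {"ip": "10.0.0.25", "mac": "aa:bb:cc:00:00:25"},
    {"ip": "10.0.0.1",  "mac": "aa:bb:cc:00:00:99"},   # conflicting claim for the gateway
    {"ip": "10.0.0.1",  "mac": "aa:bb:cc:00:00:99"},   # repeated spoofed reply
]

# Constructed authentication telemetry: successful interactive logons.
AUTH_EVENTS = [
    {"user": "jdoe",  "src": "ws01",   "dst": "ws01"},
    {"user": "jdoe",  "src": "ws01",   "dst": "mail01"},
    {"user": "jdoe",  "src": "ws01",   "dst": "dc01"},   # first time jdoe touches a domain controller
    {"user": "admin", "src": "jump01", "dst": "dc01"},
]

# Constructed baseline of hosts each user normally logs on to. In practice this
# is learned from weeks of history rather than hard-coded.
LOGON_BASELINE = {
    "jdoe":  {"ws01", "mail01"},
    "admin": {"jump01", "dc01", "fs01"},
}


def detect_lsass_access(events, allowed=LSASS_READERS_ALLOWED):
    """Process-behaviour detector: a non-allow-listed process reading LSASS memory."""
    alerts = []
    for e in events:
        if e["target"].lower() == "lsass.exe" and "VM_READ" in e["access"]:
            if e["process"].lower() not in allowed:
                alerts.append(f"{e['host']}: {e['process']} read lsass.exe memory")
    return alerts


def detect_arp_conflicts(events):
    """Network-traffic detector: the same IP claimed by more than one MAC.

    A conflicting claim for a gateway IP is the classic ARP-spoofing signature;
    no process on the victim host does anything unusual while this happens.
    """
    seen = {}      # ip -> first MAC that claimed it
    alerts = []
    for e in events:
        first = seen.setdefault(e["ip"], e["mac"])
        if first != e["mac"]:
            alert = f"{e['ip']} claimed by {e['mac']} but previously bound to {first}"
            if alert not in alerts:   # de-duplicate repeated spoofed replies
                alerts.append(alert)
    return alerts


def detect_unusual_logons(events, baseline=LOGON_BASELINE):
    """User-activity detector: a logon to a host outside the user's baseline.

    The logon itself is a perfectly normal OS operation, so only the user
    profile, not process monitoring, can flag it.
    """
    alerts = []
    for e in events:
        if e["dst"] not in baseline.get(e["user"], set()):
            alerts.append(f"{e['user']} logged on to {e['dst']} from {e['src']} (not in baseline)")
    return alerts


def run_all():
    """Run the three detectors and return their alerts keyed by telemetry source."""
    return {
        "process": detect_lsass_access(PROCESS_EVENTS),
        "network": detect_arp_conflicts(ARP_EVENTS),
        "user":    detect_unusual_logons(AUTH_EVENTS),
    }


if __name__ == "__main__":
    for source, alerts in run_all().items():
        print(f"[{source}] {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", a)
```

Running the script yields one alert per source. Dropping the "network" and "user" keys from the result is what a process-only sensor's view looks like: the LSASS read is caught, while the spoofed gateway and the first-ever logon to a domain controller go unreported.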
Detection and Response Revisited
The credential theft example illustrates the limitations of standalone EDR in terms of covering potential attack surfaces. We agree 100% with Gartner that detection and response should be highly prioritized (one might argue that it should even be placed higher than third). However, to adequately achieve this mission-critical capability, one needs much more than merely EDR. Attackers will take advantage of any weak link, and if there is tight protection on the endpoint’s processes, they’ll shift their efforts to the network traffic and user activity. Only with holistic threat visibility into all components of the internal environment can true detection and response be achieved.