Why the bad rap of traditional protection measures needs a rethink

Vibin Shaju, VP Solutions Engineering EMEA at Trellix, discusses the importance of operating with the most ideal endpoint security platform and how to establish it effectively.

Nowadays everybody wants to talk about how cybersecurity is a detection and mitigation game rather than one of protection. While these arguments have undeniable merit, signature-based protection is not as ‘dead’ as some would have us believe. Antivirus has become a quaint notion amid SIEM, IAM, CASB and other new kids on the block. But while these newer technologies are powerful and vital to our modern cybersecurity ecosystem, we ignore legacy endpoint detection and response (EDR) at our peril. As you read this, it is still in service and to great effect in thousands of organisations across the Middle East, filtering out the known threats that make up a substantial proportion of those we face every day. Its ability to do this job in real time reduces the resource burden on more advanced engines (those that go beyond signatures), much as the advanced engines alleviate the stress on human teams. Not surprisingly, according to Trellix’s recent Mind of the CISO research, 60% of organisations across the UAE and Saudi Arabia say EDR is a part of their cybersecurity infrastructure.

Paradox of choice

Having established the EDR solution as a critical component of the security stack, we must confront a problem, one that did not exist at the turn of the millennium: too many vendors. Back in 2001, say, only a handful of antivirus specialists existed. Today, it’s dozens. And while having options is always beneficial, when each vendor claims to have the silver bullet, selection becomes problematic.

Word of mouth and comparison tests are certainly valid criteria in some respects. But a better approach is to think of the specification and selection of EDR as you would any other procurement decision. Consider your unique business model and use cases before sitting down with a single vendor. This approach trumps all the global analyses and test results in the world.

For example, a vendor could rate highly on cloud and multitenancy, but what if that is not applicable for your business? By all means, read analyst reports, but read them in full, right down to the fine print. And when you find a vendor that covers your use case, be sure to ask yourself if the solution in question is a core offering. Does it account for a considerable part of the vendor’s total revenue? If the answer to these questions is ‘yes’, then it is more likely that they are strong in this area and a good fit for your enterprise.

Of particular importance in the Middle East is whether the vendor has a local presence and what form that presence takes. Is it through a value-added distributor (VAD) or a systems integrator (SI)? How long has this vendor or its channel partner been in operation locally? Is there a managed service ecosystem in place?

When it comes to EDR, vendors must also demonstrate strong R&D credentials. The ability to detect issues early is entirely predicated on intelligence, and without a strong research arm this becomes impossible. Procurement teams should quiz vendors on their collaboration with law enforcement agencies and intelligence organisations. They should also ascertain what level of access they, the customer, will have to raw research and intelligence feeds after the EDR solution is deployed.

The solution

After determining the service commitments of the vendor, it is time to consider their wares. And when doing so, we should think modularly. First, the basics. Make sure prevention sensors are included that can block known malicious files in real time through signature matching, access-protection policies, exploit-prevention content, memory protection, file reputation and other techniques. Moving into more advanced territory, we must look for advanced inspection techniques that employ AI, sandboxing, script analysis and more to improve knowledge over time. Such lessons must be shared with other sensors so that the EDR ecosystem can respond as a single organism when a threat is encountered again. All of this should be automated and rapid.

The core of EDR, defence, should provide the means for the SOC to act strategically. Advanced defence sensors must gather, summarise and visualise evidence, presenting it in a form analysts can act on quickly. AI and the cloud play important roles in this part of the process.

Also part and parcel of the ideal endpoint security platform is forensics. Sensors must provide incident-response teams with the right information in real time so that they can continually analyse attack behaviours in the form of tactics, techniques and procedures (TTPs). This can occur on a scheduled or automated basis. Forensics is how we improve our security posture; post-event analysis is impossible without it, so information gathering must be comprehensive.

Intelligence feeds

All these sensors are ineffective on their own. Their telemetry must be complemented by strong threat intelligence. Threat landscapes are so treacherous because of their constant evolution. Gathered data and intel feeds about outside incidents can come together to help security teams keep up with the changes. For a business that straddles physical, virtual and cloud environments, the ideal solution will provide a hybrid deployment and management architecture. Any good vendor will be able to adapt to your business model.

It is also worth mentioning that the use of multiple vendors will compromise your ability to share intelligence across the security ecosystem. Each of the sensors described here is often sold as a standalone product and, once deployed, becomes a silo. By unifying them with a single purpose and a data-sharing approach, we essentially reinvent EDR for the hybrid era.

If you have been keeping up with developments in the cybersecurity industry, you may be wondering why I have mentioned XDR only once, in passing. In fact, EDR is just one branch of XDR, which is an extensive platform that unites many branches of cybersecurity, including network, email and cloud. When procuring an endpoint platform, look for an open architecture that enables bidirectional integration with an XDR platform.

Remember, EDR is not the end of the story, merely a vital part of it that should not be ignored simply because our security conversation has evolved.

Intelligent CISO