My colleagues Doug Cahill, Kyle Prigmore and I recently completed a research project on next-generation endpoint security (login required). We determined that there are actually two distinct product categories within next-generation endpoint security: advanced prevention and advanced detection and response (aka EDR). While most firms seem to be gravitating toward advanced prevention, massive enterprise organizations tend to move in the opposite direction by evaluating, testing, and deploying EDR products. Why? These organizations have large cybersecurity teams with lots of experience, so they are willing to dedicate resources toward more complex projects. Furthermore, many of these enterprise organizations are already investing in security analytics by collecting, processing, and analyzing data from numerous disparate sources (e.g. network forensics, events/logs, threat intelligence, etc.). Endpoint forensic data is a natural extension of these cybersecurity analytics efforts.
ESG also found that highly-experienced cybersecurity analysts are extremely skeptical about every type of threat prevention technology. In their minds, effective threat prevention technologies are a short-term fix at best — a proverbial cybersecurity Band-Aid on the threat landscape bullet hole.
This thesis states that once any new threat prevention technology gains critical mass, prodigious hackers will find ways to circumvent it. Rather than place short-term bets on others, these cybersecurity professionals would rather double down on cybersecurity analytics, bolster their ability to detect and respond to cyber-attacks, and use homegrown incident detection and response processes to build their own prevention controls along the way.
There are numerous EDR products available today including those from vendors like Carbon Black, CounterTack, Crowdstrike, Cybereason, Digital Guardian, Endgame, Guidance Software, and Hexis Cyber Solutions (now part of Watchguard). Other vendors monitor some aspects of endpoint behavior as well. So given all of the choices, what kinds of EDR capabilities are large organizations looking for? Based upon our research, ESG believes that the best products for advanced detection and response will offer:
- Strong data management models. Vendors like to debate each other in this area. Should EDR products sample endpoint data or collect everything that happens on every endpoint? Should the data remain local on the endpoints or migrate to a central analytics server? Enterprise CISOs respond to this question with just one word, “yes.” In other words, EDR products should offer a host of flexible data management options since all endpoints are not created equally. Large organizations may want to collect and analyze all of the forensic data associated with Active Directory servers but only sample what’s happening on endpoints in the call center. In EDR, data management options and flexibility trump data management dogma every time.
- Massive scale. The enterprises we spoke with in our research project had tens or even hundreds of thousands of endpoints on their networks. Since sophisticated attacks tend to meander from one system to the next, large organizations need EDR products that can track activity across the whole enterprise enchilada, which requires tremendous data management scale. EDR products designed for this type of environment tend to have tiered architectures and distributed databases to accommodate these scalability requirements. The best products can also be used for “hunting” activities, with ample performance to deliver answers to complex queries with acceptable response times.
- Built-in analytics. While SOC personnel and forensic investigators have their own methodologies and runbooks, they also want their EDR products to bring some supplemental intelligence to the party. This can be anything from cloud-based threat intelligence correlation, to machine learning, to statistical modelling. Anything that helps them improve the signal-to-noise ratio is welcome.
- Open integration. Advanced detection and response tools on endpoints must fit gracefully into a broader cybersecurity analytics system including network forensics, malware analysis, SIEM tools, CMDBs, threat intelligence, etc. Many enterprises are doing further integration by weaving all of these individual components into integrated cybersecurity orchestration platforms (ICOPs) from vendors like Hexadite, IBM (Resilient Systems), Phantom Cyber, and ServiceNow. Given this integration focus, EDR products must come instrumented with open and documented APIs and reference architectures.
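To make the data management point and the built-in analytics point concrete, here is an added example (written for this post, not code from ESG or from any of the EDR vendors named above). It applies a per-group collection policy of the kind described above, full collection for domain controllers and sampling for call-center endpoints, and then runs one simple statistical analytic on what was kept: fleet-wide prevalence of process parent/child pairs, so that a pair seen on only one or two hosts surfaces while fleet-wide normal activity stays quiet. The policy dictionary, host names, groups, sample rate and telemetry events are all constructed for the illustration.

```python
"""Added example (not from the ESG post or any vendor product): a toy EDR
pipeline that applies a per-group collection policy (full vs. sampled) and then
scores process parent/child pairs by fleet prevalence so that rare pairs surface.
All endpoint names, groups, rates and events below are constructed."""
import hashlib
from collections import defaultdict

# Constructed collection policy, one rule per endpoint group (assumption: a real
# EDR product would expose this as configuration rather than a dict).
POLICY = {
    "domain_controllers": {"mode": "full"},
    "call_center": {"mode": "sampled", "sample_rate": 0.25},
}


def keep_event(event, policy=POLICY):
    """Decide whether an event is retained under its group's collection rule.

    Sampling is keyed on a hash of (host, parent, child) rather than a random
    draw, so every repeat of the same pair on the same host is kept or dropped
    consistently and a sampled host still yields coherent process lineage.
    """
    rule = policy[event["group"]]
    if rule["mode"] == "full":
        return True
    key = f"{event['host']}|{event['parent']}|{event['child']}".encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") / 2**32
    return bucket < rule["sample_rate"]


def prevalence(events):
    """Map each (parent, child) pair to the number of distinct hosts it ran on."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e["parent"], e["child"])].add(e["host"])
    return {pair: len(hosts) for pair, hosts in hosts_by_pair.items()}


def rare_pairs(events, fleet_size, max_fraction=0.05):
    """Pairs seen on at most max_fraction of the fleet, sorted for stable output."""
    return sorted(
        pair for pair, n in prevalence(events).items() if n / fleet_size <= max_fraction
    )


def build_fleet_events():
    """Constructed telemetry: 10 domain controllers (full collection) and
    30 call-center hosts (sampled). Every host shows a common pair; one
    domain controller also shows a pair that is rare across the fleet."""
    events = []
    hosts = [(f"dc{i:02d}", "domain_controllers") for i in range(1, 11)]
    hosts += [(f"cc{i:02d}", "call_center") for i in range(1, 31)]
    for host, group in hosts:
        events.append({"host": host, "group": group,
                       "parent": "explorer.exe", "child": "outlook.exe"})
    events.append({"host": "dc03", "group": "domain_controllers",
                   "parent": "winword.exe", "child": "powershell.exe"})
    return events, len(hosts)


def run_pipeline():
    """Apply the policy, then score what was kept. Returns (kept, rare)."""
    raw, fleet_size = build_fleet_events()
    kept = [e for e in raw if keep_event(e)]
    return kept, rare_pairs(kept, fleet_size)


if __name__ == "__main__":
    kept, rare = run_pipeline()
    print(f"kept {len(kept)} of {len(build_fleet_events()[0])} events")
    for parent, child in rare:
        print(f"rare on fleet: {parent} -> {child}")
```

The tradeoff the post describes shows up directly in the output: the rare pair on the fully collected domain controller is always surfaced, whereas a pair that only ever occurred on a sampled call-center host may never be kept at all, and the observed prevalence of a sampled group is biased low. That is exactly why the collection policy belongs with the asset's value rather than being one fixed vendor default.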
Finally, with EDR, it’s not all about products alone. Advanced detection and response vendors should expect extremely demanding and savvy customers as EDR projects are not for the faint of heart. Therefore, successful EDR vendors will supplement products with hands-on customer service and a willingness to customize their products for specialized requirements and use cases.