I’ve known Cybereason CSO, Sam Curry for years, so it was a pleasure to lure him to ESG’s virtual studio for a SOAPA video. In part 1 of our 2-part series, Sam and I discuss:
- Why EDR? Sam describes how, unlike SIEM, EDR is designed for one specific purpose – finding the bad guys. The best EDR solutions identify signals in all the noise, alert humans about malicious activities, and make it easy for them to take action.
- EDR as part of SOAPA. While EDR monitors endpoints, SOAPA brings in telemetry from other sources, analyzes the data, and makes the data actionable. So, SOAPA takes the best aspects of EDR and supplements them.
- EDR for “low and slow” attack detection. One of the knocks on EDR is that it looks at cybersecurity incidents on an endpoint-by-endpoint basis, thus missing APTs that slowly follow a kill chain attack pattern. Sam disputes this assertion, proclaiming that a good EDR system acts as a behavioral tracker and system of record that uses advanced analytics to stitch attacks together as they progress. The keys are data quality, analytics, and making the data intuitive and actionable.
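To make the "stitching" idea concrete, here is an added illustration that is not code from the post, from Cybereason, or from any product: a small Python routine over a constructed set of endpoint telemetry records (the hostnames, PIDs, images and timestamps are all invented). It links process-start events by parent/child lineage on one host and by remote-logon events across hosts, then walks out from a single alert to recover the whole chain, even when its steps are days apart and spread over several endpoints.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry (hypothetical values, not from the post). Each record is
# one event an EDR sensor would write to its system of record. The timestamps
# span several days to mimic a "low and slow" intrusion.
TELEMETRY = [
    {"ts": "2019-03-01T09:00:00", "host": "WS-01", "type": "process", "pid": 100, "ppid": 1, "image": "outlook.exe"},
    {"ts": "2019-03-01T09:05:00", "host": "WS-01", "type": "process", "pid": 220, "ppid": 100, "image": "winword.exe"},
    {"ts": "2019-03-01T09:06:00", "host": "WS-01", "type": "process", "pid": 310, "ppid": 220, "image": "powershell.exe"},
    {"ts": "2019-03-03T22:40:00", "host": "WS-01", "type": "process", "pid": 450, "ppid": 310, "image": "suspicious.exe"},
    # A remote logon ties the originating process on WS-01 to the new session's
    # root process on SRV-07 (constructed cross-host link).
    {"ts": "2019-03-05T02:15:00", "host": "WS-01", "type": "remote_logon", "pid": 310, "dst_host": "SRV-07", "dst_pid": 800},
    {"ts": "2019-03-05T02:15:30", "host": "SRV-07", "type": "process", "pid": 800, "ppid": 4, "image": "wmiprvse.exe"},
    {"ts": "2019-03-05T02:16:00", "host": "SRV-07", "type": "process", "pid": 910, "ppid": 800, "image": "cmd.exe"},
    # Unrelated benign activity on the same server that must NOT be stitched in.
    {"ts": "2019-03-05T02:20:00", "host": "SRV-07", "type": "process", "pid": 950, "ppid": 4, "image": "svchost.exe"},
]


def build_graph(events):
    """Build an undirected graph whose nodes are (host, pid) process records.

    Parent/child edges come from process starts on one host; cross-host edges
    come from remote logon events. Edges are only added between processes that
    actually appear in the telemetry, so unknown system roots (pid 1, pid 4)
    do not glue every process on a host together.
    """
    node_info = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    adj = defaultdict(set)

    def link(a, b):
        if a in node_info and b in node_info:
            adj[a].add(b)
            adj[b].add(a)

    for e in events:
        if e["type"] == "process":
            link((e["host"], e["pid"]), (e["host"], e["ppid"]))
        elif e["type"] == "remote_logon":
            link((e["host"], e["pid"]), (e["dst_host"], e["dst_pid"]))
    return node_info, adj


def stitch_chain(events, seed):
    """Starting from one alert (a (host, pid) node), recover every linked
    process event across hosts and days, returned in timestamp order."""
    node_info, adj = build_graph(events)
    seen, stack = set(), [seed]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node] - seen)
    return sorted((node_info[n] for n in seen), key=lambda e: e["ts"])


def chain_span_days(chain):
    """Whole days between the first and last stitched event (the dwell time an
    endpoint-by-endpoint view would never surface)."""
    first = datetime.fromisoformat(chain[0]["ts"])
    last = datetime.fromisoformat(chain[-1]["ts"])
    return (last - first).days


def endpoint_only_view(events, host):
    """What an analyst sees when each endpoint is examined in isolation."""
    return [e for e in events if e["host"] == host and e["type"] == "process"]


if __name__ == "__main__":
    # Seed with the alert an analyst would first see: cmd.exe on SRV-07.
    chain = stitch_chain(TELEMETRY, ("SRV-07", 910))
    for e in chain:
        print(e["ts"], e["host"], e["image"])
    print("hosts involved:", sorted({e["host"] for e in chain}))
    print("span in days:", chain_span_days(chain))
    print("SRV-07 alone shows", len(endpoint_only_view(TELEMETRY, "SRV-07")), "events")
```

The seed is the last, noisiest step (a shell on the server); walking the lineage and logon links back in time pulls in the phishing document and the PowerShell stage from four days earlier on a different workstation, while the unrelated `svchost.exe` on the same server stays out because nothing in the telemetry links it. That is the difference between a per-endpoint alert queue and a system of record that can be queried as a graph.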
- SOAPA integration. SOAPA covers a lot of security technology domains so I ask Sam how Cybereason customers start building an architecture. Demonstrating his role as a CSO, Sam turns this question around to a business goal, insisting that users should focus on the results they want to achieve and then work backward to technology integration. Sam reminds the audience that the goals are coordinating humans and improving processes, not technology integration alone.
I really think that Sam Curry could address cybersecurity issues in his sleep. Stay tuned for Part 2 of our SOAPA video.