1. Confidently report on the state of security at any time
IT and security teams often track attack and defense statistics, yet the hardest question for most teams to answer is "are we safe right now?" Most networks have significant blind spots, so IT and security teams cannot see everything that is happening in their environments.
Lack of visibility is the main reason organizations struggle to understand the scope and impact of an attack. This often shows when an incident occurs and the team assumes it is safe because that one incident was detected. EDR provides the additional insight needed to determine whether other machines were affected as well. For example, when a suspicious executable is found on one machine, it is quarantined or removed. Without EDR, the analyst often has no way of knowing whether that same executable still exists elsewhere in the environment; with EDR, that information is readily available. By seeing every other location where a threat is present, the security team can prioritize incidents for further investigation and remediation.
A clear picture of the organization's overall security status also makes it possible to report on its compliance status. This information helps identify areas that may be vulnerable to attack, and it lets administrators determine whether an attack has reached systems that hold sensitive data. For example, if malware is detected that exfiltrates data from the network, an analyst must determine whether the affected machines contain medical information subject to the GDPR (or to BIO, NEN 7510, etc.). A further compliance benefit of modern endpoint solutions is that good endpoint visibility makes it much easier to demonstrate that patient information is protected.
2. Detect attacks that have gone undetected
When it comes to cybersecurity, even the most advanced tools can be defeated with sufficient time and resources, making it difficult to really understand when attacks are taking place. Organizations often rely only on prevention to stay protected, and while prevention is critical, EDR provides an additional layer of detection capabilities to identify potentially undetected incidents.
Organizations can use EDR to detect attacks by searching for indicators of compromise (IOCs), such as IP addresses or URLs. This is a quick and simple way to find attacks that may have been missed. Threat hunts are often started after a third-party notification: a government body (such as the NCSC-Cert) may inform an organization that there is suspicious activity on its network. The notification may come with a list of IOCs, which serve as the starting point for determining what happened.
EDR solutions often present a list of the most suspicious events so that analysts know exactly what to investigate. Machine learning is used to rank these events, typically by a threat score, which makes it easy for analysts to prioritize their workload and focus on the events that matter most.
Suspicious events also illustrate a common scenario in which analysts are asked to determine whether something is truly malicious: activity that is not malicious enough to be classified as undesirable automatically, yet suspicious enough to warrant a closer look. Much new code and many scripts fall into this "gray area", where additional analysis is needed to confirm whether they are malicious, benign or merely unwanted.
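The IOC sweep described above (and the "does this executable still exist elsewhere?" question from section 1) comes down to normalising a list of indicators and matching every endpoint's telemetry against it. The following Python is an added example, not code from any EDR product: it sweeps constructed JSON-lines telemetry (invented hostnames, hashes, addresses and domains) for hashes, IPs or CIDR ranges, and domains, and then orders the affected hosts for investigation. The field names (`host`, `sha256`, `dst_ip`, `query`, `url`) are assumptions for the example; a real agent's schema will differ.

```python
"""Sweep endpoint telemetry for indicators of compromise (IOCs)."""
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed telemetry: one JSON record per line, the way an EDR agent might
# forward process, network and DNS events to a central store. Hostnames, hashes,
# addresses and domains are invented for this example.
SAMPLE_TELEMETRY = r"""
{"host": "ws-001", "type": "process", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe", "sha256": "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"}
{"host": "ws-001", "type": "network", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe", "dst_ip": "203.0.113.45", "dst_port": 443}
{"host": "ws-001", "type": "network", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe", "url": "https://updates-cdn.example.net/c2/beacon"}
{"host": "ws-002", "type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000001"}
{"host": "ws-002", "type": "dns", "image": "C:\\Program Files\\Browser\\browser.exe", "query": "cdn.example.com"}
{"host": "srv-db-01", "type": "network", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "198.51.100.7", "dst_port": 8080}
{"host": "srv-db-01", "type": "dns", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "query": "stage.updates-cdn.example.net."}
{"host": "ws-003", "type": "process", "image": "C:\\Users\\b\\Downloads\\update.exe", "sha256": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
"""

# Constructed IOC list of the kind a third-party notification might include.
# A single address and a whole range are both given to show both are handled.
SAMPLE_IOCS = {
    "sha256": ["deadbeef" * 8],
    "ip": ["203.0.113.45", "198.51.100.0/24"],
    "domain": ["updates-cdn.example.net"],
}


def compile_iocs(iocs):
    """Normalise the IOC list once so matching is cheap and case-insensitive."""
    return {
        "sha256": {h.lower() for h in iocs.get("sha256", [])},
        # A single address becomes a /32 network, so one containment test serves both.
        "ip": [ipaddress.ip_network(v, strict=False) for v in iocs.get("ip", [])],
        "domain": {d.lower().rstrip(".") for d in iocs.get("domain", [])},
    }


def matching_domain(name, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def match_event(event, compiled):
    """Return (ioc_type, ioc_value) pairs that one telemetry record matches."""
    hits = []
    sha = event.get("sha256", "").lower()
    if sha in compiled["sha256"]:
        hits.append(("sha256", sha))
    if event.get("dst_ip"):
        try:
            addr = ipaddress.ip_address(event["dst_ip"])
        except ValueError:
            addr = None  # malformed telemetry must not abort the whole sweep
        for net in compiled["ip"]:
            if addr is not None and addr in net:
                hits.append(("ip", str(net)))
    name = event.get("query")
    if not name and event.get("url"):
        name = urlparse(event["url"]).hostname  # URL IOCs are matched on their host
    if name:
        d = matching_domain(name, compiled["domain"])
        if d:
            hits.append(("domain", d))
    return hits


def sweep(telemetry_text, iocs):
    """Map each host with at least one IOC hit to the list of hits found there."""
    compiled = compile_iocs(iocs)
    by_host = defaultdict(list)
    for line in telemetry_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for ioc_type, value in match_event(event, compiled):
            by_host[event["host"]].append({
                "ioc_type": ioc_type, "ioc": value,
                "event_type": event["type"], "image": event.get("image"),
            })
    return dict(by_host)


def prioritize(hits_by_host):
    """Order hosts for investigation: more distinct IOC types first, then more hits."""
    def key(host):
        hits = hits_by_host[host]
        return (-len({h["ioc_type"] for h in hits}), -len(hits), host)
    return sorted(hits_by_host, key=key)


if __name__ == "__main__":
    hits = sweep(SAMPLE_TELEMETRY, SAMPLE_IOCS)
    for host in prioritize(hits):
        print(host)
        for h in hits[host]:
            print(f"  {h['ioc_type']:<7} {h['ioc']:<64}  via {h['event_type']} event, {h['image']}")
```

On the constructed data, `ws-001` comes out on top (hash, address and domain all match), `srv-db-01` matched only through the range and a subdomain of the listed domain, and `ws-003` shows the same hash under another user's profile, the "still exists elsewhere" case from section 1. Two details matter in practice: hashes must be compared case-insensitively, because notifications and agents disagree on case, and domain IOCs should match subdomains, because a beaconing host rarely contacts the bare apex name.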
3. Respond more quickly to potential incidents
Once an incident is detected, IT and security teams typically try to address it as quickly as possible, to reduce the risk of the attack spreading and to limit the damage. The most pressing question is how to get rid of each threat. On average, security and IT teams spend more than three hours on each incident; EDR can shorten this considerably.
The first step an analyst can take during incident response is to stop the attack. An endpoint security product that includes EDR can isolate an endpoint on demand, which is an important step in preventing a threat from spreading further through the environment. Analysts often do this before investigating, buying time while they determine the best course of action.
The investigation process can be slow and painful, assuming an investigation takes place at all. Incident response has traditionally depended heavily on highly trained human analysts, and most EDR tools likewise rely on analysts knowing which questions to ask and how to interpret the answers. With new endpoint security that includes EDR, security teams of any skill level can respond quickly to incidents through guided investigations that propose next steps, show a clear visual representation of the attack and build in expert knowledge.
Guided incident response provides proposed next steps and on-demand endpoint isolation so that incidents are resolved quickly and safely. When an investigation is complete, analysts can respond with the click of a button. Quick response options include isolating endpoints for immediate remediation, cleaning and blocking files, and taking forensic snapshots. If a file is blocked by mistake, the block can easily be reversed.
4. Understand how an attack took place to prevent new attacks
Every security analyst who has lived through an attack knows the recurring nightmare: an executive shouts "How did this happen?!" and the analyst can only shrug. Identifying and deleting malicious files solves the immediate problem, but it does not reveal how the malware got there in the first place or what the attacker did before the attack was stopped.
"Threat cases" identify all the events that led up to a detection, making it easy to see which files, processes and registry keys the malware touched and thus to determine the impact of an attack. They provide a visual representation of the entire attack chain and accurate reporting on how the attack began and where the attacker went. More importantly, by understanding the root cause of an attack, the IT team is much better placed to prevent future attacks.
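A threat case is, at its core, a walk over the process tree recorded by the endpoint agent: from the detected process up its parent links to the root cause, then down to everything it spawned, collecting the file, registry and network activity of every process on that path. The Python below is an added example of that reconstruction, not a product's threat-case engine; the telemetry (pids, paths, command lines, a mail client opening a macro document that launches PowerShell, which drops and runs an executable) is constructed, and the `render` function is a plain-text stand-in for the visual graph the text describes.

```python
"""Reconstruct the chain of events behind a detection from endpoint telemetry."""
from collections import defaultdict

# Constructed telemetry for one host, roughly what an EDR agent records: process
# starts with parent links, plus the file, registry and network activity of each
# process. Every pid, path and command line here is invented for the example.
SAMPLE_EVENTS = [
    {"ts": "09:58:02", "type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Mail\outlook.exe", "cmdline": "outlook.exe"},
    {"ts": "10:01:14", "type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Office\winword.exe", "cmdline": r'winword.exe "C:\Users\a\Downloads\invoice.docm"'},
    {"ts": "10:01:15", "type": "file", "pid": 200, "op": "read", "path": r"C:\Users\a\Downloads\invoice.docm"},
    {"ts": "10:01:40", "type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -w hidden -nop -c <download-and-run stub>"},
    {"ts": "10:01:43", "type": "network", "pid": 300, "dst": "updates-cdn.example.net:443"},
    {"ts": "10:01:44", "type": "file", "pid": 300, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    {"ts": "10:01:45", "type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\a\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"ts": "10:01:46", "type": "registry", "pid": 400, "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "10:01:50", "type": "process", "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Unrelated activity on the same host, which must stay out of the case.
    {"ts": "10:02:00", "type": "process", "pid": 600, "ppid": 1, "image": r"C:\Program Files\Browser\browser.exe", "cmdline": "browser.exe"},
    {"ts": "10:02:01", "type": "file", "pid": 600, "op": "write", "path": r"C:\Users\a\AppData\Local\Browser\cache.db"},
]


def index_events(events):
    """Build lookups: process by pid, children by ppid, non-process events by pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    activity = defaultdict(list)
    for e in events:
        if e["type"] != "process":
            activity[e["pid"]].append(e)
    return procs, children, activity


def ancestry(pid, procs):
    """Walk parent links from the detected process up to the root cause, oldest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # pid reuse in real telemetry can create cycles; never loop forever
        chain.append(pid)
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain


def descendants(pid, children):
    """Every process spawned, directly or indirectly, by `pid`."""
    out, stack = [], [pid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child)
    return out


def threat_case(detected_pid, events):
    """Collect the processes and the artifacts that make up the attack chain."""
    procs, children, activity = index_events(events)
    chain = ancestry(detected_pid, procs)
    if not chain:
        raise ValueError(f"no process record for pid {detected_pid}")
    involved = chain + descendants(detected_pid, children)
    touched = sorted((e for p in involved for e in activity[p]), key=lambda e: e["ts"])
    return {
        "root_cause": procs[chain[0]]["image"],
        "chain_pids": chain,
        "involved_pids": involved,
        "files": [e for e in touched if e["type"] == "file"],
        "registry": [e for e in touched if e["type"] == "registry"],
        "network": [e for e in touched if e["type"] == "network"],
    }


def render(detected_pid, events):
    """Text tree of the chain, a stand-in for the visual attack-chain graph."""
    procs, children, activity = index_events(events)
    case = threat_case(detected_pid, events)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        mark = "  <-- detection" if pid == detected_pid else ""
        lines.append(f"{'  ' * depth}{p['ts']} [{pid}] {p['cmdline']}{mark}")
        for e in activity[pid]:
            detail = e.get("path") or e.get("key") or e.get("dst")
            lines.append("  " * depth + "    " + " ".join(filter(None, [e["ts"], e["type"], e.get("op"), detail])))
        for c in children.get(pid, []):
            if c in case["involved_pids"]:  # siblings outside the chain are left out
                walk(c, depth + 1)

    walk(case["chain_pids"][0], 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(400, SAMPLE_EVENTS))
```

Run stand-alone, `render(400, SAMPLE_EVENTS)` prints the chain from the mail client down to `cmd.exe /c whoami`, with the macro document, the dropped executable, the outbound connection and the Run-key persistence attached to the processes that produced them, while the browser's cache write is excluded because it is not on the path. The root-cause answer to "how did this happen?" is the first entry of the chain; the persistence key is what has to be cleaned up in addition to the file, which deleting `update.exe` alone would miss.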