Gartner Blog Network


My Paper on Endpoint Tools Publishes

by Anton Chuvakin  |  September 26, 2013  |  5 Comments

My paper on endpoint threat detection and response tools and practices (“Endpoint Threat Detection and Response Tools and Practices”) has just been published [Gartner GTP subscription required].

Summary: Increased complexity and frequency of attacks elevate the need for enterprise-scale incident response, APT investigations and a rapid forensic process. Endpoint threat detection and response tools help organizations speedily investigate security incidents and detect malicious activities.

Bottom Line:

Endpoint threat detection and response (ETDR) tools enable an organization to achieve comprehensive endpoint visibility, simplify security incident response and detect malicious activities. They are also useful for validating network security alerts that are produced by malware protection systems (MPSs), security information and event management (SIEM) tools, and other devices. For organizations with mature security functions, ETDR tools have become extremely valuable, but proper use of the tools is process- and skill-heavy. Organizations that are willing to put in the effort will find benefit in using the tools.

A few fun quotes:

  • “ETDR tools enable organizations to rapidly investigate large numbers of endpoints (both servers and workstations) in the course of ongoing incident response, and they detect incidents by enabling the analysts to quickly review and analyze traces of malicious activities across the endpoints.”
  • “ETDR tools collect detailed endpoint data, such as running processes, network connection, select files and registry settings, and then create a searchable data store for review by security operations center (SOC) analysts or incident responders.”
  • “Traditional computer forensics tools allow organizations to perform a deep analysis of a single machine in order to reveal key facts about the incident to the high standards required for legal scrutiny. However, today’s incident response requirements call for a completely different type of tool — one that can be used to review specific traces across large numbers of systems quickly in order to triage and investigate incidents before the damage is done.”
  • “Organizations deploying these tools should subscribe to security threat intelligence feeds containing endpoint data such as hashes, filenames, and other host indicators and engineer processes for automated verification of received indicators on all endpoints.”
  • “Evolve from a postincident use to incident discovery by periodic or continuous indicator sweeps and anomaly detection over collected data. Extract site-specific indicators from incident response occurrences, and feed the indicators back into the tools.”
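As an added illustration (not code from the paper, from Gartner, or from any ETDR vendor), the two practices quoted above in miniature: a sweep of constructed ETDR-style endpoint snapshots against a constructed indicator feed, then the feedback step in which artefacts seen beside a matched process on a confirmed host become site-specific indicators for the next sweep. All hostnames, hashes, filenames, registry values and addresses are made up.

```python
from collections import defaultdict

# Constructed threat intelligence feed of host indicators (hypothetical values).
INTEL_FEED = {
    "sha256": {"a" * 64},
    "filename": {"svchosts.exe"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}

# Constructed per-endpoint snapshots of the kind an ETDR agent collects.
ENDPOINTS = {
    "ws-0412": {
        "processes": [{"name": "svchosts.exe", "sha256": "a" * 64, "remote": "203.0.113.7:443"}],
        "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    },
    "ws-0977": {  # same remote address, but a renamed binary with an unknown hash
        "processes": [{"name": "wuauclt2.exe", "sha256": "c" * 64, "remote": "203.0.113.7:443"}],
        "registry": [],
    },
    "srv-db-01": {
        "processes": [{"name": "sqlservr.exe", "sha256": "b" * 64, "remote": "10.0.0.5:1433"}],
        "registry": [],
    },
}

def _proc_indicators(proc):
    # The (type, value) pairs a single process record can be matched on.
    return {("sha256", proc["sha256"]), ("filename", proc["name"].lower()),
            ("remote", proc["remote"])}

def sweep(endpoints, feed):
    """Return {host: sorted [(indicator_type, value), ...]} for each endpoint with a hit."""
    wanted = {(t, v) for t, vals in feed.items() for v in vals}
    hits = defaultdict(set)
    for host, data in endpoints.items():
        for proc in data["processes"]:
            hits[host] |= _proc_indicators(proc) & wanted
        hits[host] |= {("registry", k) for k in data["registry"]} & wanted
    return {h: sorted(v) for h, v in hits.items() if v}

def extract_site_indicators(endpoints, hits, feed):
    """Pivot from matched processes to their other artefacts and merge them into the feed."""
    merged = {t: set(v) for t, v in feed.items()}
    for host, matched in hits.items():
        for proc in endpoints[host]["processes"]:
            if _proc_indicators(proc) & set(matched):
                for t, v in _proc_indicators(proc):
                    merged.setdefault(t, set()).add(v)
    return merged
```

The first sweep flags only ws-0412 on the feed's hash, filename and Run key; after the pivot adds the matched process's remote address to the feed, a second sweep also surfaces ws-0977, which shares the address but none of the original indicators.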

Enjoy!


Category: analytics  endpoint  incident-response  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on My Paper on Endpoint Tools Publishes


  2. Moe says:

    Hello Anton, just wondering why solutions such as HB Gary’s are not included in this paper.

  3. An excellent question indeed. Mantech is in fact mentioned in my other paper on IR that just went up. I thought long and hard about adding / not adding Responder Pro to this paper and decided against it (at the last moment). My motivation was that their tools seem better suited for in-depth analysis (malware forensics) and less for broad sweeps like the tools that I mostly deal with. If my decision has been wrong, I will probably add them when updating this paper next year.

  4. Eric Schurr says:

    Anton,
    Excellent report. Very comprehensive, balanced, and accurate. I hope folks take the time to read and digest it. It will help them deal with advanced threats.

  5. Eric, thanks A LOT for the praise. This report took a lot of work to write!!


