On Endpoint Sensing

Would you deploy another agent-based tool on all your desktops and servers in order to gain visibility on what is *really* happening on those endpoints?

The tools I am talking about here can:

• Collect endpoint data such as running processes (including those with no file on disk), handles, DLLs, network connections, open ports, loaded drivers, Windows services, users, select files, registry entries, routing and ARP table entries, browser history – and A LOT more.
• Centralize the data (by either periodic polling or near-real-time collection or distributed data access) and make it available for fast, indexed searching (such as for IOCs or other clues)
• Post-process (analyze) the data to identify anomalies such as rare processes, unusual connections, and other higher-level patterns by using baselining or other means
• Provide an interactive data exploration interface that allows one to explore the data and hunt for indicators .
• Sometimes, also alert based on freshly collected patterns such as new process, connection, account, etc or based on “anomaly score” of the observed activity.

But before you scream in fear “Nooooo! Not another agent that just collects data!” … THINK!

It is 10PM … do you REALLY know what your endpoints are doing? After all, a reported 2-3% of them are compromised/infected at any given time…

Logs via SIEM (cannot see the events and details not logged), network forensics (cannot see local activities and those not on your network), endpoint DLP (can only see data movement), EPP/AV (can only see some malware) only go so far in giving you environment visibility. At some point you realize that a lot of investigative and monitoring tasks would go much easier with that extra level of endpoint visibility. We also seem to be seeing reduced resistance to such agent deployments (presumably following the logic of “would you like our agent or …ahem… a Chinese agent on your system?”)

So, would you trade large-scale agent deployment/management headaches for another level of visibility? The answer often hinges on this:

Would you know what to do with all the new data? Do you clearly understand how it will help you detect and investigate incidents?

If your answer is a firm “YES! and YES!”, then it is likely that you will soon be on the market for such technology.

Finally, let me share a little secret on how to find money to get such a tool? Assume you will have an incident soon (a very easy assumption to make, I assure you). Would you rather investigate it by hiring experts for 4 weeks (4 x 40) at $600/hr (for a total of almost $100k) or would you rather investigate it yourself or with minimal (say 8 hours) help from said pricy experts? The difference may well cover the tool – and that is based on ONE incident…

P.S. Still don’t want that new agent? In this case, you do have another choice. Threaten your EPP (aka “anti-virus”) vendor that you will replace their wares with those of another vendor – that also gives you endpoint visibility. In fact, why aren’t more EPP /AV vendors doing it? One investor in the emerging endpoint monitoring start-up explained it by invoking BDS…. It is very likely that enlightened EPP vendors will soon start using their agent tools for additional endpoint sensing, while the dumb ones will continue to insist that EPPs “prevents malware problems.”

P.P.S. This space/segment has really no accepted name: vendors call them “endpoint intelligence”, “endpoint analytics”, “host investigations”,”compromise assessment”, etc. Got a name you like? The name “endpoint forensics” is typically reserved to a much more in-depth analysis of an individual system and likely won’t be used for this.

Related posts:

• RSA 2013 and Endpoint Agent Re-Emergence
• A Quiet Assumption
• All posts tagged security incident response