Gartner Blog Network


Essential Processes Around Endpoint Threat Detection & Response Tools

by Anton Chuvakin  |  July 31, 2013

Like network forensics tools (NFT), SIEM and DLP, endpoint threat detection and response (ETDR) tools are not of the “deploy-and-forget” variety (far from it!). The tools require a set of operational processes to accomplish their detective and investigative missions, as well as to enable the organization to “hunt” for intrusion traces and explore collected endpoint data.

Such essential processes likely include:

  1. Incident response (IR) process (duh!): a detailed incident response process, not just a “strategic” (= short) plan, is a must; it will likely involve both ETDR and NFT tools (as well as SIEM) and cover “large I” incidents (such as major data theft) and “small i” incidents (such as a PC with malware; some “i” cases lead to the discovery of “I” cases, BTW). The ETDR part of the process will include things like current system state search and also past system state (historical) search.
  2. Alert or indicator triage process: SIEM, DLP, MPS (or whatever people call those systems) produce alerts that often need to be quickly validated using endpoint data; such an alert validation, or triage, process executes much more frequently than the true incident response process; occasionally, the ETDR tool itself will be configured to produce alerts that also need to be validated using additional endpoint data.
  3. Ongoing indicator sweep process or incident discovery process: this process of periodically checking your systems for signs of compromise, infection and other badness is a manifestation of the proverbial “proactive IR” or “ongoing response”; to do it, periodically scan all systems for a list of known artifacts derived from threat intelligence or other sources. It is very likely that, to be truly effective, this process should also include a malware forensics and artifact extraction process, so that the sweep keeps expanding based on found intrusion traces until it no longer expands.
  4. Ad hoc indicator sweep process: more incident discovery than incident response, this process is related to the previous one, but starts from a shared indicator, or from one derived from a shared artifact (a clue, a name, etc.). It then goes into the same expanding sweep based on found artifacts as the process above.
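Items 3 and 4 describe the same loop: search the fleet for the current indicator set, extract artifacts from whatever matches, add them as new indicators, and stop when a pass finds nothing new. The Python below is an added example written for this page, not code from the original post or from any ETDR product. The fleet snapshot, the seed hash and the rule that turns a hit into new indicators are all constructed; a real deployment would replace the snapshot with the tool's query API and the artifact rule with actual malware forensics. The same search routine, restricted to one host, is the endpoint lookup that alert triage (item 2) performs, and run against stored past snapshots it becomes the historical search from item 1.

```python
# Added example (not from the original post): an "expanding sweep" over
# collected endpoint data. The fleet snapshot, the seed indicator and the
# artifact-extraction rule are all constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    sha256: str
    path: str
    domains: list = field(default_factory=list)  # outbound DNS names seen for this process


@dataclass
class Host:
    hostname: str
    processes: list


SYSTEM_HASH = "0c1e" * 16  # stand-in hash for a legitimate system binary (assumed)
SVCHOST = Process("svchost.exe", SYSTEM_HASH, r"C:\Windows\System32\svchost.exe")

# Constructed fleet snapshot, standing in for what an ETDR tool has collected.
FLEET = [
    Host("ws-001", [SVCHOST, Process("updater.exe", "b1" * 32, r"C:\Users\Public\updater.exe",
                                     ["cdn-update.example"])]),
    Host("ws-002", [SVCHOST, Process("helper.exe", "b2" * 32, r"C:\ProgramData\helper.exe",
                                     ["cdn-update.example", "stage2.example"])]),
    Host("ws-003", [SVCHOST, Process("note.exe", "b3" * 32, r"C:\Users\bob\AppData\Local\Temp\note.exe",
                                     ["stage2.example"])]),
    Host("ws-004", [SVCHOST]),
]


def artifacts_of(proc):
    """Everything the snapshot records about a process, keyed by indicator kind.
    This stands in for the malware forensics / artifact extraction step; a real
    implementation would pull artifacts from the binary, memory and disk."""
    return {"sha256": {proc.sha256}, "path": {proc.path}, "domain": set(proc.domains)}


def sweep(fleet, indicators):
    """Current-state search: (hostname, process, kind, value) for every process
    on any host that matches an indicator. The same query restricted to one
    host is the alert-validation step of triage."""
    hits = []
    for host in fleet:
        for proc in host.processes:
            observed = artifacts_of(proc)
            for kind, values in indicators.items():
                for value in sorted(values & observed.get(kind, set())):
                    hits.append((host.hostname, proc, kind, value))
    return hits


def expanding_sweep(fleet, seed, known_good=frozenset()):
    """Sweep, extract artifacts from every hit, add them as indicators, and
    repeat until the indicator set stops growing. known_good holds artifact
    values (hashes, paths, domains) that must never become indicators, which
    is what keeps a shared system binary from dragging the whole fleet in."""
    indicators = {kind: set() for kind in ("sha256", "path", "domain")}
    for kind, values in seed.items():
        indicators[kind] |= set(values)
    compromised = {}  # hostname -> set of matched process names
    rounds = 0
    while True:
        rounds += 1
        grew = False
        for hostname, proc, _kind, _value in sweep(fleet, indicators):
            compromised.setdefault(hostname, set()).add(proc.name)
            for kind, values in artifacts_of(proc).items():
                new = values - indicators[kind] - known_good
                if new:
                    indicators[kind] |= new
                    grew = True
        if not grew:
            return compromised, indicators, rounds


if __name__ == "__main__":
    found, iocs, n = expanding_sweep(FLEET, {"sha256": {"b1" * 32}}, known_good={SYSTEM_HASH})
    print(f"{n} rounds; compromised hosts: {found}")
    print("final indicators:", {k: sorted(v) for k, v in iocs.items()})
```

Starting from the single threat-intel hash, the sweep reaches ws-001 in the first pass, pivots on the contacted domain to ws-002, pivots on that host's second domain to ws-003, and terminates on the fourth pass when nothing new is learned; ws-004 stays clean. The `known_good` set is the practitioner's guard against the obvious failure of this loop: if an extracted artifact is something every host shares (a system binary's hash, a common path, a CDN domain), an unfiltered sweep would "find" the entire fleet, so extracted artifacts are checked against a known-good baseline before they are promoted to indicators.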

At the very top shelf, organizations will engage in exploring collected endpoint data by means of free-form “badness hunting.” Such data exploration (similar to what is done with NFT) may be driven by anomaly reports that highlight interesting outliers in collected system data, external threat data, shared intelligence data, etc., which are then used as “threads to pull” for additional searches.
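Two of the simplest anomaly reports a hunter runs over collected endpoint data are prevalence (which binaries exist on only a handful of hosts) and consistency (which autorun or service names are backed by different binaries on different hosts). The Python below is an added example for this page, not code from the original post or from any product; the autorun inventory, host names, paths and hashes are all constructed. Each row it returns is a "thread to pull", typically fed as a seed into an indicator sweep like the one above.

```python
# Added example (not from the original post): two anomaly reports over a
# constructed autorun inventory, the kind of outliers a hunter starts from.
# Host names, paths and hashes are all made up.
from collections import defaultdict, namedtuple

Autorun = namedtuple("Autorun", "name path sha256")

HEALTH = Autorun("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe", "a1" * 32)
ONEDRIVE = Autorun("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "b2" * 32)

# Constructed inventory: 20 workstations with the same two autoruns, plus two
# planted anomalies (an extra entry on ws-007, a look-alike OneDrive on ws-019).
AUTORUNS = {f"ws-{i:03d}": [HEALTH, ONEDRIVE] for i in range(1, 21)}
AUTORUNS["ws-007"].append(Autorun("WinUpdate", r"C:\Users\Public\wu.exe", "d4" * 32))
AUTORUNS["ws-019"][1] = Autorun("OneDrive", r"C:\Users\Public\OneDrive.exe", "e5" * 32)


def hosts_by(inventory, key):
    """Group hosts by some attribute of their autorun entries."""
    groups = defaultdict(set)
    for host, entries in inventory.items():
        for entry in entries:
            groups[key(entry)].add(host)
    return groups


def rare_binaries(inventory, max_share=0.05):
    """Least-frequency report: hashes present on at most max_share of the
    fleet (always at least one host). Returns {sha256: [hosts]}."""
    limit = max(1, int(len(inventory) * max_share))
    return {h: sorted(hosts)
            for h, hosts in hosts_by(inventory, lambda e: e.sha256).items()
            if len(hosts) <= limit}


def inconsistent_names(inventory):
    """Same autorun name backed by more than one (path, hash) pair across the
    fleet, a classic sign of something masquerading as a known program.
    Returns {name: {(path, sha256), ...}}."""
    variants = defaultdict(set)
    for entries in inventory.values():
        for entry in entries:
            variants[entry.name].add((entry.path, entry.sha256))
    return {name: v for name, v in variants.items() if len(v) > 1}


if __name__ == "__main__":
    for sha, hosts in rare_binaries(AUTORUNS).items():
        print(f"rare binary {sha[:12]}... on {hosts}")
    for name, v in inconsistent_names(AUTORUNS).items():
        print(f"autorun {name!r} has {len(v)} distinct binaries: {sorted(v)}")
```

The prevalence threshold is a fraction of the fleet rather than a fixed count so that the same report scales from a lab to a large estate; the consistency report needs no threshold at all, since a legitimate autorun name should resolve to one binary (or a small, explainable set of versions). Both reports are deliberately dumb: they surface outliers, and the analyst decides which ones are worth a sweep.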

Anything else you do with these tools? Anything else I missed?


Category: analytics  collective  endpoint  incident-response  malware  monitoring  security  sharing  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…
