Just as with network forensics tools (NFT), SIEM and DLP, Endpoint Threat Detection & Response (ETDR) tools are not of the “deploy-and-forget” variety (far from it!). The tools require a set of operational processes to accomplish their detective and investigative missions, as well as to enable an organization to “hunt” for intrusion traces and explore collected endpoint data.
Such essential processes likely include:
- Incident response (IR) process (duh!): a detailed incident response process, not just a “strategic” (=short) plan, is a must; it will likely involve both ETDR and NFT tools (as well as SIEM) and cover “large I” incidents (such as major data theft) and “small i” incidents (such as a PC with malware – some “i” cases lead to the discovery of “I” cases, BTW). The ETDR part of the process will include things like current system state search and also past system state (historical) search.
- Alert or indicator triage process: SIEM, DLP, MPS (or whatever people call those systems) produce alerts that often need to be quickly validated using endpoint data; such an alert validation – or triage – process executes much more frequently than the true incident response process; occasionally, the ETDR tool itself will be configured to produce alerts that would also need to be validated using additional endpoint data.
- Ongoing indicator sweep process or incident discovery process: this process of periodically checking your systems for signs of compromise, infection and other badness is a manifestation of the proverbial “proactive IR” or “ongoing response”; to do it, periodically scan all systems for a list of known artifacts, derived from threat intelligence or other sources. It is very likely that, to be truly effective, this process should also include malware forensics and an artifact extraction process in order to continue the expanding sweep based on found intrusion traces until it no longer expands.
- Ad hoc indicator sweep process: more incident discovery than incident response, this process is related to the previous one, but starts from a shared indicator, or from one derived from a shared artifact – a clue, name, etc. It then goes into the same expanding sweep based on found artifacts as the above process.
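The “expanding sweep” behind both the ongoing and the ad hoc indicator sweep processes above, as an added example that is not part of the original post or of any ETDR product: a seed indicator is matched against a constructed endpoint inventory, artifacts harvested from the matched hosts are promoted to new indicators, and the loop repeats until a pass adds no new host. The inventory, the artifact kinds, the benign list and the prevalence cut-off are all assumptions made for illustration.

```python
from collections import Counter

# Constructed endpoint inventory (hypothetical): host -> artifacts seen on it.
# Artifacts are (kind, value) tuples such as a file hash, a DNS lookup or a service name.
ENDPOINTS = {
    "ws-01": {("sha256", "hash-A"), ("dns", "bad.example"), ("svc", "Updater")},
    "ws-02": {("sha256", "hash-B"), ("dns", "bad.example"), ("svc", "Updater")},
    "ws-03": {("sha256", "hash-C"), ("svc", "Updater")},
    "ws-04": {("sha256", "hash-D"), ("dns", "ok.example")},
    "srv-01": {("sha256", "hash-E"), ("dns", "ok.example"), ("svc", "Spooler")},
}

# Hypothetical analyst-maintained allow-list: artifacts never promoted to indicators.
BENIGN = {("dns", "ok.example"), ("svc", "Spooler")}


def prevalence(endpoints):
    """Fraction of the fleet on which each artifact is seen."""
    counts = Counter(a for arts in endpoints.values() for a in arts)
    return {a: n / len(endpoints) for a, n in counts.items()}


def match_hosts(indicators, endpoints):
    """Hosts carrying at least one of the current indicators (one sweep pass)."""
    return {h for h, arts in endpoints.items() if arts & indicators}


def expanding_sweep(seed, endpoints, benign=frozenset(), max_prevalence=0.5):
    """Sweep, harvest artifacts from newly matched hosts as indicators, repeat.
    Stops at a fixpoint: a pass that matches no new host. Artifacts on the
    benign list or present on more than max_prevalence of the fleet are not
    promoted, so a common service name cannot drag every host into the sweep."""
    fleet = prevalence(endpoints)
    indicators, hits, rounds = set(seed), set(), 0
    while True:
        rounds += 1
        new_hits = match_hosts(indicators, endpoints) - hits
        if not new_hits:
            break
        hits |= new_hits
        for host in new_hits:
            for art in endpoints[host]:
                if art not in benign and fleet[art] <= max_prevalence:
                    indicators.add(art)
    return {"hosts": hits, "indicators": indicators, "rounds": rounds}


if __name__ == "__main__":
    # Seed from a single shared hash; the sweep should pull in ws-02 via the shared DNS artifact.
    print(expanding_sweep({("sha256", "hash-A")}, ENDPOINTS, BENIGN))
```

The `("svc", "Updater")` artifact is seen on 3 of 5 hosts, so the prevalence cut-off keeps it from being promoted and the sweep stops at the two hosts that actually share the suspicious DNS lookup.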
At the very top shelf, an organization will engage in exploring collected endpoint data by means of free-form “badness hunting.” Such data exploration (similar to what is done with NFT) may be done via anomaly reports that highlight interesting outliers in collected system data, external threat data, shared intelligence data, etc., which are then used as “threads to pull” for additional searches.
Anything else you do with these tools? Anything else I missed?
Posts related to this research project:
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- A Quiet Assumption
- All posts tagged security incident response
- All posts tagged endpoint
Posts related to essential operational processes for other tools: