Now that we have a name [ETDR], let’s talk deployment strategies. On what systems in your organization do you want to deploy the tools that simplify your security incident response activities?
It is simple, really: if you want the best breadth/depth of investigation and useful detection, the answer is ALL SYSTEMS. Why?
Well, which systems do you want to investigate the most? Ha-ha, it was a trick question: you want to investigate the systems that the attackers touched.
Will the attackers provide you with a list of their targets in advance? Not likely. And if you have 10,000 servers and workstations, trying to figure out which ones to cover with ETDR tools is very hard. Given that most of the tools we are talking about are passive and do not block anything (a HUGE advantage for gaining acceptance for mass deployment, BTW!), your chance of getting a wide-scale deployment approved actually goes up.
Now, due to platform support limitations as well as the dreaded “BYOD-saurus” monster, you will not be able to hit 100% of your systems. That is fine – hopefully you have also deployed NFT (network forensics tools) to enable network-level capture and analysis during your incident response as well as ongoing network security monitoring. Also, you likely have log collection and analysis (SIEM) in place already.
In any case, the fallacy (well, maybe not really a “fallacy”, but, say, the limitations) of “protect critical systems” thinking has been well established. Organizations that used to think their desktops were “not critical” were rudely awakened both by wide-spread compromises (originating at desktops) and by smart attackers targeting the workstations of key employees (both the CEO *and* his assistant, by the way) in order to then get to the so-called “critical servers” (in other cases, the data the attackers were looking for was picked up straight from the workstation, without the need to compromise any hardened servers). Finally, you might still want to work harder to “protect critical systems”, but it goes without saying that you need to “investigate COMPROMISED systems” rather than the critical ones…
The next question related to deployment is: for tools that poll the endpoints for data (as opposed to collecting it in near real-time), how often should you poll? This question applies both to polling in preparation for future incident investigations and to polling while doing a periodic indicator sweep.
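To make the polling-frequency question concrete, here is a small added example (not from the original post or any ETDR product) that models what a periodic poll can and cannot catch. It assumes an artifact (a running process, an open network connection, a temp file) lives for some number of seconds and starts at a random moment relative to the poll cycle; the artifact is observed only if a poll instant falls inside its lifetime. All lifetimes and intervals below are constructed values for illustration, not figures from the page.

```python
import random


def detection_probability(artifact_lifetime_s: float, poll_interval_s: float) -> float:
    """Analytical chance that a periodic poll observes an artifact.

    The artifact exists for artifact_lifetime_s seconds and starts at a
    uniformly random phase within the poll cycle. Polls happen every
    poll_interval_s seconds. If the artifact outlives one interval it is
    always seen; otherwise only the fraction lifetime/interval of start
    phases overlap a poll instant. A non-positive interval models
    continuous (near real-time) collection.
    """
    if poll_interval_s <= 0:
        return 1.0
    return min(1.0, artifact_lifetime_s / poll_interval_s)


def simulate_detection(artifact_lifetime_s: float, poll_interval_s: float,
                       trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of detection_probability.

    Polls occur at t = 0, I, 2I, ...; the artifact starts at a random
    t in [0, I) and is alive on [start, start + lifetime). It is caught
    iff the poll at t = I lands inside that window, i.e. start + lifetime
    reaches I (a lifetime >= I is therefore always caught).
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    hits = 0
    for _ in range(trials):
        start = rng.uniform(0, poll_interval_s)
        if start + artifact_lifetime_s >= poll_interval_s:
            hits += 1
    return hits / trials


def coverage_table(lifetimes_s, intervals_s):
    """Map (lifetime, interval) -> detection probability for a grid of values."""
    return {(life, interval): detection_probability(life, interval)
            for life in lifetimes_s for interval in intervals_s}


if __name__ == "__main__":
    # Constructed example values: a 30 s credential-dumping process, a
    # 5 min lateral-movement session, and a persistent autorun entry
    # (modelled as an effectively infinite lifetime), swept hourly,
    # every 6 hours and daily.
    lifetimes = {"30s process": 30, "5min session": 300, "autorun (persistent)": float("inf")}
    intervals = {"1h": 3600, "6h": 21600, "24h": 86400}
    for lname, life in lifetimes.items():
        row = ", ".join(f"{iname}: {detection_probability(life, ival):.3f}"
                        for iname, ival in intervals.items())
        print(f"{lname:>22} -> {row}")
```

The takeaway the table makes visible: an hourly poll sees a 30-second process less than 1% of the time, so periodic polling is a fine way to sweep for persistent indicators (autoruns, services, scheduled tasks, files on disk), but catching transient execution or network activity needs the near real-time collection mode, with polling reserved for the artifacts that stick around.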
Posts related to this research project: