My paper on endpoint threat detection and response tools and practices (“Endpoint Threat Detection and Response Tools and Practices”) has just been published [Gartner GTP subscription required].
Summary: Increased complexity and frequency of attacks elevate the need for enterprise-scale incident response, APT investigations and a rapid forensic process. Endpoint threat detection and response tools help organizations speedily investigate security incidents and detect malicious activities.
Endpoint threat detection and response (ETDR) tools enable an organization to achieve comprehensive endpoint visibility, simplify security incident response and detect malicious activities. They are also useful for validating network security alerts that are produced by malware protection systems (MPSs), security information and event management (SIEM) tools, and other devices. For organizations with mature security functions, ETDR tools have become extremely valuable, but proper use of the tools is process- and skill-heavy. Organizations that are willing to put in the effort will find benefit in using the tools.
A few fun quotes:
- “ETDR tools enable organizations to rapidly investigate large numbers of endpoints (both servers and workstations) in the course of ongoing incident response, and they detect incidents by enabling the analysts to quickly review and analyze traces of malicious activities across the endpoints.”
- “ETDR tools collect detailed endpoint data, such as running processes, network connection, select files and registry settings, and then create a searchable data store for review by security operations center (SOC) analysts or incident responders.”
- “Traditional computer forensics tools allow organizations to perform a deep analysis of a single machine in order to reveal key facts about the incident to the high standards required for legal scrutiny. However, today’s incident response requirements call for a completely different type of tool — one that can be used to review specific traces across large numbers of systems quickly in order to triage and investigate incidents before the damage is done.”
- “Organizations deploying these tools should subscribe to security threat intelligence feeds containing endpoint data such as hashes, filenames, and other host indicators and engineer processes for automated verification of received indicators on all endpoints.”
- “Evolve from a postincident use to incident discovery by periodic or continuous indicator sweeps and anomaly detection over collected data. Extract site-specific indicators from incident response occurrences, and feed the indicators back into the tools.”
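The quotes above describe the core ETDR workflow: collect endpoint data (processes, connections, files, registry settings) into a searchable store, sweep it against indicators from a threat intelligence feed, then extract site-specific indicators from a confirmed incident and feed them back in. The following is an added example, not code from the paper or from any ETDR product, that walks through that loop on constructed data. The indicator feed, endpoint snapshots, hostnames, hashes and the 203.0.113.7 address (from the TEST-NET-3 documentation range) are all constructed sample values, and the record layout is an assumption made for illustration.

```python
"""
Indicator sweep over an ETDR-style endpoint data store (added example).

Shows (1) a sweep of collected endpoint data against a feed of hashes,
filenames, remote IPs and registry keys, and (2) feeding back site-specific
indicators extracted from a confirmed incident so that a renamed copy of the
same binary on another host is found on the next sweep.  All data is constructed.
"""
from collections import defaultdict

# Constructed indicator feed, keyed by indicator type.  Note the feed carries a
# filename and an IP but no hash yet: that is what the feedback step adds.
IOC_FEED = {
    "sha256": set(),
    "filename": {"svch0st.exe"},
    "remote_ip": {"203.0.113.7"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
}

# Constructed endpoint snapshots in the shape an ETDR agent might collect.
ENDPOINT_STORE = [
    {
        "host": "ws-001",
        "processes": [
            {"pid": 412, "name": "explorer.exe", "sha256": "11" * 32},
            {"pid": 2210, "name": "svch0st.exe", "sha256": "aa" * 32},
        ],
        "connections": [{"pid": 2210, "remote_ip": "203.0.113.7", "remote_port": 443}],
        "files": [{"path": r"C:\Users\u\AppData\Roaming\svch0st.exe", "sha256": "aa" * 32}],
        "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    },
    {
        # Same binary, renamed: the filename indicator alone will miss it.
        "host": "srv-010",
        "processes": [{"pid": 88, "name": "sqlservr.exe", "sha256": "22" * 32}],
        "connections": [{"pid": 88, "remote_ip": "10.0.0.5", "remote_port": 1433}],
        "files": [{"path": r"C:\tools\update.dll", "sha256": "aa" * 32}],
        "registry": [],
    },
]


def _basename(path):
    """Last path component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sweep(store, feed):
    """Return {host: [(indicator_type, value, evidence), ...]} for every match."""
    hits = defaultdict(list)
    for snap in store:
        host = snap["host"]
        for p in snap["processes"]:
            if p["sha256"] in feed["sha256"]:
                hits[host].append(("sha256", p["sha256"], f"process pid={p['pid']}"))
            if p["name"].lower() in feed["filename"]:
                hits[host].append(("filename", p["name"], f"process pid={p['pid']}"))
        for c in snap["connections"]:
            if c["remote_ip"] in feed["remote_ip"]:
                hits[host].append(("remote_ip", c["remote_ip"],
                                   f"pid={c['pid']} port={c['remote_port']}"))
        for f in snap["files"]:
            if f["sha256"] in feed["sha256"]:
                hits[host].append(("sha256", f["sha256"], f"file {f['path']}"))
            if _basename(f["path"]) in feed["filename"]:
                hits[host].append(("filename", _basename(f["path"]), f"file {f['path']}"))
        for key in snap["registry"]:
            if key in feed["registry"]:
                hits[host].append(("registry", key, "autorun key present"))
    return dict(hits)


def extract_site_indicators(store, host, pid):
    """Derive site-specific indicators (hash, name, remote IPs) from a process
    that incident response has confirmed as malicious on the given host."""
    for snap in store:
        if snap["host"] != host:
            continue
        proc = next(p for p in snap["processes"] if p["pid"] == pid)
        ips = {c["remote_ip"] for c in snap["connections"] if c["pid"] == pid}
        return {"sha256": {proc["sha256"]}, "filename": {proc["name"].lower()}, "remote_ip": ips}
    raise KeyError(f"host {host} not in store")


def merge_feed(feed, extra):
    """Return a new feed with the extracted indicators unioned in."""
    merged = {k: set(v) for k, v in feed.items()}
    for k, v in extra.items():
        merged.setdefault(k, set()).update(v)
    return merged


if __name__ == "__main__":
    first = sweep(ENDPOINT_STORE, IOC_FEED)          # only ws-001 matches
    site = extract_site_indicators(ENDPOINT_STORE, "ws-001", 2210)
    second = sweep(ENDPOINT_STORE, merge_feed(IOC_FEED, site))  # srv-010 now matches too
    for host, h in second.items():
        print(host, h)
```

The first sweep flags only ws-001, on the filename, the remote IP and the autorun key. Once the responder confirms pid 2210 and its hash is fed back, the second sweep also surfaces the renamed copy on srv-010, which is the "incident discovery" loop the last quote describes; in a real deployment the hash set would be the feed's, and the store would be the product's own query interface rather than an in-memory list.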
Posts related to this research project:
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- A Quiet Assumption
- All posts tagged endpoint
Recent paper publication announcements: