My paper on endpoint threat detection and response tools and practices (“Endpoint Threat Detection and Response Tools and Practices”) just published [Gartner GTP subscription required]
Summary: Increased complexity and frequency of attacks elevate the need for enterprise-scale incident response, APT investigations and a rapid forensic process. Endpoint threat detection and response tools help organizations speedily investigate security incidents and detect malicious activities.
Endpoint threat detection and response (ETDR) tools enable an organization to achieve comprehensive endpoint visibility, simplify security incident response and detect malicious activities. They are also useful for validating network security alerts that are produced by malware protection systems (MPSs), security information and event management (SIEM) tools, and other devices. For organizations with mature security functions, ETDR tools have become extremely valuable, but proper use of the tools is process- and skill-heavy. Organizations that are willing to put in the effort will find benefit in using the tools.
A few fun quotes:
- “ETDR tools enable organizations to rapidly investigate large numbers of endpoints (both servers and workstations) in the course of ongoing incident response, and they detect incidents by enabling the analysts to quickly review and analyze traces of malicious activities across the endpoints.”
- “ETDR tools collect detailed endpoint data, such as running processes, network connection, select files and registry settings, and then create a searchable data store for review by security operations center (SOC) analysts or incident responders.”
- “Traditional computer forensics tools allow organizations to perform a deep analysis of a single machine in order to reveal key facts about the incident to the high standards required for legal scrutiny. However, today’s incident response requirements call for a completely different type of tool — one that can be used to review specific traces across large numbers of systems quickly in order to triage and investigate incidents before the damage is done.”
- “Organizations deploying these tools should subscribe to security threat intelligence feeds containing endpoint data such as hashes, filenames, and other host indicators and engineer processes for automated verification of received indicators on all endpoints.”
- “Evolve from a postincident use to incident discovery by periodic or continuous indicator sweeps and anomaly detection over collected data. Extract site-specific indicators from incident response occurrences, and feed the indicators back into the tools.”
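The last two quotes describe a loop: sweep a searchable store of endpoint data against feed indicators, extract site-specific indicators from the confirmed hits, and feed those back for the next sweep. The following Python sketch is an added illustration of that loop, not code from the paper or from any ETDR product; the endpoint snapshots, the indicator feed and the hash values are all constructed for the example.

```python
"""Toy ETDR indicator sweep: index endpoint snapshots, sweep them for
threat-intelligence indicators, extract site-specific indicators from the
confirmed hits, and sweep again.  All data below is constructed."""
import hashlib
from collections import defaultdict


def _h(label: str) -> str:
    """Constructed stand-in for a file hash (SHA-256 of a label, not of a real file)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed agent snapshots: per endpoint, the running-process records an
# ETDR agent might report (image name, SHA-256 of the image, outbound connection).
ENDPOINT_SNAPSHOTS = {
    "ws-001": [
        {"filename": "updater.exe", "sha256": _h("bad-build-1"), "remote": "203.0.113.7:8443"},
        {"filename": "chrome.exe", "sha256": _h("chrome"), "remote": "198.51.100.2:443"},
    ],
    "ws-002": [
        {"filename": "svchost.exe", "sha256": _h("svchost"), "remote": None},
        # same tool recompiled: different hash, same name and same remote address
        {"filename": "updater.exe", "sha256": _h("bad-build-2"), "remote": "203.0.113.7:8443"},
    ],
    "srv-01": [
        {"filename": "svchost.exe", "sha256": _h("svchost"), "remote": "192.0.2.10:445"},
    ],
}

# Constructed threat-intelligence feed: initially only one hash is known.
INDICATOR_FEED = {"sha256": {_h("bad-build-1")}, "filename": set(), "remote": set()}


def build_index(snapshots):
    """Searchable store: indicator type -> indicator value -> set of endpoints."""
    index = defaultdict(lambda: defaultdict(set))
    for endpoint, records in snapshots.items():
        for rec in records:
            for kind, value in rec.items():
                if value is not None:
                    index[kind][value].add(endpoint)
    return index


def sweep(index, indicators):
    """Check every feed indicator against the store; return {(kind, value): endpoints}."""
    hits = {}
    for kind, values in indicators.items():
        for value in values:
            endpoints = index[kind].get(value)
            if endpoints:
                hits[(kind, value)] = sorted(endpoints)
    return hits


def extract_site_indicators(snapshots, hits, feed):
    """From each hit, take the other attributes of the matching process record
    (filename, remote address) as site-specific indicators not yet in the feed."""
    new = defaultdict(set)
    for (kind, value), endpoints in hits.items():
        for endpoint in endpoints:
            for rec in snapshots[endpoint]:
                if rec.get(kind) != value:
                    continue
                for other_kind, other_value in rec.items():
                    if other_kind == kind or other_value is None:
                        continue
                    if other_value not in feed.get(other_kind, set()):
                        new[other_kind].add(other_value)
    return dict(new)


def feedback_loop(snapshots, feed):
    """One round of the loop: sweep, extract site indicators, merge, sweep again.
    Returns (endpoints hit by the first sweep, by the second sweep, new indicators)."""
    index = build_index(snapshots)
    first = sweep(index, feed)
    new = extract_site_indicators(snapshots, first, feed)
    expanded = {k: set(v) | new.get(k, set()) for k, v in feed.items()}
    second = sweep(index, expanded)
    affected_first = sorted({e for eps in first.values() for e in eps})
    affected_second = sorted({e for eps in second.values() for e in eps})
    return affected_first, affected_second, new


if __name__ == "__main__":
    first, second, new = feedback_loop(ENDPOINT_SNAPSHOTS, INDICATOR_FEED)
    print("first sweep hit:", first)          # only the endpoint with the known hash
    print("site-specific indicators:", new)   # filename and remote address from that hit
    print("second sweep hit:", second)        # also the recompiled copy on ws-002
```

The second sweep finds ws-002, where the same tool runs under a different hash and so would be missed by a hash-only feed. In practice the extraction step is an analyst decision rather than an automatic merge: a filename like updater.exe on its own is a weak indicator, so site-specific indicators are reviewed (and usually combined, for example filename plus remote address) before being fed back into the tool.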
Posts related to this research project:
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- A Quiet Assumption
- All posts tagged endpoint
Recent paper publication announcements:
- Our Security Data Sharing Paper Publishes
- Our Network Forensics Paper Publishes
- My Second DLP Paper Publishes
- My First DLP Paper Publishes
- My Gartner research published so far
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.