Blog post

My Paper on Endpoint Tools Publishes

By Anton Chuvakin | September 26, 2013 | 4 Comments

Tags: security, incident response, endpoint, analytics

My paper on endpoint threat detection and response tools and practices (“Endpoint Threat Detection and Response Tools and Practices”) has just been published [Gartner GTP subscription required].

Summary: Increased complexity and frequency of attacks elevate the need for enterprise-scale incident response, APT investigations and a rapid forensic process. Endpoint threat detection and response tools help organizations speedily investigate security incidents and detect malicious activities.

Bottom Line:

Endpoint threat detection and response (ETDR) tools enable an organization to achieve comprehensive endpoint visibility, simplify security incident response and detect malicious activities. They are also useful for validating network security alerts that are produced by malware protection systems (MPSs), security information and event management (SIEM) tools, and other devices. For organizations with mature security functions, ETDR tools have become extremely valuable, but proper use of the tools is process- and skill-heavy. Organizations that are willing to put in the effort will find benefit in using the tools.

A few fun quotes:

  • “ETDR tools enable organizations to rapidly investigate large numbers of endpoints (both servers and workstations) in the course of ongoing incident response, and they detect incidents by enabling the analysts to quickly review and analyze traces of malicious activities across the endpoints.”
  • “ETDR tools collect detailed endpoint data, such as running processes, network connection, select files and registry settings, and then create a searchable data store for review by security operations center (SOC) analysts or incident responders.”
  • “Traditional computer forensics tools allow organizations to perform a deep analysis of a single machine in order to reveal key facts about the incident to the high standards required for legal scrutiny. However, today’s incident response requirements call for a completely different type of tool — one that can be used to review specific traces across large numbers of systems quickly in order to triage and investigate incidents before the damage is done.”
  • “Organizations deploying these tools should subscribe to security threat intelligence feeds containing endpoint data such as hashes, filenames, and other host indicators and engineer processes for automated verification of received indicators on all endpoints.”
  • “Evolve from a postincident use to incident discovery by periodic or continuous indicator sweeps and anomaly detection over collected data. Extract site-specific indicators from incident response occurrences, and feed the indicators back into the tools.”
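The last two quotes describe a loop: collect endpoint observables into a searchable store, sweep them against feed indicators across all endpoints, then extract site-specific indicators from confirmed incidents and feed those back into the next sweep. The following is an added illustration of that loop, not code from the paper or any ETDR product; the endpoint records, hashes, file names and IP addresses are constructed sample data, and the clean-host baseline used to filter extracted indicators is an assumption of the example.

```python
"""Toy ETDR-style indicator sweep over collected endpoint data (constructed sample)."""

# Constructed sample of what an agent might collect: processes (name + hash) and
# outbound connections per endpoint. Hashes and IPs are placeholders, not real IoCs.
ENDPOINT_DATA = {
    "ws-0042": {"processes": [{"name": "svchost.exe", "sha256": "a" * 64},
                              {"name": "updater.exe", "sha256": "b" * 64}],
                "connections": [{"dst": "203.0.113.7", "port": 443}]},
    "srv-db-01": {"processes": [{"name": "svchost.exe", "sha256": "a" * 64},
                                {"name": "sqlservr.exe", "sha256": "c" * 64}],
                  "connections": [{"dst": "198.51.100.2", "port": 445}]},
    "ws-0107": {"processes": [{"name": "updater.exe", "sha256": "b" * 64}],
                "connections": [{"dst": "203.0.113.7", "port": 443}]},
}

# Constructed threat-intel feed: host indicators keyed by indicator type.
FEED = {"sha256": {"b" * 64}, "dst_ip": {"203.0.113.7"}}


def observables(data):
    """Flatten one endpoint's collected data into (indicator_type, value) pairs."""
    for p in data.get("processes", []):
        yield ("sha256", p["sha256"].lower())
        yield ("filename", p["name"].lower())
    for c in data.get("connections", []):
        yield ("dst_ip", c["dst"])


def sweep(endpoints, feed):
    """Check every endpoint against the feed; return {host: sorted list of hits}."""
    hits = {}
    for host, data in endpoints.items():
        found = sorted({o for o in observables(data) if o[1] in feed.get(o[0], ())})
        if found:
            hits[host] = found
    return hits


def extract_site_indicators(endpoints, confirmed, clean):
    """Indicators seen on confirmed-compromised hosts but on none of the known-clean
    baseline hosts (assumed available); these feed back into the next sweep."""
    seen_bad = set().union(*(set(observables(endpoints[h])) for h in confirmed))
    seen_clean = set().union(*(set(observables(endpoints[h])) for h in clean))
    new = {}
    for typ, val in seen_bad - seen_clean:
        new.setdefault(typ, set()).add(val)
    return new


if __name__ == "__main__":
    first = sweep(ENDPOINT_DATA, FEED)
    site = extract_site_indicators(ENDPOINT_DATA, confirmed=list(first), clean=["srv-db-01"])
    print("feed sweep:", first)
    print("site indicators:", site)
    print("second sweep:", sweep(ENDPOINT_DATA, site))
```

The baseline filter matters: without it, benign observables common to every host (here `svchost.exe`) would be promoted to indicators and the next sweep would flag the whole estate.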

Enjoy!


4 Comments

  • Moe says:

    Hello Anton, just wondering why solutions such as HB Gary’s are not included in this paper.

  • An excellent question indeed. Mantech is in fact mentioned in my other on IR that just went up. I thought long and hard about adding / not adding Responder Pro to this paper and decided against it (at the last moment). My motivation was that their tools seem better suited for in-depth analysis (malware forensics) and less for broad sweeps like the tools that I mostly deal with. If my decision was wrong, I will probably add them when updating this paper next year.

  • Eric Schurr says:

    Anton,
    Excellent report. Very comprehensive, balanced, and accurate. I hope folks take the time to read and digest it. It will help them deal with advanced threats.

  • Eric, thanks A LOT for the praise. This report took a lot of work to write!!