Gartner Blog Network

The Best Starting Technology for Detection?

by Anton Chuvakin  |  March 6, 2018  |  3 Comments

We talked about starter detection and response processes, now what about the tools? Namely, tools that help you start your detection and response capability. Here, some “experts” will shout: ‘screw the tools! “security is a process, not a product”’.

Sadly, among the least mature organizations [at which this research is aimed!], the opposite perception is firmly in place: “security is a box, what do you mean by ‘process’… huh?” [BTW, I am not joking here – some of you reacted to my utterly depressing post with “WTF, the reality is much worse and Anton is an optimist” :-)]

In fact, I learned a fascinating concept last week: that of a “natural process.” In plain English, it is the shit you do when you have no set and/or documented process for accomplishing your goal. Example: a “natural process” for DFIR is panic, scream, turn off computers, polish your resume, then go on eBay to buy new mice because the old ones are “hacked”…

Now, a warning: before you read the below, think “STARTING”, “BEGINNER”, “LOW MATURITY” and often also “SEVERELY BUDGET CONSTRAINED.” Note this does not necessarily mean SMB, but it often does.

OK, so what are the choices?

  • LOGS: A SIEM of some sort, perhaps a log management tool with decent alerting (as Gartner says here). Notably, SIEM is ***NOT*** at all an obvious choice here, but log analysis of some sort probably is (also see debate below that post), due to its breadth and flexibility of covered use cases.
  • TRAFFIC: A network detection tool of some sort (we can debate NIDS vs NTA later); it may be something that is a module in your UTM or a firewall, or a good old IDS. Note that perhaps it is useful to differentiate between detection on the perimeter vs inside the perimeter.
  • ENDPOINT: not a common starter tech choice for detection (but very much so for incident response). Still, we expect that as EPP and EDR merge together, it will be more popular. Or, perhaps, OSSEC HIDS suffices for some? [here is a fun debate on this topic, but admittedly NOT between or for the beginners, because APT :-)]
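To make the “log management tool with decent alerting” option above concrete, here is a small added example (mine, not Anton's or Gartner's) of what the starter-level detection logic behind such a tool looks like: a couple of plain rules run over log events. The events are constructed for the example and loosely mimic Windows Security log fields (event ID 4625 = failed logon, 4624 = successful logon, 4720 = user account created); the hosts, users and IPs are made up. The two rules deliberately cover different use cases (authentication abuse and account lifecycle) to show the breadth argument made for logs.

```python
"""Minimal rule-based alerting over log events (added illustration).

The sample events are constructed for this example; field names are
modelled loosely on Windows Security log entries, not taken from any real
system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: a short failed-logon burst from one source,
# a stray failure from another, one success, and one account creation.
SAMPLE_EVENTS = [
    {"ts": "2018-03-06T09:00:01", "host": "dc01", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:00:10", "host": "dc01", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:00:25", "host": "dc01", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:00:40", "host": "dc01", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:00:55", "host": "dc01", "event_id": 4625, "user": "root", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:01:10", "host": "dc01", "event_id": 4625, "user": "root", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:02:00", "host": "dc01", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.9"},
    {"ts": "2018-03-06T09:03:00", "host": "dc01", "event_id": 4624, "user": "jsmith", "src_ip": "10.0.0.7"},
    {"ts": "2018-03-06T09:05:00", "host": "dc01", "event_id": 4720, "user": "svc_backup", "subject": "admin"},
    {"ts": "2018-03-06T09:20:00", "host": "dc01", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.7"},
]


def parse_ts(value):
    """Timestamps in the sample are ISO 8601 strings."""
    return datetime.fromisoformat(value)


def failed_logon_burst(events, threshold=5, window=timedelta(minutes=2)):
    """Alert once per source IP when it produces >= threshold failed logons
    (event 4625) inside a sliding time window."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    fired = set()                 # sources already alerted on (dedupe)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625:
            continue
        ts = parse_ts(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])
            alerts.append({"rule": "failed_logon_burst", "src_ip": ev["src_ip"],
                           "count": len(q), "last_seen": ev["ts"]})
    return alerts


def account_created(events):
    """Alert on every user account creation (event 4720): low volume, and in a
    small shop each one should be explainable."""
    return [{"rule": "account_created", "host": ev["host"], "user": ev["user"],
             "by": ev.get("subject"), "ts": ev["ts"]}
            for ev in events if ev["event_id"] == 4720]


RULES = [failed_logon_burst, account_created]


def run_rules(events, rules=RULES):
    """Run every rule over the same event stream and collect the alerts."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The point of the two-rule structure is that the same log feed answers unrelated questions without new sensors, which is exactly why log analysis tends to be the broad starter choice; a real tool adds persistence, more rules, and routing of alerts, but the core is this loop.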

What is obviously missing? Ah, glad you asked!

  • MSSP / MDR with whatever technology they bring (typically, logs, but nowadays often a combination of logs + traffic, and occasionally logs + endpoint via EDR) [note that it is often advisable to combine an MSSP with your own log management, such as for IR and troubleshooting]. Note that our existing guidance favors this approach quite a bit.

Anything else? Some “spork-style” tool that combines several/all of the above? Or, perhaps, our thinking is too constrained by the above categories?

Category: incident-response  monitoring  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on The Best Starting Technology for Detection?

  1. Richard Rushing says:

    Awesome post and agree. Doing something is better than nothing. I think there are 2 overlays that go along, if you're not doing an MSSP:

    Internal staff knowledge

    Some things like Windows event logs, domain reputation, OSINT, etc.

    If you have a small security-savvy staff you can handle a SIEM; if not, focus somewhere else.

    FTE for upkeep is another.
    Do you have enough sysadmins to support the tools for upgrades and management and storage upkeep as well?

    My vote is endpoint. Historically it's harder, having to touch so many devices versus touching a few network points. But many of the new solutions support cloud, client management, multiple OS, and nice dashboards and workflow, which make these the easiest today.

    • Richard, thanks a lot for this comment. Indeed, we of course plan to cover the 3rd (rather, the 1st) leg of the stool re: personnel to start off the effort. For sure, internal staff knowledge would matter for the program initiation, and I’ve been saving it for last since it is the trickiest. Re: OSINT – not sure, while I love it, it feels a poor fit for a true STARTER program…

      Re: endpoint vs network – thanks for the vote, but I don’t think we have a chance of determining the truth here, agent hatred is strong BUT also so many devices aren’t really on the monitored networks, so it feels at times a LOSE/LOSE story :-(

  2. […] reading my previous post, a few of you have wisely pointed out: … but detection of WHAT? How can you talk about the best […]
