Endpoint Detection and Response - A Guide

By @NileshGavali, CISSP,SecurityPlus

Introduction

Today’s organizations face huge challenges securing and protecting servers, networks, and digital assets. This goes double for mobile users, as they — and their laptops, tablets, and other devices. Also, more organizations are moving IT workloads to the cloud, leveraging hosted and SaaS models. With an expanded definition of endpoints that includes any connected device, physical or virtual, it’s good that cybersecurity solutions are available to help IT security organizations cope. Such solutions offer protection, monitoring, and support to secure business‐critical assets and quickly respond to a breach.

Endpoint security refers generally to a well‐described and understood method to protect an organization’s data and network as accessed with end‐user, connected devices. However, traditional endpoint security solutions can’t keep up with conventional endpoints, let alone all the new “things” coming online in today’s networks.

This guide focuses on how to deploy and manage security for many kinds of endpoints. It also digs into how endpoints and security incidents are detected, identified, monitored, and handled, including effective response and remediation. It even discusses the key role of automation in detecting and responding to threats and managing risk.

What’s an “Endpoint,” Really?

An endpoint is any connected device used to access an organization’s data and network. Traditionally, IT pros interpreted this as “anything with a CPU and a keyboard.” That definition is now expanding to include “things” (IoT, IIoT and OT), as new devices — even sensors — further increase the attack surface for businesses and organizations. Platforms considered infrastructure in the past now qualify as endpoints and are subject to exploitable vulnerabilities. Thus, we need to expand our definition of an endpoint to include servers, mobile devices, kiosks, POS, HVAC, medical gear, industrial systems, cameras and, yes, even cars. With more systems — physical or virtual, on‐premises or in the cloud — accessing organizational data and networks, the definition will be stretched even further.

Requirements for EDR

Endpoint Detection and Response (EDR) systems demand at least four types of capability. The first item is the detection part; other items comprise the response part.

Systems must -

  • Be able to detect malicious activity/security incidents as they occur.
  • Contain the incident at the endpoint.
  • Support investigation of the incident.
  • Provide mechanisms to remediate affected endpoints.

In broader terms, EDR can go beyond detecting incidents and responding to them. Advanced EDR systems can help reduce the overall attack surface (to whatever extent intelligence and technology allow), limit the impact of an attack, and use intelligence and observation to predict when and how attacks might occur.

Protecting Endpoints

Discover, Inventory, Monitor, and Protect

Securing endpoints begins with their discovery. You can’t protect what you don’t know about! And with the proliferation of all kinds of endpoints and applications, it is important to quickly detect any shadow IT or rogue endpoint instance on your network. An EDR system continuously scans the entire extended network across the organization to detect any new endpoint asset (hardware, software, or operating system).

The next step in the endpoint intake process is to take inventory of that device. Which versions of firmware, OS, and software is it running? Security analysts can then classify it automatically based on a known set of attributes and scan it for vulnerabilities. Is it patched and up to date? The endpoint configuration and version information are logged and recorded along with all known vulnerabilities, scored for their severity.

All endpoints are monitored, which means at least two things: One, it means their current configuration — firmware, OS, software, patches, security posture, and so on — is continuously checked. Also, the system is monitored for any changes, policy violations, and unauthorized file changes.

The second aspect of monitoring is to observe what endpoints are doing. Monitoring makes sure that any system or file change and access is detected and analyzed for unauthorized or malicious access or intent. This kind of monitoring can be understood as “keeping an eye out for suspicious, untoward, or malicious behavior.”

All endpoints must also be protected. To some extent, this requirement is addressed by managing device configurations so that updates and patches are kept current, and by making sure that any “drift” from baseline “safe” configuration or any policy violation is immediately flagged and analyzed for unwanted, unauthorized, or malicious incidents.

EDR systems can use small, lightweight programs called agents that run on each endpoint in the form of an application, an app, or even a kernel‐level add‐in on devices that may not support applications or apps directly. An agent provides deep and real‐time monitoring, analysis, and response. In some cases, a remote or agent‐less approach is used for discovery and less intrusive monitoring and response when an agent is not feasible, acceptable, or requires longer deployment cycles.

Detection and Response:

EDR system monitors endpoint state changes so it can correlate those changes with system events and application logs. Such changes can include installed software, files on an endpoint, the Registry, user privileges and account information, user behavior, running processes, and open ports or communications activity.

A good EDR system uses multiple methods of detection to identify threats on endpoints-

IOC detection: This method identifies changes in the system state and compares it to internal IOC (Indicator of Compromise). Sometimes it may be necessary to send the state changes or a suspect file to a threat intelligence service for analysis and evaluation.

Anomaly detection: Changes to a system from a known good base configuration can also help to identify threats.

Behavior detection: Identifying bad, odd, or illicit behavior on a system can indicate a threat. Logging such events helps with threat identification and may identify the time when an incident occurred or began.

Policy violations: System changes (for example, scheduled maintenance or upgrades, new software installs, new users, or account changes) outside approved configuration windows may indicate a threat actor at work.

Threat Intelligence

Truly understanding the scope, depth, and breadth of the threat landscape requires understanding and respecting its features and layout. This requires accurate and insightful threat intelligence.

Threat intelligence provides data that you did not already have (such as reputation scoring, attack tools, threat actors, and so on). It provides data (or analysis of that data) that helps you make more and better decisions about defence and helps you figure out what else to look for, or what proactive measures to take.

Making best use of threat intelligence

  • Automate what you can: Automated attacks need automated defences.
  • Save analyst resources for subtle, complex data that helps you pinpoint threats that are most likely to affect your organization negatively.

Threat intelligence is widely available from many commercial and community sources — for example, Cisco, Check Point, Palo Alto Networks, CrowdStrike, and ThreatStream, among many others. Every organization needs to decide which threat intelligence services are most suitable for it, based on criteria such as origin, freshness, speed and scale, relevance, accuracy, confidence, completeness, and consumability.

Advanced EDR systems integrate with multiple independent threat intelligence services and support concurrent feeds for automated threat detection and validation. Because threat intelligence drives EDR (and much of enterprise security defenses), these decisions are vitally important. Intelligence feeds should be an important part of the conversation with any prospective EDR system vendor.

Real‐Time Response

Real‐time response means an ability to detect and respond to threats as they appear. An ideal response is fast enough to prevent any threat from establishing itself on organizational networks or having an impact on organizational assets.

The best EDR systems work with threat intelligence to stay current with the threat landscape in real‐time, and to apply best‐practice responses when a threat is recognized. For high‐risk threats, this means sending up red flags and taking automatic action where possible and feasible. Red flags are important for a variety of reasons, including establishing the time when a threat occurred, marking endpoints that may be affected, and enabling monitoring of follow‐on changes to build a threat footprint that can be used to drive future intelligence and prevent repeat occurrences.

The best response is one where automated remediation can be applied in timely fashion. This is the goal toward which all EDR systems must strive. When several things have happened — data that describes the threat has been collected, the business and technical impact has been identified, and context data has been gathered — remediation can get underway. Such remediation, which can be automated or manual, may involve the endpoint in repair routines, rollbacks, de‐installation and cleanup of rogue software, and blocking access to IP addresses or resources.

Numerous threat intelligence exchanges facilitate response automation, so enterprises must develop processes that make it possible to implement automated responses whenever possible. Responding to less straightforward threats requires a bit more work.

Security Policy and Endpoints

security policy states clearly what must be done to protect digital information. A properly crafted policy states in writing what to do, so that how it gets done can be established, and then measured or audited. Security policy also protects people in an organization, recognizing that decisions or actions in situations where information is at risk also involves personal liability to corporate officers involved.

The areas that a security policy is meant to address are clearly spelled out in the SANS document; this alone makes it worth reading:

  • Risk assessments
  • Password policies
  • Administrator responsibilities
  • User responsibilities
  • Email policies
  • Internet policies
  • Disaster recovery
  • Intrusion detection

All in all, a well‐constructed security policy lays out the blueprint for implementing and practicing security within an organization. Any violation of these policies should be monitored and prioritized for analysis and response because these can be the mechanism that makes early detection of an impending or ongoing breach possible!

Baselining Endpoints

Good EDR implementation requires that we quickly identify new endpoints as they appear on an organization’s networks. Such systems generally make an inventory of what’s installed on each endpoint device including some or all of the following: firmware, operating system, applications, and communication software, along with the versions and updates or patches applied to these various components.

Baselining is a key concept in cybersecurity. It refers to establishing a detailed sense of what’s “normal” and “safe” for systems and devices to ensure a secure environment. This notion of what’s “normal” can be essential when monitoring systems, because it provides something against which to compare current state, configuration, and activity, and often allows threats to be detected by inference even when no direct evidence or means of recognition is available or known.

Baselining endpoints establishes a point of reference for subsequent monitoring and management. Like everything else in the security world, baselines must change when what’s “normal” changes. Thus, it’s best to think of a baseline as a snapshot of the ideal or desired state of an endpoint, which must be refreshed whenever changes are made by intent or design (adding or updating the OS or software, applying patches or fixes, adding or changing network services or configuration, and so forth and so on).

A list of tasks you should complete before you can choose and deploy an EDR system:

  • Formulating a security policy. EDR works in the context of a complete enterprise security policy. Without a delineation of the risk assessments, administrator responsibilities, Internet, and intrusion detection policies, you won’t know what you’re trying to protect or how best to protect it.
  • Doing things right. EDR is part of a comprehensive security focus that includes assessing, securing, and monitoring all endpoints. These activities take place in the context of a security policy with procedures for its enactment, governance, and compliance, if called for. EDR is a critical part of your security infrastructure, but not its be‐all and end‐all.
  • Discovering and profiling endpoints. An EDR system must either include this ability or integrate tightly with monitoring tools to identify and profile any new endpoints that join the network. Asset categorization and risk assessment then informs an EDR security analyst on the risk posture of those assets to help select an appropriate policy for hardening, monitoring, and protecting them against current and emerging threats.
  • Using secure configurations for protection. Risk assessments guide how endpoints should be hardened and protected. These assessments help minimize the attack surface and reduce risk. EDR works best in conjunction with security controls that establish, maintain, and protect secure configurations for endpoints. Often this means including or working with a Security Configuration Management (SCM) system to define configurations, and then using EDR and other security tools to look for telltale unauthorized or anomalous changes to them. Also, configuration policy tests can help in predicting points of failure in endpoints that might otherwise be exploited in an attack.
  • Deploying integrated threat intelligence. Threat intelligence is essential for EDR to successfully deliver on its promise to reduce the detection, analysis, response, and remediation gaps. Thus, it is vital to research and identify the most suitable threat intelligence service feeds. You may decide to select one or several commercial or community intelligence services. You may even decide to augment them with on‐demand, cloud‐based, sandbox malware analysis service. The EDR system that you select must support integration and automation for the threat intelligence services needed to protect your organization against current and emerging threats.
  • Developing and cultivating user security awareness. users must be informed — preferably at regular intervals — about security fundamentals, safe computing, and security issues related to their job roles and responsibilities. To support effective EDR, users need to understand how to take responsibility for their own security and behaviour. This helps reduce insider threats of the accidental or misinformed variety.
  • Establishing management support and team collaboration. For an EDR (or any security program) to succeed, it is crucial to establish organizational leadership support. Also, for EDR to be effective in real life, it requires continuous alignment and collaboration across the security and IT operations teams. Look for an EDR system that delivers the integration and automation necessary to help those teams collaborate in real‐time. This will reduce misalignments and minimize manual sharing of time-sensitive information. This is critical when teams are scrambling to detect, analyze, and respond to an actual security breach!

Choosing an EDR Solution

Of the many factors and items that should be in that list, the following are among the most important:

  • Accommodates all your endpoints. The candidate provides deep visibility into endpoint security, activity, communication, and configuration, as well as detailed monitoring of critical files and objects for all endpoint types.
  • Supports response automation. The candidate integrates with various threat intelligence services. It provides mechanisms that enable manual and automatic responses to recognized or demonstrated threats.
  • Works with other elements of security infrastructure. The candidate integrates with threat intelligence, security configuration management tools, security information and event management solutions, log management, file integrity and change monitoring systems, vulnerability and risk management, and so on.
  • Minimizes risks to your organization, and understands (or can apply) your business context.
  • Provides or includes adequate support for installation, setup, and breakin of the solution. This is likely to be a cost‐plus item, and should be budgeted accordingly.
  • The cost of purchase and deployment, plus all recurring costs, fits within your security budget. 

EDR is a never‐ending journey because of the sheer volume of ever‐changing threats with which organizations must contend. Some studies show that anywhere from hundreds of thousands to a million or more new threats manifest each day. This massive volume of threats requires constant vigilance and automation around endpoint state, configuration, and behavior. Reducing security risks requires attention to threat intelligence and correlating that information with careful attention to key files, objects, and configuration settings.

That’s why EDR involves a constant, ongoing round of activity. For threats that have already been detected, responses must be formulated and enacted. Once enacted, this information feeds into the prevention cycle to keep similar threats from recurring. In addition, there’s a constant need to stay alert for signs of new threats, and to make sure detection is working as it should be, starting the whole cycle over again. 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform