Insights
Demystifying detection and response

by Andrew Gogarty, Chief Security Evangelist

There is a lot of hype around detection and response, largely driven by the fact that in 2020 the average time to detect and contain a breach was 280 days, according to IBM. Cyber crime continues to impact organisations, and the time it takes to identify and respond to a threat is paramount to minimising any potential impact on operations or reputation.

This is where we need to leave the hype behind and focus on what organisations actually need: the ability to quickly detect a breach, identify its impact and determine how it got in, so that swift, appropriate action can be taken to respond to and contain the breach.

There is no one-size-fits-all solution to this. Some organisations have large cyber security teams, while others are limited on resource, or cyber security might be one of many shared priorities for a smaller IT team. Not wanting to buck the trend, the cyber security industry has rallied to address the problem with a number of approaches, each with its own acronym, leaving organisations confused about which approach best suits their requirements and internal capabilities.

Whichever route you choose to take, you need to focus on the desired outcome: how do we detect malicious activity and respond faster to minimise the impact on our organisation? How do we improve our detection and respond faster?
Better Detection
• Bring together and correlate the alerts from our siloed security tools
• Leverage threat intelligence to hunt for zero day threats
• Monitor your security alerts 24x7
• Ensure security tools are up-to-date and configured optimally
• Ensure focus on genuine threats instead of wasting time trawling through false positives

Faster Response
• Monitor your security alerts 24x7
• Leverage automated response to genuine threats
• Have all the relevant data points to hand for a targeted response
Before exploring which option is most suited to help your organisation realise your desired outcome, let’s consider the options and how they fit with your environment.
EDR - Endpoint Detection and Response
XDR - Extended Detection and Response
MDR - Managed Detection and Response
SIEM - Security Incident & Event Monitoring
SOC - Security Operations Centre
EDR - Endpoint Detection and Response

Ideally suited for: organisations with an in-house security operations centre with threat hunting and incident response skills.

Typically a new feature or add-on offered by traditional endpoint security vendors, or by "next-gen" endpoint security vendors, EDR is designed to give IT teams better clarity and to facilitate faster detection of and response to threats on endpoints. It sometimes incorporates automation to isolate affected endpoints.

In the event of a breach, the solution pulls together the relevant security logs and provides a graphical map of which endpoints have been impacted and what changes were made to them. This enables IT teams to focus quickly on the impacted endpoints instead of wasting valuable time manually searching through logs to work out how to respond.

Most EDR platforms also support threat hunting, where you can leverage threat intelligence to search for threats that have not yet been identified by your endpoint security tool. For example, when WannaCry was initially propagating in 2017, many endpoint security vendors did not detect the payload. However, through threat intelligence, we knew the attributes (or indicators of compromise) associated with WannaCry. Threat hunting empowers IT teams to search for such indicators of compromise in the EDR platform, which then reports which endpoints have IOCs associated with that threat. It enables a more proactive and faster response to endpoint threats, minimising any associated impact.

Limitations of EDR: it is focused only on endpoint security, the last line of defence. It will not help against account takeovers, perimeter breaches or other attacks beyond the endpoint.
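The IOC sweep described above, as an added illustration that is not part of the original article or any vendor's product: a threat-intelligence feed of indicators is matched against endpoint telemetry and the result is the list of impacted endpoints an analyst would isolate first. The indicator values, hostnames and event shape are all constructed for this example.

```python
from collections import defaultdict

# Constructed threat-intelligence feed: indicator type -> set of values.
# Every value is a placeholder made up for this example, not a real IOC.
IOCS = {
    "sha256": {"0f" * 32},
    "domain": {"killswitch-placeholder.example"},
    "filename": {"dropper-placeholder.exe"},
}

# Constructed endpoint telemetry as an EDR agent might record it:
# (hostname, event kind, value). Real platforms carry many more fields.
TELEMETRY = [
    ("WS-001", "file_write", "Dropper-Placeholder.exe"),
    ("WS-001", "process_hash", "0F" * 32),
    ("WS-002", "dns_query", "killswitch-placeholder.example"),
    ("WS-003", "process_hash", "ab" * 32),
    ("SRV-01", "dns_query", "updates.example"),
    ("SRV-01", "logon", "alice"),
]

# Which indicator type each telemetry event kind can be compared against.
EVENT_TO_IOC_TYPE = {
    "process_hash": "sha256",
    "file_write": "filename",
    "dns_query": "domain",
}

def normalise(value):
    # Hashes, domains and Windows filenames compare case-insensitively.
    return value.strip().lower()

def hunt(telemetry, iocs):
    """Return {hostname: sorted [(ioc_type, value), ...]} for every endpoint with a hit."""
    hits = defaultdict(set)
    for host, kind, value in telemetry:
        ioc_type = EVENT_TO_IOC_TYPE.get(kind)
        if ioc_type is None:
            continue  # event kinds with no indicator type (e.g. logons) are skipped
        value = normalise(value)
        if value in iocs.get(ioc_type, set()):
            hits[host].add((ioc_type, value))
    return {host: sorted(matches) for host, matches in hits.items()}

def impacted_hosts(telemetry, iocs):
    """Endpoints to isolate, those with the most matched indicators first."""
    hits = hunt(telemetry, iocs)
    return sorted(hits, key=lambda h: (-len(hits[h]), h))

if __name__ == "__main__":
    for host, matches in hunt(TELEMETRY, IOCS).items():
        print(host, matches)
    print("Isolate first:", impacted_hosts(TELEMETRY, IOCS))
```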