These days it appears the concept of a single point solution that protects your endpoints and your network is a dead dream. AV software is being replaced by more complex detection software, while whitelists and IOCs only do a fraction of the work. Keeping the bad stuff out at the perimeter has been replaced by the concept of quickly detecting and responding.
To adequately defend your networks you need something better: the ability to detect what has never been detected before, continuous monitoring, hunting for malware, the sharing of contextual information, and the ability to analyze malware with forensics software once it is caught.
But how do you keep from building a Rube Goldberg machine in your enterprise?
Doing this yourself would be the equivalent of buying a new car in pieces and expecting to assemble the entire vehicle yourself, from the crankshaft up to the moon-roof. This is where you need to partner with the right firm, and the right kind of firm to succeed—more on this later in the article.
Good integration means using a SIEM together with EDR and network security techniques as an ensemble. In addition to the ability to remediate after the fact, one needs to be able to sandbox suspected applications, users and sites. Considering the complexity of modern cyber-attacks, especially those performed by well-organized and well-funded adversaries, a successful defense requires a holistic approach. When properly executed, the integration results in a finished puzzle, each tool representing a piece, which in turn enables the IR team to accurately complete the picture.
Today’s Security Operations Centers often utilize SIEMs as their “single pane of glass” for incident response, and it is important that data from the endpoints is accessible and actionable in them. The endpoints also need to integrate with other security telemetry such as threat source services, reputation lists, intrusion prevention and detection systems, anti-virus, and firewalls.
Sandboxing is a necessary component of the solution. Any non-validated code from vendors or other outside organizations can be detonated in the sandbox and observed for malicious behavior. Once code is flagged as suspect, it is blocked at the network level. For this to work effectively, there needs to be solid communication between the sandbox tool, the EDR system and the network security servers.
EDR and network monitoring capabilities need to speak to each other and share data. This gets even more critical as enterprise network admins deal with BYOD and the Internet of Things. Bringing network security analytics together with Endpoint Detection and Response allows security professionals to view incidents on the network and on the endpoint in real time.
When this integration is done effectively, operators are able to detect and analyze threats, quickly quarantine endpoints, surgically remove files and update or re-image any infected endpoints. For example, identified attack artifacts can be used to enhance perimeter defense tools and prevent further attack spread. When a process running from a file with a known bad hash connects to a remote server, artifacts of the connection (such as remote server name, IP address and port numbers) can be used to block further infection by modifying firewall rules or port mirroring the connection for deeper packet inspection.
In another example, malware detected by the network monitoring tool can be sent to the content analysis system, which would then query the EDR system to determine whether the malware had reached any endpoints. A report would then be generated outlining which endpoints are impacted, with embedded links to remediate. Security analysts investigating the breach would then be able to pivot into the analytics engine for a holistic network view. The new malware would also be uploaded to the intelligence network so that subsequent attacks can be stopped by the security/gateway server.
Lightening the Incident Responders’ Load
Integration also improves the responders’ efficiency. For example, resolving incidents using information from threat intelligence sources allows lower-skilled personnel (usually Tier 1) to make educated decisions and alleviate the load that would otherwise fall into the IR team’s lap. Suppose the analyst has noticed execution of a file with a strange name. It would require further investigation to find out whether the resulting process is malicious, or whether the file itself is malware. However, threat intelligence sources may be able to determine the maliciousness of the file instantly by reporting that the file hash matches a known bad hash.
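The two integration flows described above (the known-bad-hash process whose connection artifacts become firewall rules, the network detection that is checked against EDR telemetry to produce a remediation report) and the Tier 1 triage decision in this section share one mechanism: normalise a file hash, look it up in threat intelligence, and join it against endpoint telemetry. The following is an added example written for this article, not CounterTack code and not any product's API. Every record in it is constructed: the EDR event shape, the intelligence feed, the `edr://quarantine/` link scheme and the iptables rule syntax are all assumptions standing in for whatever the deployed tools actually expose.

```python
"""Correlate a network-sensor malware detection with EDR telemetry and threat
intelligence, then make the Tier-1 triage call.

Added example, not CounterTack code. All records are constructed for the
demonstration; the event shape, intel feed, link scheme and firewall syntax
are assumptions, not any vendor's API.
"""

# Constructed SHA-256 values: one with a "known bad" intel record, one without.
BAD_HASH = "a" * 64
UNKNOWN_HASH = "b" * 64

# Constructed threat-intelligence feed, keyed by lowercase SHA-256.
THREAT_INTEL = {
    BAD_HASH: {"verdict": "malicious", "family": "ExampleLoader"},
}

# Constructed EDR process telemetry: one record per process start, with the
# outbound connections the agent observed from that process.
EDR_EVENTS = [
    {"host": "ws-101", "pid": 4120, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\x7q.exe",
     "sha256": BAD_HASH.upper(),  # tools disagree on case; normalised below
     "connections": [{"dst_host": "cdn-upd.example", "dst_ip": "203.0.113.10", "dst_port": 443}]},
    {"host": "ws-102", "pid": 880, "image": "C:\\Program Files\\Vendor\\tool.exe",
     "sha256": UNKNOWN_HASH, "connections": []},
    {"host": "ws-103", "pid": 2211, "image": "C:\\Windows\\Temp\\x7q.exe",
     "sha256": BAD_HASH,
     "connections": [{"dst_host": "cdn-upd.example", "dst_ip": "203.0.113.10", "dst_port": 443},
                     {"dst_host": None, "dst_ip": "198.51.100.7", "dst_port": 8443}]},
]


def normalize_hash(value: str) -> str:
    """Hashes arrive in mixed case from different sensors; compare in one form."""
    return value.strip().lower()


def impacted_endpoints(sha256: str, events: list) -> list:
    """The 'query the EDR' step: which endpoints have executed this hash?"""
    wanted = normalize_hash(sha256)
    return sorted({e["host"] for e in events if normalize_hash(e["sha256"]) == wanted})


def connection_artifacts(sha256: str, events: list) -> list:
    """Remote IP, port and server name for every connection made by a process
    running from the hash, de-duplicated across endpoints."""
    wanted = normalize_hash(sha256)
    seen = set()
    for e in events:
        if normalize_hash(e["sha256"]) != wanted:
            continue
        for c in e["connections"]:
            seen.add((c["dst_ip"], c["dst_port"], c["dst_host"] or ""))
    return sorted(seen)


def firewall_rules(artifacts: list) -> list:
    """Render perimeter block rules from the artifacts. iptables FORWARD-chain
    syntax is used as one concrete form; a real perimeter device has its own."""
    return [f"iptables -A FORWARD -d {ip} -p tcp --dport {port} -j DROP"
            for ip, port, _host in artifacts]


def build_report(sha256: str, events: list, intel: dict) -> dict:
    """The report handed to the analyst: impacted endpoints, a remediation
    link per endpoint, the connection artifacts and the rules derived from them."""
    hosts = impacted_endpoints(sha256, events)
    artifacts = connection_artifacts(sha256, events)
    return {
        "sha256": normalize_hash(sha256),
        "intel": intel.get(normalize_hash(sha256)),
        "impacted_endpoints": hosts,
        # Placeholder link scheme; an EDR console would supply its own URLs.
        "remediation_links": {h: f"edr://quarantine/{h}" for h in hosts},
        "artifacts": artifacts,
        "firewall_rules": firewall_rules(artifacts),
    }


def triage(event: dict, intel: dict) -> tuple:
    """Tier-1 decision for one 'strange file executed' alert, as (decision, reason).
    Only an intel hit lets Tier 1 act alone; an unknown hash goes to the IR team
    with the context already attached."""
    hit = intel.get(normalize_hash(event["sha256"]))
    if hit and hit["verdict"] == "malicious":
        return "contain", f"hash matches known bad ({hit['family']})"
    if hit and hit["verdict"] == "benign":
        return "close", "hash is on the allowlist"
    if event["connections"]:
        return "escalate_ir", "unknown hash with outbound connections"
    return "escalate_ir", "unknown hash, no intel available"


def triage_queue(events: list, intel: dict) -> dict:
    """Count how the alert queue splits between Tier 1 actions and IR escalations."""
    counts = {}
    for e in events:
        decision, _ = triage(e, intel)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(BAD_HASH, EDR_EVENTS, THREAT_INTEL), indent=2))
    print(triage_queue(EDR_EVENTS, THREAT_INTEL))
```

Two of the three constructed alerts resolve at Tier 1 because the hash is already known bad; the unknown hash on `ws-102` is escalated rather than silently closed, which is the point the article makes about intelligence lifting load off the IR team without hiding what intelligence cannot answer. The hash normalisation matters in practice: the same file reported in upper case by one sensor and lower case by another would otherwise be counted as two unrelated findings.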
Choose a Trusted Partner
There are many experienced companies out there that can do anything from advising you in your quest, to implementing a complete solution, to managing that solution in an MSSP environment. Don’t try to do this yourself. The complexity can be overcome with the right partnership, and it doesn’t have to cost your company’s yearly profits to implement. Choosing the right partner and working with them to determine the appropriate solution can spare you an immense amount of headache and, worse yet, a costly breach.
Happy Holidays from your CounterTack Team!!