
Monday, 06 March 2017 08:57

ENDPOINT DETECTION & RESPONSE - THE BENEFITS OF A PROACTIVE THREAT HUNTING APPROACH


In a previous part of our Endpoint Detection & Response (EDR) series, you learned how to reduce the time it takes to detect a cyber attack. Now it's time to get down to business: in this article, we'll explain why organisations can't afford to be purely reactive when scanning for, hunting and analysing security incidents.

Forensic approaches to both investigation and analysis are critical to an effective endpoint security strategy and are as important as detection, remediation and prevention. Don't wait for an incident to happen before you start searching - search proactively! A proactive search begins with the assumption that an intrusion is already underway that has not yet been detected.

However, many organisations still take a reactive approach and waste valuable time. They act from an alert-centric perspective and only investigate incidents once their detection systems have flagged them. In terms of Endpoint Detection & Response, this typically means that alerts are only triggered when known IOCs (Indicators of Compromise) or suspicious behaviour are detected.

EDR means finding and extinguishing the glowing match in the (data) forest

Not all investigations start from alerts, however. For example, you may suspect that an employee has carried out fraudulent actions and therefore need to search a particular timeframe. Or you may need to search for specific artefacts, such as when malware slips past your email scanning devices or when a confidential document is suddenly being passed around in a freely accessible manner. Or you may simply want to search proactively for anomalies.

No matter the starting point in the investigative workflow, you need a way to drill down into results and systems of interest and explore a timeline of events. This is the only way to get a comprehensive picture of what exactly happened - and, at best, to deduce what could happen next. Security analysts also have to deal with the huge amount of data that systems continuously generate during normal operation. Enriching events with additional context helps to distinguish between "good" and "bad" events and further refines your understanding of the incident.
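As an added illustration of the workflow just described (this is example code written for this article, not part of the original post or of any vendor's product), the script below merges two evidence sources into one chronological timeline, enriches each event with a verdict from an allowlist, and lets an analyst drill down into a single host. The process and network records, the host names and the allowlist of expected binaries are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import csv
import io

# Constructed sample evidence (not real telemetry): process starts from two
# workstations, and the network connections those processes opened.
PROCESS_CSV = """host,timestamp,pid,image,parent
ws-01,2017-03-06T08:57:12Z,4120,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\services.exe
ws-01,2017-03-06T08:58:03Z,4188,C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe,C:\\Program Files\\Mail\\mail.exe
ws-02,2017-03-06T09:02:45Z,2210,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\explorer.exe
"""

NETWORK_CSV = """host,timestamp,pid,dest,dest_port
ws-01,2017-03-06T08:58:05Z,4188,198.51.100.23,443
ws-02,2017-03-06T09:03:01Z,2210,192.0.2.77,445
"""

# Hypothetical enrichment source: binaries we expect to see on these hosts.
KNOWN_GOOD_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\cmd.exe",
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "process" or "network"
    detail: str
    key: tuple       # (host, pid) ties a connection to the process that opened it
    verdict: str = "unknown"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(process_csv, network_csv, known_good_images):
    """Merge both evidence sources into one sorted, enriched timeline."""
    events = []
    verdict_by_key = {}
    for row in csv.DictReader(io.StringIO(process_csv)):
        key = (row["host"], row["pid"])
        verdict = "expected" if row["image"] in known_good_images else "review"
        verdict_by_key[key] = verdict
        events.append(Event(parse_ts(row["timestamp"]), row["host"], "process",
                            f'{row["image"]} <- {row["parent"]}', key, verdict))
    for row in csv.DictReader(io.StringIO(network_csv)):
        key = (row["host"], row["pid"])
        # A connection inherits the verdict of its process; a connection whose
        # process we never saw start is itself worth a closer look.
        verdict = verdict_by_key.get(key, "review")
        events.append(Event(parse_ts(row["timestamp"]), row["host"], "network",
                            f'{row["dest"]}:{row["dest_port"]}', key, verdict))
    events.sort(key=lambda e: (e.ts, e.host))
    return events


def hosts_needing_review(timeline):
    """Hosts with at least one event the enrichment could not vouch for."""
    return sorted({e.host for e in timeline if e.verdict == "review"})


def drill_down(timeline, host):
    """The per-host view an analyst pivots to once a host stands out."""
    return [e for e in timeline if e.host == host]


if __name__ == "__main__":
    timeline = build_timeline(PROCESS_CSV, NETWORK_CSV, KNOWN_GOOD_IMAGES)
    for e in timeline:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.host:6} {e.kind:8} {e.verdict:8} {e.detail}")
    print("hosts to review:", hosts_needing_review(timeline))
```

The point of the enrichment step is visible in the output: the unexpected binary on ws-01 is flagged, and the outbound connection it opened two seconds later inherits that flag, so the analyst sees the chain rather than two unrelated records.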

Once your analysts have found the initial event, they need to close the gaps in the event chain with the available information and, at the same time, secure evidence for later in-depth analysis. A cyber attack usually does not end with the first malware infection and the intrusion into the network, however. The attacker will try to penetrate further into the network and steal access credentials or other sensitive data in order to move through the network as a seemingly legitimate user.

What does that mean for you? From here on, the cross-system investigation becomes a hunt. Your team of analysts must team up with the threat hunting team to analyse the incident thoroughly, ensure that its full extent is uncovered and that no additional damage can be done. You must also be able to block the malicious activities. That is where an effective EDR solution comes in: it must be able to perform actions and to adapt and enforce security policies!

How does Tanium help with investigation and forensic analysis?

Tanium's EDR solution provides a detailed overview of a cyber attack in a matter of seconds, from any device, regardless of the size of the corporate network. This makes it possible to determine faster than with other solutions available on the market where an attack took place, how the malware spread or the attacker moved through the network, which end devices are affected and how to react. Tanium continuously records forensic telemetry data to help you analyse incidents. But the EDR platform goes far beyond capturing log data at the endpoint. It combines access to historical data with the ability to query the current system state and stored data - regardless of the size of the corporate network and at enormous speed. This also includes real-time access to comprehensive sources of evidence such as indexes of all files on the hard disk, native operating system artefacts and the complete contents of volatile memory. Finally, Tanium provides the ability to repeat a search in order to try different approaches and compare data in real time without any post-processing. One example is collecting the persistence mechanisms from all systems on your network and grouping them, which lets your analysts spot outliers or malicious activity more quickly.
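The persistence-stacking idea mentioned at the end of that paragraph is a general hunting technique, so here is an added example of it in plain Python (written for this article; it is not Tanium code and does not use any Tanium API). Persistence entries from every host are normalised so that per-user paths stack together, grouped, and the entries that appear on only a handful of hosts are returned as outliers for review. The fleet of 50 hosts, the registry Run keys and the file paths are constructed sample data; the "helper.exe" and "svchost.exe" entries in user-writable directories are made up to play the role of the rare entries a hunter would want to look at.

```python
import re
from collections import defaultdict

# Per-user profile directories would otherwise prevent identical mechanisms
# from stacking, so collapse the user name to a wildcard before grouping.
USER_DIR = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)

RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def normalise(command):
    """Collapse per-user path segments and case so equivalent entries stack."""
    return USER_DIR.sub(r"\\Users\\*\\", command).lower()


def stack_persistence(records, max_hosts):
    """Group (host, location, command) records across the fleet.

    Returns the entries present on at most `max_hosts` hosts, rarest first,
    each with the sorted list of hosts where it was found.
    """
    hosts_by_entry = defaultdict(set)
    for host, location, command in records:
        hosts_by_entry[(location, normalise(command))].add(host)
    outliers = [
        (location, command, sorted(hosts))
        for (location, command), hosts in hosts_by_entry.items()
        if len(hosts) <= max_hosts
    ]
    return sorted(outliers, key=lambda o: (len(o[2]), o[0], o[1]))


def build_sample_fleet(n_hosts=50):
    """Constructed fleet: every host carries the same three expected entries,
    plus a few rare entries planted on individual hosts for the example."""
    records = []
    for i in range(1, n_hosts + 1):
        host, user = f"ws-{i:02d}", f"user{i}"
        records.append((host, RUN_HKLM, r"C:\Program Files\Vendor\agent.exe /background"))
        records.append((host, RUN_HKCU, rf"C:\Users\{user}\AppData\Local\Sync\sync.exe"))
        records.append((host, "Scheduled Task", r"C:\Windows\System32\updater.exe"))
    # Rare entries (constructed): one on a single host, one shared by two hosts.
    records.append(("ws-17", RUN_HKCU, r"C:\Users\user17\AppData\Roaming\svchost.exe"))
    records.append(("ws-08", "Scheduled Task", r"C:\ProgramData\tmp\helper.exe"))
    records.append(("ws-31", "Scheduled Task", r"C:\ProgramData\tmp\helper.exe"))
    return records


if __name__ == "__main__":
    fleet = build_sample_fleet()
    for location, command, hosts in stack_persistence(fleet, max_hosts=2):
        print(f"{len(hosts):3} host(s)  {location}  {command}  {hosts}")
```

The threshold is deliberately a parameter: on a fleet of 50 an entry on two hosts is an outlier, while on a fleet of 50,000 a reasonable cut-off is higher, and the same grouping can be rerun with a different threshold without re-collecting the data, which is exactly the "repeat a search and compare" pattern the paragraph describes.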


EDR-as-a-Service? Only available from Paeonia!

We offer you Tanium's leading EDR solution exclusively as a service from our ISO 27001 certified Cyber Defence Center - and that starting at 300 endpoints instead of the current 5,000! Interested? We will be happy to show you how you can use EDR-as-a-Service in your company and revolutionize your endpoint detection & response.

Last modified on Wednesday, 22 May 2019 12:04
