endpoint detection and response

GETTING TO GRIPS WITH ENDPOINT DETECTION AND RESPONSE

KEITH MASKELL, HEAD OF CYBERSECURITY, TITAN DATA SOLUTIONS, TAKES A CLOSE-UP LOOK AT WHAT HE SEES AS AN IMPORTANT NEW CONCEPT IN DISTRIBUTION - EDR AND PACKAGED SOC SERVICES
As companies of all sizes come to grips with the responsibilities defined by GDPR, as well as the ever-worsening threat landscape in IT security, the conversation inevitably moves to 'EDR' - endpoint detection and response. No longer can antivirus protection be considered a sufficient solution on the endpoint - on workstations, servers and mobile devices. When a company realises it is time to be able to detect the IT security breaches which may happen at any time, regardless of the layers of defence implemented, then it is time for it to consider an EDR solution. For very many companies, of many different sizes, that time is right now.

But the world of EDR is not simple to get to grips with. At the heart of the problem is the fact that EDR is often dealing with complicated technical situations which may be the work of very capable individuals who have possibly, so far, outwitted the network and endpoint defences that were put in place. An EDR solution typically gathers large amounts of highly detailed event data from the monitored endpoints and uses analytic processes to extract combinations of events that, when taken together, are suspicious. Then the race is on to determine whether this particular alert is really an attack or a 'false positive'. No-one wants to be responsible for shutting down services or raising alarms, which may cause the business substantial cost, based on a false-positive alarm.
ISSUES IN EDR MONITORING

So, there are two tough requirements for EDR monitoring: firstly, having the right technical expertise available at the right time, to make the right decision based on the EDR alert, and secondly, having people with the courage to take responsibility for making that decision, within a suitable work process framework. Especially taking into account that this cover has to be on a 24/7/365 basis to be effective, this challenge is one step too far for the vast majority of companies to solve in-house.

If these problems are not truly solved, then EDR is relegated from being a monitored alarm system that can help see off attacks, possibly before any real damage is done, to being a forensics tool that can help analyse what happened weeks or months ago, when an attack took place that was missed at the time. This is the difference between stopping the burglar before he can open the office safe and arriving after the event to take fingerprints.

One potential solution is the use of the managed services of an external, independent 'SOC' - security operations centre. Experts at the SOC can monitor your EDR system and alert you when potential breaches are detected. This may solve the monitoring problem, but there are three questions: how do you select the SOC, is it too expensive, and how do you manage incident response activity when an alert is received?
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security<br />