InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
In a previous article about Endpoint Detection & Response (EDR) we already explained you, how this ingenious technology works and which advantages EDR offers you. In the next three parts, you'll learn more about how organizations can reduce the time and resources required to detect, analyse, and resolve security incidents, regardless of their scale. In part one, we explore the detection phase of the process and review how the Tanium platform can be used to gain more control and flexibility in detection, investigation and remediation.
The successful defence against cyber attacks does not only depend on reliable identification. At least as important is the speed at which the attack is responded to. The time it takes to detect, investigate, and ultimately remediate or resolve a security incident is seen by most organizations as a key metric for measuring success. Historically, we have witnessed organizations fail to reduce the time required to close the loop in one or more of these areas. It often takes valuable minutes - or hours, days, if not weeks - between an attack and its detection. This time span can have devastating consequences for businesses, making the difference between a small security issue and cross-network compromise. But what can you do to shorten this time and respond faster to an attack?
To quickly detect a cyber attack, you need timely and extensive access to forensic artefacts and data on the target systems, as well as a good strategy for what you are looking for. This area is covered by applicable threat intelligence. We don't primarily speak of IP addresses, checksums or similar, but of behavioural indicators. These do not (only) describe malware used by the attacker, but also the attacker's behaviour when moving through the network using Windows tools.
Traditionally, the data is collected at a central location and all analysis steps are performed there. This can be tedious and considerably prolong the time between attack and detection - or, in the worst case, completely prevent detection. For reasons of scalability alone, the better solution is to perform the analysis directly at the endpoint. This allows the endpoint to be continuously monitored and only the data related to the detection or explicitly requested by analysts can be obtained. This is the big advantage of Endpoint Detection & Response (EDR)! As a positive side effect, no extensive, central data acquisition infrastructure is required. Similarly, with EDR technology, the network is not additionally burdened by log transfers to a central location.
If the whole thing went a little too fast for you: Our EDR specialist Mathias Fuchs, Head of Investigation & Intelligence at InfoGuard, explains in a short and compact video how EDR works, which advantages it offers and why no company should do without it.
Detection should not solely rely on static intelligence to fire off alerts that are then investigated further. There is a danger that analysts will not correctly assess alarms if the information provided is not optimally prepared and thus used to the full. A proper detection strategy should look to squeeze everything possible of value out of the threat intelligence you receive.
The development of static indicators or the integration of these indicators from a feed tends to be the easiest way to utilize threat intelligence. In most cases, this requires minimal modification of the intelligence as long as the tools you use allow the data to be quickly integrated into your current processes. Most Indicators of Compromise (IOCs) fall into the category of static indicators. Although indicator values may change over time, most are designed to detect static threats such as a specific host or network-based indicators. Moving from static to dynamic indicators takes time and expertise. If possible, check the IOCs you currently use and try to translate those into Indicators of Attack (IOAs).
In short, the magic word for effective EDR is "speed". Especially companies with distributed locations and a large number of endpoints are often overwhelmed by the flood of events from their security tools. The tools are usually organized like silos and offer only a limited view. Thus it can take days until it is clear where attacks took place, how the malware spread and which systems are affected. This is exactly where Tanium's solution comes in. The platform provides a detailed overview of the status of all end devices within a maximum of 15 seconds - completely independent of the size of the corporate network. Tanium's platform is based on the new approach of being able to query endpoints in the company in a matter of seconds. The integration of this unprecedented speed and scalability reduces the time to discovery enormously. Incorporating the real-time detection capabilities provided by the high fidelity/low impact detection engine with the scale and speed of the Tanium platform means new and possibly time-sensitive intelligence becomes actionable in that same seconds-based timescale, across the largest enterprises. Once applied, intelligence is immediately being evaluated and delivering information back to the people who need it.
In order to use all possibilities of detection, different methods and techniques have to be used. The Tanium platform uses several techniques to achieve real-time alerting, including:
These are then applied against available artefacts, including live files and memory or historical information regarding the file, DNS, process, registry, and security events. While traditional IOCs are good for comparing known threats (patterns that match), Tanium Signals are behaviour-based rules built to assist in identifying IOAs. IOAs are one of the more difficult indicator types to standardize. This type of intelligence allows you to compare behavioural patterns across several data domains, such as a file created by a process, suspicious process ancestries, or file-based artefact discovery.
The combination of these mechanisms gives you maximum visibility into suspicious activity within your infrastructure. Tanium thus helps to transform tedious EDR activities into a fast and “easy” detection and response. Sounds good, doesn't it? That goes through for example:
InfoGuard offers you Tanium's solution exclusively as a service - and that from 300 endpoints instead of the current 5,000! This means that SMEs will also benefit from this brilliant technology in the future. Our EDR-as-a-Service is offered by experienced experts in the ISO 27001 certified Cyber Defence Center in Baar.
Interested? We would be happy to tell you more about our EDR-as-a-Service and show you how Tanium can be used in your company.
*In cooperation with Tanium