Endpoint Advanced Protection Buyer’s Guide: Top 10 Questions for Detection and ResponseBy Mike Rothman
There are plenty of obvious questions you could ask each endpoint security vendor. But they don’t really help you understand the nuances of their approach, so we decided to distill the selection criteria down to a few key points. We will provide both the questions and the reasons behind them.
Q1: Where do you draw the line between prevention and EDR?
The clear trend is towards an integrated advanced endpoint protection capability addressing prevention, detection, response, and hunting. That said, it may not be the right answer for any specific organization, depending on the adversaries they face and the sophistication & capabilities of their internal team. As discussed under selection criteria for Prevention, simple EDR (EDR-lite) is already bundled into a few advanced prevention products, accelerating this integration and emphasizing the importance of deciding whether the organization needs separate tools for prevention and detection/response/hunting.
Q2: How does your product track a campaign, as opposed to just looking for attacks on single endpoints?
Modern attacks rarely focus on just one endpoint – they tend to compromise multiple devices as the adversary advances towards their objective. To detect and respond to such modern attacks, analysis needs to look not merely at what’s happening on a single endpoint, but also at how that endpoint is interacting with the rest of the environment – looking for broader indications of reconnaissance, lateral movement, and exfiltration.
Q3: Is detection based on machine learning? Does your analysis leverage the cloud? How do your machine learning models handle false positives?
Advanced analytics are not the only way to detect attacks, but they are certainly among the key techniques. This question addresses the vendor’s approach to machine learning, digs into where they perform analysis, and gets at the breadth of the data they use to train ML models. Finally, you want the vendor to pass a sniff test on false positives. If any vendor claims they don’t have false positives, run away fast.
Q4: Does your endpoint agent work in user or kernel mode? What kind of a performance impact does your agent have on devices?
The answer is typically ‘both’ because certain activities that cannot be monitored or prevented purely from user space or kernel mode. For monitoring and EDR, it’s possible to stay within user mode, but that limits automated remediation capability because some attacks need to be dealt with at the kernel level. Of course, with many agents already in use on typical endpoints, when considering adding another for EDR you will want to understand the performance characteristics of the new agent.
Q5: Do we need “Full DVR”, or is collecting endpoint metadata sufficient?
This question should reveal the vendor’s response religion – some believe comprehensive detection and/or response can work using only metadata from granular endpoint telemetry, while others insist that a full capture of all endpoint activity is necessary to effectively respond and to hunt for malicious activity. The truth is somewhere in the middle, depending on your key use case. Detection-centric environments can run well on metadata, but if response/hunting is your driving EDR function, access to full devie telemetry is more important because attackers tend to cover their tracks using self-deleting files and other techniques to obfuscate their activities.
Keep in mind that the EDR architecture is a major factor here, as central analysis of metadata can provide excellent detection, with full telemetry stored temporarily on each device in case it is needed for response.
Q6: How is threat intelligence integrated into your agent?
This anser should be about more than getting patterns for the latest indicators of compromise and patterns for attacks involving multiple devices. Integrated threat intel provides the ability to search historical telemetry for attacks you didn’t recognize as attacks at the time (retrospective search). You should also be able to share intelligence with a community of similar organizations, and be able to integrate first-party intel from your vendor with third-party intel from threat intelligence vendors when appropriate. Additionally, the able to send unrecognized files to a network sandbox makes the system more effective and enables quicker recognition of emerging attacks.
Q7: How does your product support searching endpoint telemetry for our SOC analysts? Can potentially compromised devices be polled in real time? What about searching through endpoint telemetry history?
Search is king for EDR tools, so spend some time with the vendor to understand their search interface and how it can be used to drill down into specific devices or pivot to other devices, to understand which devices an attacker has impacted. You’ll also want to see their search responsiveness, especially with data from potentially hundreds of thousands of endpoints in the system. This is another opportunity to delve into retrospective search capabilities – key for finding malicious activity, especially when you don’t recognize it as bad when it occurs. Also consider the tradeoffs between retention of telemetry and the cost of storing it, because being able to search a longer history window makes both retrospective search and hunting more effective.
Q8: Once I get an alert, does the product provide a structured response process? What kind of automation is possible with your product? What about case management?
As we have discussed throughout this series, the security skills gap makes it critical to streamline the validation and response processes for less sophisticated analysts. The more structured a tool can make the user experience, the more it can help junior analysts be more productive, faster. That said, you also want to make sure the tool isn’t so structured that analysts have no flexibility to follow their instincts and investigate the attack a different way.
Q9: My staff aren’t security ninjas, but I would like to proactively look for attackers. How does your product accelerate a hunt, especially for unsophisticated analysts?
Given sufficiently capable search and visualization of endpoint activity, advanced threat hunters can leverage an EDR tool for hunting. Again, you’ll want to learn how the tool can make your less experienced folks more productive and enable them to find suspicious activity, drill down into devices, and pivot to other devices; and ultimately document an attack as a case.
Q10: How does your product integrate with other enterprise security solutions, including advanced prevention agents and traditional EDR?
If a vendor offers a full advanced prevention capability in addition to EDR, use this question to figure out whether prevention and EDR use a common agent, and their level of management integration. Prevention and detection/response are co-dependent, so you would like to see a common agent and significant integration between tools from vendors who offer both, so you don’t need to load more device agentry than needed, and to make management of prevention and EDR efficient.
Given the other security controls you have in place, it would be nice to understand how alerts and telemetry from the EDR system can be sent to and received from other monitors and controls. Our objective is to ensure you understand not just how the tool impacts the daily activity of the endpoint team, but also the SOC and other teams, including network and security operations. Adjacent tools which are obvious integration candidates include SIEM, incident response & case management tools, and network-based controls. Ideally you will get out-of-the-box integrations with these tools and open APIs – both to accelerate deployment and to ensure you don’t have to maintain custom integrations forever.
Next up in our Buyer’s Guide is guidance on the Proof of Concept (PoC) process for both prevention and detection/response. We will start posting that after the holiday.