Dec 20, 2017
EDR Matters: How to Reduce Time-to-DetectBy Tyler Oliver & Ben Crocker
This is the first in our three-part EDR Matters blog series. In this series, Tyler Oliver, Tanium’s Director of Endpoint Detection and Response in EMEA and Ben Crocker, senior director EMEA technical account management, share their personal views on how organizations can reduce time and resource requirements in the areas of detection, investigation and remediation of security incidents regardless of scale. In part one, we explore the detection phase of the process and review how the Tanium platform can be used to gain more control and flexibility in detection, investigation and remediation.
(Image: Geralt / Pixabay)
The time it takes to detect, investigate and ultimately remediate or resolve a security incident is seen by most organizations as a key metric for measuring success. Historically, we have witnessed organizations fail to reduce the time required to close the loop in one or more of these areas.
In this blog series, we share our personal views on how organizations can reduce time and resource requirements in the areas of detection, investigation and remediation of security incidents regardless of scale. We also briefly review how the Tanium platform can be used to gain more control and flexibility in the detection, investigation and remediation process. It should be noted that, while our blog series is focused on endpoint investigations, we always recommend a well-developed defense which includes other tools and techniques outside of the endpoint. This includes the detection phase of the process.
As we’ve seen time and again, organizations that are breached tend to see a large gap between an incident occurring and a detection, either internal or external, being surfaced. In any incident, this “dwell time” can quickly become the difference between a small security problem and a enterprise-wide compromise. This delay may subsequently require extensive personnel and technology resources to resolve. There are several things you and your organization can do to help reduce this “dwell time” and create an in-depth detection program.
Measuring an effective detection capability
Developing a robust and effective detection capability requires you to focus on the datasets available for comparison as well as the intelligence surrounding the threats you may face. The goal? To decrease the time required to detect threats in your organization. This is certainly easier said than done. To be truly effective, you need several data points which can be difficult to collect, as well as the ability to compare these data sets with intelligence which can also be difficult to obtain.
When it comes to endpoint detection of threats, the dataset for comparison is contained in what data can be parsed or gleaned from operating systems, file systems and hardware artifacts. You can gain visibility into these artifacts by deploying an Endpoint Detection and Response (EDR) solution that allows for quick parsing or querying of the available data. Once you are able to quickly query the data, you are left with the task of rapidly applying the intelligence.
In a traditional model, the intelligence is applied by collecting the data back to a central analysis point. This can be laborious and time-consuming, ultimately resulting in a longer “dwell time.” The faster approach is to apply the intelligence directly at the endpoint. The endpoint can then be constantly monitored and only provide data related to detections. A residual effect of this is a reduction in the need for large, long-term data collection infrastructure or increased network bandwidth for data streaming.
Utilizing threat intelligence in multiple forms
Detection should not solely rely on static intelligence to fire off alerts that are then investigated further. Doing so can cause analysts to downplay alerts and under-utilizes the intelligence provided. A proper detection strategy should look to squeeze everything possible of value out of the threat intelligence you receive.
Developing static indicators, or ingesting those indicators from a feed, tends to be the easiest way to utilize intelligence. In most cases, this requires minimal modification of the intelligence as long as the tools you use allow the data to be quickly integrated into your current processes. Most Indicators of Compromise (IOCs) fall into the category of static indicators. Although the indicator values may change over time, most are designed to detect static threats such as a given host or network-based indicator. Evolving your static indicators into more robust dynamic indicators does require some processes and expertise. If possible, review the IOCs you are currently using and attempt to translate those into Indicators of Attack (IOAs).
Tanium’s approach to detection
Speed. The Tanium platform is built around the capability to contact and interrogate endpoints throughout your enterprise in seconds. Incorporating this unprecedented speed and scale in an enterprise-wide detection capability reduces the time to productivity for intelligence which, in turn, reduces the time to detection or “dwell time.” Incorporating the real-time detection capabilities provided by the high fidelity/low impact detection engine with the scale and speed of the Tanium platform means new and possibly time-sensitive intelligence becomes actionable in that same seconds-based timescale, across the largest enterprises. Once applied, intelligence is immediately being evaluated and delivering information back to the people who need it.
Breadth and depth of data
In order to achieve the best possible detection capabilities, a solution needs to apply different methods and utilize a variety of techniques. Tanium’s platform utilizes multiple building blocks to achieve near-real-time alerting, including:
- Structured intelligence
- File and memory analysis
- Behavior-based detection
These are then applied against available artifacts, including live files and memory or historical information regarding file, DNS, process, registry and security events. While traditional IOCs are good for comparing known threats (patterns that match), Tanium Signals are behavior-based rules built to assist in identifying IOAs. IOAs are one of the more difficult indicator types to standardize. This type of intelligence allows you to compare behavioral patterns across several data domains, such as file creation by a process, suspicious process ancestries, or file-based artifact discovery.
Combining these mechanisms ensures the best possible insight into suspicious activities in an infrastructure. A well-built platform should help you turn your EDR activities from a laborious process into what we like to call “Easy” Detection and Response by enabling you to:
- Automatically ingest multiple intelligence sources.
- Automatically apply intelligence to the endpoint.
- Automatically have real-time alerting.
- Perform root cause analysis at scale.
- Respond as required.
As mentioned above, the time between a potential breach and the detection of any malicious activity can be measured in weeks or months. This dwell time represents a window of uncertainty – “assume breach” mentality and “continuous EDR activities” are the working practice. Tanium’s features include:
- A layered approach to intelligence and alerts, which provides a more robust detection barrier;
- The ability to address all adversarial lifecycle stages and gain early actionable information; and
- A broad range of associated data, which is available to correlate and validate events.
Tanium delivers a broad set of capabilities to hunt, detect, investigate, contain and remediate threats and vulnerabilities with unparalleled speed and scalability. Analysts and practitioners can take an initial lead, quickly search, filter and visualize forensic data to pivot and perform an investigation.
About the Authors: Tyler Oliver is Tanium’s director of Endpoint Detection and Response in EMEA, and Ben Crocker is senior director EMEA technical account management.