Oct 26, 2017
EPP or EDR? Why you need both in your cybersecurity portfolioBy Ryan Kazanciyan
EDR tools – like the forensic analysis products that preceded them – adapt to many use cases where EPP falls short. Yet, an effective endpoint security strategy incorporates standalone EDR and EPP so that you can respond to the wide array of incidents common in any enterprise environment.
(Image: Macedo Media/Pixabay)
Today’s endpoint security market is crowded with Endpoint Protection Platform (EPP) solutions that do a bit of Endpoint Detection and Response (EDR), EDR solutions that do a bit of EPP and “legacy” anti-virus solutions jockeying to retain their foothold and keep up with new competitors. While 70% of organizations plan on increasing cybersecurity spending, with endpoint security being a focus area, the endless stream of newly publicized attacks, coupled with bold and aggressive promises from vendors, lead to uncertainty and frustration. These same factors also have inspired many security products that arguably make the wrong trade-offs in design and capability in order to garner initial appeal among the masses.
The race to simplify endpoint security – and to accommodate architectural limitations in many tools – has led to an over-reliance on forensic telemetry. Nearly all products in this space (including Tanium Threat Response) provide a client-side “black box” that continuously preserves OS-level events: process execution, network connection, file operations and so forth. This form of data can be invaluable for retroactively investigating attacks as well as for detecting and blocking unwanted activity.
However, endpoints also contain countless other artifacts, which fall outside the scope of such telemetry but remain critical to many common detection and response techniques. Consider the need to examine decentralized application logs (for example, those generated by web servers) for a specific pattern of attack, or to perform a broad search across large volumes of data, such as files at rest on disk. Effective EDR tools combine enterprise-wide access to historical telemetry with evidence about current states that are distributed across systems.
In practice, I’ve seen several common limitations in the EDR functionality delivered by tools primarily built for EPP. The first manifests when an EPP tool is deployed to a new environment or set of systems that have already been compromised. Endpoint telemetry, alerting and prevention-based workflows only help you with recurrent or new events. These tools don’t help with existing sources of evidence that might be natively preserved by the operating system and applications. You might need to search across OS event logs, artifacts like Prefetch records, or at-rest files created long ago. Absent this capability, you’re likely to mis-scope the extent of an incident.
The second example occurs when investigating endpoint activity that did not trigger a prevention or alerting rule. Many EPP tools focus on capturing the history and context around a detection event, with the tradeoff of retaining less verbose telemetry (or nothing at all) when all appears to be normal. This is particularly common for products that rely on centralizing all data in the cloud, as it has a direct impact on their operational costs. However, it can also inhibit your ability to adequately search for, or collect, endpoint data from systems that haven’t generated an alert – especially if you need to get answers at scale in minutes.
EDR tools have the flexibility to adapt to many use cases
EDR tools – like the forensic analysis products that preceded them – adapt to many use cases. A flexible endpoint security tool should help you respond to the wide array of incidents common in any enterprise environment. Consider the following scenarios:
- Employee misuse or termination cases – “What files did Jane copy to external drives over the past week?”
- Unintentional data leaks – “Someone got hold of a salary spreadsheet and has been passing it around. Find all the systems that have this file.”
- Application-layer attacks – “This Struts exploit leaves behind a distinctive event in web server logs. Find all systems that contain that entry.”
- Software supply chain attacks – “A text editor used by most of our engineers just got hit with a malicious update that no anti-malware products detect. Who was impacted and did any post-infection activity occur?”
- Troubleshooting – “The IT team suspects a third-party application is causing BSOD’s. Find all the systems with crash-dump artifacts and establish if there’s a correlation.”
Most EPP products weren’t built with the flexibility to address these types of incidents. They’re geared towards stopping specific categories of exploits, malicious binaries, or OS-layer post-compromise activity.
Narrowing the aperture on the data you collect and analyze can also leave you blind to emerging attack techniques, which prevention-focused tools cannot yet reliably block. Your first-tier responders might need to work with high-fidelity events, but your cyber incident response team (CIRT) and hunting team need to be able to search and analyze complete data from an endpoint – not only what’s flagged as suspicious. This allows them to baseline activity among sets of computers and users, uncover new types of anomalies and establish new detection mechanisms that can be automated going forward.
Intruders continue to evolve their tradecraft
The evolution of PowerShell-based attacks serves as a good example. Intruders have evolved their tradecraft from executing malicious scripts to various methods, including “one-liner” commands that pass script code in arguments, covert techniques that employ the PowerShell automation framework to avoid shelling and obfuscation to evade keyword-based detection. Application control bypasses leveraging .NET and other native code interpreters are another example of rapidly developing area of attack research in which EPP tools struggle to reliably keep pace. If your endpoint security strategy relies on black-box prevention rules geared to the lowest common denominator, you’ll constantly be a step behind new attack techniques.
Finally, any prevention-focused security solution is only as effective as its degree of coverage – and ability to maintain a healthy operational status and configuration – across an environment. Many organizations still struggle to ensure they’ve got their complete endpoint tool stack fully deployed on all systems. Tanium commonly finds an average of 20% of systems are not under proper management due to issues like missing or “broken” tooling.
Moreover, many organizations opt to “tune down” their anti-malware products to manage false positives. Prevention features thereby devolve into detection features producing alerts which are routinely ignored – and therefore lead to more blind spots. An effective endpoint security solution should provide the foundational visibility and control needed to maximize coverage and utilization of anti-malware products, as well as other controls like patches and “hardened” security settings.
The evolution of the EPP product sector from the broader EDR space is a natural consequence of continued efforts to automate and simplify security functions which formerly required advanced, specialist knowledge. However, its emergence does not eliminate many of the foundational endpoint security issues still plaguing most companies, nor does it displace or render obsolete many of the core use-cases that spawned the EDR market in the first place. As organizations continue to invest in endpoint technologies, they should strive to balance their portfolio with solutions that cover a broad range of security challenges and ultimately address the root cause of incidents that impact their business.
Got questions? We’ve got answers. Join the conversation today and connect with your peers and Tanium technical experts in our Tanium User Community.
About the Author: In his role as Tanium’s Chief Security Architect, Ryan Kazanciyan brings more than 14 years of experience in incident response, forensic analysis and penetration testing. Ryan oversees the design and roadmap for Tanium’s Threat Response offerings and leads the Tanium Endpoint Detection and Response (EDR) team. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, partnering with dozens of Fortune 500 organizations affected by targeted attacks. Ryan has trained hundreds of incident responders as an instructor for Black Hat and the FBI’s cyber squad. He is a contributing author for “Incident Response and Computer Forensics 3rd Edition” (McGraw-Hill, 2014). Ryan also works as a technical consultant for the television series “Mr. Robot”, where he collaborates with the writers and production team to design the hacks depicted in the show.