BEYOND THE AV 2
ADVANCED THREAT PROTECTION BEYOND THE AV: THE SECURITY GAPS NO ONE WILL TELL YOU ABOUT IN EPP\EDR AND NETWORK ANALYTICS
WHITE PAPER
BEYOND THE AV 3
FOREWORD
In 2019, it is common knowledge that the standard signature-based AV + Firewall security stack doesn’t provide sufficient protection from the rapidly evolving threat landscape that poses risk concerns to organizations of all sizes and verticals.
While large enterprises can cover their attack surfaces with various complementing products, aggregate and correlate them in a SIEM and employ a staff of skilled SOC analysts, mid-sized organizations have to address critical cyber risks with significantly fewer resources at their disposal.
In practice, the typical mid-sized organization will make only a single ‘advanced security’ investment, leading to the inevitable question: which choice yields the highest return on this investment?
In this paper, we summarize the two main approaches security decision-makers in mid-sized organizations face (the Endpoint Approach and the Network Analytics approach), and challenge them with a new alternative that goes beyond both to provide the mid-sized organization with full advanced threat protection.
THE ENDPOINT APPROACH:
ENDPOINT PROTECTION (EPP) / ENDPOINT DETECTION AND RESPONSE (EDR)
Prominent vendors: AV vendors that offer an EDR\EPP upgrade: Symantec, McAfee, Trend Micro, Kaspersky, Sophos, Microsoft
Native EDR\EPP: Crowdstrike, Cylance, SentinelOne, Cybereason, Palo Alto Networks
Description: This approach enhances the existing endpoint protection from mere signature-based AV to an Endpoint Protection Platform (EPP) that includes non-signature prevention capabilities, as well as Endpoint Detection and Response (EDR) for advanced threats that were able to bypass the prevention layer.
The logic of this approach is that in most, if not all, attacks, both the initial compromise and many post-compromise malicious activities involve processes running on the endpoint. Therefore, monitoring process execution is the default route to preventing and detecting threats.
Strengths
Prevention:
• Zero-day malware
• Memory corruption exploits
• Documents weaponized with malicious macros
Detection:
• Post-compromise malicious activity that is reflected in anomalous process behavior.
• Detection of known hacking tools (Mimikatz, Powersploit, Empire, etc.)
• Alert Investigation Context: wide context for alert investigation – process tree, network connection, logged in users and threat intelligence enrichment.
• AV Replacement: EPP\EDR include AV core capabilities as a subset of their overall offering, eliminating the need to operate and maintain two separate products.
Weaknesses:
• Only Endpoint: No visibility into post-compromise activity that doesn’t involve process anomalies (i.e. internal threat, user anomalies and network-based attacks).
• Insufficient Context: Many attacks involve utilization of legitimate tools (Powershell, WMI, etc.). In many cases, process behavior doesn’t provide sufficient context to determine if such a process is malicious or benign, resulting in either a high rate of false positives or overlooked attacks.
• Limited Remediation: Remediation capabilities are limited to the endpoint and typically include only isolate\opening a remote shell and uploading a script.
• Operation: Making sense out of alerts requires a staffed and skilled security team beyond the reach of the common mid-sized organization.
• Deployment: In many cases, the endpoint agent can degrade performance or clash with existing software, slowing down deployment, which causes security gaps.
EPP\EDR provide significant value in enhancing prevention capabilities. However, detection of post-compromise activity is lacking because their detection mechanisms are narrowed to process anomalies on the endpoint, missing a large portion of attack vectors that can be detected only through monitoring network traffic or user behavior. Alert operation requires the manual effort of a skilled security team, and remediation is limited to endpoint/process only.
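The "Insufficient Context" weakness above (legitimate tools such as PowerShell giving too little evidence on their own) is easiest to see in code. The following is an added example, not code from the paper or from any vendor it names: a small Python triage routine that first scores a process event on its command line alone, the way an endpoint-only detector must, and then adds corroborating context from outbound connections and logon history. All events, hosts, users and addresses are constructed sample data, and the scoring thresholds are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real data). Each process start carries the
# user, host and command line an endpoint agent would record; network and logon
# telemetry from the same hosts is joined to the process by host + pid.
PROCESS_EVENTS = [
    {"ts": "2019-05-01T09:00:00", "host": "WS-12", "user": "alice", "pid": 4100,
     "cmdline": "powershell.exe -NoProfile -File C:\\ops\\backup.ps1"},
    {"ts": "2019-05-01T09:05:00", "host": "WS-12", "user": "alice", "pid": 4188,
     "cmdline": "powershell.exe -w hidden -EncodedCommand <base64 omitted>"},
    {"ts": "2019-05-01T09:06:00", "host": "WS-07", "user": "svc-backup", "pid": 2210,
     "cmdline": "powershell.exe -w hidden -EncodedCommand <base64 omitted>"},
    {"ts": "2019-05-01T09:30:00", "host": "WS-12", "user": "alice", "pid": 4300,
     "cmdline": "powershell.exe -EncodedCommand <base64 omitted>"},
]
NETWORK_EVENTS = [
    # 203.0.113.9 is a documentation address standing in for an internet host
    {"ts": "2019-05-01T09:05:30", "host": "WS-12", "pid": 4188, "dst": "203.0.113.9", "port": 443},
    {"ts": "2019-05-01T09:06:10", "host": "WS-07", "pid": 2210, "dst": "10.0.0.5", "port": 445},
]
# (host, user) pairs with an interactive logon during the last 30 days (constructed)
LOGON_HISTORY = {("WS-12", "alice"), ("WS-07", "bob")}

# Command-line fragments that make a PowerShell start worth a look. On their own
# they are weak evidence: administrators use them too.
SUSPICIOUS_ARGS = ("-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=2)   # how long after the start we look for its connections


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def process_only_score(event):
    """What an endpoint-only detector sees: 1 point if any suspicious argument is present."""
    cmdline = event["cmdline"].lower()
    hits = [arg for arg in SUSPICIOUS_ARGS if arg in cmdline]
    return (1 if hits else 0), [f"cmdline:{arg}" for arg in hits]


def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def context_score(event, net_events, logon_history):
    """Corroborating evidence from outside the process view:
    an outbound connection from this process to an external host shortly after
    it started, and/or a user who has never logged on to this host before."""
    score, reasons = 0, []
    start = parse_ts(event["ts"])
    for conn in net_events:
        same_proc = conn["host"] == event["host"] and conn["pid"] == event["pid"]
        in_window = start <= parse_ts(conn["ts"]) <= start + WINDOW
        if same_proc and in_window and is_external(conn["dst"]):
            score += 1
            reasons.append(f"external:{conn['dst']}:{conn['port']}")
            break
    if (event["host"], event["user"]) not in logon_history:
        score += 1
        reasons.append(f"first-logon:{event['user']}@{event['host']}")
    return score, reasons


def triage(proc_events, net_events, logon_history):
    """Combine both views. A process-only hit is 'review' (an analyst has to look);
    a hit with corroborating network or user context is 'high'."""
    verdicts = {}
    for event in proc_events:
        p_score, reasons = process_only_score(event)
        if p_score == 0:
            verdicts[event["pid"]] = ("benign", reasons)
            continue
        c_score, c_reasons = context_score(event, net_events, logon_history)
        verdict = "high" if p_score + c_score >= 2 else "review"
        verdicts[event["pid"]] = (verdict, reasons + c_reasons)
    return verdicts


if __name__ == "__main__":
    for pid, (verdict, reasons) in triage(PROCESS_EVENTS, NETWORK_EVENTS, LOGON_HISTORY).items():
        print(pid, verdict, reasons)
```

Run as-is, the backup script (pid 4100) is benign, the encoded command followed by an outbound connection (4188) and the one run by an account never seen on that host (2210) are both high, and the encoded command with no corroboration (4300) stays at review. A process-only detector would have had to raise all three encoded-command starts at the same confidence, which is exactly the false-positive-versus-missed-attack trade-off the paper describes.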
THE NETWORK APPROACH:
NETWORK ANALYTICS
Prominent vendors: Darktrace, Vectra Networks, Microsoft Azure Advanced Threat Protection, Palo Alto Networks IDS, AlienVault
Description: Network analytic tools detect malicious presence or activity by dissecting network traffic. This makes them reactive by nature: they have minimal to zero prevention capabilities and are oriented towards discovering post-compromise activity.
Network analytic tools leverage the host and user metadata carried in network packets to form a behavioral baseline of users’ activities, hosts’ interactions and network communications. Additionally, these tools utilize known network traffic signatures of concrete malicious activity (such as exploits or identity attacks) to detect these as well.
Strengths:
• Malicious authentication through anomalous user behavior
• Identity attacks via analysis of DC authentication traffic
• Network-based reconnaissance activities
• Mass automated network propagation (WannaCry style)
• Login attempts that deviate from standard user and network behavior patterns
• Network-based identity attacks (SMB relays, DNS responder, ARP spoofing, etc.)
• Operational: non-intrusive, with no agent on the endpoint and no interference with actual network traffic
Weaknesses:
• Prevention: No prevention capabilities, meaning that attacks which bypass the AV layer are not stopped. This means zero protection from ransomware and no prevention of malicious activity at the host level.
• Remediation: As a pure detection tool, there are no remediation capabilities.
• Accuracy: Threat detection, regardless of the applied AI algorithm, has a high false-positive rate.
• Environment coverage: Network analytic tools rely on SPAN ports as well as data feeds. As a result, any non-trivial network topology (geographically dispersed or multi-forest) creates difficulties in deployment and coverage.
• Operation: Making sense out of alerts requires a staffed and skilled security team beyond the reach of the common mid-sized organization.
Network analytics tools provide high value in detecting pure network-based threats such as various data exfiltration vectors and certain identity attacks. However, their lack of prevention capabilities makes them a risky gamble as a single advanced security solution.
Additionally, the lack of remediation capabilities would require vast manual effort to efficiently respond to live attacks.
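To show what the network approach's behavioral baseline and propagation detection look like in practice, here is an added Python example that is not part of the paper or of any product it names. It builds a per-user baseline of destination hosts and logon hours from a constructed authentication history (the kind of data DC authentication traffic yields), scores new logons against that baseline, and flags a source host that authenticates to many distinct hosts within a short window (the WannaCry-style mass propagation listed under strengths). All users, hosts and timestamps are constructed, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 30-day logon history (not real data): (user, destination host, hour of day).
# A real baseline would be derived from DC authentication logs; this is an abbreviated stand-in.
HISTORY = [
    ("alice", "WS-12", 8), ("alice", "WS-12", 9), ("alice", "WS-12", 17),
    ("alice", "MAIL-01", 9),
    ("bob", "WS-07", 9), ("bob", "WS-07", 13), ("bob", "FS-01", 14),
]

# Constructed live events: two logons by alice, then a burst of sessions from WS-07
# to twelve different workstations within a few seconds.
LIVE_EVENTS = [
    {"ts": "2019-05-01T09:15:00", "user": "alice", "src": "WS-12", "dst": "MAIL-01"},
    {"ts": "2019-05-02T02:30:00", "user": "alice", "src": "WS-12", "dst": "FS-01"},
] + [
    {"ts": f"2019-05-02T02:31:{i:02d}", "user": "bob", "src": "WS-07", "dst": f"WS-{20 + i}"}
    for i in range(12)
]


def build_baseline(history):
    """Per-user set of hosts and hours of day observed during the learning period."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour in history:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(hour)
    return baseline


def score_logon(event, baseline):
    """Return the ways a logon deviates from its user's baseline (empty list = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown-user"]
    ts = datetime.fromisoformat(event["ts"])
    reasons = []
    if event["dst"] not in profile["hosts"]:
        reasons.append(f"new-host:{event['dst']}")
    if ts.hour not in profile["hours"]:
        reasons.append(f"off-hours:{ts.hour:02d}h")
    return reasons


def detect_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Flag a source host that authenticates to at least `threshold` distinct hosts
    inside `window`: the mass automated propagation pattern of worms such as WannaCry.
    Returns {source host: number of distinct destinations in the first window that tripped}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    alerts = {}
    for src, sessions in by_src.items():
        sessions.sort()
        for i, (t0, _) in enumerate(sessions):
            dsts = {dst for t, dst in sessions[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                alerts[src] = len(dsts)
                break   # one alert per source host is enough
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in LIVE_EVENTS[:2]:
        print(ev["user"], "->", ev["dst"], score_logon(ev, base) or "normal")
    print("fan-out alerts:", detect_fanout(LIVE_EVENTS))
```

The first logon matches alice's baseline and scores as normal; the second is to a host she has never used, at an hour she has never been active, and returns both reasons. The burst from WS-07 trips the fan-out rule after the first window. Note that both detections are reactive: they fire on authentication traffic that has already happened, which is the paper's point about network analytics having no prevention layer.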
INTERIM SUMMARY
We can say roughly that each approach has strengths and weaknesses in terms of both threat coverage and the provided route from detected threat to validated recovery.
To a certain degree these approaches complement each other. A full discussion of the pros and cons entailed in piecing together several products is beyond the scope of this paper, since we focus on organizations that typically make a single advanced security investment only. Thus, it is easily seen that both EDR\EPP and network analytics approaches fail to deliver the advanced threat protection mid-sized organizations seek.
A THIRD APPROACH:
CYNET
Cynet is designed from the ground up to address the needs of the mid-sized organization in a single platform. As such, Cynet maps its protected environments to host, file, user and network entities, and natively integrates prevention and detection technologies that cover the attack vectors which target them, avoiding the partial threat coverage inherent to EDR\EPP and network analytic tools. To further enhance its threat protection capabilities, Cynet also provides a Deception layer to lure defense-evading attackers into revealing their presence.
Total Environment Visibility: An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all users logging in and out, internal and external traffic, and process execution on hosts to provide real-time contextual visibility into the entire environment’s activities.
360° Prevention and Detection: Cynet continuously builds and natively integrates the full scope of technologies to prevent and detect attack vectors that target users, files, the network and hosts: AV, NGAV, EDR, network analytics, UEBA and deception, building a robust security protection stack across all attack stages.
Deception: Advanced attackers can evade detection. To confront this, Cynet enables its users to plant decoy files, credentials and network connections across their environment, luring such attackers to reveal their presence by attempting to use or access these decoys.
Automated Remediation: Cynet provides the widest available set of remediation actions for compromised hosts and users, malicious files and network communication. Cynet is shipped with pre-built remediations, making it the only solution with the ability to block attacks at multiple post-compromise stages such as privilege escalation, credential theft, lateral movement and others.
Context-based Alert Operation: In the case of malicious activity without a matching pre-built remediation, Cynet provides the full user, file, network and host context for rapid insight into the attack’s impact and scope. The resolving process concludes with manually applying a remediation action on the compromised entity, which can be saved as policy to automate the response to future occurrences.
CyOps 24X7 Security Expertise: Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responds to customer escalations, assisting with file analysis, incident response and deep investigations.
Easy Deployment & Maintenance: Cynet is based on a server-agent architecture. The server can be on-prem, IaaS or hybrid, per customer preference, and the endpoint component is either a dissolvable executable or a light-weight agent that rapidly deploys to 50K hosts in a single day.
COMPARISON TABLE
Columns compared: CYNET | EDR\EPP (e.g. Crowdstrike) | NETWORK ANALYTICS (e.g. DarkTrace)

IT HYGIENE
  - Vulnerability assessment
  - Asset management
  - App blacklisting
PREVENTION
  - AV replacement
  - Malware
  - Exploits
  - Macro
  - Powershell
DETECTION
  - Hacking tools signatures
  - Process behavior
  - Network traffic behavior
  - User behavior
REMEDIATION
  - Host (Partial (isolate\run command))
  - File\process
  - User
  - Network
SECURITY SERVICES
  - Suspicious file analysis
  - Incident response
  - Attack investigation report
AUTOMATED THREAT DISCOVERY & MITIGATION
To learn more about Cynet’s approach, visit: www.cynet.com