Security is an ever-evolving industry. It’s a game of cat and mouse, really, or perhaps even more fitting - an arms race. The offense, malware creators, make their move and attack, and the defense counters with better anti-attack technology. It’s an often repeated pattern, so back and forth the pendulum swings.
The latest and greatest play on the defensive side of the arms race is Endpoint Detection and Response (EDR). EDR looks deep into your system and records and analyzes ALL activity. Network Intrusion Detection/Prevention Systems (IDS/IPS) and Security Information Event Managers (SIEM) have been using similar techniques for years now in that they record, correlate, and analyze. The difference is that EDR has a more focused dataset toward endpoints and different metadata. This allows for different types of correlations and different detection techniques.
In security, there is no silver bullet. Ask any security professional, and you’ll hear the same answer – cyber security is a layered approach. In terms of endpoint security, a good anti-malware program is a good starting point. That, followed up with vulnerability management, configuration management (OS hardening), and an application whitelisting service, is a great approach. However, it can be a nightmare to manage especially if you haven’t done it before. It will probably mean more staffing and thus more cost for your company. But, perhaps the more important questions is, what happens when an attacker gets by your defenses?
More often than not, typical defenses are failing us. A recent study shows that anti-malware has a failure rate of up to 70%. Your only defense at this point is to accept that breaches will happen. It’s not a matter of if; it’s a matter of when. EDR is very focused, goes beyond malware, and detects what other mechanisms can’t. It continuously monitors activity looking for Indicators and Patterns of Compromise (IoC/PoC). Beyond detection, EDR also offers response capabilities. Meaning, when you do get hit, you’ll then be able to see what damage has been done and be able to isolate and remove the threat without having to perform the wipe-and-reinstall maneuver (in most cases).
Having the tools needed to properly detect and respond to threats is certainly important; however, it’s only half the battle. Secondly, and perhaps more importantly, you have to know how to use the toolset. Unfortunately, these tools are only as powerful as the operator. Beyond learning the skillset of becoming a Security Analyst and Forensics Expert, you must also continuously stay on top of the current threat landscape. As new threats and techniques are unmasked, you must then apply said knowledge to hunt for threats inside your network. WatchPoint specializes in these techniques. Day in, day out, WatchPoint experts are living and breathing security. We know security. We also offer the ability to quickly and easily deploy the toolset by just downloading and installing a sensor. It really is that easy with WatchPoint. Go from average security to bleeding edge in minutes.