ADVERT: Cylance | The Register

Marrying Endpoint Prevention, Detection, and Response

Cybersecurity isn’t just about playing malware Whac-a-Mole

Preventing thousands of malware infections and other threats from compromising your network is only part of the challenge. There is another aspect of protection that is more strategic. Companies must proactively seek out threats on their client devices rather than simply waiting for them to begin causing destruction. They must shine a light on them and act quickly to stamp them out across their infrastructure before they have the chance to inflict harm. The truly effective security team uses a blended prevention, detection, and response approach.

Your prevention technology may be world class, but occasionally, you’re going to hear about a threat that you’d like to investigate proactively. You might get a notice from your local CERT or security vendor warning you about an emerging threat, or a user will report something suspicious about their machine, such as slow performance.


In situations like these, you’ll want to go on the offensive, looking for the threat across all of your devices, or investigating a specific machine. A truly mature cybersecurity strategy will let you build a more complete, end-to-end overview of what’s happening on your endpoints.

This is where endpoint detection and response (EDR) comes in. It’s an important part of any company’s cybersecurity ecosystem, enabling them to set up an investigative workflow. Just like prevention software, though, not all EDR software is equal.

EDR software will only be as good as the endpoint threat detection it is designed to support. Most EDR technology is built to fill in the gaps left by traditional antivirus products that rely on signature matching or heuristic analysis to detect and prevent threats, an approach that lets through threats they haven’t yet seen or can’t distinguish from legitimate code. This means the EDR technology must account for a wide variety of threat vectors missed by the AV, causing the products to become bulky, complex, and difficult to maintain over time.

Cylance’s new EDR solution, CylanceOPTICS™, works in conjunction with its CylancePROTECT® predictive, preventative cybersecurity agent, which stops attacks using advanced artificial intelligence and purpose-built prevention techniques rather than signature scanning.

While most EDR products gather an ocean of data for analysis, placing the burden of threat identification on an already-strained security staff, CylanceOPTICS focuses on gathering only security-relevant data as endpoints change. By collecting data when processes, scheduled tasks, files, firewall settings, users, registry, removable media, and attached devices change, CylanceOPTICS optimizes data collection, making investigations more efficient for analysts.

In addition to proactively collecting security-relevant data based on system changes, CylanceOPTICS automatically gathers root cause analysis data when CylancePROTECT detects and blocks an active attack. Security analysts can then use this data to determine how the threat entered the environment and take corrective actions to minimize, or eliminate, the attack surface that was exploited.

Additionally, unlike many EDR products that store aggregated data in the cloud or on an on-site server, CylanceOPTICS collects and stores data on each individual endpoint. The stored data is sent to its cloud-based dashboard when a CylancePROTECT event occurs or in response to searches initiated by the analyst. Despite this, the Cylance® footprint on the endpoint is relatively small, consuming no more than 1GB of disk space while storing, on average, 10-15 days of endpoint activity.

Storing the data on the endpoint provides analysts with valuable security, performance, and cost benefits. Because endpoint data is not continuously streamed to the cloud and no new hardware needs to be deployed on-site, bandwidth usage is reduced and the overall cost of ownership stays low. By avoiding blindly sending all endpoint data to the cloud, security and privacy concerns are reduced as well.

CylanceOPTICS uses the collected data to empower security teams to hunt for threats, querying endpoints in a granular way. CylanceOPTICS focuses on simple, digestible analysis that doesn’t require highly paid, hard-to-find senior cybersecurity analysts to execute.

A CylanceOPTICS feature called InstaQuery enables analysts to search for artifacts like executables, sending the query to the endpoint agents and letting them do the work to return their results. That eliminates the burden on the analysts’ back-end infrastructure, which is a problem you may find with other centralized on-site EDR products.

The querying system is nimble, letting analysts search for a range of artifacts beyond executables as well, such as Office documents. It presents visualized results so that analysts can quickly digest and drill down through large result sets across thousands of endpoints.

When analysts find a threat, they can use CylanceOPTICS to drill down to see how the threat has interacted with a specific machine. CylanceOPTICS’ root cause analysis feature builds a visual story line of the threat’s history on a specific device, showing the sequence of events that led to the suspicious artifact reaching the endpoint as well as any activity that may have taken place since it arrived.

Here’s where you get to see which files were dropped onto a device and where. If a piece of malware, for example, tries to obfuscate itself or calls out to a command and control server, CylanceOPTICS’ analysis will pick it up. Analysts can then export these results for reporting purposes or to feed into other security tools.

CylanceOPTICS isn’t just a monitoring tool, though. In addition to threat detection and monitoring, it folds fast, integrated response into the mix, using the lightweight CylancePROTECT agent on each endpoint for targeted remediation and mitigation. In addition to downloading and quarantining a file, analysts can lock down a machine for a configurable period, disabling its ability to communicate with, and subsequently harm, other machines on the network. That’s a useful way to stop threats spreading through the network and affecting other users.

Moreover, analysts can use the results of their analysis to create new security policies. These can then be pushed out to machines, which immediately protects them from these threats. And of course, as the Cylance community discovers and documents new threats, this all informs the CylancePROTECT AI statistical model, which updates endpoints globally to mitigate infection.

Security analysts do not have time to move between different interfaces and switch mindsets when investigating security incidents. This is why Cylance puts its prevention, detection, and response capabilities into a single integrated dashboard. This enables analysts to detect, document, and remediate a threat from start to finish using a single point of control.

As threats continue to flourish and zero-days grow, cybersecurity teams need all the help they can get to protect an increasingly mobile user base against attack. By combining lightweight, predictive prevention with AI-driven detection and response on your devices, you reduce your attack surface, mitigate hidden threats, and decrease the chance of a widespread compromise.
