Because of a critical shortage of skilled security staff and an overload of potential cyberattack-related events, efficient operations and accurate analysis are top of mind for savvy security teams everywhere. Those same teams know that an Endpoint Detection and Response (EDR) system is a powerful toolset for securing their business. But efficiency and accuracy are never guaranteed simply by deploying EDR. To get more from your EDR, you need to get as close to efficiency and accuracy as today's tools allow — and to do that, you first must identify which parts of your EDR processes and related procedures are blocking those goals.
Typically, we find that prospective clients need to understand the threat risk of each file their EDR discovers. Without that capability built into their UI, they waste precious response time on inefficiencies. Additionally, relying solely on cloud-sourced file reputation services has not given them the accuracy demanded by their privacy commitments. Their blockers, then, are the tools and services that either slow them down or let attacks slip through, or both.
So, what can you do to get more out of your current EDR process, using tools that already exist? Here are four recommended actions.
4 Ways to Optimize Your EDR
1. Add automation via integration
Most security teams run upwards of 45 security solutions and technologies, which adds complexity. A strong platform should allow integration with your existing security tools through a broad set of APIs. Specifically, if you are looking for response efficiency, having analysis results displayed automatically within your EDR reduces the time spent switching between tools.
2. Add visibility via integration
Visibility seems to be a massive sticking point for organizations trying to achieve greater accuracy and efficiency. After all, how can you possibly understand and react to threats without the threat intelligence you need, particularly at the file level? With the right integrations, you can create and test YARA rules that define new malware — that is, malware with no AV signature. These rules can be exported to EDR solutions, so that your detection capabilities are continually upgraded to find the latest threats.
You may think that EDRs already have visibility. But can you tell whether each file has been detected in the past, and when? Understanding which files are known good and known bad — and when the malicious files were first recognized as such — is critical to the decision around where your greatest risks lie. For instance, while you may spend time concerned primarily with zero days, it's possible the vast majority of malicious files were discovered years ago.
An ideal integration would allow you to see exactly when each malicious file was first seen and apply advanced search and retro-hunting utilities for greater insights, such that you can correctly prioritize threats. If you were to run across a threat which had not been seen until you saw it, the ideal platform would add on-premises file scanning and investigation resources for additional visibility. Even better: you could use a service that notifies you of database updates for files, so that any newly discovered samples will become immediately apparent.
The reality is that your efficiency can easily be impeded by lack of visibility. A platform that integrates with your EDR to help you discover and qualify more known-bad files and understand when those files were first identified can keep you on track. File-level intelligence enables you to extract more value from your current EDR process.
3. Add static analysis for context and accuracy
There will always be files on your endpoints that have never previously been identified by AV scanners or by crowd-sourced cloud reputation services. Even with a platform that offers comprehensive coverage, unknown files still tend to hide among known samples.
Comprehensive coverage is required. That is why collecting the samples and analyzing them by file type, by where they reside, and by what they actually contain (and more) still makes sense. Coverage from reputation services alone is simply not enough to provide the context and accuracy required for true security — in process and in sentiment.
With an advanced automated static analysis engine, you can successfully decompose almost any file or object in order to surface hidden malware. Ideally, the provider of that engine will have amassed billions of samples — samples that are not just AV engine or dynamic analysis results but are also reverse engineered and constantly curated. This sample database can provide you with the context and accuracy required to gain added value from your EDR process.
How does static analysis add context? It produces unique data about file structure and behavior. Does this Word document make network connections? Does this harmless-looking PDF run shell scripts? Is this update properly signed by the vendor? Results can be obtained in milliseconds, without tying up expensive time and resources in sandboxing. By delivering file intelligence services like this directly into your SOC products, the right platform and APIs significantly reduce risk while promoting the two goals discussed in this post: efficiency and accuracy.
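To illustrate the kind of structural question static analysis answers without executing anything, here is an added example (not code from ReversingLabs or the Titanium Platform) that inspects constructed PDF and OOXML samples for indicators such as auto-run actions, embedded JavaScript and VBA macro parts. The indicator list and labels are the author's assumptions for illustration.

```python
import io
import re
import zipfile

# Constructed sample inputs, not real malware: a PDF whose OpenAction runs
# JavaScript, and a minimal OOXML container carrying a VBA project part.
PDF_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def build_docm_with_macro() -> bytes:
    """Build a constructed OOXML zip that contains a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# PDF name objects that signal active content (assumed indicator set).
PDF_INDICATORS = [
    (b"/OpenAction", "pdf: action runs automatically on open"),
    (b"/AA", "pdf: additional (event-triggered) actions"),
    (b"/JavaScript", "pdf: JavaScript action"),
    (b"/JS", "pdf: inline JavaScript code"),
    (b"/Launch", "pdf: launches an external program"),
    (b"/EmbeddedFile", "pdf: embedded file attachment"),
]

def static_triage(data: bytes) -> list[str]:
    """Return findings derived from file structure alone; nothing is run."""
    findings = []
    if data.startswith(b"%PDF"):
        for token, label in PDF_INDICATORS:
            # Negative lookahead keeps /JS from matching /JSomethingElse.
            if re.search(re.escape(token) + rb"(?![A-Za-z])", data):
                findings.append(label)
    elif data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["ooxml: corrupt zip container"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("ooxml: VBA macro project present")
        if any("oleobject" in n.lower() for n in names):
            findings.append("ooxml: embedded OLE object")
    return findings
```

The same check runs identically on a document that has never been seen by any reputation service, which is the gap the paragraph above describes.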
4. Add controls to ensure privacy
With the advent of GDPR and constant news of privacy failures at influential enterprises, data protection and privacy have become a board-level issue for every company. Any platform you select to integrate with your EDR must include built-in privacy and access controls. Extensive privacy controls, such as user-defined policies governing hash uploads, data uploads and file sharing, should be minimum requirements. Importantly, every integration — especially with your EDR — also needs to be secure, private and GDPR compliant. Additional privacy controls mitigate risk and save time later, helping you gain new efficiencies and confidence in your EDR.
Enhance the Value
For customers who are looking to enhance the capabilities of their EDR deployments, ReversingLabs Titanium Platform fills the file / malware visibility gap by providing accurate information on known malware often missed by other security tools, as well as unknown risky files discovered on the endpoint based on observed patterns and behaviors. With immediate access to this file-level threat intelligence, analysts have the information they need to make quick decisions on containment and response actions.
Read more: Expose Hidden Malware in EDRs