Most organizations have no idea what’s happening on their endpoints. We often hear this referred to as “endpoint blindness,” and it’s one of the most common challenges for security teams. Organizations have hundreds or thousands of laptops, workstations, and servers in their environment, but have no idea what’s actually happening on them.
With the increased sophistication and frequency of today’s attacks, endpoint visibility is an even bigger need. Antivirus and blacklisting are no longer effective at preventing threats, and organizations can’t conclusively determine if malicious activity has occurred. Security teams “don’t know what they don’t know”—and that’s a scary place to be.
Common Concerns We Hear from Security Teams Include:
- I’m blind to threats that might already be dwelling on my endpoints
- I have no idea what my users are doing (whether inside or outside of the network)
- I hope my prevention tooling is doing good enough, but I have no way of knowing or estimating
- An attacker could already be in my network and it would be very difficult for me to identify
- If we get breached, I’ll be starting from ground zero when I need to do an investigation
Can EDR Solve Endpoint Visibility Concerns?
Many businesses look to Endpoint Detection and Response (EDR) to provide endpoint visibility. In fact, Gartner lists endpoint visibility as one of the top 3 business cases that security teams build to show the value of an EDR investment.
Depth of visibility is one of the central components of an EDR solution and can be challenging to objectively assess. If you’re evaluating EDR products, assess each EDR product against these 7 pieces of telemetry:
||Process starts, process stops, cross process injections, complete command line, and user context.
||Directionality, source and destination IP address, domain name, bytes transferred, connection duration, full packet capture (PCAP), and application-layer data.
||File type, name, size and hash for each created or modified file.
||Keys and values for each created or modified registry path. Some tools store data pre- and post-event for rollback or comparison.
||Header and metadata structures, to include digital signature information. Some solutions capture complete copies of binary files for further analysis.
|Memory content and structures
||Inspection or capture of memory contents, and profiling of memory access attempts.
||User, group and domain information associated with each process.
Endpoint Visibility: Points to Discuss With EDR Vendors
The only way to truly understand the visibility provided by an EDR product is to see the data for yourself. Don’t hesitate to ask vendors to provide sample data exports and screenshots that prove what data is collected. Additional topics to discuss with potential EDR vendors include:
Are tools provided to explore current and historical endpoint data collected by the solution?
EDR solutions with true endpoint visibility should allow you to “wind back the clock” and see exactly what happened on the endpoint at a specific date. Ensure the solution’s query system and language are intuitive and not overly complex. Also, make sure you understand how long historical data is retained by default and what configuration options exist.
Where is the endpoint data stored?
The agent should upload all recorded information to a server. Heavy usage of local storage on the endpoint results in two downsides. First, the data cannot be used for centralized threat detection. Second, the longer activity records reside on an endpoint, the more susceptible that data is to tampering by the attacker you are trying to detect.
Can all collected endpoint data be retrieved via an API?
An often-overlooked benefit of the visibility an EDR solution provides is your ability to answer security questions such as “what software in my organization is unpatched?” or IT questions such as “how many users actually use Microsoft Publisher?” The ability to query the raw data and develop your own reports is essential to increasing your return on investment.
Visibility is just one component of EDR. Download the EDR Buyer’s Guide and get a full framework for evaluating EDR products.
How to Achieve True Endpoint Visibility
Visibility into endpoint activity helps, but it’s just the first step. When you take that step, you go from knowing nothing about your endpoints to knowing everything about them in one day. The most likely consequence is that you’ll immediately be overwhelmed with an immense amount of data. To truly address your endpoint blindness, you need to be able to sift through all the data, distinguish alerts and activity from potential threats, and quickly respond to confirmed threats.
There’s a big difference between “visibility” and “actionable information.” Take it from one of our customers at Denver Health, a premier healthcare institution. The hospital’s security team implemented Carbon Black Response, a leading EDR product, to gain better visibility and defend against evolving threats. However, the team quickly realized that they didn’t have the resources or time to keep up with the massive volume of data and distinguish between EDR alerts and actual threats.
Read the case study to learn how Red Canary helps Denver Health cut through the noise and pinpoint threats that require action.
“I was managing the solution on my own for about 6 months and I was struggling in my efforts to be effective with EDR and handle all of the other day-to-day operations. Having Red Canary step in has made tremendous time-saving improvements for my team as well as simplified the triage and problem-solving efforts.” —Aaron Post, Security Analyst, Denver Health
Red Canary supports customers by comprehensively monitoring everything happening on an organization’s endpoints and accurately detecting suspicious/malicious activity. We like to say we are the “easy button” solution for endpoint blindness and EDR.
Learn more about what’s included in Managed Endpoint Detection and Response to see if Red Canary’s managed solution is right for your organization.