Protecting endpoints against evolving threats is challenging. Malware is getting more and more evasive. Endpoints are gaining in volume, disparity, and distance from your data center. Your legacy anti-virus (AV) is no longer up to the task.
Leaving legacy behind
Signature-based methodologies are outdated. Developed and iterated since the 1980s, this is the best-understood method for handling malicious file-based attacks. However, it is also the least adaptable to the current threat landscape. Signature-based technologies work by matching files against the unique signatures derived from previously analyzed malicious files, so they identify and block only threats that are already known.
By dealing mainly with known threats, legacy AV has limitations:
- Poor efficacy
- Limited zero-day exploit prevention
- Little or no response capabilities
- Extended dwell times because of lack of visibility
A legacy, signature-based endpoint solution can work as a baseline, but more nimble and adaptive solutions are needed to detect potential threats in near real-time.
The challenges of endpoint security
Because traditional anti-virus solutions fail to stop most modern attacks, the answer lies in technologies that use behavior-based and machine-learning detection. Next-gen AV (NGAV) solutions analyze suspicious behavior to discover an attack before it executes, which is much more effective in today’s security environment. Machine learning can analyze millions of data points using mathematical models to address both malware and fileless attack methods.
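The contrast between the signature-based detection described under "Leaving legacy behind" and the behavior-based detection discussed here is easiest to see side by side. The following Python example is added here and is not code from the original post or from Sirius; the sample bytes, the process events and the two behavioral rules are all constructed for illustration. It shows a hash-based signature check catching a known file but missing a variant that differs by a single byte, while a behavior rule that looks at what the process does flags both.

```python
import hashlib
from dataclasses import dataclass

# Constructed "known bad" file and a trivially modified variant. These are
# arbitrary bytes invented for this example, not real malware.
KNOWN_SAMPLE = b"constructed-sample-v1\x00payload"
MODIFIED_SAMPLE = KNOWN_SAMPLE + b"\x00"  # one extra byte: same behavior, new hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "signature database": SHA-256 hashes of files already known to be malicious.
SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE)}


def signature_verdict(data: bytes, db=SIGNATURE_DB) -> bool:
    """Legacy AV-style check: block only if the exact file hash is already known."""
    return sha256_hex(data) in db


@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint sensor might report it (constructed)."""
    parent: str      # image name of the parent process
    image: str       # image name of the newly created process
    path: str        # on-disk path the image was loaded from
    cmdline: str     # command line of the new process
    net_conn: bool   # whether the process opened an outbound network connection


# Assumed classifications used by the behavioral rules below.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "/tmp/", "/home/")


def behavior_findings(events) -> list:
    """Behavior-based check: score what a process does, independent of any file hash."""
    findings = []
    for e in events:
        # Rule 1: a document viewer launching a script interpreter is rarely legitimate.
        if e.parent.lower() in DOCUMENT_APPS and e.image.lower() in SCRIPT_HOSTS:
            findings.append(f"document app {e.parent} spawned script host {e.image}")
        # Rule 2: a binary running from a user-writable location that talks to the network.
        if e.path.lower().startswith(USER_WRITABLE_PREFIXES) and e.net_conn:
            findings.append(f"{e.image} ran from user-writable path and made a network connection")
    return findings


# Constructed event trace: the same behavior is produced whether the dropped file
# is KNOWN_SAMPLE or MODIFIED_SAMPLE, because the file content barely changed.
SUSPICIOUS_EVENTS = [
    ProcessEvent("winword.exe", "powershell.exe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -w hidden", False),
    ProcessEvent("powershell.exe", "update.exe",
                 "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                 "update.exe", True),
]

# Constructed benign trace: a user opening a document from the Office install path.
BENIGN_EVENTS = [
    ProcessEvent("explorer.exe", "winword.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe",
                 "winword.exe report.docx", True),
]


def evaluate(file_bytes: bytes, events) -> dict:
    """Return both verdicts so the two approaches can be compared for one sample."""
    findings = behavior_findings(events)
    return {
        "signature_blocked": signature_verdict(file_bytes),
        "behavior_flagged": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        print(label, evaluate(sample, SUSPICIOUS_EVENTS))
    print("benign", evaluate(b"report.docx contents", BENIGN_EVENTS))
```

Running the block shows the known sample blocked by both methods, the one-byte variant blocked only by the behavioral rules, and the benign trace flagged by neither. The rules here are deliberately simple; a real NGAV or EDR product evaluates many more signals and weights them, but the structural point holds: a hash is invalidated by any change to the file, whereas the observed behavior is what the attacker cannot easily change without giving up the objective.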
So, problem solved, right? Just implement an NGAV solution and you’re good to go?
The endpoint security challenges facing IT teams include:
- Ineffective prevention from traditional AV solutions
- Escalating complexity with too many endpoint security agents and consoles
- Slow endpoint performance because of agent fatigue from too many agents
- Security teams wanting more visibility and response capabilities, but adding more agents isn’t the answer (see above)
- Escalating costs that are a byproduct of managing multiple infrastructures requiring upgrades, deployments and training
- Lack of qualified security pros resulting in teams without the right skills, and teams that spend excessive time ramping up junior team members
But while challenges for endpoint security have been mounting, so have available solutions. Endpoint detection and response (EDR) solutions offer continuous monitoring and response to threats, and it is a market that has matured over the last several years. These solutions offer capabilities designed to offset some of the challenges listed above, most notably the visibility and control that security teams want to better detect and respond to both traditional and more sophisticated threats. EDR solutions can also help IT teams maximize their staff resources and effectiveness.
Pairing EDR and NGAV is an appropriate endpoint security strategy. But with so many vendors touting improved efficacy, detection of lateral movement and fileless malware detection, how do you evaluate the true capabilities of available solutions? What about assessing your organization’s capabilities to help drive your security decisions?
Self-guided endpoint security evaluation
One method for doing a self-guided evaluation is to use the resources provided online by MITRE ATT&CK. ATT&CK stands for adversarial tactics, techniques, and common knowledge. Developed by MITRE as the byproduct of an in-house research project, ATT&CK offers a framework that organizations can use to benchmark and enhance their endpoint security posture. The real-world attack techniques it catalogs can be mapped to your security controls and tested during an evaluation.
It should be noted that it can be difficult to create attack methods that accurately and effectively exercise the MITRE ATT&CK techniques, and any other tests, included in your evaluation criteria. In support of our clients, Sirius can provide redacted testing results from past evaluations to augment self-guided, threat-based testing as part of an evaluation. For clients with an active NGAV or EDR project, we can send detailed, summarized results that include the vendors under consideration.
Evaluation using the Sirius Technology Enablement Center (TEC)
For a more hands-on approach, Sirius offers clients a consultative, structured approach to NGAV and EDR evaluations utilizing our TEC located in the Chicago area. Our proven methodologies provide our clients with valuable data to make informed decisions.
This is an ideal way for clients to see firsthand how various technologies perform in an emulated real-world environment. Our approach is vendor-neutral, and our TEC is one of the leading technology integration and design labs in North America. Proofs of concept, bake-offs and demonstrations are easily accommodated.
Our approach to NGAV and EDR testing consists of three phases:
- Develop client requirements and align with the testing methodology
- Execute lab testing using a variety of fileless and file-based attack methods that are mapped to the ATT&CK framework
- Deliver detailed results and an executive summary to the client
There are a lot of unknown variables affecting cybersecurity, but an understanding of the efficacy of your endpoint security measures doesn’t have to be one of them. Whether choosing a self-guided evaluation method or securing the services of an IT security specialist like Sirius, you can be proactive in your approach to your endpoint security.
If you’d like to know more about how Sirius can help you alleviate NGAV and EDR solution gaps, reduce the time involved in choosing the right solution, and improve your endpoint security posture, contact us today.