by Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
In a fast-changing landscape where large cyber attacks make the news virtually every month, companies have started shifting their security defense paradigm towards gaining more visibility into how attacks unfold and how they become targets. Building shields that merely safeguard IT infrastructure is no longer enough, especially once protection fails and a breach occurs. And breaches will occur sooner rather than later.
As a result, companies' security spending has already started migrating from prevention-only approaches to a stronger focus on detection and response. Traditional, prevention-focused controls, such as endpoint protection platforms (EPP), firewalls, application security, and intrusion prevention systems, are increasingly complemented by active defense mechanisms such as endpoint detection and response (EDR) tools, which feed relevant, accurate telemetry into security operations and analytics.
Endpoint detection and response solutions not only help CISOs protect their infrastructure against sophisticated cyber threats, facilitate early detection, and gather intelligence; they also bring visibility into stealthy attacks, enabling rapid containment.
Beyond improving detection and response to the security incidents that do occur, EDR tools also help address the shortage of cybersecurity professionals. Most information security professionals admit they have too few staff to address current threats, while the number of cyber threats rises to new records each year.
More specifically, endpoint detection and response tools are a good fit for resource-strapped businesses with lean IT teams that operate without a coordinating hub for cybersecurity activities, also known as a Security Operations Center (SOC). It is a common situation many companies must deal with. Even though SOCs are increasingly common, almost half of organizations do not have one, which creates many security challenges: slower identification of intrusions, ad-hoc or nonexistent processes following a security breach, an inability to efficiently protect the most valuable assets from advanced attacks, and delayed isolation of compromised systems. Detection and response capabilities allow these companies to detect an attack quickly and react to minimize the impact on their network, brand reputation, and customers.
EDR’s role in the advanced threat landscape
As cybercriminals and threat developers shift to more sophisticated and complex threats, such as unknown malware or fileless attacks, to evade traditional solutions, companies have started adding layers of protection that back up the standard EPP. However, even if stacking solutions such as EDR brings stronger security, CISOs still struggle with managing multiple platforms, chasing false alerts, and growing security teams while keeping costs down.
A Bitdefender survey of large companies in the US and Europe shows that most CISOs have difficulties in deploying and maintaining complicated endpoint security architectures. Seventy-two percent of information security professionals admitted that their IT team experienced agent and alert fatigue, and 34 percent of US respondents said their budget could not accommodate infrastructure expansion.
While some companies have started taking steps to defend against advanced attacks by building SOCs, many still have no internal structure to deal with modern threats. Without a SOC in place, CISOs report a range of security gaps: 64 percent of US respondents in companies with no SOC said monitoring activities are among their toughest challenges.
On top of that, in terms of staff time, managing EDR tools is described as difficult or very difficult by half of IT executives, and 15 percent of US CISOs said deploying these technologies is very difficult. Some security professionals who use both protection and detection-and-response tooling feel the latter is too noisy. In fact, Bitdefender research found that, of all endpoint alerts triggered by monitoring and response technologies and handled by US security teams, 49 percent are false alarms.
CISOs are running with tired legs
Companies that use an EDR solution have acknowledged that a cyber attack can occur at any time and that protection platforms can only address 99 percent of the threats in the wild. EDR tools focus on the remaining one percent, allowing for much greater fidelity in incident investigations. Eighty-two percent of security professionals in Europe and the US say that reaction time is a key differentiator in mitigating cyber attacks. CISOs point out that time is of the essence mainly when isolating the incident to prevent spreading (68%), identifying how the breach occurred (55%), and evaluating losses and the impact of the breach (51%). A delayed response to a cyber incident can also make it harder to accurately identify when the attack began and assess its timeframe (30%), understand the motivation behind the attack (19%), or improve the incident response plan for future attempts (17%).
Accordingly, the second most important driver for enhancing a company's cybersecurity posture is also speed-related: faster detection and response capabilities are mentioned by almost half of those surveyed, immediately below improving data protection (51%). EDR tools that lack priority- or severity-based alert filtering can slow the detection and response process for real threats, because they send IT and security staff down investigation paths that either lead nowhere or are trivial. The value of EDR alerts lies not in their sheer number but in intelligent, reliable, and meaningful alerts with a high probability of pointing to a real threat. Traditional EDR tools may look like a security enabler, but without a dedicated, staffed SOC team they may either hinder the organization's security capabilities or make no significant contribution to its overall security posture.
Timely detection of data breaches directly benefits organizations, because incident response procedures can be triggered immediately to contain, mitigate, and prevent full-blown security incidents that would otherwise hurt the organization financially. Zeroing in on potential security breaches as they occur can make the difference between business continuity and irreparable financial or reputational damage.
The damage caused by a breach scales with the time the attacker remains inside an organization's infrastructure. Failing to detect a breach as it occurs may lead to full infrastructure compromise, irreversible data loss, and financial repercussions from which some companies never recover. With attacks becoming more sophisticated, advanced, and pervasive, companies are left vulnerable by the traditional set-and-forget security model, in which businesses acquire security tools but neither manage them continuously nor update their incident response plans. The true strength of an effective security posture lies in layered defense, augmented by next-generation detection and response tools that accurately pinpoint potential data breaches as they occur. Perhaps the one thing organizations cannot afford is a lack of the right security tools.
When considering EDR solutions, Bitdefender security specialists strongly advise enterprise CISOs to consider the importance and value of an integrated prevent-detect-investigate-respond-evolve approach to endpoint security:
- Prevent: block all known bad and a high percentage of unknown bad at the pre-execution layer, without saturating the EDR analytics engine with unnecessary incident alerts.
- Detect: supported by built-in intelligence from the threat protection engines and by analysis of the stream of behavioral events from an endpoint event recorder.
- Investigate: aided by contextually relevant information on the class of threat detected (via the built-in intelligence), the reason for detection (via threat analytics), and the final verdict (via an integrated sandbox).
- Respond: via a single-pane-of-glass incident response interface that enables tactical remedial actions immediately and across the whole enterprise.
- Evolve: close the feedback loop from current detection to future prevention via in-place policy tuning and hardening.
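The two points above that a practitioner can actually engineer are the severity-based alert filtering the article calls for and the "evolve" feedback loop from an analyst's verdict back into policy. The following is an added example, not Bitdefender code and not a description of any product: it scores each alert by rule severity weighted by historical confidence, collapses repeats of the same rule on the same host inside a time window, buckets the result into investigate/queue/noise, and turns a confirmed false positive into a suppression rule so the same benign process stops generating tickets. The alert schema, weights, thresholds and the seven sample alerts are all constructed for illustration.

```python
"""Alert triage with priority scoring, de-duplication and a tuning feedback loop.

Added example, not Bitdefender code. The alert fields, the severity and
confidence weights, the thresholds and the sample alerts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str          # detection rule name, e.g. "powershell_encoded_command"
    severity: int      # 1 (low) .. 10 (critical), assigned by the rule author
    confidence: float  # 0.0 .. 1.0, share of past firings that were true positives
    process: str       # image path of the process that triggered the rule


@dataclass(frozen=True)
class Suppression:
    rule: str
    process: str       # exact process path an analyst confirmed benign for this rule


def priority(alert: Alert) -> float:
    """Severity weighted by confidence: a loud rule that is usually wrong ranks low."""
    return alert.severity * alert.confidence


def triage(alerts: List[Alert], suppressions: List[Suppression],
           window: timedelta = timedelta(minutes=10),
           investigate_at: float = 6.0, queue_at: float = 3.0) -> Dict[str, List[Alert]]:
    """Sort alerts into investigate / queue / noise.

    1. Alerts matching a tuned suppression are noise (the 'evolve' loop at work).
    2. Repeats of the same (host, rule) inside `window` collapse into the first
       one, so a rule firing 50 times does not become 50 tickets.
    3. Everything else is bucketed by priority score.
    """
    buckets: Dict[str, List[Alert]] = {"investigate": [], "queue": [], "noise": []}
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if any(s.rule == a.rule and s.process == a.process for s in suppressions):
            buckets["noise"].append(a)
            continue
        key = (a.host, a.rule)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev < window:
            buckets["noise"].append(a)          # duplicate inside the window
            continue
        last_seen[key] = a.ts
        p = priority(a)
        if p >= investigate_at:
            buckets["investigate"].append(a)
        elif p >= queue_at:
            buckets["queue"].append(a)
        else:
            buckets["noise"].append(a)
    return buckets


def tune_from_verdict(alert: Alert, verdict: str) -> Optional[Suppression]:
    """Feedback loop: an analyst's false-positive verdict becomes a suppression."""
    if verdict == "false_positive":
        return Suppression(rule=alert.rule, process=alert.process)
    return None


def false_alarm_ratio(buckets: Dict[str, List[Alert]]) -> float:
    total = sum(len(v) for v in buckets.values())
    return len(buckets["noise"]) / total if total else 0.0


# Constructed sample alerts (not real telemetry). Times are relative to T0.
T0 = datetime(2018, 3, 1, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BACKUP = r"C:\Program Files\Backup\agent.exe"
SAMPLE_ALERTS = [
    Alert(T0, "ws-12", "powershell_encoded_command", 8, 0.9, PS),                  # 7.2 -> investigate
    Alert(T0 + timedelta(minutes=1), "ws-12", "powershell_encoded_command", 8, 0.9, PS),   # duplicate
    Alert(T0 + timedelta(minutes=2), "srv-01", "lsass_memory_read", 10, 0.8,
          r"C:\Tools\procdump.exe"),                                                # 8.0 -> investigate
    Alert(T0 + timedelta(minutes=3), "ws-07", "new_scheduled_task", 4, 0.8, BACKUP),  # 3.2 -> queue
    Alert(T0 + timedelta(minutes=4), "ws-09", "unsigned_dll_load", 3, 0.3,
          r"C:\Users\jdoe\AppData\Local\Temp\helper.dll"),                          # 0.9 -> noise
    Alert(T0 + timedelta(minutes=5), "ws-22", "new_scheduled_task", 4, 0.8, BACKUP),  # 3.2 -> queue
    Alert(T0 + timedelta(minutes=30), "ws-12", "powershell_encoded_command", 8, 0.9, PS),  # new window
]


def run_demo() -> Tuple[Dict[str, List[Alert]], Dict[str, List[Alert]]]:
    """Triage once, let an analyst close the ws-07 task alert as benign, triage again."""
    before = triage(SAMPLE_ALERTS, suppressions=[])
    benign = next(a for a in before["queue"] if a.host == "ws-07")
    rule = tune_from_verdict(benign, "false_positive")
    after = triage(SAMPLE_ALERTS, suppressions=[rule] if rule else [])
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for name, b in (("before tuning", before), ("after tuning", after)):
        counts = {k: len(v) for k, v in b.items()}
        print(f"{name}: {counts}, false-alarm ratio {false_alarm_ratio(b):.2f}")
```

The first pass leaves three alerts to investigate, two to queue and two as noise; after the analyst's verdict, the backup agent's scheduled-task alerts on both hosts drop to noise and the queue empties, while the two high-priority detections are untouched. Confidence here is a per-rule constant for brevity; in practice it should be recomputed from closed-ticket outcomes so the same loop that adds suppressions also re-weights the rules.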
The survey, conducted in February-March 2018 by Censuswide for Bitdefender, included 1,050 IT security purchase professionals from large enterprises with 1,000+ PCs and data centers, based in the US and Europe.
About the Author
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
Liviu Arsene is a Global Cybersecurity Analyst for Bitdefender with a strong background in security. He has worked closely with cross-company development teams, as his previous role as Product Manager involved understanding Bitdefender's technology stack.
Reporting on global trends and developments in computer security, he focuses on malware outbreaks and security incidents while coordinating with technical and research departments. Liviu can be reached online at firstname.lastname@example.org and at our company website https://businessinsights.bitdefender.com/author/liviu-arsene.