Network security data has long been the lifeblood of threat detection, but to achieve optimum visibility, supporting data from endpoints is just as important.
This post outlines why endpoint telemetry is now fundamental to reducing the time taken to identify and remediate security incidents.
1. It helps to minimise visibility blind spots
The aggregation and analysis of network-based data remains vital to threat detection. However, without endpoint telemetry to provide broader visibility across the IT estate, there is a significant risk that some types of malicious behaviour can go unseen.
Digital transformation, including widespread cloud adoption and mass remote working, is exacerbating the risk of blind spots by dissolving the network perimeter and creating a larger surface to monitor.
Without endpoint telemetry to help paint a more complete picture, security teams may lack awareness of when and how key assets are compromised. There is a real danger that breaches won’t be discovered until after an attacker has gained a foothold.
Since the start of the COVID-19 pandemic, the Redscan team has witnessed a huge increase in attacks against endpoint devices. Phishing campaigns, abuse of VPN and RDP services, and websites initiating drive-by downloads are all pressing risks which call for more extensive visibility of users and their devices.
2. It helps to detect adversary behaviours sooner
Adversaries are constantly evolving their range of approaches to evade detection. Endpoint telemetry helps security teams to enhance threat detection coverage – the range of adversarial techniques that are observable – and identify malicious activity earlier in the cyber kill chain.
Powershell abuse and process injection (techniques used to trigger fileless malware attacks) are just two in a growing list of TTPs which can only be identified by the use of endpoint telemetry. Fileless malware is a serious risk to organisations and the top critical threat to endpoints in 2020.
Minimising attacker dwell time is imperative given the serious damage that attackers can inflict in a very short period. Critical vulnerabilities such as Zerologon mean that ransomware attacks are able to achieve full domain-wide encryption in a matter of hours.
3. It provides greater context
In isolation, network-based detections often lack the necessary detail needed to make fast, resolute decisions. This is the reason that security teams can struggle to determine conclusively whether an organisation is genuinely under attack and why alert fatigue remains such a big problem. Analysts are forced to review hundreds of disparate alerts because they lack the situational awareness to know whether any are linked to the same incident.
Armed with supplementary data from endpoints, security teams can more reliably determine whether activity is malicious or benign, conduct forensic investigations to understand the full scope and kill chain of attacks and respond more quickly and effectively.
4. It can help detect unknown threats
Given the speed of attacker innovation, threat detection shouldn’t just be concerned with the detection of known threats. Identification of unknown attackers using new tactics, techniques and procedures (TTPs) is also important for minimising risk.
Proactive detection of emerging threats is referred to as threat hunting, a process which requires a wide range of current and historical data to yield results.
Telemetry from endpoints is crucial to threat hunting, providing the information that hunters need to study and hypothesise about current threat behaviours as well as informing the creation of detection rules and watch lists to identify new ones.
How to obtain the right endpoint telemetry
To achieve the level of endpoint visibility required to detect and respond to the latest threats, organisations increasingly need to look beyond traditional endpoint security solutions in favour of Next Generation Anti-virus (NGAV) and Endpoint Detection and Response (EDR) tools.
By collecting raw telemetry relating to processes, file modifications, registry changes and network connections, and using advanced behavioural analytics to examine events in near real-time, NGAV and EDR technologies provide deep visibility across devices. But the benefits don’t stop there. Many of the latest solution also help to accelerate incident response by giving security teams the power to ban hashes, terminate processes and isolate infected endpoints.
However, realising the value of endpoint telemetry isn’t simply about installing the right tool and capturing every piece of information available. To obtain the best outcomes, it’s important to have a clear understanding of the right data to analyse, an ability to enrich it, and also a capacity to respond swiftly and effectively when malicious activity is detected.
ThreatDetect™ Managed Detection and Response
ThreatDetect™ from Redscan is an outcome-focused Managed Detection and Response service that helps organisations to achieve comprehensive threat coverage and visibility across networks, endpoint and cloud environments. Combining experienced security professionals, a turnkey technology stack and curated threat intelligence from in-house and external sources, the service accelerates the time it takes to detect as well as respond to latest attacks.
CyberOps™, Redscan’s threat management platform, is central to the delivery of ThreatDetect and comprises hundreds of high-fidelity use cases rules (mapped to MITRE ATT&CK) and automated incident response playbooks to identify, contain and disrupt threats as swiftly as possible.