Best Practices for Endpoint Detection and Response

There are many elements that can complicate enterprise security efforts. From the increasing sophistication of cybercriminal strategies and activities to the wide range of components connected to the network, data protection and infrastructure security have become an uphill battle. Another key factor to consider here is the array of different endpoints connected to and communicating through the network. Previously, administrators needed only concern themselves with on-premises desktop computers. But with the rise of BYOD and enterprise mobility, endpoint protection and associated data security have become much more complex. What’s more, it’s not just endpoints that IT admins must worry about: Any device that connects to and leverages the corporate network should be a part of detection and response strategies. Today, we take a closer look at detection and response, including from an endpoint perspective, and how organizations can utilize best practices to bridge internal gaps and better ensure that key assets and the overarching network are safeguarded.

What is endpoint detection and response? How does it work?

It’s important to begin with the basics. As Digital Guardian contributor Nate Lord explained, the concept of endpoint detection and response (EDR) first emerged in 2013 thanks to Gartner researcher Anton Chuvakin. He defined it as “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) [and] other problems on hosts/endpoints.” In this way, detection and response centers around the ability to identify potential threats and activity that can point to possible intrusions or attacks, and to respond to these problems or dangers. While different tools will work in their own unique ways – and include different features and capabilities – endpoint detection and response includes a few key processes:

  • Monitoring: The cornerstone of this process is continual monitoring of activities and events taking place within the network. This includes the integration and use of different endpoints, software platforms, hardware elements or digital environments.
  • Recording events: Events taking place within the network, through the array of different endpoints, are recorded into a central database.
  • Analysis: The recorded events are then analyzed for potential threats and intelligence that can be leveraged to inform protection strategies. Analysis may also include or inform other processes like the investigation of detected threats, reporting and associated alerting.

“Not all endpoint detection and response tools work in precisely the same manner or offer the same spectrum of capabilities as others in the space,” Lord noted. “[B]ut all endpoint detection and response tools perform the same essential functions with the same purpose: to provide a means for continuous monitoring and analysis to more readily identify, detect and prevent advanced threats.”

Detection and response: Aligning with the NIST Cybersecurity Framework

It’s worth pointing out the commonalities between the essentials of an endpoint detection and response strategy and the NIST Cybersecurity Framework. The key processes involved with endpoint detection and response specifically align with certain critical functions within the NIST Cybersecurity Framework. The Framework includes five key functions: Identify, Protect, Detect, Respond and Recover. In this way, it can be beneficial to build detection and response planning around the particular functions and categories included in the NIST Cybersecurity Framework. To learn more about the Cybersecurity Framework and the ways in which it helps improve overall security, check out our series, including Part 3: Detect, and Part 4: Respond.


Considerations and best practices from the experts

In addition to aligning endpoint protection and response with the functions and categories of the NIST Cybersecurity Framework, there are a few other considerations and key practices that enterprises and their IT teams should implement with their endpoint detection and response strategy.

Focus on endpoints as well as users

David Schroth, managing director of Design Compliance and Security, told Digital Guardian one of the weakest links involved with endpoint protection and response processes isn’t necessarily the endpoints themselves, but the users leveraging them. Enterprises can implement a variety of protection, detection and response strategies, but these should be deployed upon a foundation of user education and awareness. “In today’s world, users are targeted by outsiders through the use of phishing, social engineering and other techniques that are designed to persuade a user to unlock the door to allow them to come in,” Schroth noted. “If the users are not aware of these threats, then they may actively work against any technology based solution that you implement to protect your endpoints.” It’s imperative to include user training and awareness education with an organization’s security posture. Users should be taught about the potential risks in the current threat environment and the possible impacts their actions can have on the business, its reputation and its customers.

Consider building upon EDR with root cause analysis

Trend Micro’s Steve Duncan recently sat down with Enterprise Security Group’s Jon Oltsik, who noted that there is currently considerable buzz surrounding not only endpoint detection, protection and response, but the ability to build on this with root cause analysis. In other words, not only do enterprises want tools to guard against and identify potential threats, but when a security event does take place, they want to understand how it happened and how they can prevent it in the future.
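The recording and analysis steps listed earlier, together with the root cause analysis described above, can be shown on a small scale. This is an added example, not code from the article or from any vendor product: the sample events, host names and the detection rule (an office application spawning a script host) are constructed assumptions.

```python
import sqlite3

# Constructed sample telemetry: (host, pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    ("ws-014", 400, 1, "explorer.exe", "explorer.exe"),
    ("ws-014", 812, 400, "outlook.exe", "outlook.exe"),
    ("ws-014", 1290, 812, "winword.exe", "winword.exe invoice.docm"),
    ("ws-014", 1344, 1290, "powershell.exe", "powershell.exe -File update.ps1"),
    ("ws-022", 500, 1, "explorer.exe", "explorer.exe"),
    ("ws-022", 733, 500, "powershell.exe", "powershell.exe Get-Service"),
]

# Hypothetical rule: office applications should not spawn script hosts.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def record(events):
    """Recording: store endpoint events in one central database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proc (host TEXT, pid INT, ppid INT, image TEXT, cmd TEXT)")
    db.executemany("INSERT INTO proc VALUES (?,?,?,?,?)", events)
    return db

def analyze(db):
    """Analysis: find script hosts whose parent is an office application."""
    rows = db.execute(
        "SELECT c.host, c.pid, c.image, p.image FROM proc c "
        "JOIN proc p ON p.host = c.host AND p.pid = c.ppid ORDER BY c.host, c.pid"
    ).fetchall()
    return [(host, pid) for host, pid, child, parent in rows
            if child in SCRIPT_HOSTS and parent in OFFICE]

def root_cause(db, host, pid):
    """Root cause: walk the recorded parent chain back from the alert."""
    chain, seen = [], set()
    while pid not in seen:       # guard against a loop in malformed data
        seen.add(pid)
        row = db.execute(
            "SELECT image, ppid FROM proc WHERE host = ? AND pid = ?", (host, pid)
        ).fetchone()
        if row is None:          # parent was never recorded; chain ends here
            break
        chain.append(row[0])
        pid = row[1]
    return list(reversed(chain))

if __name__ == "__main__":
    db = record(SAMPLE_EVENTS)
    for host, pid in analyze(db):
        print(host, pid, " -> ".join(root_cause(db, host, pid)))
```

Operating systems reuse process IDs, so production telemetry needs a unique per-process identifier (or PID plus start time) for the parent chain to be trustworthy.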

EDR requires the right resources: Part of a larger security posture

It’s also important for enterprises to understand that endpoint detection and response should not be undertaken as an ad hoc strategy, and should be incorporated into larger, overarching security considerations. Cybersecurity expert and consultant Joseph Steinberg noted that a failure to properly incorporate endpoint security into the company’s main security program is a top error that many enterprises make. A contributing factor to this is the fact that a robust endpoint detection and response strategy can be particularly resource- and operationally-intensive, as Oltsik pointed out to Duncan, and it requires the right expertise and tools. “The downside of EDR is that it is operationally intensive,” Oltsik noted. “When you combine that with a global skills shortage in cybersecurity and the high level of skills needed to use the root cause tools, many customers can’t keep with EDR.”

Trend Micro is working to address this issue with its Managed Detection and Response, which includes constant monitoring, alerting and threat hunting, as well as endpoint event recording, network metadata recording and root cause analysis. This service is ideal for organizations that may not have the resources and capabilities internally to take on this critical process on their own.

To find out more about Managed Detection and Response, check out our datasheet and connect with the experts at Trend Micro today.
