{"id":16810,"date":"2018-10-24T13:00:53","date_gmt":"2018-10-24T13:00:53","guid":{"rendered":"https:\/\/blog.trendmicro.com\/?p=542173"},"modified":"2018-10-24T13:00:53","modified_gmt":"2018-10-24T13:00:53","slug":"best-practices-for-endpoint-detection-and-response","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/best-practices-for-endpoint-detection-and-response\/","title":{"rendered":"Best Practices for Endpoint Detection and Response"},"content":{"rendered":"

\"\"\/<\/p>\n

There are many elements that can complicate\u00a0enterprise security efforts. From the increasing sophistication of cybercriminal strategies and activities to the wide range of components connected to the network, data protection and infrastructure security has become an uphill battle. Another key factor to consider here is the array of different endpoints connected to and communicating through the network. Previously, administrators needed only concern themselves with on-premise desktop computers. But with the rise of BYOD and enterprise mobility, endpoint protection and associated data security has become much more complex. What\u2019s more, it\u2019s not just endpoints that IT admins must worry about: Any device that connects and leverages the corporate network should be a part of detection and response strategies. Today, we take a closer look at detection and response, including from an endpoint perspective, and how organizations can utilize best practices to bridge internal gaps and better ensure that key assets and the overarching network are safeguarded.<\/p>\n

What is endpoint detection and response? How does it work?<\/strong><\/h3>\n

It\u2019s important to begin with the basics. As Digital Guardian contributor Nate Lord explained, the concept of endpoint detection and response<\/a> (EDR) first emerged in 2013 thanks to Gartner researcher Anton Chuvakin. He defined it as \u201cthe tools primarily focused on detecting and investigating suspicious activities (and traces of such) [and] other problems on hosts\/endpoints.\u201d In this way, detection and response centers around the ability to identify potential threats and activity that can point to possible intrusions or attacks, and responding to these problems or dangers. While different tools will work in their own unique ways \u2013 and include different features and capabilities \u2013 endpoint protection and response includes a few key processes:<\/p>\n\n\n\n\n
\n\n
    \n
  • Monitoring:<\/strong> The cornerstone of this process is continual monitoring of activities and events taking place within the network. This includes the integration and use of different endpoints, software platforms, hardware elements or digital environments.<\/li>\n
  • Recording events:<\/strong> Events taking place within the\u00a0network, through the array of different endpoints are recorded into a central database.<\/li>\n
  • Analysis:<\/strong> The recorded events are then analyzed for potential threats and intelligence that can be leveraged to inform protection strategies. Analysis may also include or inform other processes like the investigation of detected threats, reporting and associated alerting.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
\n\n<\/tr>\n<\/tbody>\n<\/table>\n

\u201cNot all endpoint detection and response tools work in precisely the same manner or offer the same spectrum of capabilities as others in the space,\u201d Lord noted. \u201c[B]ut all endpoint detection and response tools perform the same essential functions with the same purpose: to provide a means for continuous monitoring and analysis to more readily identify, detect and prevent advanced threats.\u201d<\/p>\n

Detection and response: Aligning with the NIST Cybersecurity Framework<\/strong><\/h3>\n

It\u2019s worth pointing out the commonalities between the essentials of an endpoint detection and response strategy and the NIST Cybersecurity Framework. The key processes involved with endpoint detection and response specifically align with certain critical functions within the NIST Cybersecurity Framework. The Framework includes five key functions: Identify, Protect, Detect, Respond and Recover. In this way, it can be beneficial to build detection and response planning around the particular functions and categories included in the NIST Cybersecurity Framework. To learn more about the Cybersecurity Framework and the ways in which it helps improve overall security, check out our series<\/a>, including Part 3: Detect<\/a>, and Part 4: Respond<\/a>. \"\"<\/p>\n

Endpoint detection and response is an important and multi-faceted process for today\u2019s enterprises.<\/em><\/p>\n

Considerations and best practices from the experts<\/strong><\/h3>\n

In addition to aligning endpoint protection and response with the functions and categories of the NIST Cybersecurity Framework, there are a few other considerations and key practices that enterprises and their IT teams should implement with their endpoint detection and response strategy.<\/p>\n

Focus on endpoints as well as users<\/strong><\/h3>\n

David Schroth, managing director of Design Compliance and Security, told Digital Guardian one of the weakest links involved with endpoint protection and response processes isn\u2019t necessarily the endpoints themselves, but the users leveraging them<\/a>. Enterprises can implement a variety of protection, detection and response strategies, but these should be deployed upon a foundation of user education and awareness. \u201cIn today\u2019s world, users are targeted by outsiders through the use of phishing, social engineering and other techniques that are designed to persuade a user to unlock the door to allow them to come in,\u201d Schroth noted. \u201cIf the users are not aware of these threats, then they may actively work against any technology based solution that you implement to protect your endpoints.\u201d It\u2019s imperative to include user training and awareness education with an organization\u2019s security posture. Users should be taught about the potential risks in the current threat environment and the possible impacts their actions can have on the business, it\u2019s reputation and its customers.<\/p>\n

Consider building upon EDR with root cause analysis<\/strong><\/h3>\n

Trend Micro\u2019s Steve Duncan recently sat down with Enterprise Security Group\u2019s Jon Oltsik, who noted that there is currently considerable buzz<\/a> surrounding not only endpoint detection, protection and response, but the ability to build on this with root cause analysis. In other words, not only do enterprises want tools to guard against and identify potential threats, but when a security event does take place, they want to understand how it happened and how they can prevent it in the future.<\/p>\n