Cyber security. It’s not always about hunting down the bad guys and gals. Sometimes you just gotta get things done, but getting things done is hard. There are many, many vendors in the EDR/EPP space that have a well-founded reputation for being hard to implement without services, and for being too time consuming to run.
Our June release here at Endgame, version 3.10, brings a renewed focus on getting things done efficiently, accurately, and fast.
Adversarial Behavior Whitelisting
Over the past couple of years, many EDR customers have ended up with buyer’s remorse. They realize that once professional services have packed up and gone home, they can’t actually operate the product. Much of this is because most vendors still treat their detection logic as a black box and keep the tuning knobs to themselves.
Much has been said about ATT&CK matrix coverage, for example, and what it means to have a strong alignment with ATT&CK. Vendors want to focus on big numbers like 100% coverage of this, or 100% prevention of that. They spend none of their marketing time telling you that a lot of adversarial behavior can be GOOD behavior, just like Microsoft PowerShell can be used for good and for bad. Trying to detect every possible adversary behavior is going to light up your alerts and notifications like Clark W. Griswold’s holiday lights, and have your team chasing their tails until they can’t take it anymore.
I’m lucky enough to spend time working in our SOC, triaging alerts and separating true positives from false positives. What’s been most interesting is how much time I spend investigating suspicious activity that turns out to be totally fine and expected, and that probably would not have taken more than a few moments’ attention if I worked at that organization myself.
For example, a configuration management tool like IBM’s Tivoli Application Dependency Discovery Manager (what a name) can look VERY suspicious when it uses remote WMI calls to run asset discovery tasks. If that were my environment, I would use my local knowledge to say, “yup, this is expected.” Without that knowledge, it looks a lot like lateral movement (ATT&CK T1028, Windows Remote Management, is the lateral movement technique; the remote WMI execution itself maps to T1047, Windows Management Instrumentation), and running processes from unusual paths looks like defense evasion.
What’s great about Endgame’s new whitelisting capability is that I can stop those alerts from coming up by using a very specific whitelist entry for that specific adversarial tactic. So, if Endgame detects this behavior originating from a specific IP address, under a specific user account, for a specific process path, we can safely suppress those alerts from firing and leave the security team free to investigate other issues. The narrowness is the point: an entry scoped to all three attributes only covers the scanner you actually know about, whereas an entry keyed on the account or the process name alone would also hide an attacker who steals that service account or drops a same-named binary elsewhere.
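To make the tuning idea concrete, here is an added example of how a narrowly scoped allowlist entry behaves against a feed of behavior-based alerts. This is illustration code written for this article, not Endgame’s implementation or its rule format; the alert fields, the IP addresses, the account names and the discovery-tool path are all constructed. It also goes one step beyond the text by refusing to apply an entry that pins down fewer than three attributes, so a lazy rule cannot silence a whole tactic.

```python
"""Scoped alert suppression (added example; not Endgame code).

An AllowRule suppresses an alert only when every attribute it pins down
matches exactly. Rules that pin down too few attributes are reported
instead of applied, because a rule keyed on a single field (say, the
service account) would also hide an attacker who borrows that account.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    technique: str      # ATT&CK technique ID the detection maps to
    source_ip: str      # host that issued the remote WMI call
    user: str           # account the call was made under
    process_path: str   # image path of the calling process on the source host


@dataclass(frozen=True)
class AllowRule:
    technique: str
    source_ip: Optional[str] = None
    user: Optional[str] = None
    process_path: Optional[str] = None

    def specificity(self) -> int:
        """Number of scoping attributes the rule pins down (0 to 3)."""
        return sum(v is not None for v in (self.source_ip, self.user, self.process_path))

    def matches(self, alert: Alert) -> bool:
        """Exact, case-insensitive match on every attribute the rule pins down."""
        if alert.technique != self.technique:
            return False
        for name in ("source_ip", "user", "process_path"):
            want = getattr(self, name)
            if want is not None and getattr(alert, name).casefold() != want.casefold():
                return False
        return True


def apply_allowlist(alerts, rules, min_specificity=3):
    """Return (kept, suppressed, rejected_rules).

    Only rules with at least min_specificity pinned attributes are applied;
    broader ones are returned in rejected_rules so an analyst can see them.
    """
    active = [r for r in rules if r.specificity() >= min_specificity]
    rejected = [r for r in rules if r.specificity() < min_specificity]
    kept, suppressed = [], []
    for alert in alerts:
        (suppressed if any(r.matches(alert) for r in active) else kept).append(alert)
    return kept, suppressed, rejected


# Constructed sample alerts, all mapped to T1047 (remote WMI execution).
SAMPLE_ALERTS = [
    # Expected: the CMDB discovery scanner (hypothetical host, account and path).
    Alert("T1047", "10.0.5.20", "CORP\\svc_discovery",
          "C:\\Program Files\\Discovery\\bin\\scanner.exe"),
    # Suspicious: same service account, but from a workstation and a writable path.
    Alert("T1047", "10.0.99.7", "CORP\\svc_discovery", "C:\\Users\\Public\\wmiexec.exe"),
    # Suspicious: from the scanner host, but a different account and a temp binary.
    Alert("T1047", "10.0.5.20", "CORP\\jdoe", "C:\\Windows\\Temp\\ps.exe"),
]

# Pins source host, account and process path: covers exactly the known scanner.
SPECIFIC_RULE = AllowRule("T1047", source_ip="10.0.5.20", user="CORP\\svc_discovery",
                          process_path="C:\\Program Files\\Discovery\\bin\\scanner.exe")
# Pins only the account: would also hide the stolen-account lookalike.
BROAD_RULE = AllowRule("T1047", user="CORP\\svc_discovery")


def demo():
    """Counts of (kept, suppressed, rejected rules) with the default threshold."""
    kept, suppressed, rejected = apply_allowlist(SAMPLE_ALERTS, [SPECIFIC_RULE, BROAD_RULE])
    return len(kept), len(suppressed), len(rejected)


if __name__ == "__main__":
    print(demo())  # (2, 1, 1): scanner suppressed, two lookalikes kept, broad rule refused
```

Lowering `min_specificity` to 1 shows why the threshold exists: the account-only rule then suppresses both `svc_discovery` alerts, including the one coming from a workstation and a world-writable path.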
Every single organization’s environment is different, and every security tool is going to need tuning and configuring. Anyone who tells you that everything works out-of-the-box is probably selling something useless. The difference is in the user experience, and this is how Endgame continues to bring more advanced capabilities to security teams of all sizes.
See for yourself, visit endgame.com/demo.