Beyond EDR – What does it take to detect advanced attacks?
As cyber threats continue to evolve and become more sophisticated, so too does the technology designed to defend against them. Implementing endpoint detection and response (EDR) technology is a growing trend among organizations reacting to the current threat landscape. However, the question remains: is modern technology alone enough to defend against the capability that today's attackers demonstrate?
This article considers the complexities of building an effective detection and response capability and, in doing so, addresses that question.
Over-reliance on technology
The security threats facing organizations are real and present. Attackers are remarkably adept at finding ways around automated defenses such as firewalls, anti-virus, next-generation firewalls, signature-based alerting and even off-the-shelf EDR tooling.
The problem with any technology is that it presents a static target for attackers to study. Once an attacker has a copy of a product, they can test their tooling against it until it is no longer detected, so there will always be ways and means to evade automated detection. Moreover, advanced attackers purposefully design and execute their attacks to circumvent security controls. The idea that the best way to handle the increasing number of successful cyber-attacks is simply to implement more advanced technology is therefore fatally flawed.
From technology to an organizational capability
If simply upgrading your technological solutions isn’t the answer, then what can organizations do to protect themselves from the rising tide of targeted attacks? The best option is to focus on building a robust detection and response capability, with an emphasis on people and process, and then bringing in the right tools to support that function’s needs. Only the right combination of people, process and technology will deliver an Advanced Detection and Response capability that is fit for purpose in today’s cyber threat landscape.
While attackers often use highly advanced technology, the perpetrators behind targeted attacks are ultimately humans. To have any real success at defending, a paradigm shift towards human-driven, technology-enabled detection and response is key.
However, this is not a quick or simple process. Building an internal detection and response capability that can detect and respond to modern threat actors, even with the best EDR tooling to support it, requires expert knowledge of attacker tactics, techniques and procedures (TTPs), all of which are continuously and rapidly evolving.
Furthermore, in a globally skill-constrained industry, attracting and retaining specialist talent in more than one area is a major challenge. Achieving the appropriate level of capability can take anywhere from four to seven years which, considering the rapid increase in targeted attacks, is both risky and impractical for most organizations.
Building the Capability
Continuous and dedicated long-term commitment is necessary to build an advanced detection and response capability. As stated above, the implementation of modern technology such as EDR is simply not enough on its own to successfully defend an organization. To achieve a robust detection and response capability, organizations need to overcome a number of challenges:
- The rate at which attackers evolve: In the current threat landscape, malicious attackers massively outnumber security professionals across the globe. In addition, criminal groups and nation state-sponsored attackers are able to move significantly faster than most organizations because they can adopt new technology and techniques without the procurement, change-control and training overheads an enterprise faces. As such, it is difficult for an enterprise's internal teams to keep pace both with the cyber security industry's development and with the rate at which attacker groups are evolving.
- The global skills shortage: It was recently reported that 70 percent of cyber security professionals have felt the impact of the global skills shortage, with 22 percent believing their cyber security team was not large enough for the size of their organization. More than two-thirds felt they were too busy with their jobs to put time into skills development and training.[1] Considering that an Advanced Detection and Response capability requires a 24x7x365 operation, you will need a team of at least 8 highly skilled individuals to cover shifts, leave and sickness, supported by a small dedicated development team.
- Offensively trained Threat Hunters: For an EDR technology to be effectively utilized, offensively trained people are required. You have to be able to think like an attacker to effectively predict, track, and contain an attacker’s movements. Failure to operate EDR software to its full extent will result in ineffective detection.
- Cyber security trained Incident Responders: Many EDR tools provide little in-built support for tracking or containing an attacker's movements once they have been detected, so additional tooling is required for the response phase. Responding well requires a number of different skills, including, to name a few, current knowledge of new attacker techniques and the tools they may use, best practice for incident containment, and processes for feeding the lessons of every attempted attack back into future investment and training.
- Retaining your team: It is one thing to attract the right talent to your organization, but many organizations that have embarked on the journey to build their own advanced detection and response capability have battled to retain talent. Among other things, the reasons are: unfavorable working hours (night shifts, holidays, weekends), employees becoming isolated from the broader cyber security world, and limited options for career growth in this emerging field.
- Tactical Research: The route to an advanced detection and response capability is to allow a healthy percentage of the team's working hours for research, which can include anything from developing use cases to attending conferences and offensive training courses, and from automating processes to devising and testing new attacker methods. Such tactical research should produce a continuous flow of new ideas for finding evidence and artifacts of advanced attacks within an organization. The freedom this requires does not typically fit well with the corporate environment of a large organization, yet combining all of these elements increases team effectiveness significantly. Without this dedicated time and investment, even the best employees will find their skills atrophy and their experience become obsolete.
- Rapid tooling development: This capability is deliberately kept independent of any existing EDR product, software or service, because relying on existing tooling limits what you can detect to what that tooling was designed to see. With a continuous feed of findings from tactical research, you need the ability to turn those findings into detection and response tooling quickly, and a dedicated development team is the most reliable way to do so. That team can then build the tooling needed to apply each new detection efficiently and at scale. Establishing a team able to rapidly develop tooling to the exact requirements set by tactical research is often overlooked by organizations and presents a challenge in its own right.
- Costs involved: Organizations that have systemically underspent on cyber security grapple with the costs involved in establishing an advanced detection and response capability. Achieving the appropriate level requires sustained long-term financial commitment over a number of years, often beyond the financial appetite of the business.
Should you consider a managed service while you build?
As set out in the section above, the odds are unfortunately stacked against organizations. So what are the alternatives to building an internal advanced detection and response capability?
One option is to partner with a managed detection and response service (MDR) provider that can help you build this capability over time, whilst keeping you secure from day one. To guide you through the minefield of empty vendor promises, Countercept has put together a checklist to help you find an appropriate MDR partner.