Sometimes I make a lofty statement and need to defend it. This time I thought it should become a blog post. Below I offer three reasons that Endpoint Protection and Threat Hunting are more important now than ever before. These reasons are based on technological factors, constraints of traditional prevention tools, and how these technologies function once you are breached.
You have less visibility:
More and more network data is encrypted. Pick your source on that; plenty of people have said so. Fun fact about encrypted traffic – your firewall doesn’t get to peek inside, at least not without consequence. Yes, I’m aware many modern firewalls can decrypt SSL sessions – but doing so brings its own set of performance, latency and privacy issues.
So, encryption remains a double-edged sword – it should prevent unauthorized access to your data, but it also prevents tools from accessing and evaluating the data going through your network. That means malicious code can hide inside. This lack of visibility blindfolds your prevention technology because without that visibility there is nothing for it to check known signatures against.
Prevention tools can’t assess behaviour:
Without the ability to evaluate behaviour and its potential impact, processes that could be malicious can go undetected. This is why ransomware is problematic – encrypting information (as we saw above) has to happen on your network, and less often on your endpoints. So tools that assess signatures can’t simply look for encryption – they would raise false positives all the time. A human threat hunter can evaluate whether behaviour is suspicious or not: whether a given user should be encrypting on a specific machine at a particular time. Considering that attackers now build an incubation period into their weapons, having a threat hunter who can investigate suspicious activity before dormant threats become active is critical.
After a breach, prevention tools don’t limit the spread of infection:
Prevention tools are designed to keep the bad guys out. But how do they function once the bad guys are in? If you have the same anti-virus installed on all your endpoints, and hackers have gotten past it on one, what is keeping that infection from spreading? Similarly, once malware is beyond your firewall, what can that firewall do to stop it spreading to other endpoints downstream of it?
The attacks we see these days have evolved beyond malware; its usefulness is limited once hackers have access to user credentials that bypass all the checks prevention technologies are doing. Attackers will gladly RDP into your SQL server, dump the database, zip it up and exfiltrate the data using legitimate credentials – without your endpoint protection software being any the wiser. On the other hand, through root-cause analysis, and with the visibility across your network they are afforded, threat hunters can proactively quarantine compromised devices and shut the doors on machines that are still clean using Endpoint Detection and Response (EDR).
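To make the "behaviour, not signatures" argument above concrete, here is an added example (my own illustration, not part of the original post or any product) that triages constructed endpoint events against each user's own baseline of hosts, hours and encryption volume, and flags the two scenarios described on this page: ransomware-like mass encryption on an unfamiliar machine at an odd hour, and a credentialed RDP logon followed by a database export. All users, hosts and event records are constructed sample data.

```python
from collections import defaultdict
# Constructed historical telemetry (the "baseline"): who normally does what, where and when.
BASELINE = [
    {"user": "alice", "host": "FIN-WS01", "hour": 9,  "action": "file_encrypt", "files": 12},
    {"user": "alice", "host": "FIN-WS01", "hour": 14, "action": "file_encrypt", "files": 8},
    {"user": "dba1",  "host": "SQL-01",   "hour": 10, "action": "rdp_logon",    "files": 0},
]
# Constructed new events to triage: one benign, one ransomware-like, one credential-misuse-like.
NEW_EVENTS = [
    {"user": "alice", "host": "FIN-WS01", "hour": 10, "action": "file_encrypt", "files": 15},
    {"user": "alice", "host": "HR-WS07",  "hour": 3,  "action": "file_encrypt", "files": 4200},
    {"user": "svc-backup", "host": "SQL-01", "hour": 2, "action": "rdp_logon",  "files": 0},
    {"user": "svc-backup", "host": "SQL-01", "hour": 2, "action": "db_export",  "files": 1},
]

def build_baseline(events):
    """Per user: hosts seen, hours seen and the largest file volume seen in history."""
    hosts, hours, peak = defaultdict(set), defaultdict(set), defaultdict(int)
    for e in events:
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(e["hour"])
        peak[e["user"]] = max(peak[e["user"]], e["files"])
    return hosts, hours, peak

def hour_gap(a, b):  # distance between two hours on a 24h clock
    d = abs(a - b) % 24
    return min(d, 24 - d)

def triage(new_events, history):
    """Return {event_index: [reasons]} for events that deviate from the user's own baseline."""
    hosts, hours, peak = build_baseline(history)
    alerts, recent_logons = {}, set()
    for i, e in enumerate(new_events):
        u, h, reasons = e["user"], e["host"], []
        known_host = h in hosts.get(u, set())
        if u not in hosts:
            reasons.append("no baseline for this user")
        elif not known_host:
            reasons.append("host never used by this user")
        if u in hours and all(hour_gap(e["hour"], x) > 2 for x in hours[u]):
            reasons.append("outside the user's usual hours")
        if e["action"] == "file_encrypt" and e["files"] > 10 * max(peak.get(u, 0), 1):
            reasons.append("encryption volume far above the user's peak")
        if e["action"] == "rdp_logon":  # remember interactive logons to correlate with later exports
            recent_logons.add((u, h))
        if e["action"] == "db_export" and (u, h) in recent_logons and not known_host:
            reasons.append("interactive logon then database export on an unfamiliar host")
        if reasons:
            alerts[i] = reasons
    return alerts
```

The benign event produces no alert, while the other two are flagged purely on context (user, host, hour, volume, sequence), which is the judgement a signature engine cannot make and a hunter is paid to make.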
Until automation yields technologies that can overcome these barriers (see my post on Why Machine Learning Won’t Replace Threat Hunters… Yet), you need to have detection and response capabilities, and you need to have tools at your disposal on the endpoint to take action. Our Managed Detection and Response service gets around these barriers by using your existing anti-virus and firewall to gather information (logs) while leveraging human Threat Hunters to deal with threats without false positives. Our service includes Endpoint Detection and Response (EDR), which enables us to take near-real-time action when you need it most.