KeyCriteriaEval 01072019
IN EVALUATING ENDPOINT SECURITY
ENDGAME BUYER’S GUIDE 2019
According to a recent report, the issue worrying most enterprise CISOs is that they have no idea how effective their endpoint security is, nor where the gaps are, until it is too late¹.
FACTS

◾ Your enterprise is at more risk of attack than ever².
◾ The proliferation of encrypted communication reduces the effectiveness of your perimeter security – if your users are even within your perimeter at all.
◾ Attackers look for the easiest point of entry by manipulating application vulnerabilities, operating system weaknesses, lackluster device configuration and hardening, and through social engineering to subvert valid user activities and behaviors³.
◾ With breaches that circumvented air-gapped networks and stringent network hygiene, the endpoint has become the only place that attacks can be detected and prevented⁴.
◾ Stand-alone Endpoint Detection and Response (EDR) tools sing songs of enhanced security, but the majority of organizations do not have the staffing to add complex forensic-like tools⁵.
◾ Few Endpoint Protection vendors have integrated the prevention and visibility components together well enough to function as a cohesive platform, resulting in separate and confusing implementation and operations.
This lack of visibility makes it exceptionally hard to identify where to make changes and investments in endpoint security. The vast range of vendors, the potential complexity of poorly described protection capabilities, and the potential for increased operational demands placed on your security team all combine for a state that favors status quo bias. Until it is too late.

Regardless of what stage of maturity you are at, this paper will provide you with the context and knowledge to begin asserting control over your endpoint security operations by using the three pillars that support a modern endpoint protection strategy.
3 | RESPONSE – Contain the threat, repair damage, address the root cause
2 | ENDGAME
¹ Metrics are used in only about half (54%) of SOCs. ©2018 SANS™ Institute, SANS 2018 Security Operations Center Survey.
² Regional Risks for Doing Business 2018. © 2018 World Economic Forum.
³ “The 2018 State of Endpoint Security Risk.” Ponemon Institute LLC © Research Report, October 2018.
⁴ 8 Ways Hackers Can Game Air Gap Protections. DARKReading. Copyright © 2018 UBM, InformationWeek IT Network.
⁵ 62% cite lack of skilled staff. ©2018 SANS™ Institute, SANS 2018 Security Operations Center Survey.
1 | PREVENTION

◾ Pre-execution blocking without a reliance on cloud look-up or signature distribution ensures full protection at all times, wherever the endpoint is.
◾ Prevent malicious Microsoft Office files before they have a chance to cause damage and loss. By analyzing the content of MS Office docs and applying
◾ Increase the scope of prevention by preventing adversary behaviors and system tool misuse, not just file-based threats.
2 | DETECTION
ADDRESSING ADVERSARY ACTIVITY

With the rapid pace of change in today’s threat landscape, organizations need to consider not just the accuracy and efficacy of the malware prevention and adversary detection available, but also the efficiency of the workflow needed to scale towards a security operations approach, without demanding complex training and without placing success pre-requisites on hiring experienced Digital Forensics and Incident Response (DFIR) staff.

“EDR users report that, although their tools were instrumental in ‘detecting the undetectable’, they also delivered many other alerts that were not actionable in their environments.” – “Endpoint Detection and Response Architecture and Operations Practices”, December 13, 2018, Gartner Research

As no solution is able to guarantee complete prevention, it is critical to evaluate how the solution responds when these defenses are compromised. By comparing their existing security program to the MITRE ATT&CK™ matrix⁶, organizations can identify gaps in program coverage and prioritize the improvement of the skills, processes, and technologies needed to eliminate them. The ATT&CK framework is built in such a way that organizations can choose where to prioritize based on their threat model and on the other mitigating controls deployed across their enterprise.

Endgame pioneered the use of the ATT&CK framework as an embedded part of the Endgame platform, and many other vendors are starting to follow suit. But highlighting an attack technique is only part of a valid solution. Alert fatigue is a real problem for organizations of all sizes; simply adding new alerts for detections is not going to help, especially when you consider that the use of common system tools can be flagged as suspicious.

Enterprises will find much greater value in platforms that enrich the alerts with data and context related to the incident. Endgame provides all of the information needed to quickly and accurately triage an alert, using visual representations of the origin and full extent of the incident, allowing analysts to act faster and with great confidence.
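The ATT&CK gap analysis described above, as an added example that is not Endgame's code or part of the original guide: it maps a constructed set of detections and mitigating controls onto a handful of real ATT&CK technique IDs, scores the residual gap with the organization's own threat-model weights, and ranks where to invest first. The coverage levels, the deployed controls, the weights and the rule that each mitigating control halves the residual gap are assumptions made for this example, not an ATT&CK scoring method.

```python
"""Added example (not Endgame's code): map an organization's existing
detections and mitigating controls onto a slice of the MITRE ATT&CK matrix
and rank the remaining gaps by the organization's own threat model.
Technique IDs and names are real ATT&CK identifiers; the coverage levels,
controls, weights and the scoring rule are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str


# Real ATT&CK technique IDs and names (a small subset of the public matrix).
TECHNIQUES = [
    Technique("T1566.001", "Spearphishing Attachment", "Initial Access"),
    Technique("T1059.001", "PowerShell", "Execution"),
    Technique("T1047", "Windows Management Instrumentation", "Execution"),
    Technique("T1053.005", "Scheduled Task", "Persistence"),
    Technique("T1003.001", "LSASS Memory", "Credential Access"),
    Technique("T1021.001", "Remote Desktop Protocol", "Lateral Movement"),
]

# Detection coverage levels: no data, raw telemetry only, or an analytic that alerts.
COVERAGE_NONE, COVERAGE_TELEMETRY, COVERAGE_ANALYTIC = 0, 1, 2


@dataclass
class Program:
    detections: dict[str, int]         # technique id -> best coverage level
    mitigations: dict[str, list[str]]  # technique id -> deployed mitigating controls
    threat_model: dict[str, int]       # technique id -> relevance weight, 1 (low) .. 5 (high)


# Constructed assessment of a hypothetical enterprise's current program.
PROGRAM = Program(
    detections={
        "T1566.001": COVERAGE_ANALYTIC,   # mail gateway alerts on malicious attachments
        "T1059.001": COVERAGE_TELEMETRY,  # PowerShell command lines are logged, nothing alerts
        "T1053.005": COVERAGE_ANALYTIC,
        "T1021.001": COVERAGE_TELEMETRY,
    },
    mitigations={
        "T1566.001": ["attachment sandboxing"],
        "T1003.001": ["Credential Guard"],
        "T1021.001": ["MFA on RDP", "network segmentation"],
    },
    threat_model={
        "T1566.001": 5, "T1059.001": 5, "T1003.001": 4,
        "T1053.005": 3, "T1021.001": 4, "T1047": 2,
    },
)


def gap_score(tech: Technique, program: Program) -> float:
    """Residual gap for one technique: threat-model weight, scaled down by how
    much detection coverage exists and halved per deployed mitigating control
    (the halving is a constructed rule for this example)."""
    weight = program.threat_model.get(tech.tid, 1)
    coverage = program.detections.get(tech.tid, COVERAGE_NONE)
    detection_gap = (COVERAGE_ANALYTIC - coverage) / COVERAGE_ANALYTIC  # 1.0, 0.5 or 0.0
    residual = 0.5 ** len(program.mitigations.get(tech.tid, []))
    return round(weight * detection_gap * residual, 2)


def prioritized_gaps(techniques: list[Technique], program: Program) -> list[tuple[float, str, str, str]]:
    """Techniques that still carry a gap, highest score first (ties broken by technique id)."""
    rows = [(gap_score(t, program), t.tid, t.name, t.tactic) for t in techniques]
    return sorted((r for r in rows if r[0] > 0), key=lambda r: (-r[0], r[1]))


def analytic_coverage_by_tactic(techniques: list[Technique], program: Program) -> dict[str, str]:
    """'covered/total' per tactic, counting only techniques that have an alerting analytic."""
    totals: dict[str, list[int]] = {}
    for t in techniques:
        covered, total = totals.setdefault(t.tactic, [0, 0])
        has_analytic = program.detections.get(t.tid, COVERAGE_NONE) == COVERAGE_ANALYTIC
        totals[t.tactic] = [covered + int(has_analytic), total + 1]
    return {tactic: f"{c}/{n}" for tactic, (c, n) in totals.items()}


if __name__ == "__main__":
    for score, tid, name, tactic in prioritized_gaps(TECHNIQUES, PROGRAM):
        print(f"{score:>5}  {tid:<10} {name} ({tactic})")
    print(analytic_coverage_by_tactic(TECHNIQUES, PROGRAM))
```

With the constructed program, PowerShell ranks first (high relevance, telemetry but no analytic, no mitigating control), while RDP drops to the bottom despite the same telemetry-only coverage because two mitigating controls are already in place; that is the "prioritize based on your threat model and other mitigating controls" point in a form an evaluation team can re-run whenever a control or detection changes.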
◾ Validate how easily a junior analyst can use your EPP to answer: “is anyone misusing Powershell in the enterprise?”
◾ A single platform that delivers incident investigation and searching, automatically detects suspicious activity, and provides guided threat hunting.
◾ Capabilities that allow organizations to reduce “Time to Detection” and “Time to Contain” by automatically providing easy to parse context about a security incident.
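One way to answer the “is anyone misusing Powershell in the enterprise?” question above without adding to alert fatigue, as an added example that is not Endgame's code or part of the original guide: each PowerShell launch in constructed process-start telemetry is scored on its context (the parent process, the options used, whether the script comes from a change-managed directory), routine administrative use is suppressed below the alert threshold, and the alert that does surface already carries the parent process and the decoded command line with it. The hosts, users, events, the approved-script directory and the weights are all constructed for the example.

```python
"""Added example (not Endgame's code): answer "is anyone misusing PowerShell?"
from process-start telemetry by scoring each PowerShell launch with its
context (parent process, options used, script location) so that routine
administrative use is suppressed and the surfaced alert arrives enriched.
All events, hosts, users and the scoring weights are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-start telemetry from two hosts.
EVENTS = [
    ProcessEvent("ws-017", "CORP\\jsmith", 4120, 880,
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\jsmith\Downloads\invoice.docx"'),
    ProcessEvent("ws-017", "CORP\\jsmith", 4388, 4120,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"),  # decodes to "ABC"
    ProcessEvent("srv-db02", "SYSTEM", 700, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessEvent("srv-db02", "CORP\\itadmin", 3100, 700,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"),
]

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
APPROVED_SCRIPT_DIR = "c:\\scripts\\"   # constructed allowlist of change-managed scripts
ALERT_THRESHOLD = 50

# Option spellings follow powershell.exe's prefix matching (-enc, -w, -ex, -f ...).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)
FILE_RE = re.compile(r"-f(?:ile)?\s+(\S+)", re.I)


def build_index(events):
    """(host, pid) -> event, so a child can be joined to its parent."""
    return {(e.host, e.pid): e for e in events}


def decode_encoded_command(token):
    """-EncodedCommand carries base64 of UTF-16LE text; return it as readable text, or None."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev, index):
    """Return (score, reasons, context) for one event; non-PowerShell events score 0."""
    if not ev.image.lower().endswith("powershell.exe"):
        return 0, [], {}
    parent = index.get((ev.host, ev.ppid))
    score, reasons = 0, []
    context = {
        "host": ev.host, "user": ev.user, "pid": ev.pid, "cmdline": ev.cmdline,
        "parent_image": parent.image if parent else None,
        "parent_cmdline": parent.cmdline if parent else None,
        "decoded_command": None,
    }
    if parent and parent.image.lower().endswith(OFFICE_IMAGES):
        score += 50
        reasons.append("spawned by an Office application")
    m = ENCODED_RE.search(ev.cmdline)
    if m:
        score += 30
        reasons.append("encoded command")
        context["decoded_command"] = decode_encoded_command(m.group(1))
    if HIDDEN_RE.search(ev.cmdline):
        score += 20
        reasons.append("hidden window")
    if BYPASS_RE.search(ev.cmdline):
        score += 10
        reasons.append("execution policy bypassed")
    f = FILE_RE.search(ev.cmdline)
    if f and f.group(1).lower().startswith(APPROVED_SCRIPT_DIR):
        score -= 40
        reasons.append("script from approved directory")
    return max(score, 0), reasons, context


def triage(events):
    """Only launches at or above the threshold become alerts, each carrying its context."""
    index = build_index(events)
    alerts = []
    for ev in events:
        score, reasons, context = score_event(ev, index)
        if score >= ALERT_THRESHOLD:
            alerts.append({"score": score, "reasons": reasons, **context})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Of the two PowerShell launches, only the one spawned by WINWORD.EXE with a hidden window and an encoded command is surfaced, and the alert already names the parent, the document that was open and the decoded text, so a junior analyst does not have to reconstruct that context by hand; the scheduled backup script run by an administrator with the execution policy bypassed is scored but suppressed, which is the distinction between flagging system-tool usage and producing an actionable alert.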
◾ The ability to immediately isolate any device, restricting network traffic to just the incident responders’ toolset and investigation platform, wherever the endpoint is.
◾ Investigation data must be retained for a useful period – 7 days is not sufficient when the average dwell time is >90 days – and data should be stored in locations that meet the needs of complex, security conscious data privacy laws and regulations.
◾ Capabilities that allow organizations to reduce the “Time to Contain” and “Time to Respond” by providing strong, kernel-level host isolation and vendor guidance on the most appropriate response actions.
ABOUT ENDGAME

Endgame’s converged endpoint security platform is transforming security programs — their people, processes and technology — with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before information theft. Endgame unifies prevention, detection, and threat hunting to stop known and unknown attacker behaviors at scale with a single agent. For more information, visit www.endgame.com.