5 tips to better detect and respond to advanced endpoint threats

intruder

Endpoint threats are growing more sophisticated and targeted, as hackers come up with new attack techniques and tailor hacking tactics to their specific targets. Recently, ransomware attacks such as WannaCry and Petya compromised hundreds of thousands of end-user devices, leaving IT departments scrambling to resolve the outbreaks without good visibility or control of their endpoints. But the targeted attacks leading to critical company breaches are typically more stealthy and harder to detect.

Today, it’s not a matter of if your company will get compromised, but when. The challenge is how quickly you find out and how well prepared you are to respond to a compromise. Security teams are judged by how well they can react to and mitigate any impact to the organization before it’s too late.

A prevailing concern among security pros is that traditional endpoint protection platforms miss a number of threats, especially Advanced Persistent Threats (APTs). And even when an endpoint protection product does successfully stop a threat, it doesn’t always capture details on the incident, so an analyst can’t inspect or review threat activities to determine the threat’s exact scope. For security analysts to scale their capabilities, they need comprehensive endpoint visibility that quickly helps determine the who, what, where and when of a security threat.

There are many new endpoint detection and response (EDR) technologies on the market now that let security analysts gain full visibility of endpoints, detect compromises early, investigate and get an understanding of the extent of the compromise and the goals of the attacker.

However, it’s not just about technology. To reap the real benefits from those solutions, companies need to have the expertise to integrate them into their specific environment and to configure and maintain them.

Here are five tips for companies looking to get the most out of an EDR tool:

  1. Focus on policy management. Companies need to fine-tune their security policies. It’s important to evaluate the specific risk posture of your industry and know when to enable policies as less restrictive or more restrictive. It’s also key to quickly evolve your policies as the threat landscape changes or new business requirements and risks emerge.
  2. Take a phased approach. Don’t just turn on the new tool. Start with a proof of concept, then pilot with a subset of users and add on more servers. Deploy your policies to be gradually more restrictive with a phased approach, until you’re finally at the point where the product is in full production and really meeting your needs – without impacting your end-users.
  3. Maintain solid threat intelligence. Good threat intelligence starts with looking for indicators of compromise (IOCs) of recent events, from both company-specific incidents, as well as known industry threats. IOCs can range from unusual outbound network traffic to known bad processes or registry keys. Make sure your solution can hunt down those specific IOCs and alert you when they are found in your environment.
  4. Deploy efficient 24×7 monitoring. With the volume of attacks attempted by malicious actors, security solutions can generate huge volumes of alerts. Organizations can get overwhelmed and may not have the manpower to process and review the events generated, or may underestimate the effort and expertise required to give those events the right attention. Differentiate and identify those events that are meaningful and critical (versus failed hacking attempts without consequence or that are not targeted), as it will let the security team focus investigation efforts where they really matter.
  5. Make well-informed decisions. Once you’ve identified malicious activity or compromise, you need the ability to understand, assess and react to that threat and then know the best course of action to take. For example, know when to investigate stealthily versus when to react immediately to contain a threat and avoid damage. There may be certain circumstances where you’ll want a threat hunter to do more research, and there may be times you just have to act swiftly to contain a threat to avoid further damage.

That’s where DXC’s Managed Endpoint Threat Detection and Response (METDR) team can help. We have experienced threat hunters on staff who can do the tough research projects, and we also have teams that can conduct the 24×7 monitoring that often gets overlooked by many organizations. Let us help your organization improve its security posture by developing a thorough plan that includes full end-to-end capabilities — including risk analysis, detection, monitoring, incident response and threat hunting and intelligence.


Rishu-Bansal-headshotRishu Bansal is an Offering Manager at DXC, focusing on Managed Security Services. He has more than 12 years of experience in cybersecurity, including roles in product and portfolio management, solution design and presales, transitioning and transformation, and implementation and delivery of cybersecurity services. Bansal has worked in different cybersecurity domains, such as network security, endpoint security, cloud security, security monitoring, and threat and vulnerability management.


Cathia-Remond-headshotCathia Rémond is an Offering Manager at DXC  focusing on Managed Security Services. She has more than 15 years of experience in cybersecurity in various fields ranging from vulnerability management and data privacy and protection to security information and event management and endpoint security.

Trackbacks

  1. […] 5 tips to better detect and respond to advanced endpoint threats […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: