Improve Security Posture with Deep Learning Enabled Endpoint Detection and Response
January 2019 by Harish Chib, Vice President – Middle East & Africa, Sophos
In this article, Harish Chib, Vice President – Middle East & Africa, Sophos explains why organisations need an additional layer of deep learning enabled Endpoint Detection and Response (EDR) tools to improve their security posture.
Cybercrime is big business, and attackers are continually looking for new attack vectors. The SophosLabs team sees 400,000 new malicious samples every day. That does not mean 400,000 programmers writing code; it means heavily automated systems churning out variants. The result is bespoke malware – a virus written just for you, which signature-based detection has never seen before. With that reality, the best line of defence is a multi-layered security strategy that protects organisations against both known and unknown threats.
The best endpoint technologies will stop the majority of the malware and threats an organisation faces. But as the threat landscape evolves and cybercriminals keep morphing their attacks and probing for new security holes, the unknown minority that slips past prevention is what matters. Endpoint detection and response tools exist to detect that minority.
EDR tools are built to supplement endpoint security with additional detection, investigation, and response capabilities. However, the way EDR tools are usually positioned makes it difficult to understand exactly how they should be used and why they are needed. Making matters worse, today's EDR solutions often struggle to provide value for many organisations: they can be difficult to use, lack sufficient protection capabilities, and are resource intensive.
The good news is that deep learning enabled EDR tools give organisations the easiest way to answer the tough questions about security incidents. Here are the ways deep learning enabled EDR tools add a further layer to an organisation's security posture.
EDR helps generate a clear view of an organisation's security posture
The hardest question for most IT and security teams is "are we secure right now?" Most networks have sizable blind spots, so IT and security teams struggle to see what is going on inside their environments. This lack of visibility is the primary reason organisations struggle to understand the scope and impact of attacks. It often shows up when an incident occurs and the team assumes they are safe simply because that one incident was detected, without checking whether the same activity touched other machines. Deep learning enabled EDR provides that additional insight and determines whether other machines were impacted.
A clear view of an organisation's security posture also makes it possible to report on compliance status. The same information helps identify areas that may be vulnerable to attack, and it lets administrators determine whether the scope of an attack reached systems where sensitive data is held.
It provides an additional layer of detection
When it comes to cybersecurity, even the most advanced tools can be defeated given enough time and resources, which makes it difficult to know with certainty when an attack is under way. Organisations often rely solely on prevention to stay protected; prevention is critical, but EDR offers another layer of detection that can surface incidents which have gone unnoticed.
Organisations can use EDR to detect attacks by searching endpoint telemetry for indicators of compromise (IOCs) such as file hashes, domain names and IP addresses. This is a quick and straightforward way to hunt for attacks that prevention may have missed.
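The following is an added example of what such an IOC sweep looks like in code; it is not Sophos code and it does not use any Sophos API. It assumes a flat list of endpoint events of three types (process launch with a SHA-256, DNS query, outbound connection) and an IOC set of hashes, domains, addresses and CIDR blocks. The hash, hostnames and addresses are constructed placeholders drawn from reserved example ranges, not real threat intelligence. It also shows two details that trip up naive sweeps: hashes must be compared case-insensitively, and domain matching must be done label by label so that `notbadsite.example` does not match an indicator for `badsite.example`.

```python
import ipaddress

# Constructed IOC set for this example. The hash is the SHA-256 of an empty
# file standing in for a malware hash; the domains and addresses come from
# reserved example/documentation ranges, not real threat intelligence.
IOCS = {
    "sha256": {"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    "domain": {"badsite.example", "update-checker.example"},
    "ip": {"198.51.100.23"},
    "cidr": {"203.0.113.0/24"},
}

# Constructed endpoint telemetry, shaped roughly like what an EDR agent records.
EVENTS = [
    {"id": 1, "host": "ws-012", "type": "process", "image": r"C:\Users\a\AppData\Local\Temp\inv.exe",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 2, "host": "ws-012", "type": "dns", "query": "files.cdn.badsite.example."},
    {"id": 3, "host": "ws-031", "type": "netconn", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"id": 4, "host": "ws-044", "type": "dns", "query": "notbadsite.example"},
    {"id": 5, "host": "ws-044", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"},
    {"id": 6, "host": "ws-031", "type": "netconn", "dst_ip": "198.51.100.23", "dst_port": 8443},
]


def normalise_iocs(iocs):
    """Canonicalise indicators once so comparisons are exact and cheap."""
    return {
        "sha256": {h.lower() for h in iocs["sha256"]},
        "domain": {d.lower().rstrip(".") for d in iocs["domain"]},
        "ip": {ipaddress.ip_address(a) for a in iocs["ip"]},
        "cidr": [ipaddress.ip_network(c) for c in iocs["cidr"]],
    }


def domain_hit(name, domains):
    """Return the matching indicator if `name` equals or is a subdomain of one.

    Matching walks the labels rather than using str.endswith, so that
    'notbadsite.example' does not match the indicator 'badsite.example'.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(addr, iocs):
    """Return the indicator (exact address or CIDR block) that `addr` falls in."""
    ip = ipaddress.ip_address(addr)
    if ip in iocs["ip"]:
        return str(ip)
    for net in iocs["cidr"]:
        if ip in net:
            return str(net)
    return None


def sweep(events, iocs):
    """Run the IOC set over telemetry; return (host, event id, ioc type, indicator) tuples."""
    iocs = normalise_iocs(iocs)
    hits = []
    for ev in events:
        if ev["type"] == "process":
            digest = ev.get("sha256", "").lower()
            if digest in iocs["sha256"]:
                hits.append((ev["host"], ev["id"], "sha256", digest))
        elif ev["type"] == "dns":
            m = domain_hit(ev["query"], iocs["domain"])
            if m:
                hits.append((ev["host"], ev["id"], "domain", m))
        elif ev["type"] == "netconn":
            m = ip_hit(ev["dst_ip"], iocs)
            if m:
                hits.append((ev["host"], ev["id"], "ip", m))
    return hits


def hosts_hit(hits):
    """Distinct hosts with at least one match: the machines to investigate first."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    results = sweep(EVENTS, IOCS)
    for host, event_id, kind, indicator in results:
        print(f"{host}: event {event_id} matched {kind} indicator {indicator}")
    print("hosts to investigate:", hosts_hit(results))
```

On this constructed data the sweep flags four events on two hosts (ws-012 and ws-031); the `notbadsite.example` query and the benign notepad.exe launch on ws-044 are correctly ignored. A real sweep would read from the EDR's event store rather than an inline list, but the matching logic is the same.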
It reduces response time to potential incidents
Once incidents are detected, IT and security teams usually scramble to remediate them as fast as possible to reduce the risk of the attack spreading and to limit any potential damage. On average, security and IT teams spend more than three hours remediating each incident. EDR can speed this up significantly.
The first step an analyst takes during incident response is usually to stop the attack from spreading, for example by isolating the affected endpoint from the network. Analysts often do this before investigating, buying time while they determine the best course of action.
The investigation process can be slow and painful, and that assumes an investigation happens at all. Incident response has traditionally relied heavily on highly skilled human analysts, and most EDR tools still depend on analysts knowing which questions to ask and how to interpret the answers. With deep learning enabled EDR, security teams of all skill levels can respond to security incidents quickly thanks to guided investigations that offer suggested next steps, clear visual representations of the attack, and built-in expertise.
It adds expertise without adding headcount
By a large margin, organisations looking to add endpoint detection and response capabilities cite "staff knowledge" as the top impediment to EDR adoption. To close that gap, deep learning enabled EDR replicates the capabilities of hard-to-find analysts: it uses machine learning to build in deep security insight, so organisations can add expertise without adding staff.
It helps you understand how an attack happened and how to stop it from happening again
Threat cases, included with EDR, spotlight every event that led up to a detection, making it easy to see which files, processes, and registry keys the malware touched and so to determine the impact of an attack. More importantly, by understanding the root cause of an attack (the process chain that first let it in), the IT team is far more likely to prevent it from ever happening again.
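To make the threat-case idea concrete, here is an added example (not Sophos code, and not how any particular product builds its threat cases) that reconstructs the chain from a detection back to its entry point over constructed process and artifact telemetry from one endpoint. The process tree, paths, PIDs and the detection event are all made up for illustration. It assumes two things worth stating: that the agent records parent PIDs, so ancestry can be walked, and that a short list of generic Windows launcher processes (`explorer.exe`, `services.exe` and so on) should not be blamed as the root cause, since walking up past them would point at the operating system rather than at the email client or browser that actually let the attack in.

```python
# Constructed telemetry from one endpoint. PIDs, paths and the detection are
# placeholders made up for this example.
PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n Invoice.docm"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc ..."},
    {"pid": 500, "ppid": 400, "image": "inv.exe"},
    {"pid": 600, "ppid": 100, "image": "chrome.exe"},   # unrelated sibling, must not be blamed
]
ARTIFACTS = [
    {"pid": 300, "kind": "file",     "action": "read",  "path": r"C:\Users\a\Downloads\Invoice.docm"},
    {"pid": 400, "kind": "file",     "action": "write", "path": r"C:\Users\a\AppData\Local\Temp\inv.exe"},
    {"pid": 500, "kind": "registry", "action": "set",   "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\inv"},
    {"pid": 500, "kind": "file",     "action": "write", "path": r"C:\Users\a\Documents\report.docx.locked"},
    {"pid": 600, "kind": "file",     "action": "write", "path": r"C:\Users\a\Downloads\page.html"},
]
# The event the detection engine raised (constructed).
DETECTION = {"pid": 500, "reason": "executable classified as malicious"}

# Processes that launch almost everything on a Windows desktop; walking up past
# them would blame the OS rather than the real entry point. This list is an
# assumption for the example, not a definitive one.
LAUNCHERS = {"explorer.exe", "services.exe", "svchost.exe", "wininit.exe", "userinit.exe"}


def ancestry(pid, procs):
    """Process chain from the top-most recorded ancestor down to `pid`."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def root_cause(chain):
    """First process in the chain that is not a generic launcher: the entry point."""
    for proc in chain:
        if proc["image"].lower() not in LAUNCHERS:
            return proc
    return chain[-1] if chain else None


def subtree(pid, procs):
    """`pid` plus every descendant, i.e. everything the entry point spawned."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p["pid"])
    pids, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        if cur in pids:
            continue
        pids.add(cur)
        stack.extend(children.get(cur, []))
    return pids


def threat_case(detection, procs, artifacts):
    """Assemble a threat case: chain, root cause, affected processes and touched artifacts."""
    chain = ancestry(detection["pid"], procs)
    root = root_cause(chain)
    affected = subtree(root["pid"], procs)
    touched = {}
    for a in artifacts:
        if a["pid"] in affected:
            touched.setdefault(a["kind"], []).append(f'{a["action"]} {a["path"]}')
    return {
        "chain": [p["image"] for p in chain],
        "root_cause": root["image"],
        "affected_pids": affected,
        "touched": touched,
        # Run-key writes by the attack subtree are persistence that must be removed.
        "persistence": [t for t in touched.get("registry", []) if "\\run\\" in t.lower()],
    }


if __name__ == "__main__":
    case = threat_case(DETECTION, PROCESSES, ARTIFACTS)
    print(" -> ".join(case["chain"]))
    print("root cause:", case["root_cause"])
    for kind, items in case["touched"].items():
        print(kind, items)
    print("persistence to remove:", case["persistence"])
```

For the constructed data the chain reads explorer.exe -> OUTLOOK.EXE -> WINWORD.EXE -> powershell.exe -> inv.exe, the root cause is OUTLOOK.EXE (a document that arrived by email), the affected set is the four processes under it, and the Run-key write is singled out as persistence to remove. The unrelated chrome.exe process and the file it wrote are excluded because they sit outside the entry point's subtree; that is the "scope of the attack" distinction the text describes.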