Most breaches begin at the endpoint because in many instances it's the obvious and most likely starting point for an external attacker to gain entry into an organisation.
And while the introduction of endpoint detection and response (EDR) solutions and next-generation anti-virus (AV) have significantly improved organisations' ability to protect endpoints, attackers have responded by increasing the sophistication of their attacks.
So says Christo Erasmus consultancy director at F-Secure, who will be presenting alongside Warren Hero, CIO at Webber Wentzel on 'Endpoint detection and response: Preparing your organisation for a cyber attack’, at the ITWeb Security Summit 2020, to be held as a virtual event from 25 to 28 August.
Erasmus says organisations can place themselves at risk by relying too heavily on these technologies alone, instead of building a skilled team of threat hunters who can use these technologies as force multipliers.
“Endpoint hardening controls are also often overlooked, as they may initially appear as if they would impact usability too much,” adds Erasmus. “However, neglecting to implement these controls provides attackers with many different options, which makes it easier for them to compromise users and systems, and harder for defenders to stop them in time.”
Successfully defending against sophisticated attackers requires a combination of people, process and technology. “Organisations need to ensure that the people and process components are not neglected in favour of technology. Finding skilled people can be a challenge, so you need a clear long-term plan for building and retaining a threat hunting blue team.”
He says for the team to be successful, it needs a deep understanding of the tactics, techniques, and procedures (TTPs) used by attackers. A practical and effective way of improving this understanding is simply through practice – conducting simulated attacks against the organisation, or collaborative exercises between the red team and blue team, will provide the blue team with opportunities to gain first-hand insight into how attackers operate and allow them to practice their detection and response skills.”
Attackers are constantly improving and a good blue team needs to do the same if they are to be successful, Erasmus adds.
Speaking of how the COVID-19 pandemic has changed endpoint detection and response, he says threat actors continue to grow in sophistication, with or without the pandemic. “Remote working for employees, including security staff, has introduced new challenges in dealing with these attacks that organisations would be well aware of by now.”
Blue teams needed to adapt to ensure employeees are still able to collaborate effectively, and that the tools they rely on can be accessed remotely without compromising security or effectiveness, he says. “In many cases, this would have necessitated a significant change in processes and the introduction of new systems.”
For EDR and similar solutions, flexibility is even more important now, Erasmus stresses. “Blue teams need to conduct more incident response activities remotely, often with bandwidth limitations. EDR solutions that provide blue teams with the necessary functionality to operate effectively and decisively under these circumstances will stand out from the rest.”
Delegates attending Erasmus and Hero’s talk – on day 2 of the Security Summit, in the Blue/red team strategies track – will hear about balancing technology with human insight from the perspective of a CISO. In addition, they will be shown real-world examples of how sophisticated attackers bypass modern technology, and will receive practical tips for building a resilient defence team.
Share