The Pulse of Risk Detection and Response at RSA 2019

The RSA Conference offers a great chance to catch up with vendors in the major cyber security categories. This year, I spoke with a number of players in the cyber risk detection and response category. This includes Endpoint Detection and Response (EDR), but the work of risk detection and response has grown far broader and deeper in scope.

The Growing Need for Context in Detection and Response

What is it, and what should we do about it? These twin questions create endless stress for SecOps teams. Is a threat serious? If so, how serious? And, if it’s serious, do we know how to handle it? To get better at answering these essential questions, SecOps is turning to threat detection and response solutions that can provide context for threats that appear on the horizon.

Brian Hussey, VP of Cyber Threat Detection and Response at Trustwave

Trustwave, which offers Managed Detection and Response (MDR) services, has taken a number of steps to build stronger context into their operations. They are feeding data about known bad actors into their intel fusion platform (IFP). Trustwave is constantly adding data about new threat actors and expanding their alliances with threat intel sources. The company is enriching its threat context awareness through an increasing network of partners. For example, they have close partnerships with Cybereason and Palo Alto Networks, which includes support for the Cortex XDR product. They map their threat hunting and threat assessment tools to the MITRE attack frameworks.

“When a threat appears, we want to know right away if it’s something that either we, or someone we trust, has seen before,” explained Brian Hussey, who serves as the company’s VP of Cyber Threat Detection and Response. “And, people in our space can no longer limit themselves to being perimeter-based,” Hussey added. “We have to have to have context guiding us all the way down into a deep dive into the threat. That’s the best way to take a security event and determine what it truly is all about.”

Trustwave threat detection interface

SentinelOne is focusing on context, too. For SentinelOne’s Chris Bates, context means “autonomously building a story in real time,” as he put it. “Let’s say the SoC analyst sees a bad hash on an IoT device. Big deal? Not a big deal? That’s the question, and the faster he or she can make the right call, the more effective the SoC will be. That takes context. And, to make a difference, the context has to be provided on an automated basis.”

SentinelOne uses MITRE, among other frameworks, to build context. In addition, the tool can query an Information Sharing and Analysis Center (ISAC) and get context about the threat actor, including ISEs to research. In contrast, with passive EDR, the analyst would have to spend time on any discovered ISEs and decide whether it’s a false positive. This eats up analyst time.

Automation in this case involves the use of Machine Learning. From automated detection and context, SentinelOne can trigger automated remediation. “We can set up policy,” Bates shared. “What can the endpoint agent do automatically, before it gets kicked to the operator. It can be set up to kill or quarantine a threat on its own.”

“We can set up policy,” Bates shared. “What can the endpoint agent do automatically, before it gets kicked to the operator. It can be set up to kill or quarantine a threat on its own.”

Where things get interesting, according to Bates, is when threat actors engage in context evasion. For example, an advanced attacker might use two different processes to trick the detection agent. “Let’s say that process A stops process B,” he said. “Then, process B uses an advanced OS call or injection to take over yet another remote process tree. Most existing tools will only see one process being affected, not both. Or, they’ll lose it and report it as separate event. SentinelOne is leveraging threat intelligence context and Machine Learning to mitigate these sophisticated types of attacks.

Changing the Place of Counterattack

Jack Danahy, Senior VP, Security, of AlertLogic, who has been working in the security field since 1989, is seeing the blurring of lines between Endpoint Protection Platforms (EPPs) and EDR. In his view, EDR technology is moving farther back in the kill chain. “Waiting for a threat to reach your endpoint is probably depriving yourself of adequate response time,” Danahy said. AlertLogic, for its part, is scanning the Dark Web to create a sort of early warning system for threats that have not yet reached endpoints.

Jack Danahy, Senior Vice President / Security at Alert Logic

“If we see credentials for your enterprise for sale on the Dark Web, that’s a strong hint that an attack is heading your way,” he explained. “With AI and multiple sources of threat intel, we can often get a good sense of what’s coming and how the attack will go down.” The company maintains an AI unit staffed with more than 30 data scientists. “Our goal with this team is to provide a level of AI that is difficult for all but the biggest organizations to maintain,” he said. “With their input, our AI abilities can remain on alert to detect threats before they hit your endpoints.”

Absolute is also focused on shifting the locus of endpoint countermeasures. Their endpoint security product is embedded in device firmware. In most cases, it comes with the device. The company has OEM relationships with Dell and other manufacturers. The customer can simply switch it on once they stand up the machine. From there, they can extend Absolute’s control over other attached devices.

Josh Mayfield, Director of Security Strategy at Absolute Software

As Josh Mayfield, Director of Security Strategy at Absolute, explained, their approach enables the tool to realize the intent of a control at the endpoint. It orchestrates other controls. For example, a company might have the intent to apply anti-virus controls at the endpoint. This goal can fall apart in several ways, however. The anti-virus software might become out of date. In this case, Absolute would orchestrate the needed update or patch.

The anti-virus could also fail due to losing access to system resources. “You can have quite a competition for resources at the endpoint,” Mayfield observed. “We now see a dozen or more agents on each endpoint. Without something regulating the environment, some countermeasures can effectively be starved of resources and stop working. We prevent this from happening.” The process is invisible to the end user.

Delivering EDR in New Verticals and Customer Segments

RSA also showcased threat detection and response providers who are focusing on specific verticals or expanding into new customer segments. CyberInt, for example, is concentrating some of its efforts on retail, banking and online gaming. The advantage of this approach is that it allows deep focus and knowledge of the way malicious actors behave in a specific industry context.

Daniela Perlmutter, VP of Marketing at CyberInt

“Hackers tend to specialize, just like business managers,” said Daniela Perlmutter, VP of Marketing at CyberInt. “They do best when they understand their targets as well as possible. Therefore, it only makes sense to concentrate on defending them with specialized countermeasures.”

As Perlmutter put it, the retail and banking sectors have distinct risks and vulnerabilities. The retail business, for example, faces exposure through its point of sale (PoS) systems, which often carry vast amounts of personal data through obsolete operating systems. Retailers are also vulnerable due to the way they promote their businesses with gift cards and online advertising.

Cyber Monday ad hijacking offers an object lesson in retail-specific risk. Millions of consumers are online looking for special deals in the pre-Christmas shopping season. Hackers place ads on Google offering special savings on gifts, spoofing retailer websites and using the technique to capture account log in credentials. With the log in data, the hackers can take over consumers’ accounts at stores and order merchandise or gift cards.

CyberInt mitigates such risks through an MDR service. Their platform combines insights from a variety of threat detection sources. These include the Dark Web as well as endpoints, SIEM systems, firewalls and open source data such as social media. Their Dark Web crawlers can discover incoming threats by searching for customer names. For example, if the crawler is set to look for Angie’s List, it might find Dark Web postings for “Angie’s List refund Codes.” This tip can lead CyberInt to block the owner of these stolen codes from accessing the Angie’s List website.

Their Dark Web crawlers can discover incoming threats by searching for customer names.

Netsurion is building its business by offering EDR and SIEM services to mid-sized customers. “We have found strong demand for our advanced EDR and SIEM services in companies that do not have the resources to build their own teams for these capabilities,” said A.N. Ananth, Chief Strategy Officer of Netsurion. “A company with 1,000 employees is just as vulnerable, if not more so, than a company with 50,000 people,” he observed. “They need protection, but in order for the service to work, it has to be packaged and priced in a way that makes sense. That’s what we do.”

Netsurion works largely through the Managed Security Service Provider (MSSP) channel to reach smaller organizations. The approach also works with multi-site companies that must deploy endpoint protection across many locations. With this model, Netsurion can give highly advanced threat detection and response to clients who would generally not be able to build such a capability for themselves.

Netsurion can give highly advanced threat detection and response to clients who would generally not be able to build such a capability for themselves.

For example, Netsurion’s centralized SOC can follow threat actors as they use techniques like PowerShell scripting or Microsoft Outlook-based attacks to enter targets through what Ananth calls “the side door”—penetrating departments like HR and moving laterally across networks. “We can catch them if they try,” he said. “Now, everyone can have this level of defense, not just the big guys.”

Tricking the Attacker

Deception-based threat detection and response is also growing more sophisticated. Though deception is not a new technique, it is now being deployed on a far broader scale. Illusive Networks, for example, is now able to plant deceptive credentials on virtually every endpoint in an enterprise. Thus, if an attacker takes over an endpoint and starts moving laterally in search of network log in credentials contained on other endpoints, he or she will find many, but they will invariably be traps.

Ofer Israeli, Founder CEO of Illusive Networks

“Our approach is to use deception to detect compromises early,” said Ofer Israeli, Founder and CEO of Illusive Networks. “With early detection, we can follow the attacker and see which fake credentials they grab. From there, we can block them, learn more about their techniques and so forth.”

The Illusive approach is based on the reality that many servers contain cached credentials. For example, if an admin logs onto a machine to service it, the admin’s credentials are almost always left on the machine. “This serves no business purpose and it exposes the machine to takeover,” Israeli explained. He added, “The attacker, though, usually won’t know if it’s just great luck that he’s found cached credentials or it he’s like a fish that bit onto a hook hidden in a worm.”

Illusive is taking the deception practice even further now. They can now deploy decoys. These systems look real (e.g. they’re running databases and application servers, etc.) but they’re actually fake. They exist to trap hackers. When hackers compromise these decoys, they are then watched as they make their next moves. “We can watch them and learn a lot about how they work,” Israeli said. “This gives us the advantage in stopping them, regardless of what they try. And, it helps us protect against them all the better the next time they try to get inside the network.”

Photo Credit: dejankrsmanovic Flickr via Compfight cc