
What endpoint protection solutions are available on the market today?


This is a talk I gave in Nov 2020 about how the working from anywhere movement is changing how we protect our endpoints and business networks.


  1. What EDR solutions are available on the market today?
     • David Strom
     • St. Louis, USA
     • @dstrom
  2. (no slide text extracted)
  3. Agenda (1E - Copyrighted. All rights reserved)
     • Trends
     • Phishing and box fatigue
     • Rise of zero trust
     • Here come the (US) Feds
     • What the scope of an EDR product means today
     • Competitive landscape of 1E Tachyon, Tanium and Carbon Black
  4. Trends
  5. Then Covid happened
     • VPNs aren’t the (total) answer, despite Jerry’s pleas
     • Ransomware attacks up 25% from 2019Q4 to 2020Q1
     • Almost everyone reported an overall increase in the number of attacks
     • FBI cybercrime reports went from 1000/day to 4000/day
     • UK’s NCSC: Covid-related attacks on the rise
     • Huge rise in phishing emails …
  6. Phishing subject lines
     • Password Check Required Immediately
     • Vacation Policy Update
     • Corporate Reopening Schedule
     • COVID-19 Awareness
     • Coronavirus Stimulus Checks
     • List of Rescheduled Meetings Due to COVID-19
     • Confidential Information on COVID
     • COVID-19 - Now airborne, Increased community transmission
     • Fedex Tracking #
  7. Verizon Data Breach Report 2020
  8. Box fatigue c. 2017 vs. security fatigue today
  9. (untitled)
     • Get a password manager
     • Use an ad blocker
     • Patch and update everything you can
     • Check/think before you click
  10. Do these ‘package delivery’ phishes seem familiar?
  11. Rise of zero trust networks
     • Origin: in 2010 John Kindervag of Forrester coined the term
     • Core idea: no one gets access until they prove who or what they are
     • Better idea: zero risk – find the critical data that is worth protecting
  12. Another way to ask
     • What is the single source of truth that we can use to secure the WFA endpoint?
  13. Here come the Feds
  14. National Institute of Standards and Technology (NIST) Special Publication 800-171
  15. NIST implementation guidelines: Cybersecurity Maturity Model Certification (CMMC) program
     • Jan 2020 – first released
     • Sept 2020 – interim guidelines
     • Nov 2020 – start date to phase things in and get certified
     • Nov 2025 – when it is supposed to be complete and required for everyone
     CMMC levels:
     • 1: basic cyber hygiene
     • 2: document best practices
     • 3: where everyone should be, with implemented plans
     • 4: more defensive measures in place
     • 5: advanced threat prevention
  16. EDR/EPP/XDR functional expectations
     • Ad hoc search queries
     • Better security policy enforcement and reporting
     • Automatic discovery of outliers and unmanaged endpoints
     • Detection of lateral network movement (for better early attack notifications)
     • Better remediation and deployment tactics
     • Better security awareness training
     • Better patch management (ditto)
     • Integration into existing protective gear such as event and service management tools
  17. (first item of the list not extracted)
     2. Network traffic analysis
     3. Malware sandboxes
     4. Cyber threat intelligence
     5. Central analytics and management
     6. Email protection
  18. Let’s look at three EDR products
  19. Tanium features
     • Not just P2P but also across the LAN/WAN
     • Added its own natural language explorer query tool
     • Queries take <15s, so a bit slower than Tachyon
     • More granular access rights and drill-down analysis features now included
     • Scripts supported in PowerShell, Python or VBScript; >800 written
  20. Tanium
  22. Use cases for 1E Tachyon
     • Deploying patches across a mixed OS environment
     • Find the compromised PC for a specific malware intrusion
     • Why can’t I install this software on this PC?
     • Is my web browser slow?
     • My always-on business is offline. Why?
     • Can I automate a non-infosec event?
     • Can I track which users have reviewed which infosec policies?
  23. Tanium vs. 1E Tachyon vs. Carbon Black
     Tanium:
     • Slower responses on queries
     • Microsoft “insurance” vendor
     • P2P/LAN design outmoded
     • UI could use a refresh
     1E Tachyon:
     • Millisecond response time on queries
     • Powerful query construction process
     • Built-in security awareness tool
     Carbon Black:
     • Win, Mac, lots of Linux clients (but no phones)
     • Multiple sensors already embedded in VMware products like vCenter, vSphere and NSX
     • File distribution not as good as competitors’
     • Confusing array of product versions
  24. Thank You – David Strom
     +1 (314) 277-7832
     Twitter: @dstrom
     Slides available:
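Slide 16 lists ad hoc search queries, discovery of unmanaged endpoints and detection of lateral movement as what an EDR product is now expected to do, and slide 19 points at the query tools the products ship. The block below is an added example, not code from the talk or from 1E, Tanium or VMware, of what such a query looks like when written by hand against the telemetry an agent reports: it hunts for a file hash, a DNS name and an IP pair, walks the process tree behind an internal connection on an administrative port, and lists hosts seen on the network that have no agent. Every host name, hash, address and domain is constructed; the INTERNAL address range and the ADMIN_PORTS set are assumptions.

```python
"""Added example (not code from the talk or from any EDR vendor): an ad hoc hunt
over endpoint telemetry of the kind slide 16 lists as expectations for an EDR
product: queries by file hash, DNS name or IP pair, a first cut at lateral
movement detection, and discovery of unmanaged endpoints. Every host name, hash,
address and domain below is constructed for the example."""
import ipaddress
from collections import defaultdict

# Constructed telemetry: one dict per event, roughly what an agent would report.
EVENTS = [
    {"host": "pc-01", "type": "process", "pid": 100, "ppid": 1, "name": "winword.exe", "sha256": "a1" * 32},
    {"host": "pc-01", "type": "process", "pid": 101, "ppid": 100, "name": "powershell.exe", "sha256": "b2" * 32},
    {"host": "pc-01", "type": "dns", "pid": 101, "query": "update-cdn.example.invalid"},
    {"host": "pc-01", "type": "netconn", "pid": 101, "src": "10.0.0.11", "dst": "10.0.0.12", "dport": 445},
    {"host": "pc-02", "type": "process", "pid": 200, "ppid": 4, "name": "svchost.exe", "sha256": "c3" * 32},
    {"host": "pc-02", "type": "netconn", "pid": 200, "src": "10.0.0.12", "dst": "203.0.113.5", "dport": 443},
    {"host": "pc-03", "type": "process", "pid": 300, "ppid": 1, "name": "chrome.exe", "sha256": "b2" * 32},
]

# Constructed indicators, as they would arrive from a threat-intel feed or an analyst's query.
INDICATORS = {
    "sha256": {"b2" * 32},
    "domains": {"update-cdn.example.invalid"},
    "ip_pairs": {("10.0.0.11", "10.0.0.12")},
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
ADMIN_PORTS = {135, 445, 3389, 5985}            # RPC, SMB, RDP, WinRM (assumed list)


def hunt(events, indicators):
    """Return {host: [reason, ...]} for every host with at least one indicator match."""
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["sha256"] in indicators["sha256"]:
            hits[e["host"]].append(f"process {e['name']} (pid {e['pid']}) hash on watchlist")
        elif e["type"] == "dns" and e["query"] in indicators["domains"]:
            hits[e["host"]].append(f"dns lookup for {e['query']}")
        elif e["type"] == "netconn" and (e["src"], e["dst"]) in indicators["ip_pairs"]:
            hits[e["host"]].append(f"connection {e['src']} -> {e['dst']}:{e['dport']}")
    return dict(hits)


def process_ancestry(events, host, pid):
    """Walk parent links on one host back to the root; names are returned root-first."""
    procs = {e["pid"]: e for e in events if e["host"] == host and e["type"] == "process"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # the seen set guards against pid-reuse loops
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def lateral_movement_candidates(events):
    """Internal-to-internal connections on admin/file-sharing ports, with the lineage of
    the initiating process, so an analyst sees e.g. an Office document behind SMB traffic."""
    out = []
    for e in events:
        if e["type"] != "netconn" or e["dport"] not in ADMIN_PORTS:
            continue
        if ipaddress.ip_address(e["src"]) in INTERNAL and ipaddress.ip_address(e["dst"]) in INTERNAL:
            out.append((e["host"], e["dst"], e["dport"], process_ancestry(events, e["host"], e["pid"])))
    return out


def unmanaged_hosts(seen_on_network, managed_inventory):
    """Hosts observed on the network (DHCP leases, switch tables, scans) that have no agent."""
    return sorted(set(seen_on_network) - set(managed_inventory))


if __name__ == "__main__":
    for host, reasons in hunt(EVENTS, INDICATORS).items():
        print(host, reasons)
    print(lateral_movement_candidates(EVENTS))
    print(unmanaged_hosts(["pc-01", "pc-02", "pc-03", "printer-07"], ["pc-01", "pc-02", "pc-03"]))
```

Run as a script it reports pc-01 (hash, DNS and IP-pair matches) and pc-03 (hash match only), shows the winword.exe to powershell.exe lineage behind the SMB connection, and names printer-07 as the unmanaged host. The same three loops are what a product's query language hides; the point of writing them out is to see why scale matters, since each of them touches every event on every endpoint.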

Editor's Notes

  • We are experiencing a changing nature of cyberattacks, especially as the world has moved towards more working from home. These attacks have evolved with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered “outside” and “inside” the corporate network. But then the Internet happened, and we all became connected. Even before the pandemic, there was little difference. With the advent of the cloud, and definitely since the pandemic began, we are now all considered out. We are all working from home, using devices that aren’t necessarily ones that IT has purchased, and sharing them with other family members. In my talk, I want to identify some trends that have changed the endpoint detection and response marketplace, and examine a few of the EDR products and show how they have evolved as well to meet this new collection of threats.
  • Firewalls are now all about the software.
    Ubiquitous Internet means no difference between inside and outside.
    Your Internet pipe is probably too small and has too much latency to support 100% WFH.
    BYOD is the norm, not the exception. There is this piece from 2014!! BYOD was never a great idea to begin with. Now everyone is BYOD.

    And VPNs—at least as most companies use them today—are not a long-term solution for the distributed workplace. Having everyone connect to the physical office network to get work done requires a whole new level of networking infrastructure. We have tools such as remote desktops that weren’t designed to be used in such abundance by the general user population. We have VPNs that circumvent all kinds of network protection, not to mention the various vulnerabilities they have experienced recently.
  • The UK’s NCSC reported that so far this year it has handled 200 Covid-related attacks, a third of all the incidents it has dealt with, affecting 1200 victims, mainly in the National Health Service and other public agencies that it protects.
  • This is from a report by the phishing awareness vendor KnowBe4, compiled from 2020Q2 emails. The company then uses this research to produce a series of simulations to see if users are paying attention. They found that the scams are becoming more aggressive and more targeted as we continue under lockdown.
  • The pandemic is making it easier for cybercriminals to target mid-level managers, with lures ranging from Covid-related ones to more traditional business impersonations. In one case, the FBI investigated a COVID-19-related case of CEO fraud in which the hacker, posing as a CEO, requested that a money transfer date be moved up due to precautions surrounding COVID-19 and the quarantine process. In the end, the hoax cost one financial institution a million dollars. Other phishing lures claim to come from the CDC or local public health offices to trick users into divulging private data or opening attachments.

  • This is the Verizon breach report that was released earlier this year. Once again it highlights the role that phishing plays, moving to the #1 spot in the 2019 report and in the top two threat types across all incidents. Google blocks 1M phishing emails daily across its infrastructure.
    The pandemic has made phishing attacks more dangerous, as we can see in the next slide with the typical email subject lines.
  • Malwarebytes used this term back in 2017. The problem is that we ask too much from our end users: they have to watch out for phishing emails, make sure they have complex enough passwords, and use MFA properly. “People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it. The volume of messaging, combined with an unclear understanding of how to move forward, is what leads to security fatigue.” All these cybersecurity warnings result in desensitization of the users.
  • This is from 1970 comic strip artist Walt Kelly. You’ll see why in a moment.
    That article that mentioned box fatigue recommends these four simple actions to take.
  • Note the date: April 7th. I got this notification in September! I guess the US postal mail really takes that long to deliver a package? Needless to say, I didn’t click on the link.
  • IT shouldn’t be the interstate highway system but part and parcel of today’s business decisions.
    Certainly, Covid changed things and accelerated the adoption of zero trust to protect WFH staffers.
    But zero trust needs to be done systematically, segmenting the network based on risk and auditing the access rights to each segment.
    When was the last time you audited your AD users? Do you have an off-boarding policy in place to remove users who no longer work for the company? How quickly are they taken off the rolls and their authentications removed from all your systems?
  • Once upon a time a US bicycle manufacturer would hold a status meeting for their product staff in a conference room, updating a shared spreadsheet on the status of their products in the pipeline. Granted, this was a long time ago, but still, you can’t use outdated technology as your single source of truth. This is the Stone Age; we must bring things into the modern era.
  • Back when we could attend conferences, the popular DefCon show in Vegas every summer would have this activity called “spot the fed,” meaning the conference attendee who was from the intelligence and law enforcement community. The attendees were warned that “If you see some shady Men in Black earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, you might win one of these t-shirts,” and the fed would get an equivalent “I am the fed” shirt. Today I want to talk about two efforts by my government to try to bring some order to your endpoints.
  • The first is this NIST document, which establishes cybersecurity standards for federal contractors and is being used as a playbook by many endpoint protection vendors and customers. It has a long list of action items to try to improve security. 1E has put this together in the following slide.
  • The CMMC requires third-party assessments of DoD contractors at various levels of compliance. The goal is to move these contractors – which number more than 300,000 companies – up through the levels and improve their cyber hygiene.
  • These efforts by NIST and the DoD have resulted in a consolidation of various endpoint protection functions, in some cases giving EDR products a wider scope. We are asking an awful lot from our EDR vendors, and some of them, such as 1E, have risen to that challenge to provide a more integrated and powerful product.
    Some vendors have called this EPP or XDR to show this wider context. Qualys calls their product vulnerability management, detection and response, or VMDR, so they win the acronym pile-on.
  • This is an article from CSO in Mat 2019
    The integration will happen by consolidating analytics, using integrated platforms like Tachyon, and integrating APIs
    I would add to this list email protection – while it isn’t an endpoint technology per se, phishing attacks are making it more important.
  • The question of scale is important. A lot of EDR products can’t handle hundreds of thousands of endpoints and still find items such as an executable process with a specific hash value, examine a particular set of IP address pairs, or spot a DNS lookup that points to a malware site. Or they can’t deploy to or remediate many systems concurrently.
    Tachyon: 190k endpoints, with 100k concurrent machines
    Tanium: 900k endpoints in one DoD service branch
    Carbon Black: equally large, with a collective daily analysis of 1T events
  • Tanium has a much slower query response time, whereas Tachyon’s responses take just a few milliseconds and seem almost instantaneous.
  • Tanium separates its EDR product into a series of modules, each with a specific single function, such as patching or threat response.
  • Tanium now has the same explorer query tool that Tachyon has had for years, but it is much more bare bones.
  • Here is the threat response dashboard, with links to learning resources at the top and some simple charts below that summarize the alerts.
  • We are not about finding bombs but about finding a van that you are going to drive into a crowd
  • At the core of Carbon Black is its Watchlist: this is where you set up your detection policies, and it also maps the threats to the MITRE ATT&CK framework so you can learn more about mitigation measures.
  • Here is its malware process tree discovery tool where you can examine each piece of code and see its resources and how a piece of malware spread throughout your infrastructure and endpoints.
  • VMware is trying to do its best to integrate Carbon Black into its existing security tools, and is more focused on managing large-scale virtual infrastructure. It has a confusing array of different product versions, starting with cloud vs. on-premises versions. Some of its existing tools, such as NSX and vSphere, include Carbon Black agents.
  • Finally, we come to Tachyon. Here is its main portal, and like Tanium you can see separate modules for the various protective features such as patching and inventory management.
    It is easier to define what Tachyon is not: it is not an MDM, and not just a SIEM; it is endpoint management and threat intel, somewhat.
  • If we go back to the NIST framework, you can see how 1E’s Tachyon maps these five basic categories of protection in their framework.

  • It is like what Google was in the mid 1990s – back then no one knew what a search engine was, and this open-ended dialog box was odd. This simple query interface has been adopted by other EDR vendors in the past several years. This is an example of a very complex query string to check which KB patches have been applied across your endpoints.
  • Here is a tool that can be used as a way to test your existing end user knowledge of their security posture. There are vendors that focus on security awareness training, but this can be a useful way to begin to assemble your own training efforts on a more granular level, such as this report that shows if users understand their access control policies.
  • Guaranteed State ensures you have up-to-the-minute data on the current configuration state and compliance of all your endpoints – even for remote workers. The idea is to supply real time visibility and continuous remediation, so your equipment doesn’t fall behind your intentions to maintain a secure profile.
  • Tachyon can deliver real-time automated endpoint remediation and management, especially if you need a tool that emphasizes improved automated and almost real-time operations. Tachyon isn’t searching for a needle in a haystack filled with log files and other data but figuring out that first you need to look for something that doesn’t appear to be a piece of hay. Think of it as the search tool for finding out the health of your network.
  • Google’s Chronicle has this product, which ingests so much network traffic and log data that they have built ML tools to figure out when someone was first attacked, even many years ago, from their technologies. The original staff has left.
  • Microsoft suggests using Tanium as a very costly insurance policy, now bundled with an enterprise E5 license.
    Like Google’s product, it hoovers up all your data for one to six months. MS’ Defender implementation requires a complex collection of O365 tools and add-ons, including the agent formerly known as Defender ATP, now called Defender for Endpoint.
  • Summary slide of 3 products
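The zero trust note above asks when you last audited your AD users and how quickly departed users lose their access. The block below is an added example, not code from the talk or from any vendor, of that audit run over a constructed HR roster and a constructed export of directory accounts of the kind you could produce with Get-ADUser: it flags enabled accounts belonging to terminated employees (rated critical when they still hold privileged group membership), enabled accounts with no HR record, service accounts with no recorded owner, and accounts with no logon in 90 days, and it pairs each finding with the off-boarding action it calls for. The account names, dates, the PRIVILEGED group set and the `svc-` naming convention for service accounts are all assumptions.

```python
"""Added example (not code from the talk or from any vendor): the directory audit
asked for in the zero trust note, over a constructed HR roster and a constructed
export of directory accounts. Account names, dates, the privileged-group list and
the "svc-" prefix for service accounts are all assumptions made for the example."""
from datetime import datetime, timedelta

# Constructed HR system view: employment status per account name.
ROSTER = {"asmith": "active", "bjones": "active", "cwu": "terminated"}

# Constructed directory export, one dict per account (enabled flag, last logon
# date, group memberships and the recorded owner of the account).
ACCOUNTS = [
    {"sam": "asmith", "enabled": True, "last_logon": "2020-11-01", "groups": ["Domain Users"], "owner": "asmith"},
    {"sam": "bjones", "enabled": True, "last_logon": "2020-05-02", "groups": ["Domain Users"], "owner": "bjones"},
    {"sam": "cwu", "enabled": True, "last_logon": "2020-09-20", "groups": ["Domain Users", "Domain Admins"], "owner": "cwu"},
    {"sam": "dlee", "enabled": True, "last_logon": "2020-10-30", "groups": ["Domain Users"], "owner": "dlee"},
    {"sam": "evans", "enabled": False, "last_logon": "2019-06-01", "groups": ["Domain Users"], "owner": "evans"},
    {"sam": "svc-backup", "enabled": True, "last_logon": "2019-01-15", "groups": ["Backup Operators"], "owner": None},
]

# Assumed set of groups whose membership counts as privileged.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Account Operators"}

SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def audit_accounts(accounts, roster, as_of, stale_days=90):
    """Return (severity, account, finding, recommended action) tuples, worst first.

    Disabled accounts are skipped: the audit is about access that is live today."""
    findings = []
    cutoff = as_of - timedelta(days=stale_days)
    for a in accounts:
        if not a["enabled"]:
            continue
        sam = a["sam"]
        privileged = sorted(set(a["groups"]) & PRIVILEGED)
        status = roster.get(sam)
        is_service = sam.startswith("svc-")  # assumed naming convention
        if status == "terminated":
            detail = "enabled account for terminated employee"
            if privileged:
                detail += f"; still a member of {privileged}"
            findings.append(("critical" if privileged else "high", sam, detail,
                             "disable now, remove group memberships, revoke sessions and tokens"))
        elif status is None and not is_service:
            findings.append(("high", sam, "enabled account with no HR record",
                             "confirm with HR; disable if no owner is found"))
        if is_service and a.get("owner") is None:
            findings.append(("medium", sam, "service account with no recorded owner",
                             "assign an owner before the next review"))
        last = datetime.fromisoformat(a["last_logon"])
        if last < cutoff:
            findings.append(("medium", sam, f"no logon since {a['last_logon']}",
                             f"disable if still unused after {stale_days}-day owner confirmation"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


if __name__ == "__main__":
    for sev, sam, detail, action in audit_accounts(ACCOUNTS, ROSTER, datetime(2020, 11, 15)):
        print(f"[{sev:8}] {sam:12} {detail} -> {action}")
```

With the constructed data the worst finding is cwu, terminated in HR but still enabled and still a Domain Admin, which is exactly the gap the note's question about off-boarding is driving at; the HR roster is the single source of truth here, and the audit is only as good as how quickly that roster is updated.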