3. 1E - Copyrighted. All rights reserved
• Phishing and Box Fatigue
• Rise of zero trust
• Here come the (US) Feds
• What the scope of an EDR product means today
• Competitive landscape of 1E Tachyon, Tanium and
6. Then Covid happened
• VPNs aren’t the (total) answer, despite Jerry’s
• Ransomware attacks up 25% from 2019Q4 =>
• Most everyone reported overall increase in the
number of attacks
• FBI cybercrime reports went from 1000/day to
• UK’s NCSC Covid on the rise
• Huge rise in phishing emails …
7. Phishing subject lines
• Password Check Required
• Vacation Policy Update
• Corporate Reopening Schedule
• COVID-19 Awareness
• Coronavirus Stimulus Checks
• List of Rescheduled Meetings Due to
• Confidential Information on COVID
• COVID-19 - Now airborne, Increased
• Fedex Tracking #
13. Rise of zero trust networks
• Origin: 2010 John Kindervag of Forrester
coined the term
• Core idea: No one gets access until they
prove who or what they are
• Better idea: zero risk, find the critical data
that is worth protecting
14. Another way to ask
• What is the single
source of truth that we
can use to secure the
17. NIST implementation
Cybersecurity Maturity Model
Certification (CMMC) program
Jan 2020 – first released
Sept 2020 – interim guidelines
Nov 2020 – start date to phase
things in and get certified
Nov 2025 – when it is
supposed to be complete and
required for everyone
1, basic cyber hygiene
2, document best practices
3, where everyone should be and
have implemented plans
4, more defensive measures in place
5, advanced threat prevention
• Ad hoc search queries
• Better security policy enforcement and
• Automatic discovery of outliers and
• Detection of lateral network movement (for
better early attack notifications)
• Better remediation and deployment tactics
• Better security awareness training
• Better patch management (ditto)
• Integration into existing protective gear such
as event and service management tools
19. 2. Network Traffic Analysis
3. Malware sandboxes
4. Cyber threat intelligence
5. Central analytics and management
6. Email protection
21. Tanium features
Not just p2p but
also across the
Added its own
<15s, so a bit
access rights and
25. Carbon Black features
LOTS OF CB SENSORS
NOW INSIDE MANY
SUCH AS VSPHERE,
VCENTER, NSX, HORIZON
AGENTS ARE MORE LIKE
CONTAINERS THAT CAN
FOCUS IS ON CAPTURING
THE NETWORK AND
INSIDE THE ENDPOINT
OR VM INSTANCE
EFFORT WITH OTHER
INTEL SERVICES, SIEMS,
• Deploying patches across a mixed
• Find the compromised PC for a
specific malware intrusion
• Why can’t I install this software on
• Is my web browser slow?
• My always-on business is offline.
• Can I automate a non-infosec
• Can I track which users have
reviewed which infosec policies?
37. Tanium 1E Tachyon Carbon Black
• P2P/LAN design
• UI could use a
• Win, Mac, lots of Linux
clients (but no phones)
• Multiple sensors already
embedded in Vmware
products like vCenter and
vSphere and NSX
• File distribution not as
well as competitors
• Confusing array of
• Powerful query
• Built-in sec
38. Thank You –
+1 (314) 277-7832
We are experiencing a changing nature of cyberattacks, especially as the world has moved towards more working from home. These attacks have evolved with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered “outside” and “inside” the corporate network. But then the Internet happened, and we all became connected. Even before the pandemic, there was little difference. With the advent of the cloud, and definitely since the pandemic began, we are now all considered out. We are all working from home, using devices that aren’t necessarily ones that IT has purchased and sharing them with other family members. In my talk talk, I want to identify some trends that have changed the endpoint detection and response marketplace, and examine a few of the EDR products and show how they have evolved as well to meet these new collection of threats.
Firewalls are now all about the software
Ubiquitous Internet means no difference between in and outside
Your Internet pipe is probably too small and has too much latency to support 100% WFH
BYOD is the norm, not the exception, There is this CIO.com piece from 2014!! BTOD was never a great idea to begin with. Now everyone is BYOD.
And VPNs—at least as most companies use them today—are not a long-term solution for the distributed workplace. Having everyone have to connect to the physical office network to get work done requires a whole new level of networking infrastructure. We have tools such as remote desktops that weren’t designed to be used in such abundance, by the general user population. We have VPNs that circumvent all kinds of network protection, not to mention all the various vulnerabilities they have experienced recently.
The UK’s NCSC reported that so far this year they have had 200 Covid-related attacks, a third of all of those they have dealt with that have affected 1200 victims, mainly with the National Health Service and other public agencies that they protect.
This is from a report by the phishing awareness vendor Know Be 4 compiled from 2020Q2 emails. The company then uses this research to produce a series of simulations to see if users are paying attention. They found that the scams are becoming more aggressive and more targeted as we continue under lockdown.
the pandemic is making it easier for cybercriminals to target mid-level managers, with various lures such as Covid-related ones to more traditional business impersonations. In one case, the FBI investigated a COVID-19-related case of CEO fraud in which the hacker, posing as a CEO, requested a money transfer date to be move up due to precautions surrounding COVID-19 and the quarantine process. In the end, the hoax cost one financial institution a million dollars. Other phishing lures claim to come from the CDC or local public health offices to trick users into divulging private data or to open attachments.
This the Verizon breach report that was released earlier this year. Once again it highlights the role that phishing plays, moving to the #1 spot in the 2019 report and in the top two of threat types across all incidents. Google blocks 1M phishing emails daily across its infastructure
The pandemic has made phishing attacks more dangerous, as we can see in the next slide with the typical email subject lines.
MalwareBytes used this term back in 2017. The problem is that we ask too much from our endusers: they have to watch out for phishing emails. Make sure they have complex enough passwords and are using MFA properly. “People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.” The volume of messaging, combined with an unclear understanding of how to move forward, is what leads to security fatigue.” All these cybersecurity warnings result in desensitization by the users.
This is from 1970 comic strip artist Walt Kelly. You’ll see why in a moment.
That article that mentioned box fatigue recommends these four simple actions to take.
Note the date: April 7th. I got this notification in September! I guess the US postal mail really takes that long to deliver a package? Needless to say, I didn’t click on the link.
IT shouldn’t be the interstate highway system but part and parcel to today’s business decisions
Certainly, Covid changed things, and accelerated the adoption of zero trust to protect wFH STAFFERS
But zero trust needs to be systematically, making network segments based on risk and auditing their access rights --
When was the last time you audited your AD users? Do you have an out-boarding policy in place to remove users who no longer work for the company? How quickly are they taken off the roles and their authentications removed from all your systems?
Once upon a time a US bicycle manufacturer would hold a status meeting for their product staff in a conference room, updating a shared spreadsheet on the status of their products in the pipeline. Granted, this was a long time ago, but still you can’t use outdated technology as your single source of truth. This is the Stone Age, we must bring things into the modern era.
Back when we could attend conferences, the popular DefCon show in Vegas every summer would have this activity called spot the fed, meaning the conference attendee who was from the intelligence and law enforcement community. The attendees were warned that “If you see some shady Men in Black earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, you might win one of these t-shirts and the fed would get an equivalent “I am the fed” shirt. Today I want to talk about two efforts by my government to try to bring some order to your endpoints.
The first is this NIST document which establishes cybersecurity standards for federal contractors and is being used as a playbook by many endpoint protection vendors and customers. It has a long list of action items to try to improve security. 1e has put this together in the follow slide.
The CMMC requires 3rd party assessments by DoD contractors with various levels of compliance. The goal is to move these contractors – which number > 300,000 companies – up thru the levels and improve their cyber hygiene
These efforts by NIST and the DoD have resulted in a consolidation of various endpoint protection functions, in some cases making EDR products with a wider scope. We are asking an awful lot from our EDR vendors, and some of them, such as 1e, have risen to that challenge, to provide a more integrated and powerful product.
Some vendors have called this EPP or XDR to show this wider context. Qualys calls their product vuln management, detection and response or VMDR, so they win on the acronym pile-on
This is an article from CSO in Mat 2019
The integration will happen by consolidating analytics, using integrated platforms like Tachyon, and integrating APIs
I would add to this list email protection – while it isn’t an endpoint technology per se, phishing attacks are making it more important.
The question of scale is important. A lot of EDR products can’t handle hundreds of thousands of endpoints and be able to find items such as an executable process by a specific hash value or examine a particular set of IP address pairs or a DNS lookup that points to a malware site. Or they can’t deploy or remediate many concurrent systems.
Tachyon: 190k endpoints with 100k concurrent machines
Tanium: 900k endpoints in one DoD service branch
Carbon Black: Equally large -- with a collective daily analysis of 1T events
Tanium has a lot slower query response time, whereas Tachyon’s responses take just a few milliseconds, and seem almost instantaneous.
Tanium separates its EDR product into a series of modules each with a specific single function, such as patching or threat response.
Tanium now has the same explorer query tool that Tachyon has had for years but it much more bare bones
Here is the threat response dashboard, with links to learning resources at the top and some simple charts below that summarize the alerts.
We are not about finding bombs but about finding a van that you are going to drive into a crowd
At the core of Carbon Black is its Watchlist -- this is where you set up your detection policies and it also maps the treats to the MITRE ATT&CK framework to learn more about mitigation measures.
Here is its malware process tree discovery tool where you can examine each piece of code and see its resources and how a piece of malware spread throughout your infrastructure and endpoints.
Vmware is trying to do its best to integrate Carbon Black into its existing security tools, and more focused on managing large scale virtual infrastructure. It has a confusing array of different product versions, starting with cloud vs. on premises versions. Some of its existing tools, such as NSX and vSphere, include Carbon Black agents.
Finally, we come to Tachyon. Here is its main portal, and like Tanium you can see separate modules for the various protective features such as patching and inventory management.
It is easier to define What Tachyon is not -- a MDM, not just a SIEM, endpt management and threat intel -- somewhat
If we go back to the NIST framework, you can see how 1E’s Tachyon maps these five basic categories of protection in their framework.
It is like what Google was in the mid 1990s – back then no one knew what a search engine was, and this open-ended dialog box was odd. This simply query interface has been adopted by other EDR vendors in the past several years. This is an example of a very complex query string to check for which KB patches have been applied across your endpoints.
Here is a tool that can be used as a way to test your existing end user knowledge of their security posture. There are vendors that focus on security awareness training, but this can be a useful way to begin to assemble your own training efforts on a more granular level, such as this report that shows if users understand their access control policies.
Guaranteed State ensures you have up-to-the-minute data on the current configuration state and compliance of all your endpoints – even for remote workers. The idea is to supply real time visibility and continuous remediation, so your equipment doesn’t fall behind your intentions to maintain a secure profile.
Tachyon can deliver real-time automated endpoint remediation and management, especially if you need a tool that emphasizes improved automated and almost real-time operations. Tachyon isn’t searching for a needle in a haystack filled with log files and other data but figuring out that first you need to look for something that doesn’t appear to be a piece of hay. Think of it as the search tool for finding out the health of your network.
Google’s Chronicle has this product which is ingesting so much network traffic and log data that they have built ML tools to figure out when someone was first attacked, even many years ago, from their technologies. Original staff has left
Microsoft suggests using Tanium as a very costly insurance policy and now bundled with an enterprise e5 license
Like Google’s product, it hoovers up all your data from one month to 6 months. MS’ Defender implementation requires a complex collection of O365 tools and add-ons including the agent formerly known as Defender ATP now called Defender for Endpoint