
Endpoint Protection: (AV, NGAV, EPP etc.)
Is like the doors, windows and gates that protect your property. It stops unwanted people from getting into your home.

  • What to look for in Endpoint Protection:
    There are two main types of methods

    • Detection based: These kinds of systems have to be able to “identify” bad behaviour before they can stop it. No detection, no protection!
      • Signature based
      • Heuristic based
      • Artificial Intelligence (AI)
      • Machine Learning (ML)
      • Behavior based
    • Detectionless: This method is based on Attack Surface Reduction (ASR), so no detection is required in order to protect. Detectionless protection!
      • API Virtualization (taking away the resources that are important for adversaries – Attack Surface Reduction – ASR) (Comodo Dragon Platform for example)

When building your security stack it's important to use both methods. Catch whatever you can with “Detection Based” methods; whatever those miss (and they are guaranteed to miss something), the Detectionless method will kick in and virtualize resources to mitigate the damage.

Endpoint Telemetry: (EDR, XDR etc.)
Is like your burglar alarm or smoke alarm. It “monitors and alerts” and provides intelligence, for example which alarm triggered first (the garage door alarm, say), so that you know where the attack came in.

  • What to look for in Endpoint Telemetry:
    • Raw Data Collection: with contextful information (OpenEDR)
    • Streaming/Storage/Retrieval: (Real Time, Indexed, Searchable) (Elastic with OpenEDR or Comodo Dragon with OpenEDR)
    • Correlation: Rule-based detection, Threat Hunting (OpenEDR or Elastic)
    • Visualization: Human perception, engaging the human brain in finding patterns in data (Elastic or OpenEDR with Comodo Dragon)
    • Flexibility: Needed both at data collection (what to collect, when to collect) and during correlation (easy-to-write queries and extendable rules) (Elastic or Comodo Dragon with OpenEDR)

With the above Endpoint Telemetry components you can build an open source solution that is more capable than the so-called market-leading EDR vendors, and more cost effective to operate and maintain. You can go with either OpenEDR + Comodo Dragon or OpenEDR + ELK; either solution will provide Endpoint Telemetry in a much more capable way than what's in the market today.
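To make the “Correlation” and “Streaming/Storage/Retrieval” points concrete, here is an added example (not code from OpenEDR, Elastic or Comodo) of a tiny rule-based correlation engine run over constructed telemetry lines. The event field names, the event types and the sample events are all assumptions made up for the example; they are not a real OpenEDR or Elastic schema. It shows why indexed, stateful storage matters: the first rule needs the parent process of an event, which only exists in telemetry that was collected earlier, and the second rule needs a sliding window over recent events.

```python
"""Added example: rule-based correlation over constructed endpoint telemetry.
Field names, event types and sample data are assumptions, not a real EDR schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry, one JSON event per line, already in time order.
# Raw string so the doubled backslashes reach the JSON parser unchanged.
SAMPLE_TELEMETRY = r"""
{"ts": "2024-03-01T08:55:00Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:00:00Z", "host": "ws01", "type": "process_create", "pid": 4100, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"ts": "2024-03-01T09:00:05Z", "host": "ws01", "type": "process_create", "pid": 4200, "ppid": 4100, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docx"}
{"ts": "2024-03-01T09:00:09Z", "host": "ws01", "type": "process_create", "pid": 4300, "ppid": 4200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2024-03-01T09:00:10Z", "host": "ws02", "type": "process_create", "pid": 5100, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"ts": "2024-03-01T09:01:00Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:01:10Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:01:20Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:01:30Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:01:40Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:01:50Z", "host": "ws02", "type": "logon_failure", "user": "admin", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:10:00Z", "host": "ws01", "type": "logon_failure", "user": "bob", "src": "10.0.0.9"}
"""

# Rule parameters (assumed values for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(seconds=60)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def basename(image):
    # PureWindowsPath parses Windows paths correctly on any host OS.
    return PureWindowsPath(image).name.lower()


def correlate(lines):
    """Stream JSON events in order and return the alerts the two rules produce."""
    alerts = []
    proc_table = {}                 # (host, pid) -> image, built from earlier events
    failures = defaultdict(deque)   # (host, user) -> timestamps of recent failures

    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])

        if ev["type"] == "process_create":
            # Remember every process so later events can look up their parent.
            proc_table[(ev["host"], ev["pid"])] = ev["image"]
            # Rule 1: an Office application spawning a command interpreter.
            # The parent is resolved per host, so a pid reused on another host
            # does not produce a false match.
            parent = proc_table.get((ev["host"], ev["ppid"]))
            if parent and basename(parent) in OFFICE_APPS and basename(ev["image"]) in SHELLS:
                alerts.append({"rule": "office_spawns_shell", "host": ev["host"],
                               "ts": ev["ts"], "parent": basename(parent),
                               "child": basename(ev["image"]), "cmdline": ev["cmdline"]})

        elif ev["type"] == "logon_failure":
            # Rule 2: a burst of failed logons for one user on one host.
            window = failures[(ev["host"], ev["user"])]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()        # drop failures that aged out of the window
            if len(window) == FAILURE_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"rule": "logon_failure_burst", "host": ev["host"],
                               "user": ev["user"], "ts": ev["ts"], "count": len(window)})
    return alerts


def run_sample():
    return correlate(SAMPLE_TELEMETRY.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Running the block yields exactly two alerts: the `cmd.exe` started under `WINWORD.EXE` on ws01, and the five failed `admin` logons on ws02 inside one minute. The `cmd.exe` on ws02 with parent pid 4100 produces nothing because that pid was only ever seen on ws01, and the 08:55 failure is aged out of the window before the burst is counted. In a real deployment the rules would be queries against the indexed store rather than Python, but the need for context (the parent process) and for retention (the sliding window) is the same.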

In your security posture you of course want Endpoint Telemetry, but you don't want an open-door, open-window policy where you rely only on your burglar/smoke alarm to catch it when something bad happens; in certain circumstances even telemetry will fail.

“An ounce of prevention is worth a pound of cure”