Saturday, April 20, 2019

Endpoint Detection and Response(EDR)

  • The features that most EDR solutions have include:


    The ability to detect and prevent hidden exploit processes that are more complex than a simple signature or pattern and evade traditional AV
    Threat intelligence
    Visibility throughout endpoints, including applications, processes and communications, to detect malicious activities and simplify security incident response
    Automation of alerts, as well as defensive responses such as turning off specific processes when an attack is detected
    Forensic capabilities, because once an attacker is inside, you need the ability to take a deep dive into their activities so you can understand their movements and minimize the impact of the breach
    Data collection to build a repository used for analytics
https://www.esecurityplanet.com/products/top-endpoint-detection-response-solutions.html


  • Let’s Define Endpoint Detection and Response (EDR)

Endpoint detection and response solutions collect, record, and store large volumes of data from endpoint activities to provide security professionals with the comprehensive visibility they need to detect, investigate, and mitigate advanced cyber threats.
Traditional antivirus solutions, as well as other, more-pointed solutions, provide enterprises with preventative endpoint protection, which means they react to new files entering a system and, if deemed malicious, automatically stop them from running. Despite this, attackers are still able to penetrate endpoints. This is because they use innovative techniques that stealthily compromise systems without triggering these defenses.
Endpoint detection and response, or EDR, solutions provide a different capability to the security stack. With EDR in place, security teams can continuously collect, record, and store endpoint data, providing them with surveillance-like visibility they can use to investigate a past incident or to proactively hunt for threats in their environment.

Where Does AV Stop... And EDR Start?
NGAV solutions can prevent known and unknown malware attacks, but comprehensive security programs need more power when they want to go after the undetected, persistent campaigns and attacks that act slowly and purposefully to evade automated defenses.
One of the most important benefits that EDR brings to a security team is visibility, which, when supported by the power of the cloud, can store large masses of data which is aggregated, processed and analyzed rapidly. With this intelligence, EDR solutions can zero in on behaviors that automated defenses may have missed, and supply greater visibility (and the ability to intervene) into suspicious activities that have not yet developed into full-blown attacks.
However, the best endpoint security scenario brings NGAV and EDR solutions together in a single integrated solution that leverages a single agent to provide the most secure approach possible.

https://www.carbonblack.com/resources/definitions/what-is-endpoint-detection-and-response/


  • WHAT IS ENDPOINT DETECTION AND RESPONSE?

“the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”
HOW ENDPOINT DETECTION AND RESPONSE WORKS
Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on host systems provides the foundation for event monitoring and reporting.
https://digitalguardian.com/resources/data-security-knowledge-base/endpoint-detection-and-response-edr


  • The difference between SIEM and EDR


an EDR is used to determine if malware (APTs, advanced persistent threats) has been installed on an endpoint device (detect) and find ways to reply to this kind of threat (response).
Often, EDR solutions are using agents installed on such an endpoint to collect data from many different kind of data sources directly on the endpoint and store them in a central database.
data from the following sources:
ARP
DNS
Sockets
Registry
Memory dumps
System calls
IP addresses
Hardware types

An EDR is seen complimentary to traditional means of protection like signature-based tools or a SIEM.
They all provide dashboards or reports and data analysis is performed.

SIEM
A SIEM is used to provide a single central place for storing and analyzing data coming from many different log sources.
It is possible to understand many different use-cases, which do not rely on just one type of system, but on many different log sources such as firewalls, servers, IPS, proxies, etc. A SIEM supports a multitude of different platforms and can be used for advanced correlation, log management, and forensics

Summary
A SIEM can be used to collect data from many different types of log sources and do advanced correlation, log management, or forensics. There is no limit regarding supported platforms or the type of use case in question. An EDR tool is considered to be complimentary to a SIEM tool and many EDR vendors try to integrate into a SIEM. From a SIEM point-of-view an EDR is considered to be another log source, which can provide valuable information to a SIEM.

https://www.logpoint.com/en/blog/the-difference-between-siem-and-edr/
  • SIEM vs EDR: Which One Does Your Business Need?

What is SIEM?
SIEM refers to Security Information and Event Management. It provides log management and security event correlation, both of which offers more visibility into enterprise IT environments. In fact, SIEM places a great emphasis on its log capabilities.

What is EDR?
EDR functions as an extension of next-generation endpoint security.
Accordingly, EDR solutions record and store behaviors on enterprise endpoints, analyze that data for suspicious behaviors and block malicious activity. Moreover, these solutions can provide contextual information on suspicious behavior and provide remediation suggestions.
EDR can help your enterprise detect cyber attacks which slipped past your digital perimeter security. Also, it offers granular visibility, threat investigations, and detection of fileless malware and ransomware. Critically, it too can provide security alerts for investigations.

SIEM vs EDR
EDR draws from endpoint data sources as one might expect from an endpoint security capability
Its design lends itself to endpoint prevention, endpoint detection, and analysis.
EDR typically doesn’t need to deal with encryption issues in its analyses. Usually, these solutions come with out-of-the-box capabilities and pre-built dashboards and workflows.
EDR remains heavily tied to the endpoint rather than the network as a whole

SIEM draws from unlimited data sources; the only constraints come for the correlation rules placed on it by enterprises themselves. Thus SIEM allows for security analysis and compliance fulfillment much more readily. It also provides data contextualization.
SIEM can run into issues with encryption.
these solutions tend to focus heavily on detection over prevention
Without logged data, SIEM can’t function, which can create new challenges for underprepared enterprises

both SIEM and EDR provide security alerts. Therefore, both can run into similar problems concerning false positives and alert bombardments overwhelming security teams.

https://solutionsreview.com/endpoint-security/siem-vs-edr-which-one-does-your-business-need/


  • What is Endpoint Detection and Response?

endpoint detection and response solutions record system activities and events taking place on endpoints and provide security teams with the visibility they need to uncover incidents that would otherwise remain invisible

What is the difference between EDR and Antivirus? Antivirus is the prevention component of endpoint security, which aims to stop threats from entering a network. When threats slip past an antivirus, EDR detects that activity and allows teams to contain the adversary before they can move laterally in the network

EDR Security Capabilities
    Incident data search and investigation
    Alert triage or suspicious activity validation
    Suspicious activity detection
    Threat hunting or data exploration
    Stopping malicious activity

Choosing an EDR Solution
1. Visibility:
Real-time visibility across all your endpoints allows you to view adversary activities, even as they attempt to breach your environment, and stop them immediately.
2. Threat Database:
Effective EDR requires massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytic techniques.
3. Behavioral Protection:
Relying solely on signature-based methods or indicators of compromise (IOCs) lead to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response requires behavioral approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.
4. Insight and Intelligence:
An endpoint detection and response solution that integrates threat intelligence can provide context, including details on the attributed adversary that is attacking you or other information about the attack.
5. Fast Response:
EDR that enables a fast and accurate response to incidents can stop an attack before it becomes a breach and allow your organization to get back to business quickly.
6. Cloud-based Solution:
Having a cloud-based endpoint detection and response solution is the only way to ensure zero impact on endpoints, while making sure capabilities such as search, analysis and investigation can be done accurately and in real time

How EDR Works?
The solution lies in having continuous and comprehensive real-time visibility into what is happening on your endpoints and the ability to apply behavioral analysis and actionable intelligence to stop an incident from turning into a breach.

Integrates With Threat Intelligence
Security Operation Centers (SOCs) and security analysts receive a detailed narrative that specifies the “who, why and what” of the event — empowering organizations to be better prepared to protect itself.

Provides Real-Time and Historical Visibility
This gives security teams the useful information they need, including:

    local and external addresses to which the host is connected
    all the user accounts that have logged in, both directly and remotely
    a summary of changes to ASP keys, executables and administrative tool usage
    process executions
    both summary and detailed process-level network activity, including DNS requests, connections, and open ports
    archive file creation, including RAR and ZIPS
    removable media usage

Real Time Response includes two sets of built-in commands you can execute during investigations to accelerate remediation.

Information collectors allow security teams to immediately understand the risk and scope of a threat by enabling tasks such as:

    Explore the file system and extract files
    List running processes
    Extract Windows event log
    Query Windows registry
    List current network connections and configuration
    Extract process memory
    Calculate file hashes
    Collect environment variables
    Collect additional desired information using PowerShell or other tools

Remediation actions enable teams to take action to contain or remediate a threat with speed and decisiveness including:

    Delete a file
    Kill a process
    Delete or modify Windows registry key or value
    Put a file
    Run a script or an executable file
    Encrypt a file
    Restart/Shutdown

Why is EDR Important?
Reason #1: Prevention alone can’t ensure 100 percent protection
Reason #2: Adversaries can be inside your network for weeks and return at will
Reason #3: Organizations lack the visibility needed to effectively monitor endpoints
Reason #4: Access to actionable intelligence is needed to respond to an incident
Reason #5: Having the data is only part of the solution
Reason #6: Remediation can be protracted and costly

https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/

  • Endpoint Detection and Response: Threat Hunting and Incident Response for Hybrid Deployments

VMware Carbon Black EDR initially is an incident response and threat hunting solution designed for security operations center (SOC) teams with offline environments or on-premises requirements.Carbon Black EDR continuously records and stores comprehensive endpoint activity data, so that security professionals can hunt threats in real time and visualize the complete attack kill chain. It leverages the VMware Carbon Black Cloud’s aggregated threat intelligence, which is applied to the endpoint activity system of record for evidence and detection of these identified threats and patterns of behavior.
https://www.carbonblack.com/resources/endpoint-detection-and-response-threat-hunting-and-incident-response-for-hybrid-deployments/

  • Endpoint Detection and Response (EDR)
Identify, isolate and remove endpoint threats in real-time

Continuous monitoring for real-time EDR security
EDR works through continuous monitoring of the endpoint using Indicators of Compromise (IoC).

Rapid incident response times
Many endpoint threats can bypass traditional and advanced security in the time it takes for a human to respond to the activity

Complete visibility across your entire endpoint network

How EDR works
Endpoint Detection and Response tools work by continuously monitoring activity on endpoints, with the aim of identifying suspicious or threatening behaviour in real time.
Information is recorded and analysed for internal or external attacks.
EDR can identify specific behaviors to alert organizations to potential threats before the attackers can cause harm.
Once a threat has been detected, EDR can isolate and deflect attacks from internal and external sources, protecting endpoint devices from risks. 
The end-to-end analysis is supported by a range of innovative technologies, including machine learning and behavioral analysis.
https://www.fireeye.com/products/endpoint-security/endpoint-detection-response.html

The situation, task, action, result (STAR)

  • The situation, task, action, result (STAR) format is a technique used by interviewers to gather all the relevant information about a specific capability that the job requires

Situation: The interviewer wants you to present a recent challenge and situation in which you found yourself.
Task: What were you required to achieve? The interviewer will be looking to see what you were trying to achieve from the situation
Action: What did you do? The interviewer will be looking for information on what you did, why you did it and what the alternatives were.
Results: What was the outcome of your actions? What did you achieve through your actions and did you meet your objectives? What did you learn from this experience and have you used this learning since?
https://en.wikipedia.org/wiki/Situation,_task,_action,_result

  • STAR stands for Situation, Task, Action, Result. Using this strategy is particularly helpful in response to competency-focused questions, which typically start out with phrases such as, "Describe a time when..." and "Share an example of a situation where...."

The STAR interview response technique is a way of answering behavioral interview questions.
Behavioral interview questions are questions about how you have behaved in the past.
Specifically, they are about how you have handled certain work situations.
For example, employers might be looking for proof of problem-solving skills, analytical ability, creativity, perseverance through failure, writing skills, presentation skills, teamwork orientation, persuasive skills, quantitative skills, or accuracy.
Examples of behavioral interview questions include the following:
Tell me about an occasion when you had to complete a task under a tight deadline.
Have you ever gone above and beyond the call of duty?
What do you do when a team member refuses to complete his or her quota of the work?
However, job seekers can also use the STAR interview method to prepare for behavioral interview questions.
STAR is an acronym for four key concepts. Each concept is a step the job candidate can utilize to answer a behavioral interview question.
Situation: Describe the context within which you performed a job or faced a challenge at work. For example, perhaps you were working on a group project, or you had a conflict with a coworker. This situation can be drawn from a work experience, a volunteer position, or any other relevant event.
Task: Next, describe your responsibility in that situation.
Perhaps you had to help your group complete a project within a tight deadline, resolve a conflict with a coworker, or hit a sales target.
Action: You then describe how you completed the task or endeavored to meet the challenge. Focus on what you did, rather than what your team, boss, or coworker did. (Tip: Instead of saying, "We did xyx," say "I did xyz.")
Result: Finally, explain the outcomes or results generated by the action taken. It may be helpful to emphasize what you accomplished, or what you learned.

How to Prepare for an Interview Using STAR
Since you won’t know in advance what interviewing techniques your interviewer will be using, you’ll benefit from preparing several scenarios from the jobs you’ve held.
First, make a list of the skills and/or experiences that are required for the job.
It may help you to look at the job listing and similar job listings for indications of the required or preferred skills/qualities and match your qualifications to those listed in the posting.
Then, consider specific examples of occasions when you displayed those skills.
For each example, name the situation, task, action, and result.

Examples of Interview Questions and Answers Using STAR
Example Question 1: Tell me about a time you had to complete a task within a tight deadline. Describe the situation, and explain how you handled it.
Example Question 2: What do you do when a team member refuses to complete his or her quota of the work?
Example Question 3: Tell me about a time you showed initiative on the job.

https://www.thebalancecareers.com/what-is-the-star-interview-response-technique-2061629


  • What is a Behavioral Job Interview?

Behavioral based interviewing is interviewing based on discovering how the interviewee acted in specific employment-related situations
The logic is that how you behaved in the past will predict how you will behave in the future, i.e., past performance predicts future performance.
Traditional Interviews
In a traditional interview, you will be asked a series of questions which typically have straightforward answers like "What are your strengths and weaknesses?" or "What major challenges and problems did you face? How did you handle them?" or "Describe a typical work week."
In a behavioral interview, an employer has decided what skills are needed in the person they hire and will ask questions to find out if the candidate has those skills.
Instead of asking how you would behave, they will ask how you did behave.
The interviewer will want to know how you handled a situation, instead of what you might do in the future.

Questions Asked
Behavioral interview questions will be more pointed, more probing and more specific than traditional interview questions:
Finally, review the job description, if you have it, or the job posting or ad. You may be able to get a sense of what skills and behavioral characteristics the employer are seeking from reading the job description and position requirements.
It's important to keep in mind that there are no right or wrong answers. The interviewer is simply trying to understand how you behaved in a given situation. How you respond will determine if there is a fit between your skills and the position the company is seeking to fill.
https://www.thebalancecareers.com/behavioral-job-interviews-2058575

  • The interviewer will want examples of what happened in a particularly challenging circumstance, what you did, and how you achieved a positive outcome.

The Best Behavioral Interviewing Techniques and Strategies
Review what a behavioral interview is and what companies are looking for during a behavioral interview.
Use the STAR interview technique to prepare examples to share during an interview.
Review sample behavioral interview questions.

Research the Job and Company
Techniques
(S) A specific situation
(T) The tasks that needed to be done
(A) The action you took
(R) The results, i.e., what happened


It is the STAR interview response technique, and it's an excellent way to prepare. Do keep in mind that there are no right or wrong answers to behavioral interview questions. The interviewer's goal is to understand how you behaved in a given situation. How you respond will determine if there is a match between your skills and the position the company is seeking to fill.

https://www.thebalancecareers.com/behavioral-interview-techniques-and-strategies-2059621


  • Behavioral Based Job Interview Questions

In a behavioral job interview, the company asks questions about your past work experiences in order to find out if you have the skills needed for the job. Behavioral interview questions focus on how you handled various work situations in the past. Your response will reveal your skills, abilities, and personality.

(S) Situation. Describe the situation in which the event took place.
(T) Task. Describe the task you were asked to complete. If there was a particular problem or issue you were trying to solve, describe that here.
(A) Action. Explain what action you took to complete the task or solve the problem.
(R) Results. Explain the result of your actions. For example, if your actions resulted in completing a task, resolving a conflict, improving your company’s sales record, etc., explain this. Try to focus on how your actions resulted in a success for the company.

Follow the STAR Technique. Be sure to answer any questions using the STAR technique described above. By completing each of the four steps, you will provide a thorough answer without rambling or getting off topic.
Be Positive. Often, behavioral interview questions require you to focus on a problem or a failure at work. Describe the problem or issue you faced, but don’t focus too much on the negative. Quickly shift to describing how you solved the problem and the positive results.

Give an example of a goal you didn't meet and how you handled it.
Have you been in a situation where you didn't have enough work to do?
Have you ever made a mistake? How did you handle it?
Have you ever dealt with company policy you weren't in agreement with? How?
When you worked on multiple projects how did you prioritize?

https://www.thebalancecareers.com/behavioral-job-interview-questions-2059620


  • Competency-Based Interview Questions

Competency-based interview questions require interviewees to give specific examples of times in which they demonstrated particular skills or attitudes.
Often, these types of questions begin with the phrases "Describe a time when..." or "Give me an example of a situation where..."
Generally, these questions require interviewees to describe a problem or situation, the actions they took to handle it, and the end results.
They allow the employer to quickly evaluate a candidate's mindset, and gauge how a candidate handles certain situations.
an interviewer for an upper management job may ask questions about leadership, independence, and creativity.

How to Prepare for Competency-Based Interview Questions
make a list of skills and attitudes that you think are important for the job for which you are interviewing.
Check the job listing for examples of required abilities.
Next, list situations in which you have demonstrated each of these competencies.
For each situation, write down the situation or problem, the actions you took to handle the problem, and the ultimate results
STAR stands for situation, task, action, result. Using this technique will help you give a brief, coherent, and structured response to interview questions.
Once you have prepared a list of situations, review it. By thinking of examples before the interview, you will be able to answer questions quickly and concisely.

Be Concise
It is easy to wander when answering a competency-based interview question, particularly if you do not have a specific situation or problem in mind.
Do Not Place Blame
If you are describing a particular problem or difficult situation (for example, a time when you had to work with a difficult boss), it may feel natural to attack or place blame on another person. However, these questions are about you, not about anyone else. Focus on what you did to manage the situation; do not dwell on other peoples’ issues or failures.


Examples of Competency-Based Interview Questions
Adaptability
Tell us about the biggest change you have had to deal with in your previous employment. How did you handle it?
Decisiveness
Tell us about a decision you made that you knew would be unpopular with certain people. How did you handle the decision-making process? How did you handle other peoples’ negative reactions?
Integrity
Tell us about a time when someone asked you to do something you objected to. How did you handle the situation?
Resilience
How do you deal with stress?
Describe a time in which you received negative feedback from an employer, colleague, or client. How did you manage this feedback? What was the outcome?
https://www.thebalancecareers.com/competency-based-interview-questions-2061195


  • This method is slightly more involved than the STAR method and some people may prefer using it, particularly if they have a lot of management experience from which to draw examples.

The SOARA method:

1) Identify a Situation that enables you to illustrate how you behaved in that recent event, giving particular emphasis to describing the required competency the question is aimed at assessing.

2) State the Objective you wanted to attain by the conclusion of this situation or event.

3) Describe what Action you took to achieve your objective. Your actions and behaviors must reflect those of someone who is performing the role. This is most easily shown in your reasoning for doing what you did and how you assessed alternatives.

4) Make sure you clearly state the Results of your decisions and actions as well as how you attained your objective.

5) Conclude your answer with a summary of what you learnt from this situation and how this has influenced you since. This is referred to as the Aftermath

To make it easier to identify the best events and challenges Helena has quickly created a 'situation mind map' from her work experiences and personal achievements. This visual representation of her resume will be copied and completed for each competency required in the role. In this example it is for 'strategic thinking.'

This mind map shows the five projects that enable her to illustrate strategic thinking. The table below shows how she uses SOARA to prepare an answer to the selected question.
If you are going to succeed in a competency-based interview then your answers must:

• Be specific in their description and detail
• Be concise and highlight your achievements clearly
• Show your actions were structured
• Convey the maximum achievement in the minimum time
• Give a strong and positive impression at the end of your answer
• Show what you learnt from the situation.

Key Points
The SOARA method is slightly more involved than the STAR method.
SOARA stands for: Situation, Objective, Action, Results, and Aftermath.
The process is similar to that of the STAR method explained earlier in that it is time consuming and takes a lot of work.
Both methods provide you with the best examples of competency-specific behaviors that you can use in all of your interviews.

http://www.free-management-ebooks.com/faqcr/competency-04.htm