New Visibility Features in Symantec Endpoint Detection and Response (EDR)
by Adan Mahmood
Cyber security is a relentless, high-stakes game of cat-and-mouse. And nowhere is this more true than in the realm of endpoint security. As enterprises have ramped up their investment in tools like endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions, cyber criminals have kept pace. Forced to find new ways to launch attacks, they are evolving, adapting, and developing ever more sophisticated attack strategies.
A principal attack strategy is to identify and target common blind spots in enterprise security infrastructures. Many of Symantec’s recent strategic investments in security products and services target attacker efforts to exploit these exact blind spots. Symantec, a division of Broadcom (NASDAQ: AVGO), added new capabilities to its EDR portfolio, raising its investment in advanced levels of protection.
These new tools are available as features in our flagship Symantec Endpoint Security Complete (SESC) product. Our foundational security product platform, SESC is designed to address security issues and the MITRE attack chain the only way that makes sense: holistically. SESC provides that holistic perspective while its individual tools and features address each of the different links in the attack chain from threat prevention early in the cycle to quickly detecting breaches and disabling attacks in progress.
The majority of the new features focus specifically on solving for three of the most common and potentially dangerous blind spots that we see across a majority of organizations. These three areas are:
- Trusted tools and applications
- Unprotected Active Directory (AD)
- Late discovery of breaches
Ending “Living Off the Land” Attacks
Trusted tools and apps are legitimate applications, dual-use tools and scripts that are almost impossible to avoid running in any organization. For example, virtually every organization uses Microsoft Office and PowerShell to drive worker productivity and routine Windows task automation. Along with third-party applications like Adobe Reader and Acrobat, they are so commonly used that they are practically ubiquitous, and as a consequence, default-trusted in the workplace.
In the colorful language of cyber security, attacks that use these commonly available, pre-installed tools are referred to as “living off the land” attacks. In other words, the attacker is using an organization’s own technology (land) to gain access to its most valuable data, financial, and other resources.
A major problem is that it has been very difficult to see what these apps and their scripts are actually doing once they are executed and loaded into the system’s memory. SESC addresses that blind spot by using a Microsoft technology called the Antimalware Scan Interface (AMSI) as, in effect, an “eyehole” into scripts running on an endpoint, such as PowerShell scripts or Microsoft Office macros. The Symantec agent collects the script content AMSI exposes and makes it searchable so that malicious scripts can be uncovered.
Preventing the Chief Source of Ransomware
Most organizations have their endpoints joined to Active Directory. A great deal of information is reachable through that connection, most importantly information about credentials and privileged accounts that attackers can use to move laterally across an organization and reach its most valuable resources. When attackers attempt to access this data, many of their activities are recorded by Windows through a technology called Event Tracing for Windows (ETW). For example, ETW can record an event when a remote desktop connection is established from a compromised endpoint. The problem has been that ETW is yet another data source that must be correlated with all of the other activity the agent records. Our SESC agent closes that blind spot, and with it the number one source of all successful ransomware attacks, by tapping into that additional data feed and automatically correlating it with all activities related to an attack.
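The paragraph above uses remote desktop connections as its example of the activity ETW records. The following script is an added illustration, not Symantec's code or part of the original post: it reads the ETW-backed TerminalServices operational channels on a Windows endpoint and summarizes, per remote source address, which RDP sessions were opened in the last 24 hours. It assumes an elevated PowerShell session on the endpoint being inspected and relies on the documented event IDs 1149 (network authentication succeeded) and 21 (session logon succeeded).

```powershell
# Added example, not code from the Symantec post: list the RDP connections that
# Windows' ETW-backed TerminalServices channels recorded on this endpoint in the
# last 24 hours, grouped by the remote address that initiated them. Run from an
# elevated PowerShell session on the endpoint being inspected.

$since = (Get-Date).AddHours(-24)

# Two channels carry the connection events an analyst correlates:
#   1149 (RemoteConnectionManager): RDP network authentication succeeded;
#         Properties = user, domain, source address.
#   21   (LocalSessionManager): session logon succeeded;
#         Properties = user, session id, source address.
$queries = @(
    @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
       Id = 1149; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
       Id = 21; StartTime = $since }
)

$rows = foreach ($q in $queries) {
    # SilentlyContinue: Get-WinEvent reports an error when a channel has no matches.
    $found = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
    foreach ($e in $found) {
        $p = $e.Properties
        if ($e.Id -eq 1149) { $user = "$($p[1].Value)\$($p[0].Value)" }
        else                { $user = $p[0].Value }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = $user
            Source  = $p[2].Value
        }
    }
}

if (-not $rows) {
    Write-Output "No RDP connection events recorded since $since."
    return
}

# One line per remote source: session count, accounts used, first and last seen.
$rows | Group-Object Source | ForEach-Object {
    [pscustomobject]@{
        Source    = $_.Name
        Sessions  = $_.Count
        Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
        FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Sessions -Descending | Format-Table -AutoSize
```

A source address that appears with several different accounts, or outside normal working hours, is the kind of pattern the correlated view described above is meant to surface.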
Additionally, SESC’s Threat Defense for Active Directory prevents, not just detects, lateral movement of attackers using credential theft. It’s able to do this by obfuscating account credentials in the endpoint’s memory so the attacker is misled. Subsequently, their process is automatically blocked to contain the attack.
Cutting Through the Noise
If an organization does suffer a breach, nothing is more important than to identify that fact as soon as possible. To help with that task many organizations have deployed a rising number of security tools. The problem is that the more security tools, the more alerts. The result is that SOC analysts are being fire-hosed with way too many data streams for their limited time and resources.
SESC closes this third major blind spot. Using advanced machine learning techniques, SESC’s Threat Hunter looks for unusual behavior and alerts our own experts here at Symantec when it does. Symantec threat hunters then immediately notify the organization’s SOC, dramatically reducing the response time to repair the breach.
We’ve Got Your Back
Taken together, these enhancements to SESC bring a new level of comprehensive security by eliminating the common blind spots in most enterprise security infrastructures. But these enhancements are not alone. We are also constantly adding new features to SESC, such as Granular Activity Recorder Rules, to help analysts and system administrators collect data even more efficiently and eliminate unnecessary event noise.
Another recently added feature allows you to block non-executable scripts, documents, and other files, closing what is, if not exactly a blind spot, another major gap in the response mechanisms found in many EDR products.
All of these features are included within Symantec Endpoint Security Complete, the core of our defense in-depth strategy and the foundation upon which we will continually innovate. All built into a single agent and a single platform. From prevention to detection to augmenting your own security resources, in this relentless high-stakes game of cyber security cat-and-mouse: We’ve got your back.