Where’s the Beef?

Many Endpoint Detection and Response (EDR) companies are very large and well provided with significant advertising budgets and creative staff to generate marketing campaigns that emphasize their Artificial Intelligence (AI), Machine Learning (ML) and many other trendy and compelling buzzwords. But one may be forgiven for asking, sometimes: ‘Where’s The Beef?’

What I mean by ‘Where’s the Beef?’ is: what are the significant advantages to users in choosing an EDR, beyond the marketing hype? Does the EDR deliver as advertised? In our very competitive world, the key thing for large, publicly listed security companies is to have a market and advertising presence, and sometimes (often, in fact) the substance of what is delivered falls far short of the hype. Sometimes the AI, the ML and all the rest do not deliver the goods or meet our expectations, especially when we find advanced malware bypassing the EDR, notwithstanding the glossy advertising and big marketing budgets.

When crafting a security posture for your company, be it a Small or Medium Enterprise (SME) or a large conglomerate, you need to consider a multi-layered approach to security as the best way to thwart increasingly sophisticated and persistent threats. By multi-layered, I mean a combination of a firewall, Anti-Virus (AV) and an EDR. But the choice of EDR is critical.

The key considerations on selecting an EDR for positive security outcomes are as follows:

  • Is the advanced threat caught or detected at all?
  • Is the advanced threat contained and isolated before it causes irreparable harm?

Most traditional EDRs take a reactive, query-based approach driven by a list of known bad activities; the most appropriate analogy is ‘looking for a needle in a haystack’, that is, looking for suspicious behaviors and Indicators of Compromise (IoCs). Most EDRs are reactive and do not include pro-active threat-hunting in their base offering. Of course, traditional EDR companies will gladly up-sell expensive threat-hunting from foreign experts, at a cost.

OmniSecuritas, using CYDEF’s SMART-Monitor advanced pro-active EDR, turns the traditional EDR model on its head: it baselines all normal behavior and uses human threat-hunters to seek and destroy threats that are too sophisticated, or too specifically engineered, to be caught by the firewall, the AV and the traditional algorithmic automatic threat detection in traditional EDRs. To continue the analogy: instead of looking for a ‘needle in a haystack’, we define ‘what the haystack looks like’ and investigate everything. This is a real ‘Zero Trust’ model. Traditional reactive EDRs implicitly trust anything that is not flagged by their AI. That is where we at OmniSecuritas and CYDEF deliver the goods: we trust nothing and investigate everything, using our powerful AI and ML along with human threat-hunters.

I just want to clarify that it isn’t so much the sophisticated AI algorithm that makes the better OmniSecuritas/CYDEF detection rate possible; in fact, it is the entire methodology that makes the detections possible. The CYDEF AI takes the millions of raw logs and truncates and organizes them into the following categories for pro-active human threat-hunter investigation:

  1. Known proven good and normal activities – listed in green
  2. Unknown activities – listed in white
  3. Activities that need to be investigated because they can be manipulated to do bad things (PowerShell, certutil, CMD) – listed in yellow
  4. Bad activities – with threat intelligence database hits or known to be bad – listed in red

Our security analysts then manually review all activities (green, white, yellow and red) to determine what the problem is, where it came from and where it spread to (using the patented stack view), and then work with your team to contain it and give remediation advice.
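To make the colour-coded triage concrete, here is an added Python sketch (not CYDEF’s SMART-Monitor code, and not OmniSecuritas’ own) that learns a baseline of normal parent/child process pairs from clean telemetry and then puts every new event into exactly one bucket, so nothing is dropped merely because no detection rule fired. The event records, the watchlist and the threat-intelligence hashes are all constructed for illustration.

```python
# Added example (not CYDEF/OmniSecuritas code): four-colour triage of process
# events starting from a baseline of known-normal activity. All data constructed.
from collections import Counter

# Tools the text names as abusable even when their use is routine.
WATCHLIST = {"powershell.exe", "certutil.exe", "cmd.exe"}

# Constructed threat-intelligence hits (placeholder values, not real IoCs).
THREAT_INTEL_HASHES = {"deadbeef00000000000000000000000000000001"}

def build_baseline(events, min_count=2):
    """Define 'what the haystack looks like': (parent, image) pairs seen at
    least min_count times in known-clean telemetry."""
    seen = Counter((e["parent"], e["image"]) for e in events)
    return {pair for pair, n in seen.items() if n >= min_count}

def classify(event, baseline):
    """Return red/yellow/green/white. Order matters: a threat-intel hit or a
    watchlisted tool is reviewed even if the pair is already baselined."""
    if event["sha1"] in THREAT_INTEL_HASHES:
        return "red"
    if event["image"] in WATCHLIST:
        return "yellow"
    if (event["parent"], event["image"]) in baseline:
        return "green"
    return "white"          # unknown: neither proven good nor known bad

def triage_queue(events, baseline):
    """Every event is tagged and queued for the analyst, worst first."""
    order = {"red": 0, "yellow": 1, "white": 2, "green": 3}
    tagged = [(classify(e, baseline), e) for e in events]
    return sorted(tagged, key=lambda t: order[t[0]])

# Constructed clean telemetry used to learn the baseline.
BASELINE_EVENTS = [
    {"parent": "explorer.exe", "image": "outlook.exe", "sha1": "a" * 40},
    {"parent": "explorer.exe", "image": "outlook.exe", "sha1": "a" * 40},
    {"parent": "services.exe", "image": "svchost.exe", "sha1": "b" * 40},
    {"parent": "services.exe", "image": "svchost.exe", "sha1": "b" * 40},
]

# Constructed new events to triage: one of each colour.
NEW_EVENTS = [
    {"parent": "explorer.exe", "image": "outlook.exe", "sha1": "a" * 40},
    {"parent": "outlook.exe", "image": "powershell.exe", "sha1": "c" * 40},
    {"parent": "explorer.exe", "image": "updater.exe", "sha1": "d" * 40},
    {"parent": "updater.exe", "image": "dropper.exe",
     "sha1": "deadbeef00000000000000000000000000000001"},
]
```

Calling `triage_queue(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` returns the events in red, yellow, white, green order; in a real deployment the baseline would be learned per host over time rather than from a fixed list.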

So, when you are faced with big security companies throwing a lot of expensive advertising and slick promotions at you, please ask yourself: Where’s the Beef?

Bernard Gibbs