Presented By Charles Leaver And Written By Dr Al Hartmann
Part 2 in a 3 part series
Continuous Endpoint Monitoring Is Really Efficient
Convicting and blocking malicious scripts before they have the ability to compromise an endpoint is fine. But this approach is largely inadequate against cyber attacks that have been pre-tested to evade this type of security. The genuine problem is that these hidden attacks are carried out by proficient human hackers, while standard defense of the endpoint is an automated procedure run by endpoint security systems that rely mainly on basic anti-virus technology. Human intelligence is more creative and versatile than machine intelligence and will consistently be superior to automatic machine defenses. This underlines the findings of the Turing test, where automated defenses are trying to rise to the intellectual level of a skilled human hacker. At the current time, artificial intelligence and machine learning are not sophisticated enough to totally automate cyber defense; the human hacker is going to be victorious, while those infiltrated are left counting their losses. We are not living in a science fiction world where machines can out-think humans, so you must not assume that a security software suite will automatically take care of all of your issues and prevent all attacks and data loss.
The only genuine way to stop a determined human hacker is with a resolute human cyber defender. To engage your IT Security Operations Center (SOC) staff in doing this, they must have full visibility of network and endpoint operations. This kind of visibility will not be achieved with conventional endpoint antivirus suites; they are designed to stay silent unless they capture and quarantine malware. This conventional technique renders the endpoints opaque to security workers, and hackers exploit this endpoint opacity to conceal their attacks. The opacity extends backwards and forwards in time: your security workers don't know what was running across your endpoint population previously, or right now, or what can be expected in the future. If thorough security workers find hints that call for a forensic look-back to reveal hacker traits, your antivirus suite will be unable to assist. It would not have acted at the time, so no events would have been recorded.
On the other hand, continuous endpoint monitoring is always working: offering real-time visibility into endpoint operations, offering forensic look-backs so that newly emerging evidence of attacks can be acted on and earlier signs found, and providing a baseline of typical patterns of operation so that it knows exactly what to expect and can alert on any abnormalities in the future. Continuous endpoint monitoring offers not just visibility but informed visibility, applying behavioral analytics to spot operations that appear abnormal. Irregularities are continuously analyzed and aggregated by the analytics and reported to SOC personnel through the organization's security information and event management (SIEM) system, flagging the most worrying suspicious problems for security workers' attention and action. Continuous endpoint monitoring enhances and scales human intelligence; it does not replace it. It is a bit like the old game on Sesame Street, "One of these things is not like the other."
A kid can play this game. It is simple because many items (called high prevalence) resemble each other, but one or a small number (called low prevalence) are not the same and stand out. These distinctive actions taken by cyber wrongdoers have been quite consistent in hacking for decades. The Carbanak technical reports that listed the indicators of compromise are good examples of this and will be gone over below. When continuous endpoint monitoring security analytics are in place and reveal these patterns, it is easy to recognize something suspicious or unusual. Cyber security personnel will be able to carry out rapid triage on these abnormal patterns and quickly arrive at a yes/no/maybe response that distinguishes uncommon but known-good activities from destructive activities, or from activities that require additional monitoring and more insightful forensic examinations to verify.
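As an added illustration of the prevalence game described above (example code written for this page, not part of the original post or any product it describes), the following Python computes per-process prevalence across a constructed fleet inventory, flags low-prevalence items, and notes when a familiar process name is backed by an uncommon binary. The hostnames, process names and hash values are constructed placeholders, and the "(process name, image hash)" inventory shape is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample: per-endpoint inventories of (process name, image hash).
# Hosts and hash values are placeholders, not real indicators.
COMMON = {("explorer.exe", "h-explorer"), ("outlook.exe", "h-outlook"),
          ("svchost.exe", "h-svchost")}
INVENTORY = {f"ws-{i:03d}": set(COMMON) for i in range(1, 7)}
# One host runs an svchost.exe whose image hash matches nothing else in the fleet.
INVENTORY["ws-005"] = {("explorer.exe", "h-explorer"), ("svchost.exe", "h-svchost"),
                       ("svchost.exe", "h-unknown-7f")}

def prevalence(inventory):
    """Map each (name, hash) item to the number of endpoints it runs on."""
    counts = Counter()
    for procs in inventory.values():
        counts.update(procs)
    return counts

def low_prevalence(inventory, max_endpoints=1):
    """Items seen on at most max_endpoints hosts, with the hosts they ran on."""
    counts = prevalence(inventory)
    hosts = defaultdict(list)
    for host, procs in sorted(inventory.items()):
        for item in procs:
            if counts[item] <= max_endpoints:
                hosts[item].append(host)
    return dict(hosts)

def name_collisions(inventory):
    """Process names backed by more than one image hash: a familiar name
    (svchost.exe) on an unfamiliar binary deserves a triage look."""
    by_name = defaultdict(set)
    for procs in inventory.values():
        for name, image_hash in procs:
            by_name[name].add(image_hash)
    return {n: hs for n, hs in by_name.items() if len(hs) > 1}

def triage_report(inventory, max_endpoints=1):
    """Rank rare items for SOC triage, rarest first, with a reason string."""
    rare = low_prevalence(inventory, max_endpoints)
    collisions = name_collisions(inventory)
    report = []
    for (name, image_hash), hosts in sorted(rare.items(), key=lambda kv: len(kv[1])):
        reason = "low prevalence"
        if name in collisions:
            reason += "; name shared with a more common binary"
        report.append({"process": name, "hash": image_hash,
                       "hosts": hosts, "reason": reason})
    return report
```

Raising max_endpoints widens the net (here it would also surface the one host that does not run outlook.exe), which is the trade-off between coverage and triage load an analyst tunes against the fleet.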
There is no way for a hacker to pre-test their attacks when this defense is in place. Continuous endpoint monitoring security has a non-deterministic risk analytics component (that flags suspect activity) as well as a non-deterministic human element (that performs alert triage). Depending on the current activities, the endpoint population mix and the experience of the cyber security workers, developing attack activity may or may not be uncovered. This is the nature of cyber warfare and there are no guarantees. But if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.