Back in the day (and to some extent even today), companies hired incident response teams to come in and investigate security breaches. In 2013, the most reliable among these was Mandiant. They offered security professionals that were always ready to jump in and find out what happened. And they were not cheap.
In parallel, some more technical enterprises began to invest in visibility tools like Facebook’s osquery and other ways to see into networks. That opened a new category for the overcrowded market of cybersecurity, and many new solutions were created as a result. These often fell under the umbrella term “EDR” (originally endpoint threat detection and response).
With that revolution, the inherent problems of EDR solutions started to show. You needed a highly skilled crew to manage these solutions as they provide so much data (most of which lacked any context). Enterprises found themselves hiring more and more bodies to solve this problem, but the past couple of years have seen barely a month go by without the news headline of yet another high-profile data breach.
The other critical problem of EDR revolved around “dwell time.” Dwell time represents the time between infection and discovery of the malicious activity. The 2019 Ponemon Cost of a Data Breach Report found the average time to identify a breach was 206 days. In some cases, even 10 seconds is too long—attackers can run their code, execute their attack, wrap up, and clean up in a matter of a few seconds. Any solution that can’t detect in real time is too late in the game.
Cybersecurity firms have tried to solve this problem in several ways.
1. Create a hunt chat bot
To simplify the life of the security analyst, one strategy is to have the professionally trained security operations center (SOC) analyst converse with a chat bot. Getting a chat bot to understand exactly what you mean can often be more challenging than simply writing the SQL query you write every day, particularly for an experienced threat hunter.
2. Rely on a custom SOC
If you have a SOC, it will allow you to see more and do more to maintain business security. With that said, throwing more uncorrelated data at your team without true context creates alert fatigue and an unhappy team. SOC analysts have advanced skills and should be doing the advanced work. Instead of laboriously piecing the picture together, they should work from already contextualized data that gives them the attack storyline to begin with—so they can use their skills to decide on additional action beyond merely stopping the attack.
3. Provide a service on top of the technology
This is becoming popular and it’s a good, sometimes necessary, move—many enterprises don’t have staff with the skillset needed to hunt and understand the data seen on their own network. As valuable as these services can be, there are still aspects of their work you should automate, such as real-time response, because waiting for a service powered by people may take too long. If you have a technology that can see everything that’s happening in real time and an on-device AI that can immediately take the necessary remediation action, then the problem of dwell time is significantly reduced. There’s simply real-time detection and response.
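As an added illustration of the two ideas above (contextualized data that hands the analyst an attack storyline instead of isolated events, and detection that fires at ingest time so dwell time stays small), the following Python sketch groups a stream of endpoint events into per-process-tree storylines, scores each story with a few behaviour rules, and raises one prioritized alert per story with its process lineage and the dwell time measured from the first flagged behaviour. This is example code written for this article; it is not SolarWinds or SentinelOne code, and the rules, tag weights, threshold and sample telemetry are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Behaviour rules, weights and threshold are assumptions for this example, not any product's logic.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
TAG_WEIGHT = {"office_spawns_shell": 3, "encoded_command": 2, "outbound_connection": 2}
ALERT_THRESHOLD = 6  # a story is flagged once its accumulated weight reaches this


@dataclass
class Event:
    ts: datetime
    kind: str        # "process" (process start) or "network" (outbound connection)
    pid: int
    ppid: int
    image: str       # image name of the process the event belongs to
    detail: str      # command line for process events, destination for network events
    tags: list = field(default_factory=list)


@dataclass
class Storyline:
    root_pid: int
    events: list = field(default_factory=list)
    procs: dict = field(default_factory=dict)   # pid -> (ppid, image) seen in this story
    detected_at: datetime = None                # when the running score crossed the threshold

    def score(self):
        return sum(TAG_WEIGHT[t] for e in self.events for t in e.tags)

    def lineage(self, pid):
        """Ancestry chain of pid within the story, oldest ancestor first."""
        chain = []
        while pid in self.procs:
            pid, image = self.procs[pid]
            chain.append(image)
        return " > ".join(reversed(chain))

    def dwell_time(self):
        """Time from the first flagged behaviour to the moment the story was alerted on."""
        if self.detected_at is None:
            return None
        return self.detected_at - min(e.ts for e in self.events if e.tags)


def tag_event(ev, image_of):
    """Return behaviour tags for one event; image_of maps already-seen pids to images."""
    tags = []
    if ev.kind == "process":
        if image_of.get(ev.ppid) in OFFICE_APPS and ev.image in SHELLS:
            tags.append("office_spawns_shell")
        if ev.image in SHELLS and "-enc" in ev.detail.lower():
            tags.append("encoded_command")
    elif ev.kind == "network":
        tags.append("outbound_connection")
    return tags


def process(events):
    """Stream events in time order into per-root storylines and flag each story the
    moment its running score reaches ALERT_THRESHOLD (detection at ingest, not in a later batch)."""
    parent_of, image_of, stories = {}, {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process" and ev.pid not in parent_of:
            parent_of[ev.pid] = ev.ppid
            image_of[ev.pid] = ev.image
        ev.tags = tag_event(ev, image_of)
        root = ev.pid                       # walk up until the parent is unknown to us
        while parent_of.get(root) in parent_of:
            root = parent_of[root]
        story = stories.setdefault(root, Storyline(root))
        story.events.append(ev)
        if ev.pid in parent_of:
            story.procs.setdefault(ev.pid, (parent_of[ev.pid], image_of[ev.pid]))
        if story.detected_at is None and story.score() >= ALERT_THRESHOLD:
            story.detected_at = ev.ts
    return sorted(stories.values(), key=lambda s: s.score(), reverse=True)


def alerts(stories):
    """One prioritized alert per flagged story rather than one per raw event."""
    out = []
    for s in stories:
        if s.detected_at is None:
            continue
        flagged = [e for e in s.events if e.tags]
        worst = max(flagged, key=lambda e: sum(TAG_WEIGHT[t] for t in e.tags))
        out.append({"root_pid": s.root_pid, "score": s.score(), "chain": s.lineage(worst.pid),
                    "tags": sorted({t for e in flagged for t in e.tags}),
                    "dwell_seconds": s.dwell_time().total_seconds()})
    return out


# Constructed sample telemetry (not real data): a mail attachment spawns an encoded
# PowerShell command, which then opens an outbound connection; two unrelated processes follow.
T0 = datetime(2019, 11, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 200, 100, "outlook.exe", "outlook.exe"),
    Event(T0 + timedelta(minutes=5), "process", 300, 200, "winword.exe", 'winword.exe /n "invoice.docx"'),
    Event(T0 + timedelta(minutes=5, seconds=4), "process", 400, 300, "powershell.exe",
          "powershell.exe -w hidden -enc <base64 placeholder>"),
    Event(T0 + timedelta(minutes=5, seconds=5), "network", 400, 300, "powershell.exe", "203.0.113.7:443"),
    Event(T0 + timedelta(minutes=6), "process", 500, 100, "chrome.exe", "chrome.exe"),
    Event(T0 + timedelta(minutes=7), "process", 600, 4, "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for a in alerts(process(SAMPLE_EVENTS)):
        print(f"[score {a['score']}] {a['chain']}  tags={a['tags']}  dwell={a['dwell_seconds']}s")
```

On the sample data the analyst receives a single alert carrying the chain `outlook.exe > winword.exe > powershell.exe`, the three behaviours that built the score, and a dwell time of one second (the story crossed the threshold on the event after the first flagged one); the browser and service-host trees score zero and never surface. The design point is that alerting is evaluated as each event arrives, so there is no query-and-wait gap between the behaviour and the decision to act.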
SolarWinds EDR
Imagine if you had a SOC analyst on each endpoint, transforming massive amounts of data into attack stories and raising high-quality, prioritized alerts when threat behavior is observed. That’s the goal of SolarWinds® Endpoint Detection and Response, powered by SentinelOne. At machine speed, SolarWinds EDR can help prevent, detect, and respond to advanced attacks regardless of delivery vectors, whether the endpoint is connected to the cloud or not. The solution can help teams gain the context to not only understand what is found, but to autonomously block attacks in real time.
Learn more about SolarWinds EDR and how it can help your MSP business today by visiting the site today.
Note: This article has been reprinted and slightly modified with permission from SentinelOne.