Carbon Black’s Open Letter to Cylance: Welcome to EDR!

Welcome_Letter
Brian_Gladstein
May 31, 2017 / Brian Gladstein

Cylance,

Welcome to the exciting world of EDR! We’re excited to learn you have finally recognized the value (and necessity) that comes from converging detection and response with prevention.

As we both know,  success in endpoint security is no longer about who has the biggest shield. Attackers are more sophisticated than ever and know how to get onto an endpoint without setting off the alarms. That’s why detection and response are critical — to find threats that get past file-based malware identification. We at Carbon Black have long known this to be true.

But fair warning – we’ve been in this market for a while and have learned a lot about what it takes to make organizations successful when it comes to security. It seems you have a lot of work ahead of you to get CylanceOPTICS to the level it needs to be — all the way down to some core architectural decisions you’ve made. So, as you continue to develop your EDR platform, make sure you are paying attention to these four primary requirements:

1- Must be able to see threats beyond malware

If you only have visibility into malware that successfully breaks through defenses, you’re missing much of what’s actually going on. In fact, only 47% of breaches use malware — the rest use non-malware techniques. EDR needs to show all these attacks, including the more dangerous non-malware attacks that use the operating system and existing applications to compromise a system.

Providing visibility into the malware you stop just isn’t enough — customers need detection of threats beyond blocked malware to get the full picture.

2- Must use the cloud for data storage and complete visibility

When you store EDR data on endpoints’ local disks, you never have complete visibility — which is required for detecting modern threats. Not only do you give up the ability to aggregate and analyze data across endpoints, but you also store less. According to your online brochure, CylanceOPTICS allocates 1GB of storage on each device for EDR functions, and it collects data at the rate of 100MB per day (according to its published specifications). This means that, at best, you have only 10 days of data to tap into if you discover a threat in your environment.

Even worse, an attacker can (and will most likely) delete this local data. The attacker doesn’t need to break encryption or read the data; once the attacker gets in and does this, all of your visibility disappears, and you are as blind as if you had nothing.

This is why the cloud is essential. With centralized recording in the cloud, these barriers disappear due to its unlimited storage capacity and clear separation from the attacker’s reach.

3 – Must tap into known threat watchlists and intel feeds

Despite aggressive worms and growing automation, it’s important to remember that attackers are human. That’s exactly why threat intel networks are an enormous defensive asset to protect us against these humans. When new attacks are found, they are shared and incorporated extremely quickly throughout the community. This reduces the time an attack can feasibly succeed, pushing attackers ever back to the proverbial drawing board

If you are, instead, relying solely on algorithms (machine learning, artificial intelligence, etc.) to see new attacks, you’ll miss some attacks with no ability to catch up until it’s too late. This also means threat hunters are left without the proper weapons to do their jobs effectively to root out an attack lurking across their network.

4 – Must be easy

Speed of response matters. Your UI needs to enable responders to quickly alert, help triage and control the situation. Since there is a lot of information associated with attacks, your EDR platform needs to organize it and convey it in a way that’s easily digestible and actionable.

And, it needs to be practical. When you’re under the pressure of an attack, the last thing you need is to wade through pages and pages of information when the system can do the work for you. Ensure that it is easy to “read” an attack so you can know what happened immediately and act confidently. Unfortunately — at least in the opinion of respected threat-hunters we know — the CylanceOPTICS user interface simply doesn’t meet that bar.

How Do We Stack Up?

Recognizing the need and benefits of integrating NGAV and EDR capabilities is the first step toward helping the larger community become more secure. We’re excited you’ve taken that first step – and can’t wait to see you take the next one.

Learn more about Cb Defense here.

Related Posts