Endpoint security is broken.
Yes, you’ve heard it before – traditional, signature-based antivirus (AV) can’t keep up with the volume of new malware and advanced attack methods being developed by cyber criminals every day. And that’s absolutely true. But a report published last year highlights an even more concerning issue with endpoint security.
According to The Ponemon Institute’s 2017 Cost of Data Breach study, the average time to identify a successful breach is 191 days. And as if that’s not alarming enough, the report goes on to say that even after a breach has been identified, it takes an average of 66 days to contain the issue.
Forget about malware prevention for a moment. Prevention is obviously a critical aspect of effective security, but the two statistics above speak to the two most significant gaps in traditional endpoint security, namely:
- Lack of visibility
- Lack of operational control
Lack of Visibility
Average time to identify is so high because many organizations are still relying on tools that leave them blind to any endpoint activity that doesn’t trip a signature-based alarm. Attackers constantly test new techniques and understand the limitations of AV better than anyone, and they masterfully exploit those blind spots to evade antivirus and remain undetected for weeks or months.
Once the security or IT team finally detects a breach, they are forced to use other products, such as network traffic logs, to fill in the visibility gaps and determine root cause of the breach.
The good news is that this visibility problem is already starting to be addressed. While traditional antivirus is almost entirely focused on binary prevention against known malicious files, next-gen antivirus (NGAV) and endpoint detection & response (EDR) products are increasingly coming together to provide advanced prevention and visibility in a single tool. This gradual evolution has been completely necessary to give organizations the ability to better understand and defend against techniques that often evade traditional AV.
Lack of Operational Control
The real concern here should be around the two-plus months that it takes, on average, for a breach to be contained once it has already been identified.
That containment and remediation process is generally a weeks-long fire drill that runs from discovery through triage, root-cause analysis, containment, creation of a full remediation plan, and executive approval, plus days of lost productivity due to travel or having endpoints shipped to HQ in order to create disk images of compromised machines, make updates, close remaining gaps, test fixes, etc. And within each step in that process lie varying degrees of automation and orchestration between different teams within the organization.
But why? Why is it that, once the security team has uncovered IOCs and done the research to understand the scope of the attack, you wouldn’t want an administrator to immediately begin capturing detailed forensic data and remediating the problem?
According to the Ponemon study, and likely any executive you ask, doing so would drastically minimize risk of further damage caused by the attacker. It would also significantly decrease the amount of time and money spent on travel for staff or shipping of machines. It’s a no-brainer, except for one small problem.
“The faster the data breach can be identified and contained, the lower the cost.” – The Ponemon Institute 2017 Cost of Data Breach Study.
The average security team doesn’t have a tool in their stack that gives them the ability to take operational action and remediate issues remotely. Because these teams aren’t given the tools needed to directly remediate issues associated with a breach, organizations are forced to create cumbersome processes (like the one above) that rely on multiple siloed tools, dispersed teams, and far too many red-eye flights.
So How Do We Fix This Problem?
While it’s absolutely a step in the right direction, it’s clear that the additional visibility provided by most NGAV solutions just isn’t enough. Without the ability to take immediate action as soon as a breach is confirmed, organizations are forced to incur significant costs on remediation processes that may leave them as sitting ducks for weeks and months.
All the while, the adversary likely recognizes that they’ve been found and has the opportunity to cover their tracks or perform more drastic actions while they still have one foot in the door.
This is the exact problem that we were addressing at Carbon Black when we built Live Response functionality into our cloud-based endpoint security platform. Live Response provides administrators with a secure remote shell into any protected endpoint to perform memory dumps, delete files, kill processes, or run scripts for comprehensive remediation in minutes.
This solution provides security teams with one of the fastest ways to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, helping to eliminate uncertainty and greatly reduce any downtime that results from an attack.
And what makes this even more powerful is that it sits on our cloud-based security platform alongside advanced prevention and detection functionality, giving SecOps teams a single console that gives them what they need to do their jobs.
It is exactly this type of consolidated security platform that allows individual teams to eliminate weeks-long remediation processes, and allows us as an industry to drastically reduce the average time to identify and time to contain breaches.
Want to learn more about how Carbon Black’s next-gen AV and EDR solution has the combined power of prevention, detection, response, and operations in a single cloud-based platform? Join our weekly demo of Cb Defense to learn how you can remediate attacks with Live Response.