Fidelis Blog

The Best of Both Worlds: A New Approach to Endpoint Security

There are two types of runners: long-distance runners and sprinters. Everything about them is different. Sprinters are built for power while marathoners are built for endurance. But what if you could break the mold and find all of those capabilities in a single athlete?

Endpoint detection and response (EDR) tools have faced a similar conundrum. Vendors have historically forced users to choose between architectures that were optimized for one activity at the expense of others. In short, the choices have been:

  • Optimize for Speed: These tools generally use a peer-to-peer architecture that enables endpoints to communicate with each other. The net result is speed: when you want to ask a question of your endpoints, you can get results in seconds across tens of thousands of endpoints.
  • Optimize for Detection: These tools typically stream events back from each endpoint to a centralized repository. This enables rapid, real-time detection because events from every endpoint can be searched in a single repository.
  • Optimize for Forensics: These tools are architected to perform deep on-endpoint forensics.

With today’s release of Fidelis Endpoint 6.1, we’ve eliminated that forced choice. The addition of centralized event monitoring to our existing peer-to-peer query capability and the rich forensics capabilities in the Fidelis agent means users can “get it all” in a single product.

Let’s see how this plays out in a typical use case.

Step 1: Detection
Like most traditional endpoint detection and response (EDR) solutions, Fidelis Endpoint now records and stores event data in a central location. In addition to enabling rapid detections, this accelerates the triage and validation of alerts because key event data such as files, processes, registry keys, network connections, URLs and DNS lookups are preserved in a centralized repository. This historical data is untouched and can provide valuable clues to trace an alert back to its original source, whereas data on the endpoint might be erased or altered by an attacker. By tracing an attacker’s activity back to the root cause, an organization is able to treat the core problem instead of playing a constant game of whack-a-mole.

Step 2: Response
But event data only tells part of the story. Sometimes you need to reach out to your endpoints to further investigate and respond. For example, maybe you identified a vulnerability that an attacker exploited and you want to search all of your endpoints to see which ones need to be patched. Or perhaps you identified a suspicious process and you want to see what other endpoints are running it. Or maybe you want to pull a file from the Autorun directory. What if you have determined the scope of an incident and need to isolate a group of endpoints?

All of these are time-consuming tasks. And endpoint solutions that stream endpoint events to a centralized repository universally fall down when it comes time for these tasks, because they are optimized for detection at the expense of rapid response. They were not built to scale, and when it comes to actions they are sluggish, costly and overly complex.

With today’s release of Fidelis Endpoint 6.1, Fidelis is now the only endpoint detection and response vendor that is optimized for both detection and response. We solve this by offering a hybrid architecture that also includes a peer-to-peer querying capability designed to quickly ingest and aggregate data. Using this method, users get answers to their questions, like those above, in seconds (vs. days or never).

Let’s look at an example of how this plays out in real life at a U.S.-based resort. They were facing a few challenges. First, they knew attackers were in their environment but they had no visibility into how the attackers were getting in and they felt like they were chasing ghosts. They relied on a manual process for retrieving and investigating endpoints when they suspected they were compromised. And to minimize disruption to their users they had to maintain a pool of “standby machines” with their gold image loaded on them so they could swap out machines when they suspected a laptop might be compromised. The entire process was slow, ineffective and costly.

Using Fidelis Endpoint, they were able to quickly validate alerts and see what other systems were compromised with a single click. With another click they created a rule to detect if the process executes in the future and automatically isolate the endpoint. Next, they were able to see how the attack unfolded using the process tree and determined that the root cause was a Java exploit. They queried all of the endpoints to determine which machines were vulnerable. Then, they pushed a patch down to all of the vulnerable machines.

Going back to where we started: I’m pretty sure that if we found an individual who was both a great sprinter and a great long-distance runner, they’d have a lot of medals in their closet. Here at Fidelis, now that we have the industry’s first EDR product that is architected to both detect and respond faster than any other product, we’re not looking to win any medals. But we’ll be happy knowing that there are more attackers on the outside looking in than on the inside looking out.

-Fidelis Cybersecurity Product Marketing Manager Jennifer Bielski