Last Updated on June 29, 2021
A big tradeoff with today’s threat detection/response tools, like intrusion detection & response, endpoint detection & response (EDR), network detection and response (NDR) or extended detection & response (XDR), is how much automation they offer—and what risks are associated with turning on that automation for your organization specifically.
Human-supported threat analysis adds cost, but also reduces the fallout from non-optimal decisions made and actions taken programmatically. How do you know what mix of automation and human-supported services is right for you?
To share expert guidance on this hot topic and other prevalent questions around EDR and related solutions, Chris Nyhuis, President and CEO at Vigilant, joined a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
John queries: “So, current-gen EDR… [is it] like old-school intrusion detection, which would just make noise? Version intrusion prevention, which would actually block an action? Does EDR take action directly? If so, what type of action? Or does it alert, and work in concert with a SOC [Security Operations Center] or a SIM [Security Information Management]? Or somebody who sees the information that the EDR forwarded?”
“It depends,” replies Chris. “Because when you take the person out of the scenario, security for you is really just guesswork. And you’re hoping that this technology guesses well enough.”
“If you think about it in terms of your own life, would you attach a mechanism to your heart that would guess whether or not you’re healthy and then make a totally uninvestigated decision, and then take action?” hypothesizes Chris. “Probably not, if it was life-or-death for you. And the thing you have to really realize as an organization is [security] is life-or-death for your organization. You can make a lot of really bad financial decisions and recover from that over years… but security you can’t.”
Chris continues: “So, the reason I say, ‘It depends,’ is because if it’s a threat that’s kind of like an on/off switch, if it does this, do this, right? … That becomes what we would consider [automated] prevention, where you detect something and you automatically shut it down.
“If you’re in a scenario where your risk of shutting down that communication is low, then ‘intrusion prevention automatic’ is not necessarily high-risk for you, and the risk of not shutting that potential threat down is higher. But if you’re in a banking scenario, where if communication was shut down, you might lose a billion dollars in transactions, that causes an issue.
“So, organizations have to really look at the security that they put in place, look at the risk over the thing they’re protecting, and it has to be granular. Because security can’t be one size fits all. It has to be built for you. You have to look at that risk and ask, ‘What do I want to do automatically? And then what do I need to involve people in?’
“The other aspect of that… We’ve had major incidents, where we’ve gone in and there’s a nation state coming through a company that picks up trash, right? You would never think they’d be involved in a nation state to nation state war, but they bounce through that organization, and back out to another company. If their detection automatically just stopped things, well now you just destroyed evidence, you just destroyed maybe a potential ability to understand how someone got in all these things,” Chris points out.
If you need to up your security game and are considering EDR/NDR technology, don’t miss this podcast episode with Chris Nyhuis from Vigilant.