Endpoint Protection and Response: Time to Remediation

In this article, we’ll demonstrate the actual time savings observed when using an artificial intelligence (AI)-based prevention and visibility approach to security, as compared to traditional signature-based antivirus (AV) protection in a cybersecurity lab forensic investigation.

Background

The advent of Endpoint Protection and Response (EDR) software has been a boon for traditional antivirus vendors struggling with the mass propagation of malware. This technology holds the promise of enabling a “hunt-and-kill” solution when malware evades the first-line defense of signature-based AV. At its core, EDR is focused on providing endpoint visibility and insights to help security analysts discover, investigate and respond to advanced persistent threats within an organization’s IT infrastructure.

“Implementing an EDR product can be very complex”, states NSS Labs Chief Technology Officer Jason Brvenik. Accordingly, an EDR specialist’s functional expertise spans Application Programming Interface (API) calls, data exfiltration, file systems, network traffic, the registry, and system and data integrity. These advanced skills are more commonly found among more tenured cybersecurity specialists, whose time often comes at a premium. As such, forward-thinking, security-minded organizations scrutinize the hours spent by a senior EDR specialist, reserving them for more strategic tasks, while basic security hygiene (“blocking and tackling”) is delegated to more junior security administrators.

So, how can an organization make the most of its highly trained EDR security specialists’ time, while ensuring its forensic security teams have the information they need to investigate malfeasant activity, all while preserving the integrity of the organization’s prime asset: its data?

Approach and Methodology

Recent advances in artificial intelligence-based approaches to cybersecurity point to one solution. To quantify it, AI cybersecurity company Cylance recently undertook an effort to identify the tasks performed in a typical cybersecurity lab environment, group them into rational batches, and analyze the observations. Two primary methodologies were examined:

  • Virtual Machine (VM) Number 1 (AI-based antivirus plus preventative EDR) was equipped with an AI-based prevention solution coupled with its AI-based preventative EDR.
  • Virtual Machine Number 2 (signature-based antivirus plus EDR) was similarly equipped, but configured so that it deliberately did not block, prevent or stop anything; instead, it logged all events.

The process employed was as follows:

  • A weaponized Word document was detonated (executed) in both VMs.
  • The analyst followed and analyzed the events produced by the solutions in each VM.
  • Each step was timed and logged.

Test Results

Unsurprisingly, the VM with only monitoring enabled exhibited far more symptoms and logged far more data compared to the VM where AI-based prevention and protection was enabled.

As a result, VM Number 2 showed evidence of data loss and signs of malware code executing. Due to the evidence of lost data, a responsible security practitioner would most likely be compelled to start their formal incident response processes, including conferring with legal counsel, law enforcement and external forensics consultancies at this stage in a cybersecurity attack.

Here is a summary of the findings:

Task                  AI-based approach (minutes)   Signature-based approach (minutes)
Analysis              2                             4
Validation            41                            35
Incident Response     28                            93
Forensics             0                             560
Remediation           51                            314
Total                 122                           1006


Even though both security methodologies ultimately yielded results (namely, the sequence of events was understood and some level of remediation took place), under the traditional, signature-based approach user credentials were compromised and the endpoint communicated with (in our test case) a foreign and politically unfriendly entity, requiring substantial reimaging of the affected endpoint and forensic analysis effort.

This has a quantifiable remediation time penalty, as well as untold damage to data integrity, and ultimately, the potential for damaged corporate brand equity and reputation.

Conclusion

In an era where the most highly trained cybersecurity experts are charged with forensic investigation of threats to corporate bullion, every minute counts. Leading cybersecurity practitioners are seeking novel ways to ensure their investigation time is maximized and the dwell time of cyber threats is minimized.

Cylance is leading the charge to save this precious time by applying an artificial intelligence-based approach to both prevention and to preventative EDR techniques.