Stop me if you've heard this story before...
Three blind men were traveling down the road to visit a friend. On the way, they encountered an elephant. Not being able to see it, they each stopped and felt the elephant to figure out what sort of creature it was. The first one grabbed the trunk and thought it was like a snake. Another touched the tusk and thought it was similar to a spear. The third one felt the leg and compared the creature to a giant tree. Each man came away with a very different conclusion about what the creature was. So confident was each in his own observation, and so assured that he knew what the creature was, that they started arguing among themselves. Finally, their friend met them on the road and stopped their arguing. This wise friend was asked to settle the argument once and for all. She said, "Each of you only felt a small part of the creature. To understand what it really is, you must combine your knowledge to learn the whole truth."
When I think of this story and how each person focused on just one aspect of the elephant (thereby missing the larger picture), it reminds me of how many organizations I speak with commonly approach endpoint security. For example, when asked about endpoint threats, people immediately think of viruses or malware. For compliance and protection, organizations routinely deploy antivirus or antimalware agents onto endpoints. Here, the strategy for a multitude of organizations remains simply "setting and forgetting" this type of preventive endpoint technology. The frequent assumption here is that there's only one way to protect an endpoint.
Well, preventive technology, just like an elephant's trunk or tusk, is simply one part of endpoint security. Did you know that 70-90% of malware samples are unique or targeted to an organization? What should an organization do about those malware attacks that antivirus or antimalware can't detect (either because it doesn't have the signature, the right model, or the right detection capabilities)? What about non-malware threats? How about stolen credential usage? Memory-resident attacks? Good applications doing bad things? Inappropriate PowerShell usage? How about "endpoints" that live in the cloud? Fundamentally, this frequent overreliance on endpoint protection platforms prevents organizations from seeing the bigger picture and puts the entire organization at higher security risk.
Here, at RSA, we are committed to helping organizations recognize that larger picture, see everything, and accelerate their threat detection and response capabilities. Today, endpoint security cannot be solely about detecting and stopping just malware. Our solution, RSA NetWitness® Endpoint, helps organizations by continuously monitoring all endpoints (from laptops to servers and virtual machines in the cloud) to better detect, analyze, and identify zero-day, unique and targeted threats, and even "file-less", non-malware attacks that other endpoint security solutions miss.
Since a standard endpoint defense looks for known malware, or perhaps the odd binary on an endpoint, it is blind to other methods of attack. Instead of relying on signatures or easily-thwarted preventive models, RSA NetWitness Endpoint leverages behavior-based detection for both suspicious attacks and user-initiated events. Building on this foundation, RSA NetWitness Endpoint further applies blacklisting, whitelisting, community reputation, threat intelligence, and even live memory analysis in its continuous threat analysis. By bringing these multiple detection methodologies together, RSA NetWitness Endpoint can more rapidly and more accurately identify suspicious and malicious threats, enabling 3X faster incident response.
By leveraging RSA NetWitness Endpoint as a core part of their endpoint security strategy, all those previously-blind organizations making their way down the road to security are finally able to see the entirety of these elephant-sized threats for what they actually are...and, ultimately, are much safer for it.
Author: David D'Aprile
Category: Archive, Threat Detection and Response, Blog Post