NSS Labs released the results of its Advanced Endpoint Protection (AEP) v2.0 Group Test last month, providing insight into the security efficacy, visibility, and value of 20 endpoint product vendors.

Endpoint security technology remains a focal point for most enterprises. Despite the importance of AEP products, which are protection based, there remains a need for the detection, forensics, and continuous monitoring capabilities that are found in dedicated forensic endpoint products. This product category, also called endpoint detection and response (EDR), is marketed for its granular endpoint visibility and is often used by incident response (IR) teams (in contrast to endpoint protection products, which are most often used by desktop teams).

Enterprise Requirements for EDR

Forensics provide substantial value to enterprises with the resources (and skill sets) to utilize the information. IR teams can have quite diverse needs and the content they require depends on the maturity of their organization’s IR program.

Forensic investigation often requires details such as:

• Source of the infection – For example, is the threat web-based? And if so, what is the source IP?
• File metadata – A copy of the malicious file (along with the hash of the file, if available)
• Host impact – File system changes, registry changes, processes, privileges manipulation, etc.
• Lateral infection and outbound callback – Was data exfiltrated, and if so, when? What is the callback IP?

IR teams may also require other information on the threat, such as severity and recent appearances, in order to prioritize response actions and reduce time to remediation. Threat hunting teams generally share the same needs but can go even further, often demanding an investigative workflow on top of robust threat details.

While these forensic details might be considered “noise” by an organization’s desktop protection management team, they are part of daily life for an IR team member.

The Future of EDR

EDR products support the enterprise in its quest to understand how a threat bypasses adjacent security controls and what its impact is on local systems. The purpose of these products is to facilitate and accelerate incident response, which is often a tedious process. IR requires forensic skills and experience to understand threat incidents, i.e., Why did it happen and how can we remediate it?

While it is NSS’ position that the bulk of endpoint security work will be handled by AEP products for the next three to five years, a clear use case remains for products dedicated solely to forensic visibility and threat detail post-execution. To that end, NSS is building an EDR test methodology that focuses on products that offer only detection and forensic capabilities.

Mike Spanbauer is vice president of research strategy at NSS Labs. He is a recognized leader in security and infrastructure technologies, creating research that combines years of testing experience with analysis of the world’s leading security companies, products, and markets. He regularly provides security commentary in publications such as CSO, Dark Reading, InfoSecurity Magazine, Reuters, TechTarget, and ZDNet.

Jason Pappalexis is managing director of the NSS Labs Enterprise Architecture Research Group. He has worked with endpoint protection products for more than 18 years and has held roles in the IT security industry that include administration, architecture, field engineering, and product testing.