With all the talk of escalating cyber warfare, the spread of counterfeit smartphones and new forms of self-replicating malware, I came away from Black Hat USA 2019 (my 15th) marveling, once more, at the panache of modern cyber criminals.
Yet, I also had the chance to speak one-on-one with dozens of security vendors who are innovating like crazy to improve security. And I came away, once again, much encouraged. I met with Kevin Simzer, for instance, Trend Micro’s chief operating officer.
Trend Micro is among the top five endpoint security vendors who’ve been in the battle since the earliest iterations of antivirus software, more than three decades ago. The company has evolved far beyond those days. They came to Las Vegas prepared to push detection and response beyond the endpoint.
While endpoint detection and response (EDR) is one of the most significant advancements made by endpoint security vendors in the past six years, enterprises need more. Companies have silos of security data that need the same type of visibility that EDR brings to the end point.
Enter Trend Micro’s new answer to the change of much needed visibility and threat alert overload. I came away from my interview with Simzer with a strong sense that they have a very comprehensive managed detection and response offering, and that even more innovation from Trend and others is assured, going forward.
For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:
Prevention vs. detection
In 2013, Gartner analyst Anton Chuvakin coined “EDR” to classify an emerging set of tools designed to go beyond signature-based antivirus software which was designed primarily to identify specific malicious binary files. Instead, EDR tools were tuned to recognize anomalous activities on endpoints, then trigger alerts that warranted further investigations.
To be sure, legacy antivirus solutions were designed in an earlier age, based on the notion of prevention, and that was a valid approach in the early 2000s. However, threat actors did not stand pat. They innovated myriad ways to get around signature-based detection.
Many attacks today begin with a targeted phishing attacks to get a toehold inside a network.
Once inside, attacks increasingly deploy so-called ‘fileless” attacks, that come and go only when a certain compromised piece of software – or firmware — is opened in memory. And they’ve become expert at stealthily manipulating built-in administration tools, such as Windows PowerShell and Windows Active Directory as part of “living off the land” attacks.
Mainstreaming EDR
EDR came along to supplement signature-based antivirus. It gave security analysts visibility into what is actually occurring on the network – and put them in a position to respond to unauthorized tasks being carried out by malware that succeeded in evading signature-based antivirus.
EDR thus gave companies a much better understanding of what actually was taking place, moment to moment, on their networks. But, of course, EDR also raised fresh challenges. More data had to be collected, stored and analyzed, ideally by experienced analysts.
What’s more, early EDR solutions were only as good as the type and quantity of data collected, and the quality of the underlying analytics. Weaker solutions tended to churn out a high number of false positives, which, in turn, exacerbated the security analyst talent shortage.
Fast forward to the present: cybersecurity vendors, generally, and endpoint security leaders, like Trend, in particular, are hustling to take full advantage of advances in cloud computing, data storage and advanced analytics. Their focus has been on making EDR functionalities more comprehensive, proactive and easy to use – and thus more mainstream.
“We’re helping our customers figure out how to better prioritize which alerts they dig into and respond to,” Simzer told me. “We want to provide the context, do all of the correlation for them and help them pinpoint the truly important alerts, so they can do the right thing.”
Telling telemetry
At Black Hat USA 2019, Trend introduced an advanced EDR offering, dubbed XDR, designed to provide detection and response capabilities across the full breadth of modern business networks.
‘X’ stands for the most extensive sets of data being collected from more protection points, Simzer told me. Trend’s new offering, he says, has been designed to centrally gather telemetry from traffic moving across email, network, endpoint, server and cloud workloads. I believe they are the first to natively combine all of these.
“We know that the number one threat vector continues to be the email environment, so if we can grab that telemetry, that’s very helpful,” he says. “We also have a really broad offering in network security . . . so that’s also another effective way of vacuuming up telemetry.”
The resulting detections are more accurate, are generated faster and provide better context than found with basic EDR.
Simzer told me Trend’s fastest growing business spins out of digital transformation, namely, helping companies secure their virtualized servers, private- public- and hybrid-cloud environments. Another priority of the company is infusing security into the development cycle of DevOps teams. They imagine a day when they invisibly secure a customers’ code from the first build. Trend Micro is addressing this now with seamless security rules that span both existing environments and new ones such as microservices, containers and serverless architectures.
“We believe strongly that with our XDR, you’ll be able to better find the needles that are in the haystack,” Simzer says.
Improved visibility and a movement to less security tools are the mantras of the moment in cybersecurity circles. That’s a very good thing. Anything we can do help companies get into a better position to proactively seek out and neutralize malicious activity hidden in the flow of ordinary business is a step in the right direction. It is even better when these benefits can be automated due to the ever prevalent cybersecurity skills gap.
Innovators are tilting the balance incrementally toward making things as secure as they ought to be. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.