People, Process! EDR Technology?

Posted by Madeline Lee   |   July 19, 2018

By Jason Mueller, Senior Sales Engineer at CounterTack


We’ve all heard this statement over and over: “The threat landscape has evolved, and attackers are more capable than ever.” While that statement is somewhat true, and I’ll leave that for you to debate, the underlying problem in adequately defending against adversarial attacks is a direct result of a lack of skill set and preparation. Truth be told, tools developed by vendors 10 years ago are just as capable today as they were then. Notice that I said tools and not prevention capabilities. It is important to distinguish between the two, as there has been a monumental shift in prevention leveraging machine learning and artificial intelligence. By tools, I’m referring to log aggregation/correlation, malware analysis, forensic gathering and open-source threat intelligence.


So how do we address the skills gap? First and foremost, only those who are genuinely interested in technology and embody what it means to be a hacker need apply. Yes, you can earn a healthy income in cyber security, but it won’t last long if you don’t have the passion and the critical thinking necessary to consistently ask yourself WHY. Having an analytical mindset is one of the most critical traits required for defenders. It’s not good enough to simply understand the capabilities within products; you must constantly be asking yourself why those capabilities exist in the first place. Also, having foundational knowledge before stepping into the role of a network defender or threat analyst is considered table stakes. There are far too many who believe that taking a SANS course or earning a certification will fill the void. While those are important, it’s more important that you have a background in IT administration and/or operations.

Great, I have the skills. Now what? Both Lockheed Martin and MITRE have assisted over the years by providing frameworks to guide defenders. The Cyber Kill Chain, developed by Lockheed Martin, utilizes a simple-to-understand model that identifies what attackers must accomplish to achieve their objective.


MITRE introduced the ATT&CK framework not too long after the Cyber Kill Chain was developed. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

Given that these models were developed years ago, it’s shocking how many organizations don’t train their personnel to adopt the attacker mentality and better understand the adversary’s mindset. The notion of tossing more money at the problem by adopting “bleeding edge” technology has left many organizations with a major gap: properly trained defenders with clearly defined processes. Although not all blame falls on the victim, there are many vendors new to the space claiming to solve all of their customers’ problems, and even the most seasoned security teams have a hard time distinguishing fact from fiction. Ultimately it is the responsibility of those entrusted to protect sensitive data to have the skills necessary to do so, as technology will fail at some point. Code is human-derived and susceptible to exploitation.

Which leads me to my last point: technology. Over the years I’ve had the privilege of working for some of the most well-respected cyber security companies in the world. All of them shared a common problem: trust. All too often organizations are being sold a vision instead of a fix, or a fix based on a vision. The old adage “people buy from people they like” is somewhat true, but more so they buy from people they trust. Being able to sift through the noise and the marketing circus has become a challenge in itself, which is why organizations need to properly test capabilities prior to adopting them.

Here at CounterTack we have always welcomed the try-and-buy approach through no-charge proofs of concept. We believe the only way to truly understand what will and won’t work is by thoroughly testing vendor claims against real-world scenarios. It also allows an organization to assess what skills are needed to operationalize the technology. If a security team is either minimally skilled or minimally staffed, a managed services approach allows organizations to offload the responsibility and liability to highly skilled practitioners while they focus their efforts elsewhere. Because EDR requires a particularly diverse and seasoned skill set, there has been a recent shift in what was once managed in-house now being outsourced to MDR (managed detection and response) companies. With service level agreements and proven success, organizations can place their trust in companies such as GoSecure (recently acquired by CounterTack) to defend against adversarial threats and protect intellectual property with persistence and dedication. After all, defenders need to get it right all the time, whereas an attacker only needs to be right once to deliver a crippling blow to an organization’s reputation.

As the annual BlackHat conference is weeks away, prepare yourself as a consumer to challenge vendor claims. The parties are fun, there will be a plethora of vendor swag and the sensory overloaded booths in the expo hall will have dizzying effects. But remember to pause and ask yourself why this is all taking place: to buy your trust or to earn it? Once it is over and you return home, you don’t want to be the one holding the bag because you were “sold” on the art of the possible without properly vetting.

Speaking of BlackHat, be sure to visit CounterTack at booth 958 to learn more about how we are the leading provider of Predictive Endpoint Security for enterprises!
