Posted: 4 Min ReadProduct Insights

Moving Beyond Traditional EDR

New times and new threats require a new approach in the way that organizations respond to threats

Cyber security often gets likened to an arms race between defenders and attackers, one side scrambling to gain advantage over the other. This competition has been on full display the last five years as organizations began to adopt Endpoint Detect and Response (EDR) solutions.

EDR emerged as a response to the increasing sophistication of cyber threats from attack groups, who began conducting more targeted attacks using tools already available on computers and leveraging scripts and shell code that run directly in memory.

This so-called ‘living off the land’ approach to incursion and lateral movement within a customer environment made it harder for organizations to detect attackers. Intruders created fewer files during the attack lifecycle, keeping most of the attacker’s tactics and techniques hidden in normal activity.

Traditional EDR tools have done a good job creating more visibility into stealthy threats and improved some aspects of remediation. At the same time, however, they have also failed to address several key challenges for customers who now face a huge surge in targeted attacks.  What is needed is a more complete approach to detection, investigation and response so organization can take a proactive approach with advanced EDR capabilities and scalable managed EDR.

Real, Actually Useful Detection

It is not enough for EDR tools to leave it to the investigator to sift through mountains of cyber data. Even the best threat hunters need support in the form of detection of advanced attack techniques, analytics that discover anomalous activity and outliers, and AI-driven analytics that benefit from the combined telemetry of thousands of customers across millions of endpoints. Tools that generate events and incidents with high false positive rates drain the resources of already strained security teams.

Rinse and Repeat

Incident responders, threat hunters and forensic experts need to be able to automate best practices, like the ones detailed in the MITRE Cyber Analytics Repository.  In addition, SOC teams need to build up their own libraries of investigation workflows so responders at all levels can benefit from the expertise of the best SOC analysts. And automating repetitive tasks boost productivity for the entire team.

Help Wanted

Customers also face a severe cyber security talent shortage that makes it difficult to hire and retain skilled investigators and threat hunters.  The ability to easily fortify existing SOC teams and add critical expertise to fill skills gaps and ensure 24 x 7 coverage improves retention and helps security teams focus on high priority incidents and initiatives.  And many organizations want the option of a fully-managed EDR with dedicated SOC analysts. When it comes to leveraging managed EDR, scale and experience matters.  Comprehensive support from an MEDR provider requires a globally available team of hundreds of highly-trained SOC analysts with extensive expertise by region and industry.  This deep expertise enhances the effectiveness of proactive threat hunting, forensic investigations and speeds the response to emerging and off-hours attacks.

Pre-breach or Post-breach, Why not both?

Traditional EDR tools have either focused on pre-breach or post-breach capabilities but, organizations need both to address current and emerging threats.  Customers require an EDR tool and managed EDR service powered by advanced tools for pre-breach and post-breach scenarios. 

Symantec EDR solution

Symantec addresses all these challenges by integrating an advanced EDR product and a
fully-managed EDR service that organizations can easily combine for increased security effectiveness. What’s more, Symantec has infused its EDR solution with the expertise of our elite attack researchers and global team of skilled SOC Analysts that ensure increased visibility into threats and precision detection of attacks.

Symantec Endpoint Detection and Response 4.0 includes:

  • Over 300 advanced attack detections ensure exposure of living off the land attack methods including MITRE Cyber Analytics.
  • Identify active adversaries with Targeted Attack Analytics that leverage advance machine learning and global intelligence.
  • Pre-built automated playbooks allow teams to quickly initiate cyber security function and leverage expert investigation methods.
  • Create custom playbooks that capture the investigation methods of experience responders, run these playbooks as custom alerts.
  • MITRE ATT&CK enrichment exposes gaps in attack lifecycle to highlight security risks and simplify security improvements.
  • Advanced pre-breach and post-breach tools ensure high levels of productivity for all analysts, from entry level all the way to advanced IR analysts.
  • Supports flexible deployment options across cloud, on-premises and hybrid for macOS, Linux and Windows systems; SEP and non-SEP endpoints.

Symantec addresses all these challenges by integrating an advanced EDR product and a
fully-managed EDR service that organizations can easily combine for increased security effectiveness.

Symantec Managed Endpoint Detection and Response includes:

  • Expert Symantec SOC analysts are assigned to every customer based on industry and region, addressing in-house skills gaps and providing critical off-hour support with 24x7 coverage across six global SOCs.
  • Managed threat hunting detects stealthy and previously unknown attacks by analyzing security logs through Symantec SOC Technology Platform big data analytics and correlating findings with the Symantec Global Intelligence Network.
  • Threat hunts are based on emerging IoCs and TTPs using the MITRE ATT&CK framework, all enhanced with human analysis
  • Critical indicators of an attack across on-premises and cloud endpoints are skillfully investigated by Symantec SOC analysts who quickly understand and act on threats
  • Symantec SOC analysts address attacks by containing compromised endpoints via pre-authorized measures (using Symantec EDR via a single agent with Symantec Endpoint Protection).
  • MEDR provides white-glove, rapid onboarding and continuous SOC team engagement via custom monthly reports, regular business reviews, Emerging Threat Reports, and 24x7 access through phone, portal, email and online chat functions.

If you found this information useful, you may also enjoy:

Symantec Enterprise Blogs

Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear

Learn how Symantec Endpoint Protection & Response (EDR) and the MITRE ATT&CK framework can expose and thwart persistent adversaries like APT28 otherwise known as Fancy Bear.

Click Here to Register for Webinar Now

About the Author

Patrick Gardner

Sr. Vice President, Email, IOT, and Advanced Threat Protection

SVP of Engineering and Product for Email, IOT, and Advanced Threat. Patrick is responsible for overseeing the research, creation, and development of new solutions enabling customers to detect and protect against advanced threats in enterprise environments.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.