This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.
Do you really know what happened during that data breach? In this post, CyFIR Chief Product Officer John J. Irvine and World Wide Technology (WWT) Global Director of Security Sales Chris Konrad explain what to look for when searching for an Endpoint Detection and Response software solution.
In today’s market for Endpoint Detection and Response (EDR) solutions, vendors are defining “forensics” based upon their own product’s capabilities. The industry is awash with sales pitches from all manner of EDR vendors using similar terminology to refer to underlying technology with vastly different capabilities.
Many of today’s digital forensic practitioners begin their careers in law enforcement. Before “Incident Response” was a buzzword included on every IT professional’s resume, most digital forensics casework supported the investigation and prosecution of crimes. To do so, digital forensic examiners would pore over a hard disk—often with rudimentary, low-level tools—for days, weeks, or even months. Examiners would scour disks looking for hidden partitions, host protected areas, or other spots that craftier suspects would use to hide their data from Johnny Law. When investigators found files of note, they would render them down to hash values (a digital “fingerprint” as it’s often called) to prove their uniqueness or to track their movements between systems or individuals. Investigators could recover fragments of files deleted long ago from the hard disk, often finding a crucial piece of evidence. Forensics was, and continues to be, an often difficult and time-consuming set of processes that can yield unimaginable results—IF you’re willing to put in the time and effort.
Today, the EDR marketing landscape could easily lead purchasers into the belief that “AI will save us all” or that “machine learning keeps your network safe.” Many vendors are selling the myths of the “unbreachable perimeter” or the “find all evidence button,” and telling weary, underfunded CISOs that their tools not only will stop attacks, but also provide a “forensics component” in case something evil should get through their defenses.
If you’re looking at one of the ever-present meatball charts that compare different vendors’ tools against each other, you’ll often find that antivirus, patch management, continuous monitoring, or other capabilities under the EDR heading will have a proud dot in a row called “Forensics” (often from an up-charged component). As a CISO, you can purchase one of these tools and check off “Allows a user to perform a digital examination on a computer or network” from your readiness list, right? I wish it were that simple.
When evaluating the “forensic capability” of a cybersecurity product, you need to ask the vendor some direct, pointed questions to learn what that specific vendor defines forensics to be. Finding and deleting the offending file is only part of the job; understanding the attack vector, reviewing the data exfiltrated, and quantifying the damage done are equally important in handling a breach and in preventing future attacks. Without knowing what went wrong, how can you be sure that you’ve taken the appropriate measures to stop it from happening again?
When considering an EDR solution, ask the following questions before making your decision:
Question: Can an authorized member of my security team navigate to the hard disk structure on an endpoint to look at the content of individual files?
Why you care: Attacks often leave behind forensic evidence that is critical in the discovery of the type and amount of data that has potentially been exfiltrated from your organization. If you can’t find and view the content of the exfiltration files, you might not have accurate information regarding the size or scope of a breach.
Question: Can I pull running processes individually out of memory for external review, or at a minimum, can I use your tool to extract live RAM remotely for the entire machine?
Why you care: Strategic or advanced attacks may use custom-crafted malware that might be able to defend itself from antivirus engines or even automated sandboxes. Sometimes a manual breakdown of a malicious program’s capabilities is the only way to know the potential extent of any damage it caused, and to do that, you must be able to isolate and extract the process from live memory.
Question: How many endpoints can I search at once now that I know what I’m looking for?
Why you care: Many tools that search remote endpoints are limited to searching only a few at a time through a round-robin scripting method. If you have a lot of time and money, that’s fine. If you’re short on either, look for tools where searching the endpoints happens simultaneously instead of five or ten at a time.
Question: Can I look through the raw data on the hard disk remotely and recover deleted files?
Why you care: Deleted malware, erased exfiltration files, and other items hidden from normal view of the operating system can provide critical evidence as to the scale and effectiveness of a breach. Without the capability to directly access a disk and recover deleted information, you’re likely to miss the whole picture. If you can’t do it remotely, you’re going to pay your employees (or a contractor) a lot of money to visit your individual locations and make copies of hard disks for later analysis.
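To make the “raw data on the hard disk” point concrete, here is an added example (not code from the original post, CyFIR, or eSentire) of the simplest form of deleted-file recovery: signature-based carving, which ignores the file system entirely and scans raw bytes for known header and footer magic. The disk image is a constructed byte string built inside the script; the PNG and JPEG magic values are the real ones, but the blobs are only header-and-footer shells, not valid images. The carver also computes a SHA-256 hash of each recovered item, the “digital fingerprint” the post mentions, so findings can be matched across systems.

```python
"""Signature-based file carving over a raw byte image (added example; image is constructed)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# (kind, header magic, footer magic). The magic values are the real PNG/JPEG ones.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
]
# Upper bound on how far past a header to look for a footer, so a header with
# no matching footer does not swallow the rest of the image.
MAX_CARVE = 10 * 1024 * 1024


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header inside the raw image
    data: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES, max_size: int = MAX_CARVE) -> list[CarvedFile]:
    """Scan raw bytes for header/footer pairs and return every complete match.

    Caveat: this recovers only contiguous (unfragmented) files, and the JPEG
    footer search is naive (an embedded thumbnail also ends with FF D9).
    """
    found: list[CarvedFile] = []
    for kind, header, footer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # Header without a footer in range: skip it and keep scanning.
                pos = start + len(header)
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda f: f.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed raw 'disk' bytes: filler, PNG-shaped blob, filler, JPEG-shaped blob, filler."""
    filler = b"\x00" * 64  # stands in for unallocated space
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17 + b"IEND\xaeB`\x82"
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x02" * 24 + b"\xff\xd9"
    return filler + png + filler + jpeg + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind:5} offset={f.offset:6} size={len(f.data):5} sha256={f.sha256}")
```

Run against a real image (for example a raw `dd` copy opened with `open(path, "rb").read()`, or memory-mapped for large disks) the same loop finds files whose directory entries are gone but whose clusters have not yet been overwritten, which is exactly the evidence an EDR tool that only walks the live file system cannot see.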
Question: Can your solution help me with attackers who are “living off the land” or using fileless attacks?
Why you care: Many platforms sold under the EDR banner are still strongly rooted in their antivirus or continuous-monitoring origins. While they may flag malicious activity in the form of a trojan or virus, they often miss the use of legitimate administrative tools by a bad actor. As a use case, ask how the solution being presented can help identify someone doing evil by using stolen legitimate credentials and standard administration tools, and more importantly, make them show you.
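The “show me” test above has a concrete shape: the tool must correlate context (who logged on, from where) with the use of tools that are individually harmless. As an added example, not part of the original post or any vendor’s product, the script below runs two such rules over a few constructed logon and process-creation events: a logon from a source address the account has never used before, followed within ten minutes by a signed, built-in administration tool, and any admin tool run by an account that is not on the authorized administrator list. The baseline, the account names, the host names, and the admin-tool watchlist are all illustrative assumptions.

```python
"""Correlating logon context with admin-tool use (added example; telemetry is constructed)."""
from __future__ import annotations

from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Built-in, signed administration tools. Antivirus will not flag them; context must.
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe", "net.exe", "schtasks.exe", "reg.exe"}

# Assumed baseline: source addresses each account normally logs on from, and which
# accounts are authorized to run admin tools. In practice this comes from weeks of telemetry.
BASELINE_SOURCES = {"alice": {"10.0.1.25"}, "it-admin": {"10.0.9.10"}}
ADMIN_ACCOUNTS = {"it-admin"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T02:14:00", "host": "FIN-PC-07", "user": "alice", "type": "logon", "src": "203.0.113.44"},
    {"ts": "2021-06-01T02:15:30", "host": "FIN-PC-07", "user": "alice", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"ts": "2021-06-01T02:16:10", "host": "FIN-PC-07", "user": "alice", "type": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic process list brief"},
    {"ts": "2021-06-01T09:00:00", "host": "IT-WS-01", "user": "it-admin", "type": "logon", "src": "10.0.9.10"},
    {"ts": "2021-06-01T09:01:00", "host": "IT-WS-01", "user": "it-admin", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell Get-Service"},
    {"ts": "2021-06-01T09:30:00", "host": "FIN-PC-07", "user": "alice", "type": "logon", "src": "10.0.1.25"},
    {"ts": "2021-06-01T09:31:00", "host": "FIN-PC-07", "user": "alice", "type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmdline": "excel.exe"},
]


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def detect(events, baseline=BASELINE_SOURCES, admins=ADMIN_ACCOUNTS,
           tools=ADMIN_TOOLS, window=CORRELATION_WINDOW) -> list[dict]:
    """Return one alert dict per rule hit, in time order."""
    alerts: list[dict] = []
    unseen_logon: dict[tuple[str, str], datetime] = {}  # (host, user) -> time of anomalous logon

    for ev in sorted(events, key=_when):
        t = _when(ev)
        key = (ev["host"], ev["user"])
        base = {"ts": ev["ts"], "host": ev["host"], "user": ev["user"]}

        if ev["type"] == "logon":
            if ev["src"] not in baseline.get(ev["user"], set()):
                unseen_logon[key] = t
                alerts.append({**base, "rule": "logon_from_unseen_source", "detail": ev["src"]})

        elif ev["type"] == "process":
            tool = PureWindowsPath(ev["image"]).name.lower()
            if tool not in tools:
                continue
            if ev["user"] not in admins:
                alerts.append({**base, "rule": "admin_tool_by_non_admin", "detail": ev["cmdline"]})
            started = unseen_logon.get(key)
            if started is not None and t - started <= window:
                alerts.append({**base, "rule": "admin_tool_after_unseen_logon", "detail": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]:10} {a["user"]:9} {a["rule"]:30} {a["detail"]}')
```

The authorized administrator running PowerShell from their usual workstation produces nothing, while the same class of tool run under a stolen account produces alerts on both rules. Two practical caveats: match tools by file hash as well as by name, since a renamed copy of a built-in binary defeats a name-only watchlist, and treat the baseline as data to be maintained, not a constant.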
Once you start digging with questions like these (and making the sales engineer pitching the product a little uncomfortable), you’ll find that the term “forensics” is being redefined by each individual software vendor for their own convenience—and a tick-mark on that meatball chart. If you have any doubt, find an old-school cop who has been doing digital forensics for twenty years and ask them if they consider “Tool X” to be forensically sound. Believe me, they’ll know the difference.
Another resource for CISOs to consider is WWT’s Advanced Technology Center (ATC), which provides a platform for technology professionals to stay up-to-date with market innovations and receive assistance when comparing available technology options. The ATC connects industry professionals across technology verticals to collaborate on topics such as infrastructure design, regulatory compliance, and how to integrate virtual and physical environments. It also tests and simulates the performance of hundreds of products, making it easier for CISOs to identify what solution(s) are right for their own environment.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.