Reading Room

Clients and Endpoints

Featuring 22 Papers as of March 10, 2021

• Remote Workforce Impact on Threat Defenses SANS.edu Graduate Student Research
  by Sean Goodwin - March 10, 2021 

  As organizations embrace remote work, the defensive security posture needs to be re-examined to effectively address threats while facing new or different constraints and tools. This paper investigates the prevention and detection control effectiveness against the known adversary Tactics, Techniques, and Procedures (TTPs) documented within the MITRE ATT&CK (R) taxonomy in a remote working (work from home, WFH) environment.

  •  Overview
  •  Download

• ---

• Using Deep Instinct for Cyberthreat Prevention Analyst Paper (requires membership in SANS.org community)
  by Jake Williams - January 29, 2021 

  • Associated Webcasts: How to Stay Ahead of Cyberthreats
  • Sponsored By: Deep Instinct

  Although not an endpoint detection and response (EDR) tool, Deep Instinct does provide some features that stray into the EDR space and takes a fundamentally different approach to detection than traditional EPP. This paper reviews this platform and highlights use cases as applicable.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Transforming Detection and Response: A SANS Review of Cortex XDR Analyst Paper (requires membership in SANS.org community)
  by Matt Bromiley - May 4, 2020 

  • Associated Webcasts: Transforming Detection and Response: A SANS Review of Cortex XDR
  • Sponsored By: Palo Alto Networks

  To help their teams detect and respond to the ever-growing list of security threats, many organizations have turned toward endpoint detection and response (EDR) platforms within their environment. This product review explores the intuitive and insightful security platform Cortex XDR, provided by Palo Alto Networks. A platform designed to help decrease the time an organization needs to detect and respond to threats, Cortex XDR brings multiple data sources together, including network, endpoint and cloud, to assist analysts in performing enterprise investigations.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations Analyst Paper (requires membership in SANS.org community)
  by Justin Henderson - March 9, 2020 

  • Associated Webcasts: How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations
  • Sponsored By: AWS Marketplace

  Endpoints are moving past EC2 virtual machines, and it is imperative for EDR solutions to evolve and support this evolution. This paper illustrates how to leverage endpoint detection and response (EDR) in Amazon Web Services (AWS) to achieve a higher standard of security while simplifying management overhead. Discover how to use EDR solutions to add thousands of host-based observables for threat hunting, auto-scale threat detection across cloud endpoints and integrate a cloud access security broker (CASB) to extend protection to cloud apps.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in SANS.org community)
  by Don Murdoch - August 12, 2019 

  • Associated Webcasts: Visibility for Incident Response: A Review of Forescout 8.1
  • Sponsored By: Forescout Technologies BV

  Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
  by Jake Williams - June 27, 2019 

  • Associated Webcasts: Why Traditional EDR Is Not Working--and What to Do About It
  • Sponsored By: Mcafee LLC

  EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in SANS.org community)
  by Thomas J. Banasik - June 27, 2019 

  • Associated Webcasts: How to Build an Endpoint Security Strategy in AWS
  • Sponsored By: AWS Marketplace

  Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in SANS.org community)
  by David Hazar - June 19, 2019 

  • Associated Webcasts: JumpStart Guide for Endpoint Security in AWS
  • Sponsored By: Optiv AWS Marketplace

  Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Passive Isn't Good Enough: Moving into Active EDR Analyst Paper (requires membership in SANS.org community)
  by Justin Henderson - May 17, 2019 

  • Associated Webcasts: Passive Isn\'t Good Enough: Moving into Active EDR
  • Sponsored By: SentinelOne

  Endpoint detection and response (EDR) technologies focus on identifying anomalous activity at scale, but are often constrained by delayed analyses. Endpoint protection platforms (EPP) can manage aspects of endpoint security, but often lack enterprise class detection and reporting capabilities. Which leads us to the most recent addition to the endpoint protection arsenal--active endpoint detection and response, which boasts real-time analysis capabilities as compared to traditional passive EDR.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Essential Requirements for Cloud-Based Endpoint Security Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - September 11, 2018 

  • Sponsored By: Carbon Black

  Next-generation endpoint security (NGES) strives to combine prevention, detection, response and IT operations into a single platform, allowing for the consolidation of the endpoint footprint while substantially increasing endpoint protection. For those ready to replace their traditional antivirus with NGES, SANS has developed this evaluation guide for assessing NGES tools against your organization's requirements before making capital investments in NGES.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Understanding the (True) Cost of Endpoint Management Analyst Paper (requires membership in SANS.org community)
  by Matt Bromiley - July 30, 2018 

  • Associated Webcasts: Understanding the True Cost of Endpoint Management
  • Sponsored By: IBM

  In this paper, we review the challenges in dealing with complex, ever-changing environments and offer suggestions and recommendations in effective endpoint management. Additionally, we discuss enterprise security as it relates to endpoint management and examine the benefits of integrating endpoint management into your security posture.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Endpoint Protection and Response: A SANS Survey Analyst Paper (requires membership in SANS.org community)
  by Lee Neely - June 12, 2018 

  • Associated Webcasts: It Starts With The Endpoint: Part 1 of the SANS 2018 Endpoint Security Survey Results Endpoint Detection and Response: Part 2 of the SANS 2018 Endpoint Security Survey Results
  • Sponsored By: Forescout Technologies BV Mcafee LLC OpenText Inc. CrowdStrike, Inc. VMWare Carbon Black Endgame Malwarebytes

  Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - March 26, 2018 

  • Associated Webcasts: Moving Endpoint Security to the Cloud: Replacing Traditional Antivirus
  • Sponsored By: VMWare Carbon Black

  The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security Analyst Paper (requires membership in SANS.org community)
  by Jake Williams - March 15, 2018 

  • Associated Webcasts: Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security 6
  • Sponsored By: OpenText Inc.

  With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• 2017 Threat Landscape Survey: Users on the Front Line Analyst Paper (requires membership in SANS.org community)
  by Lee Neely - August 14, 2017 

  • Associated Webcasts: Security Whack-a-Mole: SANS 2017 Threat Landscape Survey Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
  • Sponsored By: Qualys Mcafee LLC FireEye Cylance

  Endpoints-and the users behind them-are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Next Generation Endpoint Protection – CIS Control 8, Malware Defense Effectiveness, Performance Metrics and False Positive Rates SANS.edu Graduate Student Research
  by Dean Sapp - June 20, 2017 

  The Center for Internet Security (CIS) Critical Security Controls v6.1 is comprised of battle tested and prioritized security controls that significantly reduce the risk to businesses from cyber breach. Endpoint security is the primary objective of Control eight, Malware Defenses which will be analyzed in this study. (Manage Cybersecurity Risk with the CIS Controls). This paper details a handful of real-world testing scenarios to determine which Next Generation Endpoint Security (NGES) products have the greatest effectiveness in blocking file based malware from executing, including freshly minted zero-day variants that have been repacked so they have unique hashes. In addition to measuring efficacy in blocking malware, this paper includes a secondary scope to examine the system resource consumption introduced by these products to give the reader a better understanding of the business impact these products have on the overall end-user experience. A tertiary scope analyzes the false positive rate of NGES with respect to common administrative tools used regularly by IT practitioners on the Microsoft Windows 10 Enterprise and Windows 2012 R2 Server platforms.

  •  Overview
  •  Download

• ---

• A New Era in Endpoint Protection Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - April 26, 2017 

  • Associated Webcasts: A New Era in Endpoint Protection: A SANS Product Review of CrowdStrike Falcon Endpoint Protection
  • Sponsored By: CrowdStrike, Inc.

  Conventional antivirus solutions aren’t keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus solutions, particularly in legacy environments. Learn what NGAV actually is; where it fits into the IT infrastructure; and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Next-Gen Endpoint Risks and Protections: A SANS Survey Analyst Paper (requires membership in SANS.org community)
  by G. W. Ray Davidson, PhD - February 27, 2017 

  • Associated Webcasts: Next-Gen Endpoints Risks and Protections: A SANS Survey Part 1: New Devices and Risks Next-Gen Endpoints Risks and Protections: A SANS Survey Part 2: Next-Gen Protection and Response
  • Sponsored By: Guidance Software Sophos Inc. Carbon Black IBM Malwarebytes Great Bay Software

  Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, automation of remediation processes.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - November 2, 2016 

  • Associated Webcasts: Ready to Replace AV? Criteria to Evaluate NGAV Solutions
  • Sponsored By: Carbon Black

  Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn’t mean that antivirus is “dead.” Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Intelligent Network Defense Analyst Paper (requires membership in SANS.org community)
  by Jake Williams - September 8, 2016 

  • Associated Webcasts: Intelligent Network Security
  • Sponsored By: ThreatSTOP

  When an army invades a sovereign nation, one of the defenders’ first goals is to disrupt the invader’s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Endpoint Security through Device Configuration, Policy and Network Isolation by Barbara Filkins and Jonathan Risto - July 15, 2016 

  Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.

  •  Overview
  •  Download

• ---

• Success Rates for Client Side Vulnerabilities by Jonathan Risto - June 14, 2016 

  The user is the weakest link in the computer security chain. From clicking on links that they shouldn to having weak passwords, it generally comes down to the end user doing something they shouldn . If the user runs a piece of malware or opens an infected file, will it always lead to a compromise? This paper plans to test if client-side exploits will always function or if there are additional factors to consider when dealing with these vulnerabilities and associated exploits. Is the Common Vulnerability Scoring System (CVSS) score enough to determine if a particular vulnerability is more critical than another and should be remediated sooner than another? This testing will be accomplished through the use of freely available exploitation software (e.g. Social Engineering Toolkit, Metasploit) in a closed testing environment.

  •  Overview
  •  Download

• ---

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.