Clients and Endpoints
Featuring 22 Papers as of March 10, 2021
-
Remote Workforce Impact on Threat Defenses SANS.edu Graduate Student Research
by Sean Goodwin - March 10, 2021
As organizations embrace remote work, the defensive security posture needs to be re-examined to effectively address threats while facing new or different constraints and tools. This paper investigates the prevention and detection control effectiveness against the known adversary Tactics, Techniques, and Procedures (TTPs) documented within the MITRE ATT&CK taxonomy in a remote working (work from home, WFH) environment.
-
Using Deep Instinct for Cyberthreat Prevention Analyst Paper (requires membership in SANS.org community)
by Jake Williams - January 29, 2021
- Associated Webcasts: How to Stay Ahead of Cyberthreats
- Sponsored By: Deep Instinct
Although not an endpoint detection and response (EDR) tool, Deep Instinct does provide some features that stray into the EDR space, and it takes a fundamentally different approach to detection than a traditional endpoint protection platform (EPP). This paper reviews the platform and highlights use cases where applicable.
-
Transforming Detection and Response: A SANS Review of Cortex XDR Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - May 4, 2020
- Associated Webcasts: Transforming Detection and Response: A SANS Review of Cortex XDR
- Sponsored By: Palo Alto Networks
To help their teams detect and respond to the ever-growing list of security threats, many organizations have turned toward endpoint detection and response (EDR) platforms within their environment. This product review explores the intuitive and insightful security platform Cortex XDR, provided by Palo Alto Networks. A platform designed to help decrease the time an organization needs to detect and respond to threats, Cortex XDR brings multiple data sources together, including network, endpoint and cloud, to assist analysts in performing enterprise investigations.
-
How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations Analyst Paper (requires membership in SANS.org community)
by Justin Henderson - March 9, 2020
- Associated Webcasts: How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations
- Sponsored By: AWS Marketplace
Endpoints are moving past EC2 virtual machines, and it is imperative for EDR solutions to evolve and support this evolution. This paper illustrates how to leverage endpoint detection and response (EDR) in Amazon Web Services (AWS) to achieve a higher standard of security while simplifying management overhead. Discover how to use EDR solutions to add thousands of host-based observables for threat hunting, auto-scale threat detection across cloud endpoints and integrate a cloud access security broker (CASB) to extend protection to cloud apps.
-
Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in SANS.org community)
by Don Murdoch - August 12, 2019
- Associated Webcasts: Visibility for Incident Response: A Review of Forescout 8.1
- Sponsored By: Forescout Technologies BV
Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.
-
Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
by Jake Williams - June 27, 2019
- Associated Webcasts: Why Traditional EDR Is Not Working--and What to Do About It
- Sponsored By: Mcafee LLC
EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.
-
How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in SANS.org community)
by Thomas J. Banasik - June 27, 2019
- Associated Webcasts: How to Build an Endpoint Security Strategy in AWS
- Sponsored By: AWS Marketplace
Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.
-
JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in SANS.org community)
by David Hazar - June 19, 2019
- Associated Webcasts: JumpStart Guide for Endpoint Security in AWS
- Sponsored By: Optiv AWS Marketplace
Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.
-
Passive Isn't Good Enough: Moving into Active EDR Analyst Paper (requires membership in SANS.org community)
by Justin Henderson - May 17, 2019
- Associated Webcasts: Passive Isn't Good Enough: Moving into Active EDR
- Sponsored By: SentinelOne
Endpoint detection and response (EDR) technologies focus on identifying anomalous activity at scale, but are often constrained by delayed analysis. Endpoint protection platforms (EPP) can manage aspects of endpoint security, but often lack enterprise-class detection and reporting capabilities. This leads to the most recent addition to the endpoint protection arsenal: active endpoint detection and response, which offers real-time analysis compared to traditional passive EDR.
-
Essential Requirements for Cloud-Based Endpoint Security Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - September 11, 2018
- Sponsored By: Carbon Black
Next-generation endpoint security (NGES) strives to combine prevention, detection, response and IT operations into a single platform, allowing for the consolidation of the endpoint footprint while substantially increasing endpoint protection. For those ready to replace their traditional antivirus with NGES, SANS has developed this evaluation guide for assessing NGES tools against your organization's requirements before making capital investments in NGES.
-
Understanding the (True) Cost of Endpoint Management Analyst Paper (requires membership in SANS.org community)
by Matt Bromiley - July 30, 2018
- Associated Webcasts: Understanding the True Cost of Endpoint Management
- Sponsored By: IBM
In this paper, we review the challenges in dealing with complex, ever-changing environments and offer suggestions and recommendations in effective endpoint management. Additionally, we discuss enterprise security as it relates to endpoint management and examine the benefits of integrating endpoint management into your security posture.
-
Endpoint Protection and Response: A SANS Survey Analyst Paper (requires membership in SANS.org community)
by Lee Neely - June 12, 2018
- Associated Webcasts: It Starts With The Endpoint: Part 1 of the SANS 2018 Endpoint Security Survey Results; Endpoint Detection and Response: Part 2 of the SANS 2018 Endpoint Security Survey Results
- Sponsored By: Forescout Technologies BV, Mcafee LLC, OpenText Inc., CrowdStrike, Inc., VMWare Carbon Black, Endgame, Malwarebytes
Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.
-
An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - March 26, 2018
- Associated Webcasts: Moving Endpoint Security to the Cloud: Replacing Traditional Antivirus
- Sponsored By: VMWare Carbon Black
The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.
-
Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security Analyst Paper (requires membership in SANS.org community)
by Jake Williams - March 15, 2018
- Associated Webcasts: Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security 6
- Sponsored By: OpenText Inc.
With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.
-
2017 Threat Landscape Survey: Users on the Front Line Analyst Paper (requires membership in SANS.org community)
by Lee Neely - August 14, 2017
- Associated Webcasts: Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
- Sponsored By: Qualys, Mcafee LLC, FireEye, Cylance
Endpoints, and the users behind them, are on the front lines of the battle: together they represent the most significant entry points for attackers gaining a toehold in the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.
-
Next Generation Endpoint Protection – CIS Control 8, Malware Defense Effectiveness, Performance Metrics and False Positive Rates SANS.edu Graduate Student Research
by Dean Sapp - June 20, 2017
The Center for Internet Security (CIS) Critical Security Controls v6.1 is comprised of battle-tested and prioritized security controls that significantly reduce the risk to businesses from cyber breach. Endpoint security is the primary objective of Control 8, Malware Defenses, which is analyzed in this study (see Manage Cybersecurity Risk with the CIS Controls). This paper details a handful of real-world testing scenarios to determine which Next Generation Endpoint Security (NGES) products are most effective at blocking file-based malware from executing, including freshly minted zero-day variants that have been repacked so that each has a unique hash. In addition to measuring efficacy in blocking malware, the paper includes a secondary scope examining the system resource consumption introduced by these products, to give the reader a better understanding of their impact on the overall end-user experience. A tertiary scope analyzes the false positive rate of NGES with respect to common administrative tools used regularly by IT practitioners on the Microsoft Windows 10 Enterprise and Windows Server 2012 R2 platforms.
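The abstract above rests on one practical point: a sample repacked so that its hash changes defeats any detector that matches on file hashes alone, which is why the study tests repacked variants and also checks false positives against benign admin tools. The following added example (not code from the paper or from any NGES product) simulates that test with constructed data: a marker string stands in for a malicious payload, a trivial XOR-plus-padding routine stands in for a packer, and a hash blocklist is compared with a detector that unpacks and matches on content. The payload, the packer format and the `EVIL:` signature are all assumptions made for the illustration.

```python
"""Why hash-only blocklists fail against repacked samples.

Added example; not part of the SANS paper above. Simulates the paper's test
idea with constructed data: one "malicious" payload is repacked into variants
that differ byte-for-byte (so each has a unique hash), and two detectors are
compared: a SHA-256 blocklist and a detector that unpacks and matches content.
"""
import hashlib
import random

# Constructed sample data: marker strings only, not real malware or tools.
MALICIOUS_PAYLOAD = b"EVIL:drop-shell;persist=run-key;beacon=http://c2.example/"
BENIGN_ADMIN_TOOL = b"BENIGN:psexec-like admin tool; runs remote commands for IT"

MAGIC = b"PACK1"  # assumed header for the toy packer format


def repack(payload: bytes, rng: random.Random) -> bytes:
    """Wrap the payload in a toy 'packer': random single-byte XOR key plus
    random padding. Every call yields different bytes (hence a new hash)
    while the unpacked content stays identical."""
    key = rng.randrange(1, 256)
    padding = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    body = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + len(padding).to_bytes(2, "big") + padding + body


def unpack(blob: bytes) -> bytes:
    """Reverse repack(); return the blob unchanged if it is not packed."""
    if not blob.startswith(MAGIC):
        return blob
    key = blob[len(MAGIC)]
    pad_len = int.from_bytes(blob[len(MAGIC) + 1:len(MAGIC) + 3], "big")
    body = blob[len(MAGIC) + 3 + pad_len:]
    return bytes(b ^ key for b in body)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_detect(sample: bytes, blocklist: set) -> bool:
    """Traditional AV-style check: exact file hash against known-bad list."""
    return sha256(sample) in blocklist


def content_detect(sample: bytes) -> bool:
    """Signature on the unpacked content; stands in for the static-unpacking
    or behavioural layer an NGES product adds over plain hash matching."""
    return b"EVIL:" in unpack(sample)


def evaluate(n_variants: int = 10, seed: int = 1234) -> dict:
    """Run the three measurements the paper describes: detection of repacked
    variants, the hash-blocklist baseline, and false positives on a benign
    admin tool (both unpacked and packed)."""
    rng = random.Random(seed)
    blocklist = {sha256(MALICIOUS_PAYLOAD)}  # built from the one known sample
    variants = [repack(MALICIOUS_PAYLOAD, rng) for _ in range(n_variants)]
    unique_hashes = len({sha256(v) for v in variants})
    hash_hits = sum(hash_blocklist_detect(v, blocklist) for v in variants)
    content_hits = sum(content_detect(v) for v in variants)
    benign_samples = [BENIGN_ADMIN_TOOL, repack(BENIGN_ADMIN_TOOL, rng)]
    false_positives = sum(content_detect(b) for b in benign_samples)
    return {
        "variants": n_variants,
        "unique_hashes": unique_hashes,
        "hash_blocklist_hits": hash_hits,
        "content_hits": content_hits,
        "false_positives": false_positives,
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

Running it shows every repacked variant carrying a distinct hash, the blocklist catching none of them, and the content-based check catching all of them without flagging the benign tool. A real evaluation replaces the toy packer with commercial or open-source packers and the marker signature with the product under test, but the metrics (block rate on repacked variants, false-positive count on known admin tooling) are the same ones the paper measures.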
-
A New Era in Endpoint Protection Analyst Paper (requires membership in SANS.org community)
by Dave Shackleford - April 26, 2017
- Associated Webcasts: A New Era in Endpoint Protection: A SANS Product Review of CrowdStrike Falcon Endpoint Protection
- Sponsored By: CrowdStrike, Inc.
Conventional antivirus solutions aren’t keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus solutions, particularly in legacy environments. Learn what NGAV actually is; where it fits into the IT infrastructure; and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.
-
Next-Gen Endpoint Risks and Protections: A SANS Survey Analyst Paper (requires membership in SANS.org community)
by G. W. Ray Davidson, PhD - February 27, 2017
- Associated Webcasts: Next-Gen Endpoints Risks and Protections: A SANS Survey Part 1: New Devices and Risks; Next-Gen Endpoints Risks and Protections: A SANS Survey Part 2: Next-Gen Protection and Response
- Sponsored By: Guidance Software, Sophos Inc., Carbon Black, IBM, Malwarebytes, Great Bay Software
Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response and automation of remediation processes.
-
Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - November 2, 2016
- Associated Webcasts: Ready to Replace AV? Criteria to Evaluate NGAV Solutions
- Sponsored By: Carbon Black
Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn’t mean that antivirus is “dead.” Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.
-
Intelligent Network Defense Analyst Paper (requires membership in SANS.org community)
by Jake Williams - September 8, 2016
- Associated Webcasts: Intelligent Network Security
- Sponsored By: ThreatSTOP
When an army invades a sovereign nation, one of the defenders’ first goals is to disrupt the invader’s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.
-
Endpoint Security through Device Configuration, Policy and Network Isolation by Barbara Filkins and Jonathan Risto - July 15, 2016
Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.
-
Success Rates for Client Side Vulnerabilities by Jonathan Risto - June 14, 2016
The user is the weakest link in the computer security chain. From clicking on links that they shouldn't to having weak passwords, it generally comes down to the end user doing something they shouldn't. If the user runs a piece of malware or opens an infected file, will it always lead to a compromise? This paper sets out to test whether client-side exploits will always function, or whether there are additional factors to consider when dealing with these vulnerabilities and their associated exploits. Is the Common Vulnerability Scoring System (CVSS) score enough to determine that one vulnerability is more critical than another and should be remediated sooner? The testing is accomplished with freely available exploitation software (e.g. Social Engineering Toolkit, Metasploit) in a closed testing environment.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.