RSAC 2017 Trends: The Endpoint Agent Convergence is Upon Us

RSAC is the industry mecca for security pros looking to keep up to speed with the trends in information security and for companies showcasing their innovations. This year’s conference attracted over 43,000 attendees and featured two exhibition halls jam-packed with hundreds of security vendors. Wandering the halls of RSAC this year, there was a lot of expected marketing hype and some compelling trends that emerged; some of them I saw coming, others, were surprising. 

Here are my observations from the conference on the real trends to look out for to help you cut through the hype and better secure your enterprise:

The Convergence

The endpoint agent convergence, much predicted, is now coming to fruition. Once you make it past the marketing, Endpoint Detection and Response’s (EDR) big improvement to enterprise security is filling the need for centralized endpoint logging and historical search (for response and root cause analysis). The behavior signatures they employ are a nice feature but realistically, at best, its only incrementally better than anti-virus (AV) heuristic signatures. Of course, with server-side analytics you get to analyze more hosts together which gives some non-trivial advantages.

EDR is absolutely needed for most organizations. Right now companies also need AV and may only want centralized logging and search provided by EDR. In turn, EDR vendors have adopted AV-replacement en mass to target the $5-10B AV market while legacy AV vendors have begun slowly adopting EDR feature sets.

This is only the start of endpoint vendor consolidation. I met more than one rep at EDR vendors who are having a hard time differentiating or can't live up to their marketing. Perhaps due to ineffective marketing/messaging in the first case, poor engineering focus or failure to scale in non-homogeneous environments in the second. But don't get me wrong, it's still a hot space and many of these vendors are growing but a handful of leaders are emerging way ahead of the pack. 

Don't count the little guys out though. A lot of the small emerging vendors I saw have a cool widget, promising non-standard approach, or a few technical features no one else has. I predict we're going to see mergers to strengthen suite differentiation in the war between EDR leaders and incumbent AV vendors.

Machine Learning AV Comes Into Its Own

The AI Machine Learning detection trend, derided by practitioners due to the excessive hype, is showing strong use cases that make sense. Sure, its efficacy hasn't proven to be more than incrementally better, and the approach is fraught with its own maturity challenges such as file/attack type coverage. Regardless of these challenges and even without improved efficacy, ML-powered AV is changing the game. For me, it all revolves around this old version, no updates test; the so called "Holiday Test" being adopted by testing and analyst companies.
Basically, this test uses an old version of the AV, with no cloud connectivity or recent signature updates, to see how it fares against the latest threats/attacks/exploits. ML-powered AVs fair pretty decently in these tests while threat intel, reputation, signature reliant products fall off drastically. In my opinion, this is the best and perhaps only reliable way to test "zero day" detection rates and a real reason to adopt ML detection on the endpoint.

AV-Test, NSS Labs, Gartner and other industry experts have really grasped onto this test, much to the chagrin of incumbent vendors and others who use cloud-based analysis. To me, unless they have a good reason for doing so, those who use cloud-based machine learning are either hiding something or trying to manage maturity and false positives.

My own company made this initial choice with our Infocyte HUNT product as early forms of our ML model had high false positive rates and needed to be tuned. As of this year, we now trust it being deploy directly on the endpoint. Being a product focused on post-breach hunt and incident response, we have a different model and higher tolerances since we don't block, and hunting what automated defensive products miss demands casting a wide net.

Security Analytics

At last year's RSA and Black Hat USA, startups in the user behavior analytics space got quite a lot of hype. My personal experience with them, and the experience of the customers and hunt teams I work with, has been that they are still immature. Some people suggest they need to be more focused in their use case.

 "...Stand-alone, broad-based analytics solutions have plateaued," said Glasswing Ventures' Rick Grinnell. He expects to see analytics offerings be either extremely focused on a single use case, or integrated into a broader platform, such as security incident and event management (SIEM)."

Still others I talked to thought they just need better users. In the climate of reduced skill sets and manpower shortages in organizations these days, I doubt that one is going to be solved by anything other than outsourcing.

Everybody is a Hunter Now

Threat hunting was all the rage with security vendors across the board; whether they focus on log analysis, EDR, user behavior analytics (UBA) or incident response. As a company with a specialized focus in the area of proactively hunting for post-compromise malware and threats, I feel it’s important for users to understand the difference between a tool that can be leveraged vs. a tool built and spec'd for the job.

Sure, there are certainly many existing SOC activities that could fall within the umbrella of threat hunting. These activities include historical log analysis, batch alert analysis, and scripted endpoint queries; so long as the activity is focused on discovering missed attacks or low and slow threats already in the network - you are hunting. And sure, some of these activities can certainly be performed by tools on hand (think Splunk, ELK, Hadoop, etc.). But for those of us who have spent any significant amount of time doing this in a large network, or training others to do it, we know there is a better, more efficient path requiring a dedicated tool or platform designed for the job.

Think of it this way; both a hammer and a nail gun fair similarly in a single nail test, but it's pretty obvious what the professional is going to use when (s)he has a house to build. The point I make here is that not all the products claiming to be useful in threat hunting are actual "hunt" products/platforms, and more importantly, nor are they efficient.

A true hunt product is one that is focused on the post-breach scenario (whether proactively hunting for unknown threats or performing triage during incident response). It either makes existing data/logs more useful specifically for this purpose or enable you to scalably and effectively interrogate possibly compromised devices directly using forensic state or artifact analysis. True hunt products introduce and automate a methodology and workflow that is field proven, in Infocyte’s case through years hunting in military networks. They are far easier to use than just doing raw historical searches against EDR and proxy logs, and far more scalable, effective, and sustainable than using those tired old endpoint scripts your predecessor wrote 4 years ago. 

That’s why Infocyte HUNT is built for specifically hunting. It doesn’t take the one solution fits all approach, but fits in with your existing security stack instead of competing with it. And its agentless footprint doesn’t crowd the endpoint 24/7. Learn more about Infocyte’s agentless endpoint hunting technology to find out why we’re the easiest and fastest way to detect post-compromise infections.