How Effective are Endpoint Security Solutions at Detecting and Preventing Malware?

[Sherman Chu 8]

First off, I am in no way shape or form an expert in this.

While a majority of EDR nowadays tout that they have the ability to detect and block malware based on behavior, I am still skeptical that such tools can efficiently help with preventing malware such as Trickbot from successful installation. 

Does anybody who have more experience help shed some light on this matter? I know that this may be a loaded question and may contain a lot of caveats and qualifiers. But stripping defense-in-depth and other best practices, how much faith do y'all put into EDRs?

[Boris T 2]

check VirusTotal and decide for yourself?

[Kevin Beaumont 110]

I guess the first question is what you mean by EDR. 

My view overall is that EDR is usually anti-virus with an extra price tag. Often vendors have gone overboard with marketing to help sell the extra premium to boards. Sometimes the marketing is so overboard it’s, well, bad. 

For me: AV is great, it detects a lot of stuff. If you can afford premium features easily then great, it’s another layer of security protection. However if budgets are a concern then you risk being mis-sold a false sense of security. 

[james mckinlay 116]

most battle hardened  pentesters I know laugh at AV and EDR - they curse app whitelisting but that also fails occasionally - 

if your users are local admin, or you have unpatched priv escs its game over whatever your running 

 

BTW - did you see this - https://speakerdeck.com/tophertimzen/edr-is-coming-hide-yo-sh-t

Edited August 12, 2019 by james mckinlay

[Jon Turner 10]

Here's my 10cents. AV works, EDR a bit more so, i.e. It blocks lots if stuff and stops many bad things happening. Pen testers may laugh at it, but most organisations day to day threats are malware related not Pen testers or targeted attacks . Will it stop everything? No? Does that mean don't use it? No.  Does it mean targeted attacks won't happen? No

Would whitelisting be better? Yes. Can it be rolled out at scale? yes but never commonly happens as it's a PITA.

I seem to be saying this everyday now.. 'Don't left Perfect be the enemy of Good'. Security people seem to be amazing at letting crap happen because it's not the perfect solution.

In the medical world they use these definitions: Nice definitions

"Effectiveness :How beneficial a test or treatment is under usual or everyday conditions, compared with doing nothing or opting for another type of care.

Efficacy: How beneficial a test, treatment or public health intervention is under ideal conditions (for example, in a laboratory), compared with doing nothing or opting for another type of care.

Empirical evidence : Evidence that is based on experience (observation or an experiment) rather than on reasoning alone."

Do we have Empirical evidence that AV/EDR is effective? Yes.

We need to focus more on what's effective not what's perfect (I.e. Effectiveness v Efficacy)

 

Edited August 13, 2019 by Jon Turner
Typo

[Kevin Beaumont 110]

Yeah, I tend to not model around what pentesters say because they usually aren’t the threat scenario.

Eg if I’ve got them on the internal network and given them a laptop with admin rights and they disable security controls, I’m not that surprised - the hope would be the security controls stop the attacker gaining access to the laptop and network in the first place. 

[Kieran Grieve Combes 2]

EDR should also allow you do too things such as remote process/memory fingerprints and capture. I've seen ones that allow you to isolate a host from the network and only allow it communicate to the edr controller, you can also do more advanced forensic captures. if it's just doing av it's not edr because the response part is missing.

[Kevin Beaumont 110]

Yeah, it comes back to what people mean by EDR.  EDR has become the new thing that vendors need to sell their product, as industry people are asking for it - but everybody means something different it feels like.  

Sophos are a pretty good example of where it gets confusing.  As a customer, you have:

• Sophos Endpoint - their main product until a few years ago
• Sophos Intercept X
• Sophos Intercept X Advanced
• Sophos Intercept X Advanced with EDR

But when you've got to "Sophos Intercept X Advanced with EDR" (how is that a product name?!) it still doesn't include the EDR you're describing above, Kieran.

[james mckinlay 116]

out of the box AntiVirus does not play well with non-persistent-VDI so we opted for application whitelisting and removal of admin rights for everyone instead of ( not as well as) Antivirus.

Our monitoring tells us these were sensible choices for our environment.

 

 

[james mckinlay 116]

https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/

[Kevin Beaumont 110]

On 8/16/2019 at 2:17 PM, james mckinlay said:

out of the box AntiVirus does not play well with non-persistent-VDI so we opted for application whitelisting and removal of admin rights for everyone instead of ( not as well as) Antivirus.

Our monitoring tells us these were sensible choices for our environment.

It’s a bit of tricky risk one - it’s pretty easy to get around things like AppLocker if you know what you’re doing. You can run AV with VDI, last two jobbings have done it. That said application whitelisting is quite often more successful than AV, make of that what you will. 

[james mckinlay 116]

Just now, Kevin Beaumont said:

It’s a bit of tricky risk one - it’s pretty easy to get around things like AppLocker if you know what you’re doing. You can run AV with VDI, last two jobbings have done it. 

extrahop, senseon, vectra, bro and graylog all say that the environment is clean - it may not be - but thats alot of different ways of saying it is 

we know you can run AV in VDI we choose not to - 

[Quentyn Taylor 2]

my personal opinion - its better than nothing but dont depend on it. Too many products depend on signatures and hashes which means you dont even need to be patient zero to be totally impacted. 

 

Good for box ticking but make sure you have defence in depth - invest in more people if there is a choice 

[Daniel Cuthbert 16]

I'm going to differ here to a lot of the opinions posted: as someone who's been heavily involved in the offensive realm for a long time now, modern EDRs like Crowdstrike and Carbon Black, are annoying as hell to me when I want to be evil. As a defender, they are damn good as they force me and others to make noise and we hate noise as noise makes you know we are around.

Sure, the early ones were signature-based, did really stupid things to their agents that made it trivial to disable, perform sneak process hollowing tricks to stop you seeing me and so many others, but that isn't the case much today. I don't see them as a box ticking exercise, not at all whilst they still have a lot to do, i'm glad im not a pentester anymore 😉

[Boris T 2]

28 minutes ago, Daniel Cuthbert said:

" they are damn good as they force me and others to make noise and we hate noise as noise makes you know we are around."

must try harder! they will eventually fall too...