Cybersecurity in a SIEM-less World: Part II
In a previous article, I discussed the potential shortcomings of traditional Security Information and Event Management (SIEM) solutions, particularly for SMBs. These solutions are cumbersome, and they lack flexibility. They’re the very definition of tool sprawl. Fortunately, organizations are finding an alternative in a blend that combines managed network security monitoring tools with endpoint detection and response (EDR) capabilities.
Why Are Organizations Turning to These Solutions Specifically?
EDR is all the rage. It’s popular because it focuses on endpoint devices like workstations and servers. As explained by the Center for Internet Security, the EDR agent collects technical data from each endpoint on which it’s deployed and then sends that information back to a local server, a cloud service, or the vendor (in the case of a managed solution). The resulting analysis can reveal suspicious activity that could be indicative of a threat. If it identifies a threat, the EDR platform issues an alert that administrators can view and choose to act upon.
That said, EDR has its own set of challenges. First, organizations can’t put an EDR agent on all their assets. Few if any EDR platforms cover legacy systems, third-party tools, or Internet of Things (IoT) devices, all of which fall under infrastructure that infosec teams simply can’t control with an endpoint agent. Consequently, security teams need EDR for their traditional endpoint devices, but they also need an independent set of eyes on the traffic between devices and out to the Internet, so that all the other systems are covered as well.
Second, many digital attacks have evolved beyond the endpoint. While there are plenty of attacks that begin by infecting an endpoint and moving into other environments, there are also campaigns that don’t involve the endpoint at all. This makes EDR useless against those attacks, even in instances where the tools are using machine learning (ML).
“While machine learning-based (ML) tools can add a level of capability, they still depend on threat profiles, manual labeling, and legacy signatures to detect and stop threats, all which must be updated regularly,” explained Forbes.
Finally, some attackers have begun using techniques that help them bypass EDR solutions. In March 2021, for instance, Dark Reading reported on a weakness involving many EDR platforms’ use of “hooking” for behavioral analysis on endpoint devices. The issue is that those hooks sit at the system call (syscall) interface, a layer that user-level code can itself interact with. Attackers can use this to evade the EDR tool’s detection and remediation efforts and infect devices with malicious code.
Acknowledging the drawbacks of these tools, many organizations are pairing EDR with network detection and response (NDR), which can see traffic between endpoints and cover devices on which an EDR agent is not possible. This combination can act as a DIY SIEM alternative for organizations that implement it. They just need to be sure that they’re balancing both sides of the detection-and-response equation.
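To make the EDR-plus-network-monitoring idea concrete, here is a small added example (not code from the original article, and not Sentinel IPS or any vendor's product). It assumes three constructed inputs: an asset inventory that records which hosts carry an EDR agent, a handful of network flow records of the kind an NDR sensor would produce, and one EDR alert. The three functions show the network side doing the work the endpoint agent cannot: watching outbound traffic from agentless hosts, spotting internal hosts that are not in the inventory at all, and tracing where an endpoint that raised an EDR alert went next. The addresses, host names and alert text are all constructed sample values.

```python
"""Added example: correlate EDR alerts with network flow records so that
agentless assets (legacy systems, IoT devices) are still covered.
All inventory, flow and alert data below is constructed sample input."""
from datetime import datetime, timedelta
import ipaddress

# Constructed: address space considered "internal" for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed asset inventory: which hosts can actually run an EDR agent.
INVENTORY = {
    "10.0.1.10": {"name": "ws-finance-01", "edr_agent": True},
    "10.0.1.11": {"name": "ws-hr-02", "edr_agent": True},
    "10.0.2.50": {"name": "legacy-erp", "edr_agent": False},
    "10.0.3.7": {"name": "lobby-camera", "edr_agent": False},
}

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out).
FLOWS = [
    ("2021-04-01T09:00:05", "10.0.1.10", "10.0.2.50", 445, 12_000),
    ("2021-04-01T09:01:10", "10.0.1.10", "203.0.113.8", 443, 2_400),
    ("2021-04-01T09:15:00", "10.0.2.50", "198.51.100.20", 22, 950_000),
    ("2021-04-01T09:16:30", "10.0.3.7", "198.51.100.20", 8080, 300),
    ("2021-04-01T09:20:00", "10.0.9.99", "10.0.1.11", 3389, 5_000),
]

# Constructed EDR alert: (timestamp, host, description).
EDR_ALERTS = [
    ("2021-04-01T09:00:00", "10.0.1.10", "suspicious PowerShell download cradle"),
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def agent_status(ip, inventory):
    """'agent', 'agentless', or 'unknown' (host not in the inventory at all)."""
    entry = inventory.get(ip)
    if entry is None:
        return "unknown"
    return "agent" if entry["edr_agent"] else "agentless"


def agentless_outbound(flows, inventory):
    """Flows to external addresses from hosts no EDR agent will ever report on.
    Only a network sensor can see these, which is the gap NDR fills."""
    return [
        f for f in flows
        if agent_status(f[1], inventory) in ("agentless", "unknown")
        and not is_internal(f[2])
    ]


def unknown_internal_hosts(flows, inventory):
    """Internal addresses seen on the wire that the inventory does not know about."""
    seen = {f[1] for f in flows} | {f[2] for f in flows}
    return sorted(ip for ip in seen if is_internal(ip) and ip not in inventory)


def correlate(alerts, flows, inventory, window=timedelta(minutes=5)):
    """For each EDR alert, attach the host's network activity inside `window`.
    The network side shows where a flagged endpoint went next, including
    to agentless hosts the EDR console would never mention."""
    results = []
    for alert_ts, host, description in alerts:
        start = parse_ts(alert_ts)
        related = [
            f for f in flows
            if f[1] == host and start <= parse_ts(f[0]) <= start + window
        ]
        touched = sorted({f[2] for f in related
                          if agent_status(f[2], inventory) == "agentless"})
        results.append({"alert": description, "host": host,
                        "flows": related, "touched_agentless": touched})
    return results


if __name__ == "__main__":
    for f in agentless_outbound(FLOWS, INVENTORY):
        print("agentless host talking out:", f[1], "->", f[2], "port", f[3])
    print("internal hosts missing from inventory:",
          unknown_internal_hosts(FLOWS, INVENTORY))
    for r in correlate(EDR_ALERTS, FLOWS, INVENTORY):
        print("EDR alert on", r["host"], "then reached agentless hosts:",
              r["touched_agentless"])
```

The point of the correlation step is the one the article makes: the EDR alert by itself says a workstation ran something suspicious, while the flow records add that the same workstation then opened an SMB connection to the legacy ERP server, a host that can never raise an EDR alert of its own. Neither data source tells the whole story alone.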
Where This Leaves Organizations
A combination of EDR and network monitoring can help organizations that can’t manage a SIEM for their environments. Spoiler alert: Sentinel IPS fits into this equation. Our Outpost helps customers hide their perimeter by preventing attackers from conducting reconnaissance, identifies misconfigurations and other weaknesses that malicious actors could use to gain access to the network, and reduces the firewall’s workload. Meanwhile, our MNDR solution adds internal visibility into digital threats such as phishing scams, malware, and ransomware. With that visibility, internal teams can quickly identify infected devices, fix misconfigurations, and prioritize vulnerabilities for remediation. They can also rest assured that their systems are under the watchful eye of a 24/7 security team that can help with support, troubleshooting, and research.
Drop the SIEM and embrace network detection and response.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.