Endpoint Detection & Response and the Feedback Loop – Webinar 25 November 2020
25 November 2020 – Cyber Security Coalition
Absence of evidence is not evidence of absence! This aphorism is more than ever valid in Cyber Security: people stating that they never had a breach probably simply do not know that they have been breached.
This presentation, given by Luk Schoonaert – Director of Technology @ Exclusive Networks, Value Add Distributor of Emerging Technologies – elaborates on detection techniques and best practices in order to increase incident detection rates and collect evidence. The importance of detection capabilities on the endpoints (EDR) is explained, certainly given the fact that visibility at network level is decreasing, ironically enough, due to security evolutions resulting in more and more encrypted network traffic. Moreover, thanks to EDR, response actions (isolation, cleaning) will be much easier, since most EDR agents offer this possibility.
But if you want to detect something, you have to know what to look for! If you are only looking for Indicators Of Compromise (IOC), you are looking for artefacts: presence of known malware (signature based) and connections to malicious sites. You are not only reactive, but you will also miss a lot that is not in your signature or malicious-site databases. A complementary and even better way of working is TTPs: Tactics, Techniques and Procedures. In a nutshell, TTP is about Behaviour Analysis: searching for typical behaviour of intruders, but also searching for deviations from the baseline. Machine learning and automation (SOAR) are emerging capabilities that help here in finding the bad guys.
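To make the IOC-versus-TTP contrast above concrete, here is an added example (not from the webinar or the speaker) that runs both detection styles over constructed endpoint telemetry: an IOC lookup against known-bad hashes and domains, and a behavioural rule that flags parent/child process pairs absent from a learned baseline. All hashes, domains, process names and event records are made up for illustration.

```python
# Added example: IOC matching versus TTP-style baseline deviation on constructed
# endpoint events. Every feed entry and event below is a placeholder, not real data.
from collections import Counter

# Constructed IOC feeds: known-bad file hashes and destinations (reactive, signature style).
IOC_HASHES = {"PLACEHOLDER-BAD-HASH"}
IOC_DOMAINS = {"malicious.example"}

# Constructed baseline of normal parent -> child process pairs, standing in for what an
# EDR would learn from weeks of historical telemetry (pair -> number of times observed).
BASELINE_PAIRS = Counter({
    ("explorer.exe", "outlook.exe"): 500,
    ("outlook.exe", "winword.exe"): 120,
    ("services.exe", "svchost.exe"): 900,
})

def ioc_hits(events):
    """Flag only events carrying a known-bad artefact (hash or destination)."""
    return [e["id"] for e in events
            if e.get("hash") in IOC_HASHES or e.get("dest") in IOC_DOMAINS]

def ttp_hits(events, baseline=BASELINE_PAIRS, min_seen=5):
    """Flag events whose parent/child pair was seen fewer than min_seen times in the baseline."""
    return [e["id"] for e in events
            if baseline[(e["parent"], e["process"])] < min_seen]

def missed_by_ioc_only(events):
    """Events the behavioural rule catches that the IOC lists alone would not."""
    return sorted(set(ttp_hits(events)) - set(ioc_hits(events)))

# Constructed sample telemetry: two baseline-normal events, one novel Office -> shell
# chain with no IOC match, and one binary that matches the IOC hash list.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "process": "outlook.exe", "hash": "aaaa", "dest": None},
    {"id": 2, "parent": "services.exe", "process": "svchost.exe", "hash": "bbbb", "dest": "update.vendor.example"},
    {"id": 3, "parent": "winword.exe", "process": "powershell.exe", "hash": "cccc", "dest": "cdn.example"},
    {"id": 4, "parent": "explorer.exe", "process": "unknown.exe", "hash": "PLACEHOLDER-BAD-HASH", "dest": None},
]

if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))                      # [4]
    print("TTP hits:", ttp_hits(EVENTS))                      # [3, 4]
    print("Missed by IOC-only:", missed_by_ioc_only(EVENTS))  # [3]
```

Event 3 is the case the text warns about: nothing in it is on a signature or malicious-site list, so only the deviation from the baseline surfaces it.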
Another dimension in Detection and Response is pro-active versus reactive. Traditional Incident Response is reactive: it responds to a PIVOT triggered by an alert or an incident. On the other hand, when using Threat Hunting capabilities, there is no alert: you are looking for a PIVOT pro-actively. And thanks to a feedback loop, security architects get relevant threat intelligence from security operations to build risk models and evolve the infrastructure, the operational capabilities and the overall security posture. Last but not least, do not forget to include your business stakeholders in the feedback loop! At the end of the day, the business is responsible for risk management and has to be in the loop in order to guarantee security by design!