Cybersecurity experts Rickard Dittmer (RD) from Nixu and Ronald Pool (RP) from CrowdStrike held an interesting webinar on Endpoint, Detection and Response on March 2021. Our active attendees had some questions, so we gathered a Q&A summary for everyone to learn on the subject.
Is it possible to draw a boundary between detection capabilities of modern antivirus and EDR products? Or they mostly overlap these days?
RP: I think that there’s a large piece of overlap. If you purely look at EDR, you might want to look at the process side of things: What processes are spawning? What processes are doing what? Let's say certain DNSlookups sends queries to the internet. What are the queries doing to the registry and other files? Those kind of things. That would be pure EDR.
We at CrowdStrike use machine learning, so we take care of the file-based threads. For us, the difference is: if you've got the EDR side of the house, you get detection and response; you don't have prevention.
We have the option to enable prevention, but that pretty much means we have those capabilities of EDR. There's no other agent rolled out, there's no additional module downloaded to the endpoints. It's still that same single lightweight agent.
But now it starts preventing proactively too, so if it sees files deemed malicious by our machine learning, it will notexecute; the malicious files will be blocked before execution. If we see processes doing malicious stuff instead ofreporting it and allowing you to respond to it, we can kill those processes proactively.
So, we can replace an antivirus system. We've got plenty of customers who purely run with CrowdStrike as the EDR and antivirus solution.
In that aspect, I would say there's 100 % overlap.
Sometimes we also see customers with an antivirus that they still license for, let's say, three years. They're not going to throw that away. We tend to see that they put CrowdStrike next to it as the EDR solution and keep the traditional antivirus running. But as that end of contract term approaches, we tend to have discussions. (Okay, so there are specific use cases where you’d need traditional antivirus, or it might be smarter to have a single agent do it all.)
What is the main reason for accelerated threat growth?
RD: One of the main reasons is that we are moving towards the end of the fusion between cyber and physical crime terrorists and nation-state activities. There's not you know for criminals there's no cash available today.
I have a background working with kidnapping ransom in the physical sectors doing both maritime and with persons, art, and horses and that doesn't pay off that well today. So there's money in cybercrime.
And believe it or not, we have pretty well structured, organized crime organizations and quite well structured terrorist organizations and nation-states, of course.
It’s the money that’s driving the agenda forward for the political and terrorist agendas, unfortunately.
How does CrowdStrike address the challenge in situations where there is very low bandwidth available? Example: Shipping vessels at sea several days most likely are not interested in spending serious amounts of money on satellite bandwidth.
RP: CrowdStrike’s prevention capabilities also work offline and do not require cloud access. Only periodic access (in a port, for instance) to download a new agent would be required to stay up to date.
For the EDR bit, the sensor sends out on average 5 to 10 megabytes per day (so that is per complete 24-hour cycle), which is achievable for many low bandwidth locations, as CrowdStrike has shipping companies & offshore companies as happy customers.
There will always be situations where that’s not achievable. In that case, the sensor will cache events locally for up to approximately 2 to 3 days and then overwrite the oldest events with newer ones until it connects to the cloud again to send the built-up data out.
How do you deploy an EDR system to a, for instance, a consultancy? Could it give insights on possible lateral movement into client systems even if they could not be integrated? The value of detecting internal branches before clients are affected would be priceless, and if clients are affected, it would help in the communication.
RP & RD: We at CrowdStrike and at Nixu?? have MSSP programs, allowing a single party to manage/monitor multiple environments. Not only MSSP uses this but, for instance, also larger organizations with various operational companies.
In this case, the different companies all have their scope and visibility, but the parent company or MSSP has the overarching view and could see any trending or actions moving across environments.
We also tie in with several Network Detection & Response (NDR) vendors. We can also widen this scope to unmanaged devices, purely looking from a network traffic perspective.
Do you have examples of ROI, TCO, and other business cases/argumentation calculations or simulations?
RD: Nixu has published a whitepaper on the ROI of cybersecurity investments. We also have a tool for ABC, TCO and ROI that we use in assignments.
Watch the webinar as whole here.
Download our whitepaper on Endpoint, Detection & Response here.
Read more on Endpoint, Detection & Response: https://www.nixu.com/endpoint-cybersecurity