February 08, 2017
Endgame and Morphick: Closing the Gap in Advanced Cyber Threat Response

In my recently released book Facing Cyber Threats Head On, I spend a lot of time discussing how contemporary cyber security is just as much about stopping people (the attackers) as it is about stopping malware.  When you look at it, stopping people is a different problem and requires a different approach than stopping malware.  At the end of the day, people create and adjust strategies based on what they experience.  Computer programs do not.

To illustrate this point, let’s take a look at how we should stop a malware-based attack versus how we should stop a person-based attack.  In the case of malware, when you stop it from executing, you have effectively ended its existence.  The malware is not aware of the fact that it was stopped, nor does it learn anything from the fact that it was stopped.  It simply ceases to execute.

Contrast this to a person-based attack.  When a person is stopped, they are aware of that fact.  The person can also infer things from how they were stopped and use those inferences to adjust their strategy going forward.  In other words, the person can learn and change.  Malware does not do this.

So what?  Who cares?   Well, when your entire defensive strategy is based on automatically blocking all malicious activity, you do a great job stopping malware, but you inadvertently tip your hand to the people, the attackers.  By automatically blocking a person, you allow them to learn how they were caught. You allow them to interact with your defenses in real time. You allow them to change their strategy and even test those changes until they ultimately find a way around your automated defenses. 

In a person-based attack, it is critical that the defender has the ability to strategically detect and respond to an attacker.  It is also critical that the defender has the ability to very quickly change their detection and response strategies as the attacker changes their own strategy.  Having technology that can enable a broad and dynamic detection and response strategy, paired with capable analysts who can direct that strategy, is ultimately how people-based attacks need to be addressed.

This is where the Morphick + Endgame Managed Endpoint Detection and Response (EDR) partnership comes in.  Endgame’s EDR platform delivers unrivaled visibility and detection capabilities to Morphick analysts who are then able to create and adjust detection and response strategies based on what specific attackers are doing at specific customers.  It is this powerful combination of technology and people that has proven most effective when addressing advanced people-based attacks.

As I say in my book “we do not want to automate the decision-making process around whether or not an attacker is in the environment.  However, we do want to automate the gathering of the information that the analyst needs in order to make that decision…use of technology to increase the productivity of people in the cyber defense process is valuable.  Using technology to replace people in your cyber defense process is not.”

If you’ll be at RSA next week, be sure to swing by the Endgame booth (South Hall 1739) on the 15th at 11:00. I’ll be presenting, “Facing Cyber Threats Head-On” and handing out signed copies of my book as well.