Corvil and Endgame: Boosting Security Analyst Productivity to Stop Targeted Attacks

Author: David Murray, Chief Business Development Officer, Corvil

The time of solely providing a constant stream of security alerts is over. It has gone the way of the buggy whip, the mullet, and the virtual moat (firewall) or physical moat as the primary line of defense!

Unlike the mullet, there is no party in the back for security analysts today. There is too much for analysts to manage: the most dangerous attacks are too targeted for signature alerts to keep up, the attack surface is too large and constantly changing, and adept cyber-attackers know how to circumvent many known defenses. In economic terms, the cost to launch a successful cyberattack is falling. Diversity of techniques, accessibility of technologies and codebases, availability of data for successful phishing and social engineering, and diversity of motivations have all contributed to the increase in supply. Inversely, the cost of defending against cyberattack is rising, and the talent necessary to protect is in short supply.


Way Beyond the Basics

Analysis techniques that automate the discovery of unpatched or unprotected endpoints on the network are necessary, but not sufficient. Good hygiene always counts, as does user education. However, companies must operate as if in a perpetual state of breach. Analyzing how machines are communicating with others, and correlating that with user accounts exhibiting risky behaviors that are active on those endpoints, is eminently valuable because it more effectively identifies and prioritizes risk. Looking deep inside the riskiest machines to hunt for suspicious artifacts and other evidence of never-before-seen attack techniques is yet another layer of a more effective protection strategy.

Stepping back and looking at customer needs, what we see is a security analyst workflow that is manual today, and repeated again and again until their brains go numb. Each step of the workflow answers an additional set of questions about the level of risk: each step gathers more information and correlates it to help the analyst decide what actions to take. There are several manual workflows like this, depending on the infrastructure starting point.

For example:

  1. An endpoint solution detects some new malware variant on a machine.
  2. The analyst seeks information on its origin through various other tools.
  3. The analyst seeks information on what other machines have been in communication with that host through various other tools.
  4. The analyst seeks what user accounts have been active on that machine and others, what has been communicated, and so on, again through various other tools.

Streamlining the workflow with automated data collection, analysis, correlation of information across network and endpoint surfaces, and contextual navigation for gaining more information and actioning the findings should help analysts return to business in the front. This automated analysis can help free security analysts from the endless mire of mundane and time-consuming investigative tasks so they can focus on more complex analysis, protection, and prevention. As Jamie Butler, CTO of Endgame, puts it: "AI should be seen as a multiplier, not a silver bullet." While his comment specifically references machine learning approaches, it seems applicable to any set of automated analysis techniques. Unfortunately, the data and analysis skills needed to understand time-series machine communications in order to track lateral user movement are totally different from the data and skills needed to hunt for exploits in machine memory or to recognize new endpoint attack tactics.

The domain expertise needed to build and optimize the automation resides in separate organizations. Advanced network communications expertise and endpoint expertise have lived in different worlds, and it has been tough to get either to work with data scientists to create analytics models that are operationally useful, and with solution engineers to build platforms capable of doing the analysis at scale. Hence Corvil's focus on network analysis and automation, and Endgame's focus on endpoint analysis and automation.

However, these different innovations in automated analysis must find ways to work together to be effective productivity multipliers for overworked security analysts, and that is what Corvil's partnership with Endgame is all about.

Today, we announced a partnership and integration that ties together leaders in security analysis and protection for network and endpoint, to help ease the burden on security analysts and provide a more effective visibility and protection fabric for customers.

While each organization serves customers across many industries, our respective heritages in financial services and defense bring together a wealth of experience and capabilities that are needed everywhere. We share a commitment to empower security analysts of any skill level to do more: both companies have extended innovations in the area of machine learning, and both have introduced chatbot / virtual assistant capabilities, in Endgame Artemis™ and Corvil Cara.

While we are not advocating a return of the mullet, we are certainly providing an all-business approach to cyber protection and visibility, with multipliers to elevate security analysts at all levels. If that affords analysts some much-needed relief to party, then so much the better!