Endgame Arbiter®: Solving the 'Now What?' Problem

Many security products provide a never-ending stream of alerts, and fail to provide the necessary context and capabilities to support the next stage of analysis. For an analyst to grasp the implications and take action, more context is required, such as the severity and confidence of the alert, was it targeted, and whether it is an anomaly or has previously occurred.  At Endgame, our focus on the user at every aspect of development ensures we move past this bare minimum of providing an alert, and instead fully augments the speed, scope, and skills available for secondary analyses. This is especially evident in our latest release, Endgame Arbiter®, our cloud-based threat analysis platform that automates many of the key analytic pain points while providing additional context and insight into the data.

As a solutions provider working with customers and practitioners for over twenty years, I understand the constraints and the difficulty customers encounter daily. Every feature that goes into the Endgame platform is evaluated for its impact to improve the scope, speed, and skills of our customers. Endgame Arbiter® is the latest validation of this approach, providing customers the necessary range of information and capabilities required to take action, without having to hire a large staff of expert reverse engineers. Below are some of the key pain points addressed and capabilities provided within Endgame Arbiter®.

 

Problem: Overcoming Alert Fatigue

Every day, overworked security analysts must make the decision whether to investigate the root cause of an event or move on to incoming alerts.  Analysts decide on the spot if an alert requires digging deeper, or if they should focus on managing the onslaught of inbound alerts from their dozens of security products. There simply are too many alerts that it is impossible for even the best resourced team to conduct due diligence every time there is an event.

Solution

As the CTO of an endpoint security product, one of my top priorities is to provide relevant and actionable alerts, limiting the deluge of alerts instead of augmenting it. With this in mind, many features have been built into Endgame that enable alert triage with with ease, including alert outlier analysis, investigation prioritization with MalwareScore™, one-click retroactive whitelisting, Endgame Resolver™ attack visualization, and Endgame Artemis® guided response actions. These features accelerate the time it takes to triage an alert and elevate the ability for lower tiered analysts to participate in the triage process. But how do analysts make the determination to leverage these features? These are all essential capabilities, but more is required to enable analysts to quickly distinguish between alerts that require immediate attention and those that don’t take priority.

Enter Endgame Arbiter®, a cloud-based threat analysis platform that automates advanced attack analysis, such as determining file reputation or attack type, to reveal unknown threats across the entire enterprise. For any alert, Arbiter conducts robust analysis consisting of first party intelligence, algorithmic and third-party reputation checks. Arbiter also makes a near-real-time decision about the severity of an alert and funnels that information back into the Endgame UI, giving the analyst the necessary additional information required to take the next steps in the triage process.

 

 

Problem: Data is Left Behind

Once a prevention alert occurs, security teams often operate in a "lights out" mode, moving on to other alerts without additional analysis taking place. This ignores a potential treasure trove of post-compromise adversarial behavior that could inform future defenses. Today's adversaries are not easily deterred, and operate in the gaps of enterprise security. While a prevention alert may have stopped a serious potential compromise, there is no assurance that the attacker won’t try again with different modes of compromise but the same post-compromise behavior. How can this intelligence about what would have happened inform future indicators for broader enterprise analysis?

Solution:

Endgame Arbiter® was built to extract the full lifecycle of the attack and inform future defenses through our malware detonation and analysis sandbox. Proprietary introspection software analyzes the detonation of a malicious file in a safe, contained environment managed by Endgame. In a few minutes, indicators are extracted for quick pivoting through Endgame Artemis® to determine the full extent of the breach. Arbiter goes well beyond IOC extraction by also looking for the characteristics of attack, similar to the tradecraft protections in the autonomous Endgame agent protecting against targeted attacks.

 

 

Problem: Playing Nicely with Others

Security stacks constantly evolve. New products are continually added (and hopefully removed), new integrations must be built, requiring new training and workflows, and it never ends. Security teams need products that not only fit into current and future workflows, but also actually enhance workflows instead of forking the process into YAT (yet another tool).

Solution:

Endgame Arbiter®  was designed to integrate with  the constantly expanding security stack and the ever expanding set of issues. When a new security product detects new problems, it can easily integrate with Endgame Arbiter®. If a file is detected in another solution, Arbiter's upload feature extends the analysis capabilities beyond the alerts in the Endgame platform.

 

 

Endgame Arbiter®

Arbiter is another example of how the Endgame platform leverages technology to augment, facilitate and expedite the workflow for security teams.  It was built to smartly inform alert responses and remediation, while also gathering intelligence that is often cast aside, and ensuring interoperability as the security stack evolves.  We  aim to deliver the best possible product and workflow to solve our customer’s key pain points. Endgame Arbiter® contains custom-built, proprietary technology, with many benefits including:

  • A sandbox built on top of a hypervisor, allowing us to stop many sandbox evasion techniques that focus on common sandbox indicators.
  • A sandbox that only reports the true execution of the malicious behavior. Many other sandboxes “trace” an entire operating system or an entire tainted process instead of just the malicious pieces that were introduced.
  • A sandbox that accurately represents enterprise environments. Many sandboxes still utilize Windows XP. Instead, we control the OS for detonation to better mimic real-world environments.
  • Accurate IOC extraction. Our sandbox outperforms commonly available sandboxes.
  • Easy integration with Endgame developed tradecraft analytics.
  • Data protection as the ultimate endgame. Endgame Arbiter® never provides files to any third-party sites or shares information with others. Our technology ensures the best possible analysis with complete control of the data. ​

Endgame consistently delivers scope, speed, and skills with every new feature. Arbiter exemplifies these three values.

  • Scope: Dynamic analysis beyond the traditional IOC detection, digging deep into the tradecraft techniques found in the MITRE ATT&CK™ Matrix.

  • Speed: Seamless platform integration provides near-instant answers to security teams’ questions like "should I investigate this alert" and "what WOULD have happened if this file ran" in time to stop damage and loss.

  • Skills: Not every organization can afford to staff a malware analyst. Endgame Arbiter® can augment those teams by providing automated malware analysis. Arbiter also accelerates analysis for teams with the skilled personnel.

The addition of Arbiter to the Endgame platform accelerates and elevates our users beyond anything else in the market.