Tarlogic presents an EDR evaluation methodology from the perspective of a Threat Hunting service
This EDR evaluation methodology allows for the analysis of more than 60 functions of EDR solutions to determine their suitability for providing a proactive Threat Hunting service
Tarlogic Security presented a new EDR evaluation methodology from the perspective of a Threat Hunting service at the XVIII STIC Conference of the CCN-CERT. This tool has been designed by the BlackArrow division of the cybersecurity company to analyze which EDR solutions are best suited to Tarlogic’s proactive Threat Hunting model, and to contribute to the improvement of a technology that is essential for detecting and responding to threats in business environments.
Julio Jairo Estévez and Alberto Terceiro, Threat Hunters at BlackArrow, shared with EDR developers, researchers and Threat Hunting professionals the keys to an EDR evaluation methodology that is already being used to analyze the EDR solutions with the highest market penetration, which 90% of companies work with.
As with previous Tarlogic research, all documentation on this EDR assessment methodology has been published openly on GitHub.
In addition, our company’s Threat Hunting professionals are actively collaborating with EDR solution vendors to evaluate these technologies and continuously contribute to their improvement.
EDRs are the antivirus of this era for enterprises
Just as, a few years ago, it was unthinkable for a company not to have antivirus protection on its computers, today EDRs are essential to safeguard large companies and small and medium-sized enterprises against malicious actors.
In fact, in a way, EDR solutions are an evolution of antivirus: a tool that helps companies cope with an increasingly complex and dangerous threat landscape. In the current context, not only are threats more advanced, but it is also becoming easier and easier to launch cyberattacks against companies, because there is a black market for malware and ransomware. Having the knowledge and resources to design and launch these attacks is no longer necessary: they can be purchased from third parties and simply deployed.
What are EDR solutions for? This technology is key to monitoring a company’s technological infrastructure, detecting threats and generating telemetry. As such, these solutions enable experienced professionals such as Threat Hunters to continuously analyze an organization’s assets, prevent incidents and deal with them should they occur.
The experience of BlackArrow’s Threat Hunting and Red Team teams shows that advanced malicious actors can evade the detection controls of EDR solutions. However, the most advanced EDRs still record telemetry about that activity even when their detection logic does not flag it.
So, even if a malicious actor manages to evade an EDR’s detection technology and prevent it from raising security alerts, the product still records the telemetry that Threat Hunters need to analyze in order to detect the malicious activity and understand the tactics, techniques and procedures (TTPs) of hostile actors.
Why does a methodology need to evaluate EDRs from the Threat Hunters’ perspective?
EDR solutions are one of the weapons available to a Threat Hunting team to detect and respond to security incidents that companies may experience.
However, not all EDR solutions have the same characteristics. Therefore, a Threat Hunting service must analyze their performance in order to know how each solution fits its Threat Hunting model and to be able to qualify the service for use with different products.
For this reason, Tarlogic professionals have continuously analyzed our customers’ various EDR solutions to check how the Threat Hunting service behaves when using them.
Based on this experience accumulated over the years and the knowledge acquired, an EDR evaluation methodology has been developed from the perspective of a Threat Hunting service that allows:
- Make the EDR analysis objective and record it empirically.
- Evaluate each EDR solution continuously.
- Track the evolution of the various products over time.
- Compare the different EDR solutions with each other.
- Present the results of the Threat Hunters’ evaluations simply and clearly, through a numerical scoring system and graphs.
How does the EDR evaluation methodology work?
To carry out these tasks, the EDR evaluation methodology from the perspective of a Threat Hunting service is structured around seven major categories that bring together 65 characteristics that must be analyzed in each solution:
- Telemetry.
- Query language.
- Administrative tools.
- Features.
- API.
- User Interface (UI).
- Results obtained in the MITRE Engenuity ATT&CK Evaluations. These evaluations measure the detection capabilities of EDR solutions by emulating the behaviour of known advanced persistent threat groups in various attack scenarios.
In addition, the methodology differentiates between critical and normal functions in order to give more weight to the former. For example, in the case of telemetry, the average latency between an event being generated on the endpoint and its telemetry becoming available in the console is considered a critical function of an EDR, whereas the ability to schedule tasks is a normal function.
Each function is also rated on a scale from one to five, with the highest rating given when the function has been properly implemented in the EDR solution.
This makes it possible to score each product according to how much it improves the Threat Hunting service.
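To make the scoring model concrete, the following Python is an added example and is not Tarlogic’s tool nor the material published on its GitHub. It assumes a weighting the page does not state (critical functions count twice as much as normal ones), uses a constructed five-function catalogue instead of the real 65 characteristics, and computes per-category and overall weighted means on the same 1..5 scale, plus the delta between two evaluations of the same product so its evolution over time can be tracked.

```python
"""Weighted scoring model for an EDR evaluation (added example, not Tarlogic's tool).

Assumptions not taken from the page: critical functions weigh twice as much as
normal ones, and category/overall scores are weighted means of the 1..5 ratings.
The catalogue below is a constructed sample, not the methodology's 65 characteristics.
"""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5
WEIGHT = {True: 2.0, False: 1.0}   # assumed: critical -> 2.0, normal -> 1.0


@dataclass(frozen=True)
class Function:
    name: str
    category: str
    critical: bool


# Constructed catalogue. Only telemetry latency (critical) and task scheduling
# (normal) are mentioned on the page; the other entries are illustrative.
CATALOGUE = (
    Function("telemetry_latency", "Telemetry", True),
    Function("process_creation_events", "Telemetry", True),
    Function("scheduled_tasks", "Administrative tools", False),
    Function("remote_shell", "Administrative tools", True),
    Function("query_joins", "Query language", False),
)


def validate_ratings(ratings, catalogue=CATALOGUE):
    """Reject ratings that are out of range or do not cover the whole catalogue."""
    names = {f.name for f in catalogue}
    missing = names - set(ratings)
    if missing:
        raise ValueError(f"unrated functions: {sorted(missing)}")
    unknown = set(ratings) - names
    if unknown:
        raise ValueError(f"unknown functions: {sorted(unknown)}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name}: rating {value!r} not in {RATING_MIN}..{RATING_MAX}")
    return ratings


def is_valid(ratings, catalogue=CATALOGUE):
    """Boolean wrapper around validate_ratings for callers that prefer no exceptions."""
    try:
        validate_ratings(ratings, catalogue)
        return True
    except ValueError:
        return False


def weighted_mean(functions, ratings):
    total = sum(WEIGHT[f.critical] * ratings[f.name] for f in functions)
    weight = sum(WEIGHT[f.critical] for f in functions)
    return total / weight


def category_scores(ratings, catalogue=CATALOGUE):
    """Score per category, on the same 1..5 scale as the individual ratings."""
    validate_ratings(ratings, catalogue)
    categories = sorted({f.category for f in catalogue})
    return {
        cat: weighted_mean([f for f in catalogue if f.category == cat], ratings)
        for cat in categories
    }


def overall_score(ratings, catalogue=CATALOGUE):
    """Single weighted score for the product, 1..5."""
    validate_ratings(ratings, catalogue)
    return weighted_mean(catalogue, ratings)


def as_percent(score):
    """Map a 1..5 score onto 0..100 for graphs (1 -> 0, 5 -> 100)."""
    return (score - RATING_MIN) / (RATING_MAX - RATING_MIN) * 100


def compare(before, after, catalogue=CATALOGUE):
    """Per-category delta between two evaluations (e.g. two versions of one product)."""
    a, b = category_scores(before, catalogue), category_scores(after, catalogue)
    return {cat: b[cat] - a[cat] for cat in a}


# Constructed ratings for one product at two points in time.
EDR_A_2023 = {"telemetry_latency": 5, "process_creation_events": 4,
              "scheduled_tasks": 3, "remote_shell": 4, "query_joins": 2}
EDR_A_2024 = {"telemetry_latency": 5, "process_creation_events": 5,
              "scheduled_tasks": 3, "remote_shell": 4, "query_joins": 4}

if __name__ == "__main__":
    for label, ev in (("2023", EDR_A_2023), ("2024", EDR_A_2024)):
        print(label, {k: round(v, 2) for k, v in category_scores(ev).items()},
              "overall", round(overall_score(ev), 3),
              f"({as_percent(overall_score(ev)):.1f}%)")
    print("delta", {k: round(v, 2) for k, v in compare(EDR_A_2023, EDR_A_2024).items()})
```

Because the per-category and overall scores stay on the 1..5 scale, a reviewer can read them directly against the individual ratings, while `as_percent` gives the 0..100 value that suits the graphs the methodology uses; `compare` is what turns two periodic evaluations of the same product into an "evolution over time" view.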
Helping EDR vendors to refine their technologies further
The EDR evaluation methodology designed by BlackArrow’s Threat Hunters is a living and evolving project.
This analysis tool makes it possible to evaluate EDR solutions periodically, to check whether new features have been implemented, and it can itself adapt to changes and innovations in the cybersecurity field.
To further enrich this EDR evaluation methodology, Tarlogic professionals will continue to work with manufacturers whose products have already been analyzed and are open to collaborating with other manufacturers, as well as with researchers and the rest of the cybersecurity community.
Thus, after the presentation of the EDR evaluation methodology by Julio Jairo Estévez and Alberto Terceiro, constructive contacts were established with various manufacturers of EDR solutions to collaborate in improving an essential technology to protect companies and carry out proactive Threat Hunting services.