Skip to content Skip to sidebar Skip to footer
Home Resources Blog Endpoint Detection & Response and the Feedback Loop – Webinar 25 November 2020

Endpoint Detection & Response and the Feedback Loop – Webinar 25 November 2020

2 minutes reading time

Endpoint Detection & Response and the Feedback Loop – Webinar 25 November 2020

Absence of evidence is not evidence of absence! This aphorism is more than ever valid in Cyber Security, people stating that they never had a breach probably simply do not know that they have been breached.

This presentation given by Luk Schoonaert – Director of Technology @ Exclusive Networks, Value Add Distributor of Emerging Technologies – elaborates on detection techniques and best practices in order to increase incident detection rates and collecting evidence. The importance of detection capabilities on the endpoints (EDR) is explained certainly given the fact that the visibility on network level is decreasing ironically enough due to security evolutions resulting in more and more encrypted network traffic. And moreover, thanks to EDR, response actions (isolation, cleaning) will be much easier since most EDR agents offer this possibility.

But if you want to detect something, you have to know what to look for! If you are only looking for Indicators Of Compromise (IOC), you are looking for artefacts: presence of known malware (signature based) and connections to malicious sites. You are not only reactive but will also miss a lot that is not in your signature or malicious sites databases. A complementary and even better way of working is TTP’s: Tactics, Techniques and Procedures. In an nutshell, TTP is about Behaviour Analysis searching for typical behaviour of intruders but also searching for deviations from the baseline. Machine learning and automation (SOAR) are emerging capabilities in helping here finding the bad guys.

Another dimension in Detection and Response is pro-active versus reactive. Traditional Incident Response is reactive: it is responding to a PIVOT triggered by an alert or an incident. On the other hand, when using Threat Hunting Capabilities, there is no alert, you are looking for a PIVOT, pro-actively. And thanks to a feedback loop, security architects get relevant threat intelligence from security operations to build risk models to evolve the infrastructure, operational capabilities and the overall security posture. And last but not least, to conclude, do not forget to include your business stakeholders in the feedback loop! At the end of the day, the business is responsible for the risk management and has to be in the loop in order to guarantee security by design!

About the author
Christian Mathijs

Christian Mathijs

Business Development Manager
Join our podcast
Please choose your preferred listening platform and language

Spotify

EN

FR

NL

Apple

EN

FR

NL

Join our newsletter

Cyber Pulse keeps you up-to-date on the latest cybersecurity news, community actions and member stories.