3 Ways to Speed Up Investigations with Modern DFIR

A guest post by Jessica Stanford, CMO at Cado Security

When it comes to attack containment, time is of the essence. The speed at which security teams can dive deep to determine root cause and scope is essential to fully remediating an incident before it’s at risk of escalating. Delays or hurdles that prevent a thorough investigation from occurring have significant impact and leave your organization vulnerable to future breaches.

Once malicious activity is detected, security analysts need to be able to quickly understand its impact:

  • What happened?
  • When did it happen?
  • Is this the first time it happened?
  • How many machines were involved?
  • How did the attackers get in?
  • Has data left the environment?

However, using traditional digital forensics and incident response (DFIR) approaches, it can take days to weeks to manually capture and process the data needed to answer these pressing questions. To make matters worse, because of the heavy lift and time required, incidents often get closed without digging deep enough.

That’s where the combination of the SentinelOne Singularity XDR platform and Cado Response can help — by delivering the data and context security teams need to quickly identify the root cause of incidents and enable faster response.

The SentinelOne Singularity XDR Platform provides the broad visibility needed to detect and respond to malicious activity in real time across user endpoints, cloud workloads and IoT. Many DFIR investigations begin with a high-severity detection; SentinelOne provides best-in-class behavioral detection with Storyline, as evidenced by the 2021 MITRE Engenuity ATT&CK evaluations. SOC teams use SentinelOne to ‘stop the bleeding’ and perform automated responses, such as killing processes, quarantining a threat or rolling back the effects of ransomware.

SentinelOne Remote Script Orchestration (RSO) takes automation within incident response a step further to enable security and IT teams to remotely execute customizable remediation and response actions and to send custom scripts to one machine, a few hundred machines, or even millions of machines concurrently.

DFIR investigations take incident response a level further by analyzing additional forensic data such as memory and disk snapshots. Joint customers can use RSO to deploy Cado Response, which provides deep forensic-level analysis, enabling DFIR teams to respond to present and future cyberattacks faster.

SentinelOne and Cado Security’s joint solution enables security teams to take a modern approach to DFIR by speeding up cyber investigations in three ways.

1. Automated Capture

A forensics analysis often requires massive amounts of data. Complicating things even further, this data can live across countless regions, systems and users. Capturing, processing, and triaging the data required to conduct a detailed investigation using traditional methods is no easy task. Fortunately, automation flips the script. By automating the most tedious parts of a forensics investigation, including data capture and processing, security teams can drastically reduce the amount of time and effort that’s required to understand the root cause and impact of an incident.

2. Leverage The Cloud

As mentioned above, when it comes to forensic investigations, speed is of the essence. Forensic investigations require complete visibility, across on-premises, hybrid, and cloud environments. Gaining access to the data is step one. Then analysts need to normalize and preserve the data for an investigation. This can require extensive time and manual effort but results in no added value until the processing is complete.

Using SentinelOne, DFIR teams can gain visibility across all environments, whether they be user endpoints or enterprise workloads, whether on-premises, hybrid or in public cloud environments like Amazon Web Services. With RSO, Cado Response automatically processes data from endpoints of interest, leveraging the cloud for rapid processing of hundreds of files and systems in parallel to drastically reduce the time it takes to begin an investigation from days to minutes. The cloud enables security analysts to get access to the information they need, when they need it.

3. Managing DFIR At Scale

Using automation, RSO enables the scale and speed of deployment of forensic tools across the entire endpoint fleet to help teams manage IR processes at scale. From within SentinelOne, teams can seamlessly deploy Cado Response and view the status of script deployment, ensuring the complete forensic capture of all affected endpoints.

Capturing and processing 100% of the data from all impacted systems is a feat in and of itself, but it’s just the beginning of an investigation. Once the data is processed, security teams need to analyze it to identify the root cause and fully remediate an incident.

The challenge here is adding context and awareness to the data. Cado Response uses machine learning-driven analytics and threat intelligence to correlate all systems, users, processes, files, and more. It also creates a complete timeline of events in a single pane of glass, so analysts can immediately visualize the scope of an incident and dive straight into the data that matters. This enables them to conduct an investigation in aggregate rather than analyzing systems one by one.

Preventing Future Breaches

Conducting a thorough forensics investigation post breach is critical to identifying the root cause and preventing future breaches. That’s why Cado Security’s recently announced partnership with SentinelOne is so important: it delivers the breadth and depth security teams need to detect, investigate, and respond to incidents with unmatched speed.

SentinelOne Remote Script Orchestration (RSO) can alleviate the SOC burden for remote forensics and incident response. RSO allows customers to remotely investigate threats on multiple endpoints across the organization and to manage their entire fleet easily. It lets incident responders run scripts to collect data and remotely respond to events on endpoints. Through RSO, security analysts can launch Cado Response to perform an in-depth forensic investigation across their SentinelOne Singularity Platform-protected endpoints in a single click, simplifying forensic data capture and accelerating triage.

Incident responders can collect forensic artifacts, execute complex scripts and commands, and install IR tools such as Cado Response on thousands of Windows, Mac, and Linux endpoints simultaneously via the SentinelOne console or API. Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms: PowerShell for Windows and bash for Linux and macOS.


The Cado Response platform is powered by a cloud-based architecture, which automatically scales up and down to provide rapid processing when needed and saves costs when not, drastically reducing time to evidence and time to response. The Cado Response platform simplifies investigation, enabling analysts to easily pivot across evidence items including impacted systems, users, processes, files, and more, so they can rapidly visualize incident scope.

Conclusion

With powerful remote script orchestration within the SentinelOne Singularity Platform and the cloud-native DFIR capabilities of Cado Response, incident responders have an effective toolset for collecting, analyzing, and actioning forensic data from across the endpoint and cloud workload fleet.

Learn more about SentinelOne and Cado Security in this upcoming webinar:

Automation Flips the Script: Augmenting Real-Time Detection with Modern DFIR.

Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach”

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third-party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.

Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.

Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

When FBI agents raided Sharp’s residence on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his PayPal account to purchase the Surfshark VPN subscription.

Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.

“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over four billion dollars in market capitalization,” the indictment states.

Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department didn’t name Sharp’s employer in its press release or indictment, all of the details align with previous reporting on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).

The Complete Guide to Understanding Apple Mac Security for Enterprise | Read the Free Ebook

SentinelOne is delighted to release its third, comprehensive Mac-focused ebook for enterprise security teams, the Complete Guide to Understanding Apple Mac Security for Enterprise.

Following on from How To Reverse macOS malware and A Guide to macOS Threat Hunting & Incident Response, our latest macOS ebook is an all-encompassing guide to the native security technologies built into macOS: how they work, where they fail, what they protect against, and what they don’t.

Who is the macOS Security Ebook For?

The SentinelOne Complete Guide to Understanding Apple Mac Security for Enterprise is an essential reference for anyone needing to understand the strengths and weaknesses of the security controls built into Apple Macs and the macOS platform.

The guide covers macOS right up to and including the latest release of macOS 12 Monterey and answers many common questions asked by system administrators and security teams managing Mac devices, including:

  • How secure are Macs by design?
  • Are third-party AV security controls required on macOS?
  • What kind of security software works best on macOS?
  • Which approaches to macOS security are the most effective?
  • What sort of threats do businesses with macOS fleets face in 2021?

What Will You Learn from the macOS Security Ebook?

In the guide, you’ll find detailed sections on areas such as:

  • Architecture & Codesigning: Does the new M1 architecture provide increased security over Intel machines? Is it still possible to run unsigned malicious code on macOS Monterey on both of these architectures?
  • Gatekeeper: How easy is it for malware or malicious insiders to circumvent Gatekeeper’s controls? Are these bypasses used by in-the-wild malware?
  • Notarization & OCSP: What do these technologies achieve, and what are their limitations? How does malware circumvent these checks?
  • XProtect and MRT: How do these technologies work on modern versions of macOS, how can you test if they are protecting against specific kinds of malware, and how effective are they?
  • TCC Privacy controls: How well does TCC protect sensitive data on a Mac, and in what situations does TCC fail to work?

What Kind of Malware Threats Target macOS?

Throughout, the guide discusses the Mac’s built-in security technologies with references to real, in-the-wild malware such as XCSSET, Shlayer, Bundlore, Adload and others, describing exactly how security breaches can occur on systems that remain unprotected by additional security controls.

XCSSET malware tries to social engineer victims for additional privileges

Administrators and security teams charged with protecting macOS endpoints will learn about vulnerabilities in Apple’s platform that can be and are used by threat actors to compromise Mac devices, circumvent code signing requirements, beat Gatekeeper, bypass OCSP and Notarization, and defeat TCC privacy protections.

Learn How to Test Mac AV Software

SentinelOne’s Complete Guide to Understanding Apple Mac Security for Enterprise also includes sections on how to test security products against known malware samples, and what to look out for when evaluating third-party security products for Mac. Learn why, for example, a revoked code signature does not mean your Macs are protected from a particular malware family.

Only last month, we saw how a new targeted threat, macOS.Macma, was able to beat Apple’s on-device security and yet was easily detected by third-party behavioral engines like SentinelOne.

SentinelOne’s behavioral AI detects macOS.Macma on execution without pre-defined signatures

This guide also explains, with examples, how Mac admins can test for themselves whether the Mac’s own AV tools, XProtect and MRT (Malware Removal Tool), have been updated to protect against a particular threat or not. Learn how to test which malware you are protected from, and which you are not.

Why You Should Read the macOS Security Ebook

Apple Mac computers are increasingly common in today’s enterprise. Despite its shared Unix heritage with Linux, Apple’s macOS is idiosyncratic, as are the attack vectors it is susceptible to, and the security implications of running a fleet of Macs in the enterprise are not widely understood. This is even more true now that Apple has moved away from the Intel architecture to its own implementation of ARM, ‘Apple silicon’.

Throughout this ebook, we illustrate areas where Macs face security risks by referencing real, in-the-wild malware that we have seen emerge or adapt in the last 12 to 18 months.

It’s vital that enterprise security teams managing a fleet of Macs are up-to-date with just how the latest threats can and do target the macOS platform.

This guide will help security teams bridge the gap and understand how best to protect Macs in the enterprise.


Kids’ Fire Truck Beds For Future Firefighters!

Many children love to play firefighters, but it’s not just about pretending to fight fires. Firefighters are also responsible for saving people’s lives and keeping their communities safe. If you have a son or daughter who loves pretend play, why not encourage their interest in saving lives? Wouldn’t you feel better knowing that when they do fall asleep in a comfortable firetruck bed, they’ll be ready for any emergency?

A firetruck bed can open up a wide range of imaginative play experiences for your children. And having a child who is interested in becoming a firefighter one day will definitely benefit them in the future.

So here are some fun, creative firetruck beds for your children to enjoy!

Kidkraft Fire Truck Toddler Bed

This bright red wooden firetruck bed will be a hit with any boy or girl who loves all things emergency service. It’s the perfect size for toddlers, and it has everything they need to feel safe at bedtime. Because of this, this Kidkraft fire truck bed is absolutely worth considering if your children are between 15 months and 8 years old.

The Kidkraft Fire Truck Toddler Bed makes moving from a cot to a regular bed as simple as possible. It’s low enough to the ground so that children can get in and out with ease.

The design of this fire truck bed is very impressive. It can be set up in just minutes, and it looks great in any bedroom. As with all Kidkraft products, their fire truck beds are made of top-quality materials safe for children.

Because of its size, this fire truck bed is also excellent value for money. It’s the best option available in terms of price per quality! If you have little boys or girls who love to play firefighters at home, then the Kidkraft Fire Truck Toddler Bed is a safe choice.

Just keep in mind that the mattress does not follow the bed’s height, so you’ll have to buy it separately. However, this fire truck bed fits most crib mattresses.

DHP Junior Silver Metal Loft Bed with White Slide and Fire Department Curtain Set

This is the perfect gift for the firefighter in training! It’s ideal for children between 4 and 12 years old. The bed is designed to look like a fire truck, complete with a ladder and a slide.

This loft bed is very stable, so you don’t have to worry about it swaying while your children are playing. It’s a wise choice if you want something that will last for years! One of the most impressive things about this fire truck bed is its versatility. No matter how many times your children play with it, they’ll always find new things to do.

This is a good-looking bed that will get your children excited about going to sleep. It’s big enough for kids who weigh more than 50 pounds, and the ladder is sturdy yet comfortable.

The DHP Junior Fire Truck Loft Bed is straightforward to set up, which is something all parents are looking for. It comes with the necessary tools required to ensure that the construction process goes smoothly.

If you’re looking for a fire truck bed and slide combo, this is the way to go. It’s exceptionally well-built, and it comes with everything your children need to have fun while getting comfortable at night.

Delta Children Wood Toddler Bed, Nick Jr. PAW Patrol

If your children are Paw Patrol fans, they’ll definitely love this bed! This bed will also be perfect for any kid who dreams of being a firefighter when they grow up. Perhaps they’ll even want to become a fireman just like Marshall, the lead character in the Paw Patrol series.

This toddler bed is very durable, and it’s great for children who are between 15 months and 7 years old. It has all the features they need to feel secure in their room, and it’s an enjoyable way for them to master going from a cot to a bed.

The Delta Children PAW Patrol Wood Toddler Bed is very safe because of its low height. The slats are low enough so that your children can get in and out of bed on their own. It’s double-sided, so there are no sharp edges.

The construction of this fire truck toddler bed is made to last. It has a very smooth finish, and it’s sturdy enough to support kids who weigh up to 50 pounds!

If you have a Paw Patrol fan at home, the Delta Children PAW Patrol Wood Toddler Bed is a wise choice. It’s a great bed that will last for years, and it’s perfect for children who are transitioning to a regular bed.

Why would kids like to be firefighters when they grow up?

Kids often want to be firefighters when they grow up because firefighters are the guardians of our cities and towns. As well as rescuing people from danger, firefighters also ensure that everyone follows fire safety rules.

Firefighters usually spend their days at the fire station, for it’s here that all communication happens between stations and other emergency services. In the event of an emergency, firefighters take action. They drive their fire engines to where they’re needed and rescue the people who need to be saved.

Firefighters are also responsible for putting out fires with their hoses or extinguishers. Sometimes, they must use special apparatus like backpacks that hold water to choose exactly where and how to use the water. Using cool-looking equipment is probably another reason why kids want to be a firefighter.

More importantly, firefighters also work with other emergency services like police and ambulance officers to reduce accidents and injuries.

Firefighters need to be brave and responsible, and they must always do their best even when there’s a risk of danger. They may have been born with characteristics such as these, or they may learn them as they grow up.

My child wants to become a firefighter – what can I do?

If you’ve noticed that your child is interested in becoming a firefighter when they grow up, that shouldn’t come as a surprise. Letting your children know about the duties of firefighters and showing them fire trucks and other emergency vehicles will help them prepare for a future career.

It’s also okay to let your children play with toy fire trucks and equipment. It will help them imagine being a firefighter when they grow up, and it will help them prepare as well. Just be sure that the toys are appropriate for their age and sturdy enough to withstand hours of play.

To inspire your children to become a firefighter when they grow up, it’s also a good idea for you to know more about the job. In addition, you should join fire safety campaigns in your neighborhood and city.

By showing your support for firefighters, teaching your kids about fire safety, and joining campaigns to educate everyone on how to prevent fires, you’re helping the next generation realize their dream.

The post Kids’ Fire Truck Beds For Future Firefighters! appeared first on Comfy Bummy.

Proactive Attack Surface Management for AWS Workloads with Amazon Inspector and SentinelOne

For the last decade, digital transformation has been fueled primarily by the adoption of cloud services, which provide unmatched agility and reduced time to market when compared with legacy on-premises infrastructure. Most organizations have invested in public and hybrid cloud architectures to stay competitive, with nearly 94% of organizations using at least one cloud service. The COVID-19 pandemic has only accelerated plans to move to the cloud as security and IT teams scaled to meet the demand for IT resources for a remote workforce.

Agile development practices that emphasize iteration and speed can overwhelm security teams who are not prepared to secure workloads as fast as they are created. This friction between DevOps and SecOps creates bottlenecks and an incentive for development teams to circumvent security and governance processes. As a result, there are often blind spots for security teams tasked with keeping cloud environments secure.

Cloud Misconfigurations on the Rise

Governance of workloads is often performed once when the workload is deployed, or sometimes not at all. And the specific configuration of workloads is inconsistent, with many instances deployed without critical controls. According to the State of Cloud Security 2021 report, misconfigurations remain the number one cause of cloud breaches.

Over 36% of organizations have suffered a cloud security leak or a breach in the last year, and 80% believe they are vulnerable to a breach related to a misconfigured cloud resource.

Under the AWS Shared Responsibility Model, the customer is responsible for configuring resources so that they are secure. While cloud adoption is rising, legacy security tooling designed for on-premises environments has failed to keep up and is not suited for cloud environments. One such technology is traditional vulnerability scanning and assessment tools, which rely heavily on on-premises appliance deployments and bandwidth-heavy scanning. This approach is insufficient for security teams looking to embrace the cloud with the confidence of knowing that their critical applications and services are configured in a secure manner.

Even organizations that have a vulnerability scanning tool deployed to their cloud environments often struggle in three areas:

  • Observability: Ingesting infrastructure vulnerability data and correlating it with EDR telemetry from within the application workload
  • Operationalization: Visualizing the most critical vulnerabilities to prioritize remediation
  • Actionability: Performing remediation across the cloud environment at scale

Cloud-Native Approach to Vulnerability Assessment

Vulnerability assessment for AWS workloads hasn’t been straightforward until now, with the launch of Amazon Inspector.

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. With a few clicks in the AWS management console, you can enable Inspector across all accounts in your organization. Once enabled, Inspector automatically discovers all running Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (ECR) at any scale and immediately starts assessing them for known vulnerabilities.

An Inspector risk score is created for each finding by correlating Common Vulnerabilities and Exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities to help increase remediation response efficiency.

All findings are aggregated in a newly designed Inspector console and pushed to AWS Security Hub and Amazon EventBridge to automate workflows. Vulnerabilities found in container images are sent to Amazon ECR for resource owners to view and remediate. With Inspector, even small security teams and developers can ensure infrastructure workload security and compliance across your AWS workloads.

Inspector creates a list of prioritized findings for security teams to prioritize remediation based on the impact and severity of vulnerabilities. These reports can provide valuable insights into opportunities for security and cloud teams to reduce their overall cloud attack surface.
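The two mechanisms described above, a per-finding risk score that combines CVE severity with network exposure and findings delivered to Amazon EventBridge for automated workflows, can be illustrated with a small triage routine. The following is an added example and is not code from SentinelOne, Cado or AWS. It assumes that Inspector (v2) findings arrive as EventBridge events with source `aws.inspector2` and the finding body under `detail`, using the field names `type`, `severity`, `inspectorScore`, `packageVulnerabilityDetails` and `resources`; verify those names against the current AWS documentation before running it on real events. All events, resource ids and CVE ids in the block are constructed placeholders.

```python
"""Triage Amazon Inspector findings delivered through Amazon EventBridge.

Added example, not code from SentinelOne, Cado or AWS. Assumption: Inspector
(v2) findings arrive as EventBridge events with source "aws.inspector2" and
the finding under "detail" with the fields type, severity, inspectorScore,
packageVulnerabilityDetails and resources. Sample data is constructed and
CVE ids are placeholders.
"""
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNTRIAGED": 0}


def _event(ftype, severity, score, resource, cve=None):
    """Build a constructed EventBridge event in the assumed Inspector layout."""
    detail = {
        "findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/{cve or ftype}",
        "type": ftype, "severity": severity, "inspectorScore": score,
        "resources": [{"id": resource}],
    }
    if cve:
        detail["packageVulnerabilityDetails"] = {"vulnerabilityId": cve}
    return {"source": "aws.inspector2", "detail-type": "Inspector2 Finding", "detail": detail}


# Constructed sample events: one instance has an open network path plus two
# package CVEs, a second instance has a CVE but no exposure, an ECR image has
# a critical CVE, and one unrelated EC2 event should be ignored.
SAMPLE_EVENTS = [
    _event("PACKAGE_VULNERABILITY", "HIGH", 8.1, "i-0aaa111", "CVE-0000-0001"),
    _event("NETWORK_REACHABILITY", "MEDIUM", 5.0, "i-0aaa111"),
    _event("PACKAGE_VULNERABILITY", "MEDIUM", 5.3, "i-0aaa111", "CVE-0000-0002"),
    _event("PACKAGE_VULNERABILITY", "MEDIUM", 5.3, "i-0bbb222", "CVE-0000-0003"),
    _event("PACKAGE_VULNERABILITY", "CRITICAL", 9.8,
           "arn:aws:ecr:us-east-1:111122223333:repository/app", "CVE-0000-0004"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "detail": {}},
]


def parse_finding(event):
    """Normalize one EventBridge event; return None for non-Inspector events."""
    if event.get("source") != "aws.inspector2":
        return None
    d = event.get("detail", {})
    pkg = d.get("packageVulnerabilityDetails") or {}
    return {
        "arn": d.get("findingArn"),
        "type": d.get("type"),
        "cve": pkg.get("vulnerabilityId"),
        "severity": d.get("severity", "UNTRIAGED"),
        "score": float(d.get("inspectorScore", 0.0)),
        "resources": [r.get("id") for r in d.get("resources", [])],
    }


def prioritize(events, min_score=7.0):
    """Return package findings worth a remediation ticket, most urgent first.

    A finding qualifies when its Inspector score meets min_score, or when the
    affected resource also has a NETWORK_REACHABILITY finding and the package
    finding is at least MEDIUM (exposure escalates otherwise moderate CVEs).
    """
    findings = [f for f in map(parse_finding, events) if f]
    exposed = {r for f in findings if f["type"] == "NETWORK_REACHABILITY"
               for r in f["resources"]}
    queue = []
    for f in findings:
        if f["type"] != "PACKAGE_VULNERABILITY":
            continue
        reachable = any(r in exposed for r in f["resources"])
        if f["score"] >= min_score or (
                reachable and SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK["MEDIUM"]):
            queue.append({**f, "network_exposed": reachable})
    # Exposed resources first, then by score, then by severity label.
    queue.sort(key=lambda f: (f["network_exposed"], f["score"],
                              SEVERITY_RANK.get(f["severity"], 0)), reverse=True)
    return queue


def remediation_payload(finding):
    """Message body an SQS/SNS/Lambda remediation step could consume (assumed shape)."""
    return json.dumps({
        "finding": finding["arn"], "cve": finding["cve"],
        "resources": finding["resources"], "score": finding["score"],
        "network_exposed": finding["network_exposed"],
    }, sort_keys=True)


if __name__ == "__main__":
    for f in prioritize(SAMPLE_EVENTS):
        print(remediation_payload(f))
```

Ranking exposure above the raw score is a deliberate choice: a reachable MEDIUM on an internet-facing instance usually deserves a ticket before an unreachable CRITICAL inside a private image, which is the same correlation the Inspector score itself is built on.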

SentinelOne Integration for Amazon Inspector

Today, we are delighted to introduce the SentinelOne Integration for Amazon Inspector, which provides support for Amazon Inspector findings with the SentinelOne Data Platform. The SentinelOne Data Platform is a massively scalable, cloud-native logging and analytics platform built on AWS that is designed to ingest, normalize, correlate, and action limitless datasets.

SentinelOne integrates with Amazon Inspector to provide unified visibility of vulnerabilities within AWS infrastructure. SentinelOne ingests Amazon Inspector findings from Amazon EventBridge and correlates against logs from additional security and DevOps data sources. The SentinelOne Data Platform provides powerful querying and threat hunting features to make searching and pivoting within the datasets simple for security and cloud teams.

The SentinelOne Data Platform provides powerful querying and threat hunting features

Within SentinelOne, analysts can use prebuilt dashboards to view high priority vulnerabilities from Amazon Inspector. Data from Inspector is enriched with links to view additional information about CVEs from the MITRE National Vulnerability Database. With this data, analysts can view the most common vulnerabilities within their environment, the most severe, and additional context about a given CVE from a single pane of glass.

Sorting and viewing vulnerabilities is easy in the Inspector

When a vulnerability needs to be remediated, the SentinelOne Data Platform’s alerting is ready with native support for AWS Lambda, EventBridge, SQS, and SNS — allowing you to not only identify issues quickly but accelerate vulnerability remediation.

By interacting natively with AWS, you can leverage existing remediation patterns and curate them, if needed, to fit your business rules.

Leverage existing remediation patterns to fit your business rules

Bridging Workload Protection and Vulnerability Assessment

Vulnerability management is a crucial activity for maintaining good security hygiene. While prioritizing and remediating vulnerabilities will go a long way towards reducing the total attack surface, legacy custom applications lifted and shifted to the cloud may not be able to be updated fast enough to address open vulnerabilities. Regardless of the application, workloads within cloud environments should have measures to protect, detect and respond to active threats from vulnerabilities that may have been exploited.

Cloud VMs, cloud instances, and containers are just as vulnerable to known vulnerabilities, zero-day attacks, and malware as user endpoints. Runtime protection, detection, and response are critical to effective cloud workload security. Singularity Cloud Workload Security includes enterprise-grade protection, EDR, and Application Control to secure your cloud apps wherever they run. Our Linux Sentinel and Windows Server Sentinel deliver runtime security for VMs, and our Kubernetes Sentinel provides runtime security for managed and self-managed Kubernetes clusters.

A single, resource-efficient, Sentinel agent delivers autonomous runtime protection, detection, and response across the hybrid cloud estate. SentinelOne brings runtime security to Amazon EKS, Amazon EKS Anywhere, Amazon ECS, and Amazon ECS Anywhere, with automated kill and quarantine, application control, and complete remote shell forensics.

SentinelOne Singularity uses Behavioral AI to evaluate threats in real-time, delivering high-quality detections without human intervention. Our solution automatically correlates individual events into context-rich Storylines™ to reconstruct the attack and easily integrates threat intelligence to increase detection efficacy. Analysts can remediate all affected endpoints and cloud workloads with a single click, without the need to write any new scripts, simplifying and reducing mean time to respond.

Preserving the immutable state of production cloud workloads is a key control for protecting them against malware such as crypto-jacking coin miners and zero-day attacks. All expected processes are defined within the workload image. When a change is needed, instead of updating an image already in production, DevOps decommissions the old image and releases a new one.

The SentinelOne Application Control Engine prevents your workload from being hijacked by rogue processes by automatically detecting and killing any executable not found in the image, reducing the possibility of a successful vulnerability exploit.
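Added example (not SentinelOne's code) of the image-baseline check the two paragraphs above describe: every legitimate executable of an immutable workload is already in its image, so a process whose binary is absent from the image, replaced in place, or unlinked after exec is a candidate for termination. The manifest, hashes and process table below are all constructed.

```python
"""Image-baseline application control check (added example, not product code)."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed image manifest: executable path -> sha256 of the bytes shipped in the image.
IMAGE_MANIFEST = {
    "/usr/sbin/nginx": sha256_hex(b"nginx as shipped in the image"),
    "/bin/sh": sha256_hex(b"sh as shipped in the image"),
    "/usr/bin/python3": sha256_hex(b"python3 as shipped in the image"),
}


@dataclass(frozen=True)
class Process:
    pid: int
    exe: str      # resolved executable path, as readlink on /proc/<pid>/exe reports it
    sha256: str   # hash of the bytes currently backing that executable ("" if unreadable)


def classify(proc: Process, manifest: dict) -> str:
    """Compare one process against the image baseline.

    Returns one of:
      allowed          - path and content match the image
      deleted-on-disk  - binary was unlinked after exec (Linux appends " (deleted)" to the link)
      unknown-binary   - path never existed in the image, e.g. something dropped into /tmp
      modified-binary  - path exists in the image but its bytes differ
    """
    if proc.exe.endswith(" (deleted)"):
        return "deleted-on-disk"
    expected = manifest.get(proc.exe)
    if expected is None:
        return "unknown-binary"
    if expected != proc.sha256:
        return "modified-binary"
    return "allowed"


def find_violations(processes, manifest):
    """Return (pid, exe, verdict) for every process that is not 'allowed'.

    A runtime protection agent would kill these; here they are only reported.
    """
    out = []
    for p in processes:
        verdict = classify(p, manifest)
        if verdict != "allowed":
            out.append((p.pid, p.exe, verdict))
    return out


# Constructed process table for a single workload.
SAMPLE_PROCESSES = [
    Process(1, "/usr/sbin/nginx", IMAGE_MANIFEST["/usr/sbin/nginx"]),
    Process(7, "/bin/sh", IMAGE_MANIFEST["/bin/sh"]),
    Process(42, "/tmp/.cache/dropped", sha256_hex(b"constructed: binary dropped at runtime")),
    Process(43, "/usr/bin/python3", sha256_hex(b"constructed: python3 replaced in place")),
    Process(44, "/tmp/.cache/loader (deleted)", ""),
]

if __name__ == "__main__":
    for pid, exe, verdict in find_violations(SAMPLE_PROCESSES, IMAGE_MANIFEST):
        print(f"pid {pid}: {exe} -> {verdict}")
```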

With SentinelOne Integration, customers can unify cloud workload protection with vulnerability insights from Amazon Inspector. Context-rich EDR telemetry can be queried alongside vulnerability information from Amazon Inspector, giving security analysts a single dataset for identifying open vulnerabilities and detecting successful vulnerability exploits.

Conclusion

Using SentinelOne Integration to connect Amazon Inspector findings with cloud-native protection for AWS workloads, organizations can use best-in-breed solutions to identify vulnerabilities proactively and detect and respond to active exploits of vulnerable applications. Together, security and DevOps teams can innovate rapidly, securely and embrace cloud adoption with confidence.

To learn more about SentinelOne for AWS, visit s1.ai/AWS.

Magical Christmas for your kids? Here’s what you need!

Hey, Moms and Dads! Good news for you: Santa’s on his way! He’ll be here any minute now, and you don’t need to worry about your children waiting patiently for him. And while we wait, why not get ready and implement the Christmas spirit in your home already now?

Christmas time is magical, indeed! It’s the most wonderful time of the year when everyone has that warm-fuzzy feeling inside them. It’s also a time for sharing and caring, as well as spending some family time together. Everything can become magical when you put the right effort into it! Here are some tips to help you make this Christmas truly remarkable for your kids!

1. Let there always be light!

With cold weather outside, it’s essential that you make the atmosphere inside as cozy and warm as possible to give your kids a good start to the day. Start with some colorful lights to brighten up the house!

Cozy lights are easily accessible, and they don’t have to break your bank either. You can find them in all shapes and sizes, so there’s definitely something for everyone!

Our personal favorites are the LANFU LED Icicle Lights; they make your house look like it’s decorated with sparkly icicles! These outdoor Christmas lights have eight different modes, and you can switch between them with a single button. The ambiance of the lights changes to suit your mood, making you feel warm and cheerful.

2. Create a cozy atmosphere for your kids

The fireplace is a perfect centerpiece for creating a warm and welcoming environment in your home. With some help from today’s technology, you don’t need to worry about fire being dangerous for children – you can now get electric fireplaces!

An electric fireplace gives you warmth and coziness while increasing the overall aesthetics of your home. It creates a Christmas feeling without any smoke or fuss that comes with real fireplaces. Flames look super realistic too!

What else? Add some Christmas-themed decorations to make it even cozier. You could also spoon up some hot chocolate or other winter-themed drinks with your kids while you enjoy some nice music in the background. If you’re looking for an excellent way to start this day, then nothing can go wrong with listening to Christmas carols or singing together!

3. Involve the whole family in decorating

Let’s be honest here: who doesn’t like getting dressed up on Christmas? But don’t forget that the fun must not only be for the kids! Let them help you out in decorating, too!

Having them be involved in making the house look nice will also give them self-confidence and pride for their home. They’ll always have the memories of getting home Christmas-ready.

Christmas-themed chair covers are a great way to give your kids the ability to help you out. They are effortless to put on but give a strong effect!

You can choose from many different styles of chair covers for your home so that the kids will love the process even more! They’re inexpensive, unlike other decorations, but they surely add a lot of flavor to any interior. Here are some excellent examples!

Jhua Christmas Back Chair Covers (Set of 3)

The Christmas tree, snowflake and gnome elf patterns on these linen dining chair covers match the holiday season. The Christmas-themed red, white and green colors will brighten up your day.

Linen and plaid cloth are used to make those chair back covers, which are long-lasting, wear-resistant, and pleasant to the touch.

CCINEE Christmas Chair Covers Santa Claus Hat (Set of 6)

Your kids will love these chair covers! They are made of the highest quality of fabric, making them super soft and comfortable to use. The Christmas chair back coverings are designed with a red Santa Claus hat and a white plush pom-pom on the top. It’s a lovely touch to your dining area. Cute and fun!

WYSRJ Christmas Chair Back Cover for Dining Room (Set of 6)

Three different styles of Christmas chair covers in one pack: Santa, Reindeer, and a Snowman. The set of 6 covers is a fantastic value for this purchase price. Cute and functional! These chair covers can make your interior look very stylish and festive. It’s a great addition to the holiday table!

4. Let’s bake some cookies!

There’s nothing more welcoming in a home than the smell of freshly baked cookies! But your kids will have even more fun if they get to help you out in making them, too! Also, this way, you can be sure that the ingredients are healthy and natural.

If you’re planning on baking some gingerbread cookies, then your house will smell like Christmas for sure. Your kids will also remember this day as a special family moment, and the time they got to spend with you making those tasty treats!

5. Climb into the Christmas spirit with some special activities

It’s important to take your kids out of the house for a while so they can get back all their energy. Down at the park, you could organize some snowman contests or have them build a snow fort!

Taking a walk is a great way to connect with nature and let your kids enjoy the outdoors. They will love walking across a snowy field, especially if there’s some freshly fallen snow from last night! You can even take a hiking trip if you need some outdoor adventure. Don’t forget to take an outdoor chair if your kids need some rest!

Kids’ outdoor chairs are specially designed to stand the test of time. They are comfortable, lightweight, and waterproof, making them perfect for use outside in any weather conditions.

Coleman Kids Quad Chair is a staple in this category. It comes at a low price, but it will definitely make your kids’ time outside extra comfy! It is so great that we wrote an entire article about it – Coleman Kids Quad Chair review!

6. Don’t forget to have a heart-to-heart talk with your kids

What’s the best way to understand what your kid is thinking? By asking them questions! This can be especially helpful in case one of them is feeling lonely since it’s Christmas. You could also ask about their wishes for this year so you can try to make them come true! Also, remind them that they are exceptional and that you love them very much.

7. Relax and enjoy the holiday spirit!

Christmas is a festive time of year, so it’s not wrong to relax and have some fun together with your family! For example, watching Christmas movies on TV could be a great way to finish this special day together. You can also try playing some board games together, like Jenga for instance. The important thing is to make sure that your kids are happy and safe! After all, this time should be all about your family!

The post Magical Christmas for your kids? Here’s what you need! appeared first on Comfy Bummy.

The Good, the Bad and the Ugly in Cybersecurity – Week 48

The Good

Thankfully, law enforcement is giving cybercriminals plenty to reflect on again this week with more arrests in the Ukraine. Five members of the so-called “Phoenix” hacking group, living in Kharkiv and Kyiv, were arrested by the SSU (Security Service of Ukraine), which continues to do great work harvesting bad guys.

The Phoenix operation specialized in acquiring remote access to accounts of mobile device users and stealing credentials for their e-payment or bank accounts. The criminals would then sell obtained data and account details to interested buyers. The group employed tried-and-tested phishing templates to lure device users into giving up their credentials. Fake Apple and Samsung login portals are a common example of said lure. In addition, the arrested individuals also reportedly contracted out their hacking services to other parties for as little as $100 to $200 a time.

The five individuals will be subject to charges under Article 361 of the Criminal Code of Ukraine.

These arrests are just the latest in a series of law enforcement actions against cybercriminals in the Ukraine. The country has been cracking down on ransomware, money laundering and DDoS attacks recently, and long may it continue!

The Bad

Earlier this week, users of Microsoft Defender for Endpoint got an unfortunate surprise. After installing recently released security updates from Microsoft (KB5007206 and KB5007205), some Windows Server Core systems were left with a non-functional install of Microsoft Defender: once the patch was installed, the Microsoft Defender services failed to start up, potentially leaving machines at risk.

At the time of writing, there is no official fix or workaround for this issue, should you encounter it. That said, Microsoft has been quoted as stating “We are working on a resolution and will provide an update in an upcoming release”.

Meanwhile, a novel malware has been discovered that embeds its payload in crontabs, thus earning itself the moniker “CronRAT”. The RAT (Remote Access Trojan) is specific to Linux and is engineered to detect and skim credit card data from relevant payment servers.

According to researchers, this RAT hides and obfuscates its malicious code in crontab entries scheduled on dates that will never occur, so the entries themselves never execute. The payloads are further obfuscated with base64. Once reconstructed, the payload executes the code generated from the specially crafted task names, then contacts the C2 and runs additional commands.

Once active, the RAT essentially allows full control of the host. The SentinelOne platform is capable of detecting and preventing malicious behaviors associated with CronRAT.
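Added example, not code from the researchers who analysed CronRAT: a crontab audit that turns the two traits described above, entries scheduled on calendar dates that never occur and commands carrying long base64 tokens, into checks a defender can run over crontab text. It assumes user-crontab syntax (five time fields, then the command); the sample crontab is constructed and its encoded token is filler.

```python
"""Crontab audit for schedules that can never fire and base64-heavy commands (added example)."""
import base64
import re

DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
# 40+ contiguous base64-alphabet characters; ordinary paths and flags stay well below that.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENV_LINE = re.compile(r"^\w+=")


def expand_field(field, lo, hi):
    """Expand one cron field ('*', '1,15', '5-10', '*/3') into the set of integers it names.

    Raises ValueError on garbage so the caller can flag an unparseable line.
    """
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def never_fires(dom_field, month_field):
    """True when no day/month pair named by the fields exists on any calendar (e.g. '31 2')."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12)
    return not any(1 <= d <= DAYS_IN_MONTH[m]
                   for m in months if m in DAYS_IN_MONTH
                   for d in days)


def audit_crontab(text):
    """Return [(line_number, [reasons])] for suspicious entries in a user crontab."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@")) or ENV_LINE.match(line):
            continue  # comments, @reboot-style specials, VAR=value lines
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        minute, hour, dom, month, dow, command = parts
        reasons = []
        try:
            # Vixie cron runs a job when EITHER day-of-month OR day-of-week matches once both
            # are restricted, so an impossible date only guarantees silence when dow is '*'.
            if dow == "*" and never_fires(dom, month):
                reasons.append("schedule can never fire")
        except ValueError:
            reasons.append("unparseable schedule")
        if B64_TOKEN.search(command):
            reasons.append("long base64-like token in command")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed sample: the encoded token is harmless filler, not a payload.
FILLER = base64.b64encode(b"constructed filler bytes standing in for an encoded task body").decode()
SAMPLE_CRONTAB = "\n".join([
    "SHELL=/bin/sh",
    "# nightly backup",
    "0 2 * * * /usr/local/bin/backup.sh",
    "52 23 31 2 * " + FILLER,                   # 31 February never happens
    "30 4 30 2 * /usr/bin/touch /tmp/marker",   # 30 February never happens either
    "15 3 31 4,6 * /bin/true",                  # April and June have 30 days
    "*/10 * * * * /usr/bin/curl -s https://example.invalid/health",
    "52 23 31 2 3 /bin/true",                   # dow restricted: fires every Wednesday, not flagged
])

if __name__ == "__main__":
    for lineno, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {', '.join(reasons)}")
```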

The Ugly

High-value bio-manufacturing targets are at the heart of this week’s ugly story. Reports of a new malware dubbed “Tardigrade” have emerged, which appears to be part of active campaigns hitting bioeconomy facilities.


According to reports from BIO-ISAC, one incident involving Tardigrade occurred in the Spring of 2021 and another in October 2021. The targeted facilities were not named. Attributed to an unknown APT actor, these attacks are just the latest targeting the bioeconomy. The researchers say that attacks are ongoing and that they disclosed details of the campaign to help the industry protect itself.

The Tardigrade malware loader (similar in some ways to Smoke Loader) was used to distribute and launch ransomware within the target environment. The Tardigrade loader allowed the attackers to establish access and move laterally as needed. The malware communicates with its C2 via encrypted channels and can automatically spread to adjacent network resources. When environments are targeted with Tardigrade, any destructive payload can be employed very rapidly. Phishing is the main attack vector, with some indication that USB devices may be employed for physical penetration of air-gapped systems.

BIO-ISAC has released recommendations which include phishing awareness training, reviewing network segmentation, testing of offline backups, and using behavioral detection. The researchers point out that “While many malware systems are polymorphic, this system seems to be able to recompile the loader from memory without leaving a consistent signature”.

The SentinelOne platform detects and prevents behaviors and artifacts associated with the Tardigrade malware.

The Internet is Held Together With Spit & Baling Wire

A visualization of the Internet made using network routing data. Image: Barrett Lyon, opte.org.

Imagine being able to disconnect or redirect Internet traffic destined for some of the world’s biggest companies — just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 firm that operates one of the largest Internet backbones.

Based in Monroe, La., Lumen Technologies Inc. [NYSE: LUMN] (formerly CenturyLink) is one of more than two dozen entities that operate what’s known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to register their assigned network resources — i.e., the Internet addresses that have been allocated to their organization.

The data maintained by the IRRs help keep track of which organizations have the right to access what Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast array of individual networks.

There are about 70,000 distinct networks on the Internet today, ranging from huge broadband providers like AT&T, Comcast and Verizon to many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called “Autonomous Systems” (ASes) makes its own decisions about how and with whom it will connect to the larger Internet.

Regardless of how they get online, each AS uses the same language to specify which Internet IP address ranges it controls: it’s called the Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbor AS(es) the addresses that it can reach. That neighbor in turn passes the information on to its neighbors, and so on, until the information has propagated everywhere [1].

A key function of the BGP data maintained by IRRs is preventing rogue network operators from claiming another network’s addresses and hijacking their traffic. In essence, an organization can use IRRs to declare to the rest of the Internet, “These specific Internet address ranges are ours, should only originate from our network, and you should ignore any other networks trying to lay claim to these address ranges.”

In the early days of the Internet, when organizations wanted to update their records with an IRR, the changes usually involved some amount of human interaction — often someone manually editing the new coordinates into an Internet backbone router. But over the years the various IRRs made it easier to automate this process via email.

For a long time, any changes to an organization’s routing information with an IRR could be processed via email as long as one of the following authentication methods was successfully used:

- CRYPT-PW: A password is added to the text of an email to the IRR containing the record the requestor wishes to add, change or delete (the IRR then checks that password against the password hash it has on file);

- PGPKEY: The requestor signs the email containing the update with an encryption key the IRR recognizes;

- MAIL-FROM: The requestor sends the record changes in an email to the IRR, and the authentication is based solely on the “From:” header of the email.

Of these, MAIL-FROM has long been considered insecure, for the simple reason that it’s not difficult to spoof the return address of an email. And virtually all IRRs have disallowed its use since at least 2012, said Adam Korab, a network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen/CenturyLink.

“LEVEL 3 is the last IRR operator which allows the use of this method, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have fully deprecated MAIL-FROM.”
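Added example, not code from Lumen or any IRR operator: an audit of RPSL maintainer (mntner) objects, the “attribute: value” records IRR databases hold, that rates each maintainer by its weakest auth: method, since any one listed method is enough to authorise an update. MD5-PW is a further RPSL auth scheme assumed here alongside the three named above; the objects, key id and hash are constructed placeholders.

```python
"""Audit IRR maintainer objects for weak update authentication (added example)."""

# Lower rank = weaker; a maintainer is only as strong as its weakest listed method.
RANK = {"critical": 0, "weak": 1, "password": 2, "unknown": 3, "key": 4}


def auth_scheme(auth_value):
    """First token of an auth: value, upper-cased; empty values count as NONE."""
    return auth_value.split(None, 1)[0].upper() if auth_value.strip() else "NONE"


def rate_auth(auth_value):
    """Rate one auth: attribute value."""
    scheme = auth_scheme(auth_value)
    if scheme in ("MAIL-FROM", "NONE"):
        return "critical"        # anyone who can forge a From: header passes
    if scheme == "CRYPT-PW":
        return "weak"            # DES crypt(3): 8 significant characters, cheap to brute force
    if scheme == "MD5-PW":
        return "password"        # still a shared secret that travels with every update
    if scheme.startswith("PGPKEY-"):
        return "key"             # the update must carry a signature by a registered key
    return "unknown"


def parse_rpsl(text):
    """Split RPSL text into objects; each object is a list of (attribute, value) pairs.

    Objects are separated by blank lines; lines starting with whitespace or '+' continue
    the previous value; lines starting with '%' or '#' are comments.
    """
    objects, current = [], []
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in "%#":
            continue
        if raw[0] in " \t+":
            if current:
                attr, value = current[-1]
                current[-1] = (attr, (value + " " + raw.lstrip(" \t+")).strip())
            continue
        attr, _, value = raw.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def audit_maintainers(text):
    """Return {mntner name: (weakest rating, [(scheme, rating), ...])} for every mntner object."""
    report = {}
    for obj in parse_rpsl(text):
        if not obj or obj[0][0] != "mntner":
            continue                     # route, aut-num, person objects are not rated here
        name = obj[0][1]
        methods = [(auth_scheme(v), rate_auth(v)) for a, v in obj if a == "auth"]
        if not methods:
            methods.append(("NONE", "critical"))
        weakest = min((rating for _, rating in methods), key=RANK.__getitem__)
        report[name] = (weakest, methods)
    return report


# Constructed objects: names, key id and hash are placeholders, not real registry data.
SAMPLE_RPSL = """\
% constructed IRR excerpt for the example
mntner:      MAINT-EXAMPLE-LEGACY
descr:       constructed maintainer that still
+            accepts e-mail based authentication
auth:        MAIL-FROM .*@example\\.net
auth:        CRYPT-PW PLACEHOLDERHASH
auth:        PGPKEY-0123ABCD
source:      EXAMPLE

mntner:      MAINT-EXAMPLE-KEYED
descr:       constructed maintainer
auth:        PGPKEY-0123ABCD
source:      EXAMPLE

route:       192.0.2.0/24
origin:      AS64496
mnt-by:      MAINT-EXAMPLE-LEGACY
source:      EXAMPLE
"""

if __name__ == "__main__":
    for name, (weakest, methods) in audit_maintainers(SAMPLE_RPSL).items():
        print(f"{name}: weakest={weakest} methods={methods}")
```

Note that adding a PGPKEY line to a maintainer that still lists MAIL-FROM changes nothing about its exposure; the weak method has to be removed.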

Importantly, the name and email address of each Autonomous System’s official contact for making updates with the IRRs is public information.

Korab filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt Internet service for banks, telecommunications firms and even government entities.

“If such an attack were successful, it would result in customer IP address blocks being filtered and dropped, making them unreachable from some or all of the global Internet,” Korab said, noting that he found more than 2,000 Lumen customers were potentially affected. “This would effectively cut off Internet access for the impacted IP address blocks.”

The recent outage that took Facebook, Instagram and WhatsApp offline for the better part of a day was caused by an erroneous BGP update submitted by Facebook. That update took away the map telling the world’s computers how to find its various online properties.

Now consider the mayhem that would ensue if someone spoofed IRR updates to remove or alter routing entries for multiple e-commerce providers, banks and telecommunications companies at the same time.

“Depending on the scope of an attack, this could impact individual customers, geographic market areas, or potentially the [Lumen] backbone,” Korab continued. “This attack is trivial to exploit, and has a difficult recovery. Our conjecture is that any impacted Lumen or customer IP address blocks would be offline for 24-48 hours. In the worst-case scenario, this could extend much longer.”

Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems. Nevertheless, after receiving Korab’s report the company decided the wisest course of action was to disable MAIL-FROM: authentication altogether.

“We recently received notice of a known insecure configuration with our Route Registry,” reads a statement Lumen shared with KrebsOnSecurity. “We already had mitigating controls in place and to date we have not identified any additional issues. As part of our normal cybersecurity protocol, we carefully considered this notice and took steps to further mitigate any potential risks the vulnerability may have created for our customers or systems.”

Level3, now part of Lumen, has long urged customers to avoid using “Mail From” for authentication, but until very recently they still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist of the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is scant public evidence of a threat actor using the weakness now fixed by Lumen to hijack Internet routes.

“People often don’t notice, and a malicious actor certainly works to achieve this,” Claffy said in an email to KrebsOnSecurity. “But also, if a victim does notice, they generally aren’t going to release details that they’ve been hijacked. This is why we need mandatory reporting of such breaches, as Dan Geer has been saying for years.”

But there are plenty of examples of cybercriminals hijacking IP address blocks after a domain name associated with an email address in an IRR record has expired. In those cases, the thieves simply register the expired domain and then send email from it to an IRR specifying any route changes.

While it’s nice that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms aren’t great. Claffy said after years of debate over approaches to improving routing security, the operator community deployed an alternative known as the Resource Public Key Infrastructure (RPKI).

“The RPKI includes cryptographic attestation of records, including expiration dates, with each Regional Internet Registry (RIR) operating as a ‘root’ of trust,” wrote Claffy and two other UC San Diego researchers in a paper that is still undergoing peer review. “Similar to the IRR, operators can use the RPKI to discard routing messages that do not pass origin validation checks.”

However, the additional integrity RPKI brings also comes with a fair amount of added complexity and cost, the researchers found.

“Operational and legal implications of potential malfunctions have limited registration in and use of the RPKI,” the study observed (link added). “In response, some networks have redoubled their efforts to improve the accuracy of IRR registration data. These two technologies are now operating in parallel, along with the option of doing nothing at all to validate routes.”
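Added example, not code from the CAIDA paper or any router vendor: the origin validation check the quoted text refers to, as specified in RFC 6811, run over constructed ROAs and announcements. It covers the two cases practitioners most often get wrong, an announcement more specific than the ROA's maximum length and an AS0 ROA that forbids every origin.

```python
"""RPKI route origin validation (added example, constructed ROAs and routes)."""
import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int   # longest prefix the holder allows to be announced under this ROA
    asn: int          # AS 0 (RFC 6483) means: no AS at all may originate this prefix


def roa(prefix, max_length, asn):
    """Build a ROA, rejecting max_length values that RFC 6482 does not allow."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("max_length must lie between the ROA prefix length and the address size")
    return ROA(net, max_length, asn)


def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate_origin(roas, prefix, origin_asn):
    """RFC 6811 verdict for one announcement: 'valid', 'invalid' or 'not-found'.

    valid      some covering ROA names this origin AS and its max_length allows this length
    invalid    ROAs cover the prefix but none matches (wrong AS, too specific, or AS0 ROA)
    not-found  no ROA covers the prefix; most operators still accept these routes
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def evaluate(roas, announcements):
    """Verdict for every (prefix, origin AS) pair."""
    return [(p, asn, validate_origin(roas, p, asn)) for p, asn in announcements]


# Constructed ROAs (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64496),
    roa("203.0.113.0/24", 24, 0),      # AS0 ROA: the holder says nobody should originate this
]

# Constructed announcements.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # valid
    ("192.0.2.0/25", 64496),      # invalid: longer than max_length, even from the right AS
    ("192.0.2.0/24", 64511),      # invalid: wrong origin AS
    ("198.51.100.0/24", 64496),   # not-found: no ROA covers it
    ("2001:db8:1::/48", 64496),   # valid: within the IPv6 ROA's max_length
    ("203.0.113.0/24", 64496),    # invalid: AS0 ROA forbids every origin
]

if __name__ == "__main__":
    for prefix, asn, verdict in evaluate(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:<18} AS{asn:<6} {verdict}")
```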

[1]: I borrowed some descriptive text in the 5th and 6th paragraphs from a CAIDA/UCSD draft paper — IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trust Zones: A Path to a More Secure Internet Infrastructure (PDF).

Reviewing a historical Internet vulnerability: Why isn’t BGP more secure and what can we do about it? (PDF)

The Best Animal Chairs for Kids

Children of all ages can benefit from adding a chair to their bedroom, playroom, or dorm. There are many factors parents should consider when choosing an appropriate seating option for kids, including safety and comfort levels. Animal chairs are not only adorable – they also add color and character to any space. Whether your child is just starting out on their own or growing into a teenager, you can purchase animal chairs in various styles to suit any size and decor.

1. Animal Adventure | Sweet Seats | Teal Unicorn Children’s Plush Chair

If your child loves unicorns, this teal plush chair is the perfect addition to their bedroom. The soft beige head of the unicorn features a mane and wings that truly stand out against its vibrant color scheme.

Your little one will fall in love with this eye-catching piece from Sweet Seats. Featuring a comfortable and plush cushion seat, this chair is sure to become one of your child’s favorites. This piece, along with other Sweet Seats animal chairs, can be purchased from Amazon.

2. DEMDACO Polly Pink Puppy Large Children’s Plush Stuffed Animal Chair

If your child loves puppies, then this piece from DEMDACO should be added to their collection. The plush, upholstered puppy features a pink and brown color scheme and a sturdy base that can withstand significant weight.

Like other animal chairs from DEMDACO, this chair is an outstanding option for kids of all ages. This piece can be purchased from Amazon.

3. Soft Landing | Sweet Seats | Premium Monkey Children’s Plush Chair

If your child loves monkeys, they’ll fall in love with this plush piece from Sweet Seats. The adorable design features a monkey face and eyes on one side of the chair and a comfy back cushion. Your little one will love curling up in this cute seat to read or relax after a long day of play.

4. Delta Children Cozy Children’s Chair – Fun Animal Character, Panda

This fun, white, black and pink chair will fit perfectly with your little girl’s princess room. The rectangular design is attractive and straightforward yet still includes a cute panda smile. Your daughter will love curling up in this adorable piece for storytime or simply to relax after a long day of play.

5. Fantasy Fields – Happy Farm Animals Hand Crafted Kids Wooden Chair – Piggy

Although this piece is not plush, it is just as adorable for your child’s bedroom. The smiling pig design makes the perfect addition to a farm-themed room or any place where your little one needs a comfortable seat.

What to Look for in a Good Animal Chair

While there are many animal chairs out on the market today, it can be challenging to find one that is both safe and comfortable for your child. Here are a few things you should look for when shopping around:

Safety first

Your child’s safety comes first! The most important thing to look for in an animal chair is its safety rating. While most chairs on the market today come with a safety rating, you should always check to make sure that it matches your child’s age and weight. If you are concerned about your child using the chair unsupervised, look for pieces that have safety restraints included.

Design

Another essential thing to look for in an animal chair is a comfortable design. Children can get bored and frustrated if the seating options they have available are uncomfortable or impossibly small. Look for animal chair designs that include larger dimensions and a soft cushion seat to keep your child comfortable and happy throughout their playtime.

Practicality

The best animal chairs are those that you can use for more than just a play piece. Some of the most popular styles on the market today include storage options, extra seating, and even reading stands to make these pieces practical additions to any child’s room or play area.

Additional Features

More and more animal chairs are equipped with additional features to make them even more exciting for children. Some of the most popular add-ons include sounds, lights, and music players that allow your child to become part of a fun adventure while sitting in their new chair. If your child loves these types of activities, look for an animal chair equipped with these features.

How to Keep Your Child’s Animal Chairs and Children’s Chair Covers Clean

Just like any other piece of furniture or toy, your child’s animal chairs and children’s chair covers will need regular cleaning to keep them looking great for years to come. Fortunately, most products on the market today are made from low-maintenance materials and can be easily wiped clean with a damp cloth. If your child’s chair cover is machine washable, always check the manufacturer’s care instructions before washing to ensure that you are using the best cleaning methods possible.

Where to Buy Animal Chairs for Kids

There are dozens of different places to purchase animal chairs for kids online and in stores near you. When looking for a retailer, keep in mind that not all of them will offer the same quality or customer service level. Here at Comfy Bummy, we chose to partner with Amazon.com because we feel they offer the best ratio between price and quality.

Final Thoughts on Animal Chairs for Kids

If your child loves bright and colorful furniture, animal chairs are sure to be some of their favorite pieces in the home. These fun pieces come in different colors and styles, so you should have little trouble finding something that meets your needs. Animal chairs can also help keep kids entertained throughout their playtime. Look for new animal chair covers to help make your little one’s bedroom more exciting.

The post The Best Animal Chairs for Kids appeared first on Comfy Bummy.

EDR vs Enterprise Antivirus: What’s the Difference?

EDR, or Endpoint Detection and Response, is a modern replacement for Antivirus security suites. For decades, organizations and businesses have invested in Antivirus suites in the hope of solving the challenges of enterprise security. But as the sophistication and prevalence of malware threats has grown over the last ten years, so the shortcomings of what is now referred to as “legacy” Antivirus have become all too apparent.

In response, some vendors re-thought the challenges of enterprise security and came up with new solutions to the failures of Antivirus. How does EDR differ from Antivirus? How and why is EDR more effective than AV? And what is involved in replacing your AV with an advanced EDR? You’ll find the answers to all these questions and more in this post.

What Makes EDR Different from Antivirus?

In order to adequately protect your business or organization against threats, it is important to understand the difference between EDR and traditional or “legacy” Antivirus. These two approaches to security are fundamentally different, and only one is appropriate for dealing with modern threats.

Features of Antivirus

Back in the days when the number of new malware threats per day could comfortably be counted in a spreadsheet document, Antivirus offered enterprises a means of blocking known malware by examining – or scanning – files as they were written to disk on a computer device. If the file was ‘known’ to the AV scanner’s database of malicious files, the software would prevent the malware file from executing.

The traditional Antivirus database consists of a set of signatures. These signatures may contain hashes of a malware file and/or rules that contain a set of characteristics the file must match. Such characteristics typically include things like human-readable strings or sequences of bytes found inside the malware executable, file type, file size and other kinds of file metadata.

Some antivirus engines can also perform primitive heuristic analysis on running processes and check the integrity of important system files. These “after-the-fact” or post-infection checks were added to many AV products after the flood of new malware samples on a daily basis began to outstrip AV vendors’ ability to keep their databases up-to-date.

In light of growing threats and the declining efficacy of the Antivirus approach, some legacy vendors have tried to supplement Antivirus with other services such as firewall control, data encryption, process allow and block lists and other AV “suite” tools. Generically known as “EPP” or Endpoint Protection Platforms, such solutions remain based at heart on a signature approach.

Features of EDR

While the focus of all AV solutions is on the (potentially malicious) files that are being introduced to the system, an EDR, in contrast, focuses on collecting data from the endpoint and examining that data for malicious or anomalous patterns in real time. As the name implies, the idea of an EDR system is to detect an infection and initiate a response. The faster an EDR can do this without human intervention, the more effective it will be.

A good EDR will also include capabilities to block malicious files, but importantly EDRs recognize that not all modern attacks are file-based. Moreover, proactive EDRs offer security teams critical features not found in Antivirus, including automated response and deep visibility into what file modifications, process creations and network connections have occurred on the endpoint: vital for threat hunting, incident response and digital forensics.

Pitfalls of Antivirus

There are many reasons why Antivirus solutions cannot keep up with the threats facing enterprises today. First, as indicated above, the number of new malware samples seen on a daily basis is greater than the number any human team of signature writers can keep up with.

Given that AV solutions must necessarily fail to detect many of these samples, enterprises must assume that they will face a threat that the Antivirus cannot detect.

Secondly, detection via Antivirus signatures can often be easily bypassed by threat actors even without rewriting their malware. Since signatures only focus on a few file characteristics, malware authors have learned how to create malware that has changing characteristics, also known as polymorphic malware. File hashes, for example, are among the easiest of a file’s characteristics to change, but internal strings can also be randomized, obfuscated and encrypted differently with each build of the malware.

Thirdly, financially motivated threat actors such as ransomware operators have moved beyond simple file-based malware attacks. In-memory or fileless attacks have become common, and human-operated ransomware attacks such as Hive, along with “double-extortion” attacks such as Maze, Ryuk and others, may begin with compromised or brute-forced credentials or with exploitation of RCE (remote code execution) vulnerabilities, and can lead to compromise and loss of intellectual property through data exfiltration without ever triggering an Antivirus signature-based detection.

Benefits of EDR

With its focus on providing visibility to enterprise security teams, along with automated detection responses, EDR is much better equipped to cope with today’s threat actors and the security challenges that they present.

By focusing on the detection of unusual activity and providing a response, EDR is not limited to only detecting known, file-based threats. On the contrary, the primary value of the EDR proposition is that the threat does not need to be precisely defined in the way that it does for Antivirus solutions. An EDR solution can look for patterns of activity that are unexpected, unusual, and unwanted and issue an alert for a security analyst to investigate.

Moreover, because EDRs work by collecting a vast range of data from all protected endpoints, they offer security teams the opportunity to visualize that data in one convenient, centralized interface. IT teams can take that data and integrate it with other tools for deeper analysis, helping to inform the organization’s overall security posture as it moves to define the nature of potential future attacks. The comprehensive data from an EDR can also enable retrospective threat-hunting and analysis.

Perhaps one of the greatest benefits of an advanced EDR is the ability to take this data, contextualize it on the device, and mitigate the threat without human intervention. Not all EDRs are capable of this, however, as many rely on transmitting EDR data to the cloud for remote (and, therefore, delayed) analysis.

How EDR Complements Antivirus

Despite their limitations when deployed alone or as part of an EPP solution, Antivirus engines can be useful complements to EDR solutions, and most EDRs will contain some element of signature and hash-based blocking as part of a “defense-in-depth” strategy.

By incorporating Antivirus engines within a more effective EDR solution, enterprise security teams can reap the benefits of simple blocking of known malware and combine it with the advanced features that EDRs have to offer.

Avoiding Alert Fatigue with Active EDR

As we noted earlier, EDRs offer enterprise security and IT teams deep visibility into all the endpoints across the organization’s network, and this in turn allows for a number of advantages. However, despite these advantages, many EDR solutions are failing to have the impact enterprise security teams had hoped for because they demand a great deal of human resources to manage: resources that are often unavailable due to staffing or budget restrictions or unobtainable due to the cybersecurity skills shortage.

Instead of enjoying greater security and less work for their IT and security teams, many organizations that have invested in EDR have simply found themselves reallocating resources from one security task to another: away from triaging infected devices to triaging a mountain of EDR alerts.

And yet it doesn’t need to be like that. Perhaps the most valuable potential of EDR is its ability to autonomously mitigate threats without the need for human intervention at all. By harnessing the power of machine learning and Artificial Intelligence, Active EDR takes the burden off the SOC team and is able to autonomously mitigate events on the endpoint without relying on cloud resources.

This means threats are mitigated at machine speed – faster than any remote cloud analysis – and without human effort.

What Active EDR Means For Your Team

Consider this typical scenario: A user opens a tab in Google Chrome, downloads a file they believe to be safe and executes it. The program leverages PowerShell to delete the local backups and then starts encrypting all data on the disk.

The work of a security analyst using passive EDR solutions can be hard. Swamped with alerts, the analyst needs to assemble the data into a meaningful story. With Active EDR, this work is instead done by the agent on the endpoint. Active EDR knows the full story, so it will mitigate this threat at run time, before encryption begins.

When the story is mitigated, all the elements in that story will be taken care of, all the way to the Chrome tab the user opened in the browser. It works by giving each of the elements in the story the same TrueContext ID. These stories are then sent to the management console, allowing visibility and easy threat hunting for security analysts and IT administrators.
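The three ideas above can be seen together in a small simulation: the hash signature that a rebuilt sample slips past (the polymorphism problem described under Pitfalls of Antivirus), the hash blocklist retained as a cheap first layer beneath behavioural detection (How EDR Complements Antivirus), and a story correlator that tags every process with the ID of the root it descends from, so that a mitigation reaches back to the browser tab that started the chain. This is an added, constructed example, not SentinelOne's agent, Storyline or TrueContext code; the process IDs, image paths, command lines and the "build" bytes hashed into the blocklist are all made up for the example, and the backup-deletion rule is a deliberately simple stand-in for a real behavioural engine.

```python
"""Toy endpoint agent: AV-style hash blocklist under an EDR-style story correlator.
Added example over constructed telemetry; not the article's or the vendor's code."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ProcEvent:
    """One process-creation event as an agent would record it (constructed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    file_hash: str = ""   # SHA-256 of the image, when the agent computed one


# AV layer: a signature is just the hash of one known build (constructed value).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"build-1 of the dropper").hexdigest()}


def deletes_backups(ev: ProcEvent) -> bool:
    """EDR layer: PowerShell being used to remove local backups (shadow copies),
    the pre-encryption step from the scenario in the text."""
    cl = ev.cmdline.lower()
    return ev.image.lower().endswith("powershell.exe") and "delete" in cl and "shadows" in cl


class Agent:
    def __init__(self) -> None:
        self.by_pid: dict[int, ProcEvent] = {}
        self.story_of: dict[int, int] = {}   # pid -> story id (pid of the root process)
        self.mitigated: set[int] = set()     # story ids already killed

    def ingest(self, ev: ProcEvent) -> Optional[int]:
        """Record the event and return its story id; children inherit the parent's
        story, a process with no known parent starts a new one. Events belonging to
        a story that was already mitigated are dropped: a killed chain spawns nothing."""
        story = self.story_of.get(ev.ppid, ev.pid)
        if story in self.mitigated:
            return None
        self.by_pid[ev.pid] = ev
        self.story_of[ev.pid] = story
        return story

    def story_members(self, story: int) -> list[int]:
        return sorted(p for p, s in self.story_of.items() if s == story)

    def evaluate(self, ev: ProcEvent) -> Optional[dict]:
        """Cheap hash check first; otherwise the behavioural rule, whose mitigation
        covers the whole story (all the way back to the browser), not just the process."""
        story = self.story_of[ev.pid]
        if ev.file_hash in KNOWN_BAD_SHA256:
            decision = {"layer": "av", "story": story, "kill": [ev.pid]}
        elif deletes_backups(ev):
            decision = {"layer": "edr", "story": story, "kill": self.story_members(story)}
        else:
            return None
        self.mitigated.add(story)
        return decision

    def stories_where(self, pred: Callable[[ProcEvent], bool]) -> list[int]:
        """Retrospective hunt over retained telemetry: story ids with a matching member."""
        return sorted({self.story_of[p] for p, ev in self.by_pid.items() if pred(ev)})


def sample_events(build: bytes) -> list[ProcEvent]:
    """Constructed telemetry for the Chrome -> download -> PowerShell scenario.
    `build` changes the dropper's bytes (and so its hash) without changing behaviour."""
    h = hashlib.sha256(build).hexdigest()
    return [
        ProcEvent(100, 1, r"C:\Program Files\Google\Chrome\chrome.exe", "chrome.exe --new-tab"),
        ProcEvent(200, 100, r"C:\Users\u\Downloads\invoice.exe", "invoice.exe", h),
        ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -Command vssadmin delete shadows /all /quiet"),
        ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),   # unrelated story
    ]


def run(events: list[ProcEvent]) -> tuple[Agent, list[dict]]:
    agent, decisions = Agent(), []
    for ev in events:
        if agent.ingest(ev) is None:
            continue
        d = agent.evaluate(ev)
        if d:
            decisions.append(d)
    return agent, decisions


if __name__ == "__main__":
    # Known build: the hash layer stops the dropper before PowerShell ever runs.
    print(run(sample_events(b"build-1 of the dropper"))[1])
    # Rebuilt dropper: hash misses, behaviour catches it and kills pids 100, 200, 300.
    print(run(sample_events(b"build-2 of the dropper"))[1])
```

Running it with the first build yields a single "av" decision killing only pid 200, because the blocked dropper never spawns PowerShell. With the rebuilt dropper the hash layer is silent, the behavioural rule fires on the PowerShell event, and the kill list is the whole story (Chrome, the dropper and PowerShell) while the unrelated explorer.exe story is untouched; `stories_where` then answers the "is this the first time it happened" question over the telemetry the agent retained.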

Upgrading Your Security with EDR

Once we see the clear advantages of an EDR system over Antivirus, what is the next step? Choosing the right EDR requires understanding the needs of your organization and the capabilities of the product being offered.

It’s also important to conduct tests, but make sure those tests have real-world application. How will this product be used by your team in day-to-day operations? How easy is it to learn? Will it still protect your company when any cloud services it relies on are offline or unreachable?

It’s important to consider deployment and rollout, also. Can you automate deployment across your fleet? What about platform compatibility? Does your chosen vendor give equal importance to Windows, Linux and macOS? Every endpoint needs to be protected; the ones that get left behind can provide a backdoor into your network.

Next, think about integration. Most organizations have a complex software stack. Does your vendor offer powerful but simple integration for other services you rely on?

For a more comprehensive guide on how to choose the right EDR, see the free ebook The Secrets of Evaluating Security Products.

Beyond EDR | XDR For Maximum Visibility & Integration

While Active EDR is the next step for organizations that have yet to move past Antivirus, enterprises that need maximum visibility and integration across their entire estate should be thinking about Extended Detection and Response, or XDR.

XDR takes EDR to the next level by integrating all visibility and security controls into a full holistic view of what happens in your environment. With a single pool of raw data comprising information from across the entire ecosystem, XDR allows faster, deeper and more effective threat detection and response than EDR, collecting and collating data from a wider range of sources.


Conclusion

Threat actors have long moved beyond Antivirus and EPP and organizations need to consider that such products are no match for the threats that are active today. Even a cursory look at the headlines shows how large, unprepared organizations are being caught out by modern attacks like ransomware even though they have invested in security controls. The onus is on us, as defenders, to ensure that our security software is not only fit for yesterday’s attacks, but today’s and tomorrow’s.

If you would like to learn more about how SentinelOne can provide advanced protection for your organization, contact us or request a free demo.