As Nyotron Founder and CTO Nir Gaist points out in his recent post, the “enumeration of badness” approach that cybersecurity pros and vendors have relied on for decades is no longer effective for two reasons: the amount of “badness” is practically infinite, and it is unrealistic to detect all future “badness” based on the past. You can draw a direct line between this continued reliance on a failing security model and why so many organizations cannot detect and contain data breaches in a timely manner. According to the IBM Security/Ponemon Institute 2018 Cost of a Data Breach Study, the average time to identify a data breach was 197 days, and the average time to contain a data breach once identified was 69 days. Alarming statistics like those have compelled security professionals to implement Endpoint Detection and Response (EDR) products in an effort to gain better visibility into attacks that have evaded traditional security measures. The trouble is that EDR increases the burden on already-understaffed security teams without raising the actual protection level.
It is important to build a multi-layered security defense, so it is understandable why organizations consider implementing an EDR solution. EDR functions like a security video camera installed on users’ devices to monitor and capture every endpoint event. In most cases, this mass of events is streamed to a cloud-based big data platform that the security team can then use for threat hunting. It can also provide remediation actions such as Shadow Copy (VSS) restore, process termination and device quarantine.
However, the trade-offs EDR requires to realize these capabilities are significant.
First, a typical security organization will need to hire additional staff to regularly conduct threat hunting. That has proven difficult due to a severe shortage of skilled talent. When Black Hat earlier this year polled a group of IT and security professionals for its annual Black Hat USA Attendee Survey, it found that for the fourth straight year, two-thirds of respondents said they do not have enough staff to defend their organizations.
More critically, EDR by definition is a post-breach technology, meaning that the attackers have already succeeded in infiltrating the environment and likely even left with the data they were after. The visibility that an EDR tool provides is valuable, but not sufficient. Organizations require both visibility and protection.
Why PARANOID?
Nyotron’s PARANOID succeeds where EDR fails in two key areas. PARANOID provides granular visibility into the attack timeline, origin, TTPs and what the attackers attempted to accomplish, and it prevents the damage from occurring. No manual threat hunting sessions, big data platform, heavy infrastructure or cloud connectivity are required.
Here’s a quick breakdown of how PARANOID stacks up to EDR:
| Evaluation Criteria | EDR | Nyotron’s PARANOID |
| --- | --- | --- |
| Detection of threats | YES | YES |
| Protection from threats | NO | YES |
| Not necessary to hire additional staff | NO | YES |
| Air-gapped & off-line system support | NO | YES |
| Eliminates the need to collect, store and manage large volumes of data | NO | YES |
Instead of chasing infinite “badness”, PARANOID focuses on the finite “good” in the form of legitimate operating system behavior. We call this approach OS-Centric Positive Security because, as Nir explained in his recent article for CyberScoop, it is possible to create a map of all legitimate OS behavior. There are only a small handful of operating systems out there, and they change infrequently, especially in the way they interact with the file system and networking.
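To make the contrast concrete, here is an added illustration (not Nyotron’s code and not how PARANOID is implemented) of the two models side by side: a denylist of known-bad hashes versus a small positive map of which file-system and network operations each process is expected to perform. The process names, path patterns, hashes and events are constructed sample values.

```python
import fnmatch

# Constructed "map of legitimate OS behavior": process -> operation -> allowed targets.
# Hypothetical sample policy, not a real product model.
POSITIVE_MODEL = {
    "winword.exe": {
        "file_write": ["C:\\Users\\*\\Documents\\*.docx", "C:\\Users\\*\\AppData\\Local\\Temp\\*"],
        "net_connect": ["*.office.example:443"],
    },
    "backup.exe": {
        "file_write": ["D:\\Backups\\*"],
        "net_connect": [],
    },
}

# Constructed "enumeration of badness": hashes of binaries already known to be malicious.
KNOWN_BAD_HASHES = {"aaaa1111"}  # placeholder value

def denylist_verdict(event):
    """Negative model: block only what has been seen and catalogued before."""
    return "block" if event.get("sha256") in KNOWN_BAD_HASHES else "allow"

def positive_verdict(event):
    """Positive model: allow only behavior present in the map; anything else is a deviation."""
    allowed = POSITIVE_MODEL.get(event["process"], {}).get(event["op"], [])
    if any(fnmatch.fnmatchcase(event["target"], pattern) for pattern in allowed):
        return "allow"
    return "block"

def evaluate(events):
    """Return (event id, denylist verdict, positive-model verdict) for each event."""
    return [(e["id"], denylist_verdict(e), positive_verdict(e)) for e in events]

# Constructed endpoint events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "process": "winword.exe", "op": "file_write",
     "target": "C:\\Users\\alice\\Documents\\report.docx", "sha256": "0000beef"},  # legitimate
    {"id": 2, "process": "oldmalware.exe", "op": "file_write",
     "target": "C:\\Users\\alice\\x.bin", "sha256": "aaaa1111"},  # known bad: both models catch it
    {"id": 3, "process": "winword.exe", "op": "net_connect",
     "target": "203.0.113.9:4444", "sha256": "0000beef"},  # trusted binary, abnormal behavior
    {"id": 4, "process": "newtool.exe", "op": "file_write",
     "target": "C:\\Windows\\System32\\drivers\\x.sys", "sha256": "c0ffee00"},  # never-seen binary
]

if __name__ == "__main__":
    for event_id, deny, positive in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: denylist={deny} positive_model={positive}")
```

Events 3 and 4 are the page’s argument in miniature: the denylist has nothing to match against novel badness, while the positive model flags them simply because the behavior is not on the finite map of legitimate activity.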
Please read additional details about PARANOID’s advantages here and how it serves to complement your existing endpoint protection technologies here, and connect with us on LinkedIn and Twitter.