Endpoint Forensics Will Become a Mainstream Cybersecurity Technology

Threats, compliance, and legal requirements driving forensics into the mainstream

I’ve written blogs in the past with titles like “big data security analytics is inevitable.” Yes, I know this reads like a sound bite, but I truly believe that we need to collect, process, and analyze terabytes of real-time and historical data in order to detect stealthy cybersecurity events and adjust our security controls accordingly. My conviction around big data security analytics goes beyond opinion alone. According to ESG research, 24% of enterprise organizations (i.e., those with more than 1,000 employees) collect at least 26TB of security data per month. Additionally, 44% of enterprises believe that their current level of security data capture and processing would qualify as “big data” today, while another 44% believe that their security data capture and processing levels will qualify as “big data” within the next 2 years.

In spite of this push toward big data security analytics, however, many organizations remain blind to what’s happening in one obvious IT domain: endpoints. Ironic but true. For example, ESG asked security professionals to point out areas of endpoint monitoring weakness. Here’s what we learned:

• 41% have a weakness with monitoring “applications installed on each device”
• 36% have a weakness with monitoring “suspicious/malicious network activities (from endpoints)”
• 36% have a weakness with monitoring “downloads/execution of suspicious/malicious code”
• 28% have a weakness with monitoring “local storage of sensitive data”

Yes, I realize that there are a lot of reasons why we don’t do a good job with endpoint monitoring: multiple tools, limited resources, sporadic network scans, etc. Rationale aside, many organizations have an endpoint visibility hole that remains big enough to drive a truck full of malware through. So what’s needed? Real-time endpoint forensic data capture and analysis. Common wisdom is that endpoint forensics is wildly expensive and reserved for super geeks, but this is no longer true.

Tools are getting smarter and cheaper all the time. What’s more, they can be very effective. For example, Guidance Software’s EnCase Analytics can tell you all the processes running on endpoints at a given time, pinpoint processes often used in polymorphic malware, and then identify specific processes that deviate from normal behavior. This type of information can really help CISOs discover cybersecurity problems more efficiently, and it is data that few other security tools capture or analyze. In the recent past, endpoint forensics was an afterthought: once you were breached, you called HBGary, IBM, or Mandiant and gave them carte blanche to your network. Given today’s threat landscape, this type of a posteriori strategy makes no sense. My guess is that some type of lightweight endpoint forensic data capture and analysis technology will become mainstream over the next few years. Meanwhile, large enterprises that really care about cybersecurity aren’t waiting around; they are already moving down the endpoint forensics path as quickly as they can.
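As an added example (not code from this post, and not EnCase Analytics’ own logic), the fleet-wide process analysis described above can be sketched in a few dozen lines: gather each endpoint’s running-process list, count how many hosts each (name, image path) pair appears on, and flag the outliers, namely processes seen on almost no hosts, well-known process names running from the wrong path, and launcher binaries spawned by document handlers. The per-host inventory, the expected-path table and the watchlists below are constructed for illustration and are assumptions, not real telemetry or vendor rules.

```python
"""Fleet-wide process-inventory triage (illustrative, constructed data).

Collect the running-process snapshot from every endpoint, compute how common
each process is across the fleet, and flag what deviates from the norm.
This is an added example, not EnCase Analytics code; inventory, expected
paths and watchlists are assumptions made up for the demonstration.
"""
from collections import Counter

# Constructed per-host snapshots: (process name, image path, parent process name).
INVENTORY = {
    "ws01": [
        ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
        ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
        ("outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "explorer.exe"),
    ],
    "ws02": [
        ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
        ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
        ("outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "explorer.exe"),
        ("winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "explorer.exe"),
    ],
    "ws03": [
        ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
        ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
        ("winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "explorer.exe"),
        # Launcher binary spawned by a document handler: a classic exploit footprint.
        ("rundll32.exe", r"C:\Windows\System32\rundll32.exe", "winword.exe"),
    ],
    "ws04": [
        ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
        ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
        # Well-known name, wrong path and wrong parent: masquerading.
        ("svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe"),
        ("updater.exe", r"C:\Users\bob\AppData\Local\Temp\updater.exe", "svchost.exe"),
    ],
}

# Where well-known Windows binaries are expected to live (assumed, lower-cased).
EXPECTED_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
    "rundll32.exe": r"c:\windows\system32\rundll32.exe",
}

# Signed Windows binaries that malware commonly uses as a launcher, and the
# document-handling parents that should not normally spawn them (assumed).
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}


def host_prevalence(inventory):
    """Number of distinct hosts on which each (name, path) pair is running."""
    counts = Counter()
    for procs in inventory.values():
        # set() so a host contributes once per pair even with several instances
        for name, path, _parent in set(procs):
            counts[(name.lower(), path.lower())] += 1
    return counts


def rare_processes(inventory, max_hosts=1):
    """(host, name, path) for processes seen on at most `max_hosts` hosts."""
    counts = host_prevalence(inventory)
    hits = []
    for host, procs in inventory.items():
        for name, path, _parent in procs:
            if counts[(name.lower(), path.lower())] <= max_hosts:
                hits.append((host, name, path))
    return sorted(hits)


def masquerading_processes(inventory, expected=EXPECTED_PATHS):
    """(host, name, path) where a well-known name runs from an unexpected path."""
    hits = []
    for host, procs in inventory.items():
        for name, path, _parent in procs:
            want = expected.get(name.lower())
            if want is not None and path.lower() != want:
                hits.append((host, name, path))
    return sorted(hits)


def suspicious_launches(inventory, launchers=LAUNCHERS, parents=DOCUMENT_PARENTS):
    """(host, name, parent) where a launcher binary was spawned by a document handler."""
    hits = []
    for host, procs in inventory.items():
        for name, _path, parent in procs:
            if name.lower() in launchers and parent.lower() in parents:
                hits.append((host, name, parent))
    return sorted(hits)


if __name__ == "__main__":
    for label, findings in (
        ("rare", rare_processes(INVENTORY)),
        ("masquerade", masquerading_processes(INVENTORY)),
        ("launch", suspicious_launches(INVENTORY)),
    ):
        for finding in findings:
            print(label, *finding)
```

The rarity threshold is the weak point of this approach: in a four-host fleet a process on a single host is unremarkable, so in practice `max_hosts` is set relative to fleet size and known software is allow-listed before anyone looks at the results. The path and parent-child checks do not depend on fleet size and tend to be the higher-signal findings, which is why the constructed data triggers each of them exactly once.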
