CrowdStrike Sponsored Content | eWEEK Technology News, Tech Product Reviews, Research and Enterprise Analysis (feed updated Tue, 24 May 2022 19:21:14 +0000)

The Need for Speed: How Identity Compromise Accelerates Attacks
https://www.eweek.com/sponsored/sponsored-post/the-need-for-speed-how-identity-compromise-accelerates-attacks/
Published Wed, 13 Apr 2022 19:48:02 +0000

The post The Need for Speed: How Identity Compromise Accelerates Attacks appeared first on eWEEK.

Modern adversaries are always seeking new ways to infiltrate more organizations, exfiltrate more data, generate more funds and achieve their myriad nefarious goals. This poses a big problem for defenders, who put themselves at risk if they lack the required defensive tools.

Adversaries’ changing tactics enable them to stay ahead. In the past, many have relied on brute force to break down defenses and infiltrate organizations, or exploited vulnerabilities in perimeter firewalls, software, and hardware to gain a foothold in their desired target environment.

This kind of attack chain may progress from initial access to discovery, privilege escalation, credential access and lateral movement before the adversary achieves an impact. Because this type of infiltration and attack progression involves several steps, it may take a while to complete and, as a result, gives defenders more time to learn about, and respond to, the threat.

Today’s adversaries have evolved their tactics and techniques to accelerate their attacks. They now focus on using identities to infiltrate targets and facilitate attack progression through lateral movement and privilege escalation. This eliminates several steps in the attack chain because an intruder who already has legitimate credentials can skip straight to lateral movement and more quickly have an impact without alerting the victim to their malicious activity. It takes far longer to detect and respond to identity-based attacks than it does to discover more traditional malware-based attacks.

Attackers are increasingly attempting to accomplish their goals with legitimate credentials and built-in tools — an approach known as “living off the land” — in an effort to evade detection by legacy antivirus tools. This trend is growing more popular: the 2022 CrowdStrike Global Threat Report found that, of all detections indexed by the CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free, another sign that adversaries are trying to succeed without writing malware to the endpoint.

This reliance on credentials has led to the rise of access brokers as key components of the eCrime threat landscape. Adversaries are increasingly communicating with one another and selling “access”, or username/password pairs, to one another in order to facilitate criminal activity. The CrowdStrike Intelligence team has analyzed access brokers’ advertisements and found they sell entries to organizations from at least 30 different sectors, demonstrating any industry can be a target.

Breakout time is one metric that reflects how attackers are moving with greater speed and purpose. This metric refers to the amount of time it takes an adversary to move laterally from an initially compromised host to another host in the victim environment. CrowdStrike’s analysis of hands-on eCrime intrusion activity in 2021 revealed the average breakout time is only 1 hour and 38 minutes — a very short window for defenders to respond.
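To make the breakout-time metric concrete for a detection team, here is an added example (not CrowdStrike's code or telemetry, and not part of the original post) that computes it from a constructed set of logon events. The event shape (ts, kind, user, host, src_host, dst_host, outcome) is an assumption chosen for the example; the timestamps are constructed so that the result lands on the 1 hour 38 minute average quoted above. It also reconstructs the chain of hosts the account moved through, which is the view an analyst needs when scoping an intrusion.

```python
"""
Breakout-time calculation over constructed logon events.

Breakout time is the interval between the initial compromise of a host and
the adversary's first successful lateral move from that host to another host.
Event field names below are assumptions made for this example.
"""
from datetime import datetime

# Constructed sample events for one account. The detection on WS-01 marks the
# initial compromise; later logons show the account moving to FS-02 and then
# to DC-01. Timestamps are chosen so the breakout time is 1 h 38 min.
SAMPLE_EVENTS = [
    {"ts": "2022-03-10T09:00:00Z", "kind": "detection", "user": "jsmith",
     "host": "WS-01"},
    {"ts": "2022-03-10T09:12:10Z", "kind": "logon", "user": "jsmith",
     "src_host": "WS-01", "dst_host": "WS-01", "outcome": "success"},
    {"ts": "2022-03-10T09:40:05Z", "kind": "logon", "user": "jsmith",
     "src_host": "WS-01", "dst_host": "FS-02", "outcome": "failure"},
    {"ts": "2022-03-10T10:38:00Z", "kind": "logon", "user": "jsmith",
     "src_host": "WS-01", "dst_host": "FS-02", "outcome": "success"},
    {"ts": "2022-03-10T11:05:00Z", "kind": "logon", "user": "jsmith",
     "src_host": "FS-02", "dst_host": "DC-01", "outcome": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def initial_compromise(events, user):
    """Return the earliest detection event for the user, or None."""
    detections = [e for e in events
                  if e["kind"] == "detection" and e["user"] == user]
    return min(detections, key=lambda e: parse_ts(e["ts"])) if detections else None


def successful_logons_after(events, user, start):
    """Successful logons by the user at or after `start`, in time order."""
    hits = [e for e in events
            if e["kind"] == "logon" and e["user"] == user
            and e["outcome"] == "success" and parse_ts(e["ts"]) >= start]
    return sorted(hits, key=lambda e: parse_ts(e["ts"]))


def breakout_time(events, user):
    """
    Return (patient_zero, first_lateral_host, timedelta) for the user's first
    successful logon from the compromised host to a different host, or None
    if no compromise or no lateral move is present in the events.
    """
    first = initial_compromise(events, user)
    if first is None:
        return None
    t0, patient_zero = parse_ts(first["ts"]), first["host"]
    for e in successful_logons_after(events, user, t0):
        # Local logons (src == dst) and failed attempts are not lateral moves.
        if e["src_host"] == patient_zero and e["dst_host"] != patient_zero:
            return patient_zero, e["dst_host"], parse_ts(e["ts"]) - t0
    return None


def lateral_chain(events, user):
    """
    Reconstruct the ordered list of hosts the account moved through, starting
    at the compromised host and following each successful logon whose source
    is the most recently reached host. Returns [] if no compromise was found.
    """
    first = initial_compromise(events, user)
    if first is None:
        return []
    chain = [first["host"]]
    for e in successful_logons_after(events, user, parse_ts(first["ts"])):
        if e["src_host"] == chain[-1] and e["dst_host"] not in chain:
            chain.append(e["dst_host"])
    return chain


if __name__ == "__main__":
    print("breakout:", breakout_time(SAMPLE_EVENTS, "jsmith"))
    print("chain:", lateral_chain(SAMPLE_EVENTS, "jsmith"))
```

Run against real authentication telemetry, the useful comparison is the measured breakout time against the team's own mean time to respond: if the latter is longer, the adversary is already on a second host before the first alert is worked.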

Last year’s noPac exploit exemplifies how modern attacks are accelerating. In mid-December 2021, a public exploit that combined two critical Microsoft Active Directory design flaws was released. This exploit allowed the escalation of privileges of a regular domain user to domain admin, which enables a malicious actor to launch multiple attacks, such as domain takeover or a ransomware campaign. Around the time noPac was disclosed, researchers at Secureworks demonstrated how these flaws could be exploited to gain domain privileges in just 16 seconds.

Defending Against Swift and Subtle Attacks

These identity-centric attacks have become a core component of today’s breaches, including several high-profile attacks. Not only does this technique allow adversaries to move quickly; it also lowers the cost of their operations — obtaining legitimate credentials is significantly cheaper than buying zero-day exploits or launching a custom supply-chain attack.

Identity attacks are extremely hard to detect. When valid employee credentials have been compromised and an adversary is acting as that user, traditional security tools and practices make it very tough to differentiate the employee’s typical behavior from the attacker’s.

Even a well-designed IT environment can fall victim to the weaknesses of relying on credentials without strong identity protection. Any account, whether it belongs to an IT admin, employee, third-party vendor, or a customer, can provide an attack path. As more employees have fully transitioned to remote work, the attack surface of many organizations has expanded and driven the need for a strong and flexible identity security solution.

Identity is one component within a broader security platform. To create the strongest level of protection, organizations must create a strategy that encompasses endpoint security, IT security, cloud workload protection and container security, in addition to identity protection. An identity security solution must also integrate with existing identity and access management (IAM) tools and processes, as well as a Zero Trust architecture.

A comprehensive identity security strategy will improve an organization’s visibility of credentials in a hybrid environment and allow them greater insight into their behavior, risk, and deviations. It will also enhance detection and defense of lateral movement, and strengthen the security of privileged users to protect against actions like privilege escalation and account takeover.

Speed often dictates success or failure — especially in cybersecurity, where stealthy attacks can unfold in a matter of hours and have devastating consequences. Security teams of all sizes and industries must invest in agility for their strategic decision-making by automating prevention, detection, investigation, and response workflows with integrated cyber threat intelligence.

Five Steps to Kick-start Your Move to XDR
https://www.eweek.com/sponsored/sponsored-post/five-steps-to-kick-start-your-move-to-xdr/
Published Tue, 29 Mar 2022 15:16:39 +0000

Alert overload is practically a given for security teams today. Analysts are inundated with new detections and events to triage, all spread across a growing set of disparate, disconnected security tools. In fact, they’ve burgeoned to such an extent that the average enterprise now has 45 cybersecurity-related tools deployed across its environment.

As attacks grow in scale and sophistication, even more painstaking work is needed on the backend for SOC analysts to piece together the full scope of incidents and their protracted trails of lateral movement across every vector and touchpoint. Siloed detections simply don’t cut it anymore.

If we haven’t hit a breaking point yet, it’s clear that we’re rapidly approaching one. In the CrowdStrike 2021 Global Security Attitude survey, close to half (47%) of the 2,200 surveyed IT security practitioners reported that one of their primary challenges in carrying out effective detection and response is the growing number of siloed security tools in their environments (see Figure 1). Ultimately, security teams feel these adverse effects as their visibility gaps widen, and triage and remediation workflows ebb in efficiency.

Figure 1. Too many disparate security tools hamper detection and response

This is exactly where extended detection and response (XDR) comes into play. XDR unlocks value across your entire security ecosystem. The raw potential for XDR to transform and holistically up-level security teams far exceeds the current value that disconnected security tools deliver when kept as standalone items. In other words, when you transition to XDR, the ROI of every system you connect rises along with it. 

Five Steps to Kick-start Your Move to XDR

Transitioning to XDR is not as easy as a snap of the fingers — but it shouldn’t be too far removed from that either. Whether you’re just starting out with endpoint detection and response (EDR) or already operate a highly mature security organization, there are practical steps you can take right now to begin your transition to XDR. We lay out five of these below.

Step #1: Recognize You’re Not Starting from Scratch

Unlike many other new security technologies, XDR is additive. Security teams that have (or plan to build) a strong security foundation through EDR have already taken their first step to XDR. This is because XDR is an extension of EDR — i.e., XDR leverages and expands on existing EDR concepts, processes and best practices — and uses it as an efficient starting place with much of the extraneous noise that you’d typically expect from massive data aggregation already natively filtered out.

As a result, EDR data becomes the primary focal point to coalesce additional security telemetry and workflows from systems and applications across an organization’s technology ecosystem. 

The simplicity XDR brings to your security operations is how easily it unifies threat detection and response workflows across your security and IT systems. Even if you’re a brand-new CISO running a newly formed security program, you can still approach and plan for XDR as part of your endpoint security strategy—baking in XDR as the underlying, connective framework that links together all things detection and response.

Step #2: Demystify XDR with Concrete Use Cases

XDR is still a new and ambitious security concept. Before you pull the XDR cart too far ahead of the horse, make sure your team and influential business stakeholders are all onboard as well. To make XDR more real for them, illustrate the possibilities that XDR brings in terms of the new and improved security use cases that it will enable, including the following examples: 

  • Improve the fidelity of alerts with correlated, cross-domain data
  • Detect advanced threats that siloed security systems can often miss
  • Execute response actions without having to pivot across products

Step #3: Prioritize Plans That Streamline Analyst Workflows

Do you notice a common trend in the three example use cases listed above? It’s that the primary security value they deliver all stems back to operational efficiency and speed. Though XDR can generate business value in many ways, prioritize the XDR initiatives that most dramatically accelerate and improve the quality of your team’s day-to-day work.

This approach pays several dividends. Not only do operational efficiency improvements lead to some of the largest ROI gains of technology adoption projects, they’re also some of the most tangible for your team. The faster and more efficient work they produce can lead to tertiary benefits, such as higher job satisfaction, reduced analyst burnout and improved staff retention.

Step #4: Take Advantage of Your Existing Security Stack

Extensibility is the fundamental value driver for XDR. XDR shouldn’t require you to replace or add a number of additional tools to your security stack. In fact, quite the opposite. XDR should enable you to keep your existing tools and extend their value through tighter integration, automation and analytics with the endpoint security work you already perform.

With the massive — and still growing — set of systems, applications, networks and identities that exists across every organization, prioritization and elevation of the most important domains is critical for XDR to succeed. For this specific reason, CrowdStrike established the CrowdXDR Alliance to ensure that XDR is architected right and with the right outcomes across the most relevant and critical domains. 

Identify the security solutions that are primed to take advantage of an XDR integration, and stagger your approach. You may have many security solutions that fit the bill. But whether you opt to extend XDR first to your secure email gateway or to your cloud workload protection platform (CWPP), focus on bringing in the right supplemental data that will add rich context to your EDR correlations and that will align nicely with the operational priorities outlined in earlier steps. 

Step #5: Prioritize Fidelity from the Get-Go

XDR should solve for the alert fatigue problem plaguing security teams today — and it should do so starting from Day One. The primary purpose of XDR is to cut down on alert noise and simplify overly complex and resource-intensive alert configuration processes. If XDR cannot accomplish either without significant time and expertise allocated to tailor detections properly, why even pursue it? You’re right back at square one with a legacy SIEM tool attempting to boil the ocean of security data.

This is why XDR must tip the detection and response efficiency scale back in your favor. It’s simple: You send the data to your XDR solution, it handles the rest — including all initial and ongoing data mapping, correlation and automation necessary to operate it. With this approach in place, you elevate the value of fidelity and minimal tuning to XDR, making them core requirements as opposed to long-term objectives that may or may not ever be achieved.

How to Kick-start Your Journey to XDR

Download our XDR white paper, Making the Move to Extended Detection and Response (XDR), and prepare your team for the move from EDR to XDR.

Agentless vs. Agent-Driven Security: Why Not Both?
https://www.eweek.com/sponsored/sponsored-post/agentless-vs-agent-driven-security-why-not-both/
Published Mon, 07 Mar 2022 17:05:03 +0000

Not everything in the digital world is binary. Choices about how to approach security, for example, don’t always have to be either-or. Such is the case in the debate over agentless and agent-based protection in enterprise cloud security strategy.

The environments that many organizations operate and defend are substantially different from those of a decade ago. Now, they include a growing cloud ecosystem alongside on-premise resources—all of which must be monitored, scanned, and controlled.

Agent-based security aims to accomplish this by placing an agent on every host. In the on-premise world, this approach can provide sufficient coverage of corporate endpoints and enable organizations to monitor workloads without interruption. IT and security teams also need to prevent unauthorized access to file directories, detect malware, and block suspicious endpoints and images, and agent-based solutions enable this level of protection as well. 

In the cloud, however, agent-based security is often insufficient and more problematic than it is on-premises. This reality stems from a central challenge inherent to today’s cloud environments: the pace of change. Not only are resources routinely spun up and down, but short-lived containers and other resources must be accounted for as they pop in and out of existence. 

Complicating matters further is the fact that IT and security teams typically do not have access to, or control over, all the hosts in an environment and therefore can’t deploy agents on them. This lack of coverage creates security blind spots that attackers can exploit. Preventing these gaps, and gaining visibility into the hosts in your environment, is critical for defending the cloud.

Agent-based security can run smack into significant hurdles in complex and dynamic cloud environments. Agentless security aims to step up and fill in the gaps—but how effective is it?

What About Agentless Security?

Agentless scanning can address the aforementioned challenges and do it at scale, without affecting performance. This approach uses cloud provider APIs to deliver the visibility into the cloud environment that organizations need. Rather than installing an agent on every resource, agentless security uses the visibility of the cloud provider, allowing organizations to capture data from any workloads whether they are ephemeral or not.

One of the benefits of agentless security solutions is the lack of management and maintenance overhead. For cloud environments with a large number of assets, managing and updating agents is no small task. Services that don’t allow the installation of third-party security agents slip under the radar of an agent-based approach. In addition, constant maintenance is required to ensure agents can handle changes in a cloud environment. With an agentless approach, for example, there is no need to worry that an agent will not support an updated kernel and crash an application.

Agentless security has recently surfaced in cloud security discussions following news of the Log4Shell vulnerabilities disclosed in Dec. 2021. Because this issue affected countless assets and organizations, it became clear that the ability to broadly scan environments for the flaws, and ensure they were patched, was crucial in protecting organizations from exploitation. 

Why Agentless Security Isn’t Enough

However, there is more to the story. While some cloud resources can be scanned via the cloud provider’s API calls, many still require endpoint detection and response (EDR) for the cloud to provide full runtime security. For example, apps running in a serverless function such as AWS Fargate need agents to enforce security so only trusted connections are allowed, and any suspicious connections are blocked.

As workloads evolve into various types such as containers, serverless, containers-as-a-service and more, some may be scanned using an agentless approach. However, defenders still need the ability to prevent unauthorized access, prevent malware from being deployed, proactively block connections to suspicious endpoints, and block images that fail compliance from running in their production environment. For this, an agent-based approach is essential to provide proper runtime protection.

The bottom line is, cloud environments are dynamic and complex, as are their security needs. Modern applications are about mixed workloads, multi-cloud environments, and different runtimes. Why should one security approach be treated as the only answer to the challenges of protecting a complex environment? Sometimes, the answer is finding the best of both worlds.

A Mixed Approach Is Needed To Properly Defend The Cloud

In the face of today’s evolving threat landscape, organizations should look for a cloud-native security platform that uses agentless and agent-based scanning to meet their security needs. 

Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security from the development process to runtime. Legacy security tools are of little use here because they don’t provide the granular visibility into cloud-based events that organizations need. To protect hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset—both of which must be rooted in maintaining flexibility, scalability, and consistency across their IT infrastructure.

Some will say agent-based security works best in data center environments where there is less change, but will fail to meet the security needs of modern businesses in the cloud. However, an agentless and agent-based approach can work together to give security and DevOps teams flexibility to deploy the type of protection they need regardless of their environment.

At CrowdStrike, Falcon Cloud Workload Protection agents gather event data generated by endpoints and cloud workloads. Our “Falcon everywhere” approach leverages agents deployed to cloud workloads and containers, and is bolstered with cloud-native indicators of attack (IOAs), machine learning, and proactive, hands-on threat hunting.  

Falcon Horizon offers an agentless approach focused on cloud security posture management, providing visibility into potential risks and vulnerabilities, non-compliance, and control-plane protection. Falcon Horizon uses cloud-native, agentless posture management to reduce friction and complexity across multi-cloud environments and accounts. 

In addition to cloud resource discovery and identifying misconfigurations, Falcon Horizon integrates with Security Information and Event Management (SIEM) solutions to gain visibility, prioritize threats, reduce alert fatigue, and respond and fix issues faster. These capabilities are fast and easy to deploy and serve as a foundation to a strong cloud security program. Further, integration with our agent-based approach provides security teams the end-to-end protection and insights needed to respond faster and enable DevOps teams to build safely in the cloud.

Having a flexible approach to security bolstered by up-to-date, integrated threat intelligence is critical for giving enterprises the proper level of protection against today’s adversaries. With adaptable capabilities, organizations can adjust their activity to meet the needs of their environment.
