5 Habits of Highly Effective Endpoint Threat Protection
November 18, 2015

Transcript of 5 Habits of Highly Effective Endpoint Threat Protection

Page 1: 5 Habits of Highly Effective Endpoint Threat Protection, November 18, 2015

Page 2:

© 2015 Forrester Research, Inc. Reproduction Prohibited

Cindy Valladares: tripwire.com/blog, @cindyv, [email protected]
Rick Holland: forrester.com, @rholland, [email protected]

Page 3:

Endpoint security has been in drought conditions for years

Page 4:

But now the rain is finally coming!

Page 5:

Endpoint investment is increasing

Source: Forrester’s Business Technographics® Global Security Survey, 2015. Note: Values may not equal 100% due to omission of “don’t know” responses.

Page 6:

5 Habits of Highly Effective Endpoint Threat Protection

1. Buyers must first live off the land
2. Prevention isn’t dead, but you must fall back to detection
3. This adversary isn’t going to hunt itself
4. Small footprint is required
5. Visibility isn’t enough, action is required

Page 7:

#1 Buyers must first live off the land

Page 8:

Expense in Depth

Page 9:

Where do you get diminishing returns on investments?

Page 10:

Living off the land
› Before you invest in any capabilities, maximize all existing capabilities first
› Look to existing vendors before adding new vendors to your portfolio
› Investment in new technologies and vendors is legitimate, once appropriate due diligence is conducted first

Page 11:

#2 Prevention isn’t dead, but you must fall back to detection

Page 12:

Targeted-Attack Hierarchy of Needs

Page 13:

NIST Cybersecurity Framework

Page 14:

#3 The adversary isn’t going to hunt itself

Page 15:

Solutions must possess the ability to hunt
› Need the ability to ingest:
  Threat intelligence feeds
  Internally sourced threat intelligence
› Proactively hunt for threat indicators
› Manual hunting is the bare minimum requirement; the programmatic ability to ingest bulk indicators via API is preferred

Page 16:

Hunting at scale, when one Vin Diesel isn’t enough

Page 17:

#4 A small footprint is required

Page 18:

When was the last time you heard anyone say that they have a “large footprint?”

Page 19:

Small footprint required
› Transparent user experience required
› Transparent administration experience required
› Be careful of “yet another agent syndrome”
› Look at the size of the agent and the percentage of CPU utilized
› Kernel or user space? Operating within the kernel can be dangerous

Page 20:

#5 Visibility isn’t enough, action is required

Page 21:

Automate as much as possible

Page 22:

Crawl, walk, run with automation
› Automation doesn’t have to sacrifice legitimate traffic
› Human intervention required for automation until confidence is built
› Enrichment can be automated
› Automation from endpoint, to identity, to network devices

Page 23:

Wrap up – vendor selection

Page 24:

Wrap up – vendor selection

Page 25:

5 Habits of Highly Effective Endpoint Threat Protection

1. Buyers must first live off the land
2. Prevention isn’t dead, but you must fall back to detection
3. This adversary isn’t going to hunt itself
4. Small footprint is required
5. Visibility isn’t enough, action is required

Page 26:

Habit #1: Buyers Must Live Off the Land
Be the Bear Grylls of Infosec

More than 10 Million Endpoints Deployed
The most comprehensive data collection capabilities on the planet
› Every change on every asset, including who made the change
› Comprehensive asset, application and vulnerability discovery
› Secure and reliable log collection
› Asset tagging, automated actions, correlation

What Could You Build?

Page 27:

Habit #2: Prevention Isn’t Dead, Fall Back to Detection
Prevention and Detection
› Shrink the Attack Surface
› Identify Suspicious Changes

Page 28:

Habit #3: This Adversary Isn’t Going to Hunt Itself
Support for Hunting
› IoCs
› Custom IoCs

Page 29:

Habit #4: Small Footprint is Required
The Smallest Footprint is The Agent You Already Have

9,000+ Customers
10,000,000 Assets
96+ Countries

Tripwire is used by: 90% of the Top 10 Utilities; 80% of the Top 10 Global Retailers; 70% of the Top 10 Global Telecommunications Firms; More than 50% of the Fortune 500

Page 30:

Habit #5: Visibility Isn’t Enough, Action is Required
From Visibility to Action
› Integrate to Enterprise Workflow
› Increase/Decrease Monitoring
› Run an Executable
› Investigate

Page 31:

Cindy Valladares: tripwire.com/blog, @cindyv, [email protected]
Rick Holland: forrester.com, @rholland, [email protected]