Endgame announced on Oct. 31 that it is launching Total Attack Lookback, a capability that enables organizations to look back through 120 days of forensic information.
The forensic information that Endgame stores includes multiple types of operating system events such as file, process and network events. The forensic data can be used to help identify assets and users that might be impacted by a given attack path.
“Endgame knows that although many people like to claim it, prevention is not perfect,” Jamie Butler, chief technology officer at Endgame, told eWEEK. “It is critical to have an ability to look back in time, at least as far back as the mean time to detect and do so in a way where the customer can control where their data lives.”
Endgame provides a converged endpoint security platform that has three core tiers. The Endpoint Agent sits on endpoints, while the Endgame Operations Platform provides an interface for agent management and EDR (endpoint detection and response) workflows. The third tier is Endgame Global Services, which provides a common interface for event data and contextual information.
“The addition in the new release is the addition of Total Attack Lookback into Endgame Global Services and customers’ own data analysis systems,” Butler said.
Engame chose the 120-day period to give organizations enough data to work with for threat hunting. A September 2018 report from SANS found that the dwell time that attackers are resident in a network averages above 90 days.
Butler explained that endpoint data is collected from Endgame’s kernel driver and not Microsoft’s Event Trace for Windows (ETW).
“The challenge is we have seen an increase in adversaries attacking ETW to destroy or modify the data,” he said. “Endgame knows that data integrity and authenticity are vital to analysts, so we gather our data from our kernel driver and enrich and store the data in a protected area separate from ETW.”
Simply collecting data often isn’t enough for threat hunting, which is where data enrichment comes in play. Endgame provides several enrichment capabilities that provide additional context and correlation to data collected from the endpoint agent. Butler said that one enrichment that Endgame offers is netflow information on network traffic.
“We can count packets in the kernel and not only tell an analyst that communication happened, but also how much data was sent or received,” Butler said. “For example, we can detect command and control and show the analyst that data was sent to the controlling system.”
Visualization is another key element in helping to provide additional value to the Total Attack Lookback forensic data. Butler explained that the Endgame Resolver is the graphical layer that is placed on top of the Total Attack Lookback collected data to show the full extent of the attack in one screen.
“Analysts can easily pivot on any item to respond, like retrieving a file from a creation event or killing a process in an execution event,” he said. “In addition to this visualization layer we also make the data available in a card view and we allow for easy export in industry standardized JSON.”
Artemis
The data collected and available in Total Attack Lookback can also be queried via Endgame’s Artemis Intelligent Assistant. Butler noted that Artermis first launched in Endgame’s platform in 2017 as a tool to help security and operations teams.
“Artemis uses a natural language interface to streamline workflows for interacting with endpoint data,” he said. “Artemis is a layer on top of the EQL language that allows for complex analysis of the Total Attack Lookback data with no training required.”
EQL is Endgame’s event query language, which provides a scripting interface to help look for suspicious activity. Butler said that EQL is a way to identify indicators of attack across disparate data types. Now with the Total Attack Lookback feature, he said EQL gains the power to operate on information from systems that may be offline or systems that are destroyed.
Looking forward, Butler said Endgame will continue to improve its technology to help make it easier for analysts and cyber-security professionals.
“What’s next for Endgame is accelerating adoption of the converged EPP/EDR product by providing a platform that is easily accessible and operational by analysts of all skill levels,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.