2

There are some EPP solutions that are considered very innovative (Crowdstrike, SentinelOne...) for their use of Behavior Monitoring. What is the difference from more standard EPP solutions (e.g. Symantec Endpoint Protection) that also have some behavioral monitoring capabilities?

NxA

2 Answers

1

Generically, an EDR-EPP combination such as the ones you describe will assign a threat score based on machine learning, statistical techniques, and a variety of known badness factors, such as enrichments from machine-readable threat intelligence (which can, in turn, also be informed by machine learning, reinforcement learning, and statistical techniques).

I would say the primary variables that lead to a higher threat score (and this changes over time) would be prevalence factorization, such as through a large customer base, but also specific to each customer's environment(s).

Combined with spawning numerous processes, levering LOLbins in unusual/outlier ways, and other combinatorials (not too many packaged Portable Executables will lever kernel timing functions and also have access to the camera, microphone, and network stacks -- only implants typically display ALL of this activity at once). Those combinatorials are typically referenced through function (API) analysis and their associated imports. Anti-detection, system querying, anomalous in-binary values, and certain memory-handling conditions are supplementary to the above.

Please ask deeper questions on the above and I can provide deeper answers.

atdre
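The scoring the answer above sketches (prevalence, process spawning, LOLbin use, and combinatorial import analysis), written out as an added Python example; this is not code from the answer or from any vendor, and the weights, thresholds, import groups, LOLbin list and sample telemetry are all assumptions made for illustration.

```python
from dataclasses import dataclass
# Illustrative Windows import names grouped by capability (stand-in for the answer's "combinatorials").
API_GROUPS = {
    "timing": {"QueryPerformanceCounter", "GetTickCount", "NtQuerySystemTime"},
    "camera": {"capGetDriverDescriptionA", "capCreateCaptureWindowA"},
    "microphone": {"waveInOpen", "waveInStart"},
    "network": {"WSAStartup", "InternetOpenA", "WinHttpOpen"},
}
# Commonly abused living-off-the-land binaries (assumed list for the example).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
@dataclass(frozen=True)
class Telemetry:
    """One executable's observed behaviour (constructed sample input)."""
    imports: frozenset           # import names resolved from the PE import table
    child_processes: int         # processes spawned in the observation window
    lolbins_spawned: frozenset   # LOLBins it launched as children
    global_prevalence: int       # endpoints with this hash across the customer base
    local_prevalence: int        # endpoints with this hash in this tenant
def threat_score(t: Telemetry) -> tuple:
    """Return (score 0-100, reasons). Weights are assumed, not a real model."""
    score, reasons = 0, []
    # Prevalence: a hash nobody else has is suspicious; one seen everywhere is not.
    if t.global_prevalence < 10:
        score += 30; reasons.append("globally rare hash")
    elif t.global_prevalence > 10000:
        score -= 20; reasons.append("widely prevalent hash")
    if t.local_prevalence <= 1:
        score += 10; reasons.append("first seen in this environment")
    # Spawning many processes in a short window is an outlier for most software.
    if t.child_processes >= 5:
        score += 15; reasons.append(f"spawned {t.child_processes} processes")
    # Each distinct LOLBin launched adds weight.
    hits = t.lolbins_spawned & LOLBINS
    if hits:
        score += 10 * len(hits); reasons.append("launched " + ", ".join(sorted(hits)))
    # Combinatorial import analysis: one capability is ordinary, all four at once is not.
    present = {g for g, names in API_GROUPS.items() if t.imports & names}
    if len(present) == len(API_GROUPS):
        score += 40; reasons.append("imports timing+camera+microphone+network together")
    elif len(present) >= 2:
        score += 5 * len(present); reasons.append("imports " + "+".join(sorted(present)))
    return max(0, min(100, score)), reasons
# Constructed samples: an implant-like binary and an ordinary auto-updater.
IMPLANT_LIKE = Telemetry(frozenset({"QueryPerformanceCounter", "capGetDriverDescriptionA",
                                    "waveInOpen", "WSAStartup"}), 6,
                         frozenset({"rundll32.exe", "certutil.exe"}), 3, 1)
UPDATER_LIKE = Telemetry(frozenset({"WSAStartup", "WinHttpOpen", "GetTickCount"}), 1,
                         frozenset(), 5000, 900)
```

Run `threat_score(IMPLANT_LIKE)` and `threat_score(UPDATER_LIKE)` to see how the same rules separate the two samples (100 versus 10) and which factors drove each score.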
0

Crowdstrike and SentinelOne use EDR, or Endpoint Detection and Response. Symantec SEP and McAfee need a central server to help make the decision on the response. This can hamper decision times (by seconds), but with malware this can make the difference between a compromise or not.

Symantec uses IOAs and heuristics to detect events. Crowdstrike uses IOAs, IOCs and machine-learnt data. SentinelOne uses IOAs, IOCs and machine-learnt data.

The problem with older-type AV (like SEP) is that an attacker could be in the network for days or weeks before they detonate any malware or attack. Most NGAVs should catch this reconnaissance if it's out of the normal.

Zapto