Abstract image of a woman sitting on books and studying on a laptop

Three Considerations To Amplify Your Detection and Response Program

Morphick, profile picture
Morphick

This document discusses three key challenges in enhancing detection and response programs, focusing on advanced tactics, analytical methods, and detection strategies. It emphasizes the need for improved visibility and behavioral detection beyond traditional methods and advocates for integrating technology with intelligence-driven tradecraft. The proposed solutions include layered behavioral prevention and continuous monitoring to effectively address evolving cyber threats.

Technology
Related topics:
Network Security
1 of 21
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Three Considerations To Amplify Your Detection and Response Program with Mark Dufresne and David Lavinder Confidential and Proprietary
Who Are We? Mark Dufresne (@mark_dufresne) Endgame - Director of Threat Research and Adversary Prevention David Lavinder (@dllavinder) Morphick - Vice President, Threat Intelligence Prior: 13 years at NSA, Operations Chief for Offensive and Defensive Cyber Ops Prior: 7 years as Air Force Digital Network Intelligence Principal Intelligence Analyst Confidential and Proprietary
Topics §  3 Key Challenges to a Detection and Response Program –  Advanced TTPs –  Analytical Tradecraft –  Detection Methodologies §  The Morphick / Endgame Approach –  Beyond IOC/Signature Detection –  Uncovering the Full Story –  Integrated Prevention, Detection, and Response Confidential and Proprietary
Advanced TTPs §  New Attacks > Existing Defenses –  Paradigm Shift – Attackers are People §  Designed to defeat off-the-shelf defense –  Advanced Evasion Techniques –  Custom rolled malware Confidential and Proprietary §  In-memory Attacks –  DLL side-loading –  Malware-less attacks §  Malicious use of Admin Tools –  Powershell –  WMI
The Analytical Tradecraft Gap Confidential and Proprietary
The Detection Problem The technology problem: §  Limited enterprise-wide visibility §  Complex tools that don’t work well together §  Static defenses that do not adapt §  Difficult to deploy and maintain solutions §  SOC analyst talent shortage §  Alert fatigue §  Fighting an asymmetric battle §  Unprepared for an incident The people problem: Confidential and Proprietary
So What Do I Need? The right tradecraft armed with The right technology Confidential and Proprietary
The Right Technology §  Detection –  Beyond IOC/Signature-based detection §  Visibility –  Enabling visibility and rapid detection of unknown advanced attackers §  Prevention –  Automatically protecting against the vast majority of malicious activity Confidential and Proprietary
Beyond IOC/Signature-Based Detection §  Signatures (IOCs) aren’t enough §  Attackers adjust tools and tradecraft §  Attackers cycle infrastructure §  Attackers live off the land Good for pivoting. Bad foundation for protection. WHAT ABOUT THE UNKNOWN? Confidential and Proprietary
So What Should I Do Instead? 10 Confidential and Proprietary §  Focused on behaviors/techniques §  At each stage off the attacker lifecycle §  Layered and working together You need a different method of detection
But EVERYONE is Saying “Behavior” 11 Confidential and Proprietary §  NGAV – malware and exploit prevention §  But what about bypass and file-less attacks? Only part of the problem §  Both EDR and NGAV are adding detection of behaviors §  Capturing process actions and writing rules (IOAs) §  Still a signature. Still brittle. Vulnerable to bypass. §  Experts needed for configuration This is still not the right mix
Gather Visibility – Endpoints and Network §  You need full visibility on system events and other data –  Persistence –  Processes –  Network –  Users –  More §  A mountain of data doesn’t do you much good without analytics –  Endgame provides sophisticated analytics to guide the hunt –  Chatbot guides users through the hunt –  Robust API allows for flexible and powerful access and enrichment Confidential and Proprietary
Gather Visibility - Memory §  Memory is a permissive environment for attackers. Why? –  Memory analysis doesn’t scale –  Need to know what you are looking for (search based) –  Until now… §  Endgame technology –  Patent-pending technology detects stealthy adversaries in memory in seconds, at scale –  Detects process hollowing, thread hijacking, module hiding, and much more §  Precise identification of suspicious memory and remediation §  Follow on analytic actions such as extraction of IOCs Confidential and Proprietary
Behavioral Preventions §  Exploits – Hardware and Software approaches §  Macros – Detecting malicious execution of macros §  Malware – Machine learning (Malwarescore™) §  Kernel-level technique preventions –  Atomic-level system state in the presence of malicious behaviors –  More than streaming rules. Simple configuration, inline and hardened. §  Ransomware Layered prevention minimizes adversary’s capability to entrench Much more than traditional AV Confidential and Proprietary
The Right Tradecraft §  Analytical Pivoting –  Discovering unknowns from knowns, across the kill chain §  Generate Threat Intelligence –  Extract as much intel from a positive detection event as possible §  Harden Defenses –  Update defenses with new intelligence Confidential and Proprietary
Visibility Across the Kill Chain §  A security analyst’s job doesn’t END at detection, it BEGINS there §  Take that single detection event and explore the kill chain –  How did it get here? –  What was it going to do next? Confidential and Proprietary
Visibility Across the Kill Chain §  A security analyst’s job doesn’t END at detection, it BEGINS there §  Take that single detection event and explore the kill chain –  How did it get here? –  What was it going to do next? Confidential and Proprietary
The Power of a Security Analyst §  Discovering unknowns from knowns –  Identifying missed detection opportunities §  Telling the whole story –  Tracing an event to earlier kill chain steps §  Then BUILD IT BACK IN §  The analysis tradecraft is getting lost amongst all the tools §  Visibility is key, but good tradecraft unlocks the power of that visibility Confidential and Proprietary
SOLUTION §  Combination of Technology and Tradecraft Technology provides layered behavioral prevention Technology provides visibility and access Tradecraft finds the remaining adversary Tradecraft hardens defenses Confidential and Proprietary
Managed Endpoint Detection and Response (MEDR) §  Continuous Endpoint Threat Monitoring & Advanced Prevention §  Full Attack Cycle Threat Detection §  Proactive, scalable Threat Hunting §  Detailed Forensic Investigation and Threat Validation §  NSA-CIRA Accredited Incident Response Services Best in-class Tech, Wrapped in Best in-class Service Confidential and Proprietary
Interested in learning more? Come see us at RSA §  Endgame Booth, South Hall #1739 §  Morphick Booth, North Hall #5004 Schedule a Demo §  Endgame –  Ashwini Almad –  AAlmad@Endgame.com §  Morphick –  Tom Doepker –  Tom.Doepker@Morphick.com Confidential and Proprietary

More Related Content

PDF
Dreaming of IoCs Adding Time Context to Threat Intelligence
Priyanka Aash
 
PDF
Threat Hunting 102: Beyond the Basics
Cybereason
 
PPTX
Crowd-Sourced Threat Intelligence
AlienVault
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
PDF
Click and Dragger: Denial and Deception on Android mobile
grugq
 
PDF
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
PDF
The Rise of the Purple Team
Priyanka Aash
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Priyanka Aash
 
Threat Hunting 102: Beyond the Basics
Cybereason
 
Crowd-Sourced Threat Intelligence
AlienVault
 
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
Click and Dragger: Denial and Deception on Android mobile
grugq
 
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
The Rise of the Purple Team
Priyanka Aash
 

What's hot (20)

PDF
Opsec for security researchers
vicenteDiaz_KL
 
PPTX
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 
PDF
Analogic Opsec 101
vicenteDiaz_KL
 
PDF
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
PPTX
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
PPTX
Threat hunting - Every day is hunting season
Ben Boyd
 
PDF
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
PPTX
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
Frode Hommedal
 
PDF
Threat Hunting
Splunk
 
PPT
An Underground education
grugq
 
PDF
What's a MITRE with your Security?
MITRE - ATT&CKcon
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
PDF
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE - ATT&CKcon
 
PDF
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
PDF
Enabling effective hunt teaming and incident response
jeffmcjunkin
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
MITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
PPTX
Building a Successful Threat Hunting Program
Carl C. Manion
 
Opsec for security researchers
vicenteDiaz_KL
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 
Analogic Opsec 101
vicenteDiaz_KL
 
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Threat hunting - Every day is hunting season
Ben Boyd
 
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
Frode Hommedal
 
Threat Hunting
Splunk
 
An Underground education
grugq
 
What's a MITRE with your Security?
MITRE - ATT&CKcon
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
HITCON GIRLS
 
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE - ATT&CKcon
 
Threat Intelligence Is Like Three Day Potty Training
Priyanka Aash
 
Enabling effective hunt teaming and incident response
jeffmcjunkin
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
MITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Building a Successful Threat Hunting Program
Carl C. Manion
 
Ad

Viewers also liked (12)

PPTX
Gamification of your Global Information Security Operations Center - RSA 2015
Morphick
 
PDF
Forrester Emerging MSSP Wave
Envision Technology Advisors
 
PDF
Rapid7 NERC-CIP Compliance Guide
Rapid7
 
PDF
Le gouvernement électronique au Togo : Etat des lieux et prospectives
EASY EGOV
 
PDF
Its Not You Its Me MSSP Couples Counseling
Atif Ghauri
 
PDF
To MSSP or not to MSSP IISF 2015
Paul Hogan
 
PPTX
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault
 
PPTX
#ALSummit: Accenture - Making the Move: Enabling Security in the Cloud
Alert Logic
 
PPTX
Tapping into the Growth Goldmine: Why MSPs Should Join Peer Groups
eFolder
 
PPTX
Key Ingredients for Your MSSP Offering
eFolder
 
PDF
Trustwave Cybersecurity Education Catalog
Trustwave
 
PDF
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
 
Gamification of your Global Information Security Operations Center - RSA 2015
Morphick
 
Forrester Emerging MSSP Wave
Envision Technology Advisors
 
Rapid7 NERC-CIP Compliance Guide
Rapid7
 
Le gouvernement électronique au Togo : Etat des lieux et prospectives
EASY EGOV
 
Its Not You Its Me MSSP Couples Counseling
Atif Ghauri
 
To MSSP or not to MSSP IISF 2015
Paul Hogan
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault
 
#ALSummit: Accenture - Making the Move: Enabling Security in the Cloud
Alert Logic
 
Tapping into the Growth Goldmine: Why MSPs Should Join Peer Groups
eFolder
 
Key Ingredients for Your MSSP Offering
eFolder
 
Trustwave Cybersecurity Education Catalog
Trustwave
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
 
Ad

Similar to Three Considerations To Amplify Your Detection and Response Program (20)

PDF
Security Breakout Session
Splunk
 
PDF
Applied cognitive security complementing the security analyst
Priyanka Aash
 
PDF
Incident Response: How To Prepare
Resilient Systems
 
PPTX
Cause 11 im final
cavapyta
 
PPTX
Cause 11 im final
cavapyta
 
PPTX
RMS Security Breakfast
Rackspace
 
PPTX
International Conference on Cyber Security, Hide and Go Seek
David Knox
 
PPTX
Hunting before a Known Incident
EndgameInc
 
PPTX
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Rahul Neel Mani
 
PDF
Splunk for Security
Gabrielle Knowles
 
PDF
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
PDF
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
PDF
Technical track chris calvert-1 30 pm-issa conference-calvert
ISSA LA
 
PDF
2015 Global APT Summit - Understanding APT threat agent characteristics is ke...
Matthew Rosenquist
 
PDF
2015 Global APT Summit Matthew Rosenquist
Matthew Rosenquist
 
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
FRSecure
 
PDF
Sophisticated Attacks vs. Advanced Persistent Security
Priyanka Aash
 
PDF
Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick
Priyanka Aash
 
PDF
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
PPTX
pbc_devsecops_eastereggs.2022oct06.jt.pptx
Julie Tsai
 
Security Breakout Session
Splunk
 
Applied cognitive security complementing the security analyst
Priyanka Aash
 
Incident Response: How To Prepare
Resilient Systems
 
Cause 11 im final
cavapyta
 
Cause 11 im final
cavapyta
 
RMS Security Breakfast
Rackspace
 
International Conference on Cyber Security, Hide and Go Seek
David Knox
 
Hunting before a Known Incident
EndgameInc
 
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Rahul Neel Mani
 
Splunk for Security
Gabrielle Knowles
 
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
Technical track chris calvert-1 30 pm-issa conference-calvert
ISSA LA
 
2015 Global APT Summit - Understanding APT threat agent characteristics is ke...
Matthew Rosenquist
 
2015 Global APT Summit Matthew Rosenquist
Matthew Rosenquist
 
Purple Teaming - The Collaborative Future of Penetration Testing
FRSecure
 
Sophisticated Attacks vs. Advanced Persistent Security
Priyanka Aash
 
Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick
Priyanka Aash
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Napier University
 
pbc_devsecops_eastereggs.2022oct06.jt.pptx
Julie Tsai
 

Recently uploaded (20)

PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Metrics GmbH
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Configure Apache Mutual Authentication
Antonino Piraino
 
What is a Computer? Input Devices /output devices
GulJan8
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Metrics GmbH
 
Modernising the Digital Integration Hub
Daniel Toomey
 

Three Considerations To Amplify Your Detection and Response Program

  • 1. Three Considerations To Amplify Your Detection and Response Program with Mark Dufresne and David Lavinder Confidential and Proprietary
  • 2. Who Are We? Mark Dufresne (@mark_dufresne) Endgame - Director of Threat Research and Adversary Prevention David Lavinder (@dllavinder) Morphick - Vice President, Threat Intelligence Prior: 13 years at NSA, Operations Chief for Offensive and Defensive Cyber Ops Prior: 7 years as Air Force Digital Network Intelligence Principal Intelligence Analyst Confidential and Proprietary
  • 3. Topics §  3 Key Challenges to a Detection and Response Program –  Advanced TTPs –  Analytical Tradecraft –  Detection Methodologies §  The Morphick / Endgame Approach –  Beyond IOC/Signature Detection –  Uncovering the Full Story –  Integrated Prevention, Detection, and Response Confidential and Proprietary
  • 4. Advanced TTPs §  New Attacks > Existing Defenses –  Paradigm Shift – Attackers are People §  Designed to defeat off-the-shelf defense –  Advanced Evasion Techniques –  Custom rolled malware Confidential and Proprietary §  In-memory Attacks –  DLL side-loading –  Malware-less attacks §  Malicious use of Admin Tools –  Powershell –  WMI
  • 5. The Analytical Tradecraft Gap Confidential and Proprietary
  • 6. The Detection Problem The technology problem: §  Limited enterprise-wide visibility §  Complex tools that don’t work well together §  Static defenses that do not adapt §  Difficult to deploy and maintain solutions §  SOC analyst talent shortage §  Alert fatigue §  Fighting an asymmetric battle §  Unprepared for an incident The people problem: Confidential and Proprietary
  • 7. So What Do I Need? The right tradecraft armed with The right technology Confidential and Proprietary
  • 8. The Right Technology §  Detection –  Beyond IOC/Signature-based detection §  Visibility –  Enabling visibility and rapid detection of unknown advanced attackers §  Prevention –  Automatically protecting against the vast majority of malicious activity Confidential and Proprietary
  • 9. Beyond IOC/Signature-Based Detection §  Signatures (IOCs) aren’t enough §  Attackers adjust tools and tradecraft §  Attackers cycle infrastructure §  Attackers live off the land Good for pivoting. Bad foundation for protection. WHAT ABOUT THE UNKNOWN? Confidential and Proprietary
  • 10. So What Should I Do Instead? 10 Confidential and Proprietary §  Focused on behaviors/techniques §  At each stage off the attacker lifecycle §  Layered and working together You need a different method of detection
  • 11. But EVERYONE is Saying “Behavior” 11 Confidential and Proprietary §  NGAV – malware and exploit prevention §  But what about bypass and file-less attacks? Only part of the problem §  Both EDR and NGAV are adding detection of behaviors §  Capturing process actions and writing rules (IOAs) §  Still a signature. Still brittle. Vulnerable to bypass. §  Experts needed for configuration This is still not the right mix
  • 12. Gather Visibility – Endpoints and Network §  You need full visibility on system events and other data –  Persistence –  Processes –  Network –  Users –  More §  A mountain of data doesn’t do you much good without analytics –  Endgame provides sophisticated analytics to guide the hunt –  Chatbot guides users through the hunt –  Robust API allows for flexible and powerful access and enrichment Confidential and Proprietary
  • 13. Gather Visibility - Memory §  Memory is a permissive environment for attackers. Why? –  Memory analysis doesn’t scale –  Need to know what you are looking for (search based) –  Until now… §  Endgame technology –  Patent-pending technology detects stealthy adversaries in memory in seconds, at scale –  Detects process hollowing, thread hijacking, module hiding, and much more §  Precise identification of suspicious memory and remediation §  Follow on analytic actions such as extraction of IOCs Confidential and Proprietary
  • 14. Behavioral Preventions §  Exploits – Hardware and Software approaches §  Macros – Detecting malicious execution of macros §  Malware – Machine learning (Malwarescore™) §  Kernel-level technique preventions –  Atomic-level system state in the presence of malicious behaviors –  More than streaming rules. Simple configuration, inline and hardened. §  Ransomware Layered prevention minimizes adversary’s capability to entrench Much more than traditional AV Confidential and Proprietary
  • 15. The Right Tradecraft §  Analytical Pivoting –  Discovering unknowns from knowns, across the kill chain §  Generate Threat Intelligence –  Extract as much intel from a positive detection event as possible §  Harden Defenses –  Update defenses with new intelligence Confidential and Proprietary
  • 16. Visibility Across the Kill Chain §  A security analyst’s job doesn’t END at detection, it BEGINS there §  Take that single detection event and explore the kill chain –  How did it get here? –  What was it going to do next? Confidential and Proprietary
  • 17. Visibility Across the Kill Chain §  A security analyst’s job doesn’t END at detection, it BEGINS there §  Take that single detection event and explore the kill chain –  How did it get here? –  What was it going to do next? Confidential and Proprietary
  • 18. The Power of a Security Analyst §  Discovering unknowns from knowns –  Identifying missed detection opportunities §  Telling the whole story –  Tracing an event to earlier kill chain steps §  Then BUILD IT BACK IN §  The analysis tradecraft is getting lost amongst all the tools §  Visibility is key, but good tradecraft unlocks the power of that visibility Confidential and Proprietary
  • 19. SOLUTION §  Combination of Technology and Tradecraft Technology provides layered behavioral prevention Technology provides visibility and access Tradecraft finds the remaining adversary Tradecraft hardens defenses Confidential and Proprietary
  • 20. Managed Endpoint Detection and Response (MEDR) §  Continuous Endpoint Threat Monitoring & Advanced Prevention §  Full Attack Cycle Threat Detection §  Proactive, scalable Threat Hunting §  Detailed Forensic Investigation and Threat Validation §  NSA-CIRA Accredited Incident Response Services Best in-class Tech, Wrapped in Best in-class Service Confidential and Proprietary
  • 21. Interested in learning more? Come see us at RSA §  Endgame Booth, South Hall #1739 §  Morphick Booth, North Hall #5004 Schedule a Demo §  Endgame –  Ashwini Almad –  AAlmad@Endgame.com §  Morphick –  Tom Doepker –  Tom.Doepker@Morphick.com Confidential and Proprietary