Endpoint protection platforms (EPPs) have evolved beyond traditional antivirus software to offer advanced threat detection and response capabilities. Many EPPs also offer threat-hunting or SOC services to provide organizations with real-time visibility into security incidents and remediation recommendations.
Among the EPP providers that offer these services are the following, and, obviously, this is just a sample but, hopefully, also a good start:
CrowdStrike Falcon Complete
Kaspersky Endpoint Security has an Endpoint Detection and Response
McAfee (Trellix) Endpoint Security Managed Detection and Response (MDR)
Palo Alto Networks Unit 42 MDR Service for Cortex XDR
Symantec (Broadcom) Endpoint Protection Managed Endpoint Detection and Response
Trend Micro Apex One Managed XDR
VMware Carbon Black MRDR
Sophos MDR is interesting in that it leverages other providers' cybersecurity technologies including telemetry from AWS, Check Point, CrowdStrike, Darktrace, Fortinet, PAN, and others.
Yes, there are endpoint protection platforms that offer threat-hunting or SOC (Security Operations Center) services, and Custodian360 is one of them.
Endpoint protection platforms (EPPs) are security solutions that are installed on endpoint devices to detect, prevent, and respond to cyber threats. Threat-hunting is a proactive approach to cybersecurity that involves actively searching for threats and vulnerabilities that might have evaded traditional security measures. SOC services involve monitoring and analysing security events to identify and respond to security incidents.
Custodian360 is a comprehensive endpoint protection platform that offers both threat-hunting and SOC services. It uses a combination of signature-based and behavior-based detection to detect and respond to cyber threats in real-time. The platform has a built-in threat-hunting engine that continuously scans endpoints for signs of compromise, and it also has a team of expert analysts who perform manual threat-hunting to identify and respond to advanced threats.
Custodian360's SOC services include 24/7 monitoring and analysis of security events, incident response, and forensic investigation. The platform also provides detailed reporting and analytics to help organisations understand their security posture and identify areas for improvement.
In summary, Custodian360 is an endpoint protection platform that offers threat-hunting and SOC services, making it an ideal solution for organisations that want comprehensive protection against cyber threats.
There are several endpoint protection solutions available that can provide protection for endpoints running on Linux, Windows, and MacOS. Among them are Symantec (Broadcom) Endpoint Protection, Trend Micro Apex One, McAfee (Trellix) Endpoint Security, Kaspersky Endpoint Security for Business, ESET Endpoint Security, Palo Alto Networks Cortex XDR and, perhaps surprisingly (but then again, not) Microsoft Defender for Endpoint. (This is not an exhaustive list).
However, the devil is in the details regarding which versions of an OS and what kind of hardware requirements a given solution supports. You need to closely check the specifics of the range of devices you have with what a given vendor covers. It's also important to note that for agent-based solutions, the minimum processor requirements may allow you to install the product, but if you're just getting by in that regard, there could be issues with computer performance.
Symantec supports a fairly broad range of Linux and Windows Embedded versions, but does not support application control on Mac, Windows Servers, Windows Embedded, Linux, or mobile devices.
Trend Micro Apex One's agents support support from macOS High Sierra 10.13 to macOS Monterey 12, on Apple M1, Apple M2, or Intel® Core processors. To protect Linux file, web, and application servers with Trend Micro, you'll need its ServerProtect product.
McAfee handles Windows 8.1, 10, and 11, and offers limited customer service if you try running it on Windows 8.0 and 7.x. For macOS it goes as far back as Mac OS X 10.10 and through to macOS 12 (Monterey). For Linux it offers limited coverage: Ubuntu 16.04, Ubuntu 18.04, and Ubuntu 20.4.
With Kaspersky Endpoint Security for Business you get Windows, of course, and pretty extensive Linux coverage, with nine 32-bit OSs covered, and literally dozens of 64-bit Linux flavors. Mac coverage is included in the Advanced and Select versions of Kaspersky ESB (and you also get Android and iOS).
ESET Endpoint Security will work with Windows 7 - 11 (although some features are not supported on ARM processors) macOS 10.12 and up, and a couple of 64-bit Linux systems: Ubuntu Desktop 18.04 LTS and RHEL Desktop 7.
PAN Cortex XDR supports Windows 8 - 11 as well as macOS as far back as 10.13 with its 7.5-CE release. Subsequent 7.x releases cover later macOS versions (with 7.7.3 and later handling macOS 13.x). Cortex XDR only supports 64-bit Linux and you have to install a supported kernel module version, but it does cover a good selection of the main Linux offerings including CentOS, Debian, Oracle, RHEL, openSUSE, and Ubuntu.
Microsoft Defender for Endpoint has coverage for macOS 11 (Big Sur), 12 (Monterey), and 13 (Ventura), although Big Sur requires some additional configuration. It also protects more recent versions of RHEL, CentOS, Ubuntu, Debian, and Oracle Linux. Android (6.0 and higher) and iOS (11.0 and higher) are also available.
As for legacy systems, it's best to explicitly ask the vendor if they cover the particular hardware/OSs you have. For example, older versions of Symantec Endpoint Protection 14 cover Windows as far back as Vista, and Windows Server as far back as Windows Server 2008 (RTM, SP1, SP2).
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote!
If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too!
If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important.
1) Does the solution employ Foundational Tech...
Hi dear community members,
This is our latest community digest. It helps you catch up on recent contributions by community members. Comment below with your feedback and suggestions!
What are the Top 5 cybersecurity trends in 2022?
What are the main benefits of modern IT Asset Discovery tools?
Post an educational article from your Home feed and receive 20 point...
Hi community members,
Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback!
What are the pros and cons of internal SOC vs SOC-as-a-Service?
Join The Moderator Team at IT Central Station (soon to be PeerSpot)!
Share your experience with other peers by ans...
Compromise Assessment is reactive while Threat Hunting is proactive.
@Geoffrey Poer covers it well with his answer and the Cisco blog does too.
Compromise Assessments should be performed frequently, weekly or at least monthly. Rather than a pen test, or at least in addition to pen tests, we recommend regular analysis of your entire environment to give you visibility of everything which includes where vulnerabilities lie.
Endpoint protection (EPP or EDR) is one more layer to your antivirus security and is operational 24/7. EDR - endpoint detection and response, is typically finding and reporting on newer attacks that do yet have a signature in the AV as well as looking for unusual behaviour on the network and endpoint continuously.
Threat hunting is expensive and complex too and goes a step further than EDR. Unless you are a large organisation with a specialist team it can be difficult to interpret the results of CA, EDR and TH effectively.
Often outsourcing this whole capability is more effective and less expensive than doing it in-house and continues to work during weekends and public holidays and provides a properly structured (NIST or MITRE) approach to visibility, vulnerability scanning and remediation advice.
A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day today. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.
Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs.
Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.
Threat hunting typically comes before a compromise assessment.
Threat Hunting is looking for IOC’s or TTP’s being used within an environment to identify a compromise or potential compromise. Once identified you can then move to assessing the compromise.
This is an excelent article dealing with it.