Endpoint Security

XDR: Identity Matters – Who You Know is As Important as What You Know

Endpoint security is recognizably an essential part of modern cybersecurity, and endpoint security tools are in many cases a first and last line of defense. Endpoint security is focused on securing servers, workloads, end-user workstations, laptops, and any other devices that are used to access corporate networks and SaaS applications.   

Generally, endpoint security is regarded as a mature market and a well-understood discipline: defend against malware and non-malware-based attacks (Next Generation Antivirus – NGAV), monitor and manage the baseline security state and vulnerabilities of the endpoint, manage the endpoint host-based firewall (HBFW), and detect and respond to attacks (Endpoint Detection and Response – EDR). These are all well understood and, in Carbon Black’s case, all disciplines we excel at and deliver through our platform, VMware Carbon Black Cloud.

The reality however is that threat actors continue to adapt and evolve to evade security tools, and so security tools and processes must also evolve to meet them. This is the driving force behind VMware Carbon Black’s evolution of EDR into extended detection and response (XDR) – ensuring that we continue to empower users and partners to stay ahead of the latest threats.   

Put simply, XDR is the natural evolution of EDR. XDR adds additional telemetry types, such as identity and network, to the existing process-related telemetry we have always delivered with EDR. Additional telemetry types increase signal fidelity and provide additional means to detect suspicious activity, reducing the mean time to detect and respond (MTTD/MTTR). With VMware Carbon Black XDR we natively collect and analyze identity, network, and EDR telemetry, all without requiring changes to the network configuration or the installation of additional software or hardware. 

EDR, network, and identity telemetry are all equal pillars of XDR, but in this blog I want to focus on why identity is so important; the network pillar will be expanded on in a future blog post.

To stay ahead of the attacker, it is essential to have a clear view of who is accessing the network, from where, and on which device. This statement addresses the reality that a significant number of attacks involve the creation of new user accounts or identities, account takeover, and privilege escalation, and this is where user authentication visibility comes in.  

Carbon Black Cloud is now able to collect events associated with a broad range of identity intelligence or user authentication activity, including logons/logoffs, failed logins, account lockouts, privilege assignments, etc. This capability provides critical insight into who is accessing the network, from which device, and from where. We collect this telemetry, index it, and make it searchable in the same Carbon Black Cloud console customers are using today to search process (and network) telemetry. The output of the combined telemetry from Carbon Black Cloud is invaluable for detecting and preventing attacks by malicious actors who may use stolen or compromised credentials to gain access to sensitive data or systems.

There are many benefits of combining user authentication visibility with endpoint security: 

  • Early detection of suspicious activity: By monitoring user authentication, endpoint security platforms can detect suspicious login attempts or unusual activity on the network. This information can be used to trigger alerts and prompt security teams to investigate potential threats early before they have a chance to cause significant damage. 
  • Improved incident response: User authentication visibility can also provide critical information in the event of a security incident. By knowing who was logged in at the time of an incident, security teams can quickly identify potential sources of the problem and take appropriate action to contain and mitigate the impact. 
  • Enhanced compliance: Many compliance regulations require organizations to track and monitor user access to sensitive data and systems. User authentication visibility can help organizations meet these requirements and avoid costly penalties for non-compliance. 
  • Improved access control: User authentication visibility can also help organizations improve access control by identifying users who have excessive or inappropriate access privileges. This information can be used to adjust access policies and prevent potential security breaches. 
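To make the "early detection" point concrete, here is an added example (not Carbon Black Cloud code, and not its event schema) of the kind of correlation the identity pillar enables: a run of failed logons followed by a success, a logon from a device the user has never used, a new account used right after creation, and a privilege assignment that follows any of those. The event records, field names, and the per-user device baseline are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed identity telemetry (not real Carbon Black Cloud data; field names are assumed).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "device": "WS-01", "type": "logon_success"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "device": "WS-02", "type": "logon_failed"},
    {"ts": "2024-05-01T09:05:10", "user": "bob", "device": "WS-02", "type": "logon_failed"},
    {"ts": "2024-05-01T09:05:20", "user": "bob", "device": "WS-02", "type": "logon_failed"},
    {"ts": "2024-05-01T09:05:30", "user": "bob", "device": "WS-02", "type": "logon_failed"},
    {"ts": "2024-05-01T09:05:45", "user": "bob", "device": "WS-02", "type": "logon_success"},
    {"ts": "2024-05-01T09:07:00", "user": "bob", "device": "WS-02", "type": "privilege_assigned"},
    {"ts": "2024-05-01T10:00:00", "user": "svc_new", "device": "SRV-01", "type": "account_created"},
    {"ts": "2024-05-01T10:02:00", "user": "svc_new", "device": "SRV-01", "type": "logon_success"},
]

# Constructed baseline: which devices each user normally logs on from.
KNOWN_DEVICES = {"alice": {"WS-01"}, "bob": {"WS-09"}}


def detect(events, known=KNOWN_DEVICES, fails=3, window=timedelta(minutes=5)):
    """Return (user, alert_name, device) tuples for suspicious authentication patterns."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        hist = by_user.setdefault(user, [])
        hist.append((t, e["type"], e["device"]))
        recent = [h for h in hist if t - h[0] <= window]  # this user's events inside the window
        if e["type"] == "logon_success":
            # Possible password guessing / lockout evasion: many failures then a success.
            if sum(1 for h in recent if h[1] == "logon_failed") >= fails:
                alerts.append((user, "success_after_failures", e["device"]))
            # Logon from a device that is not in the user's baseline.
            if user in known and e["device"] not in known[user]:
                alerts.append((user, "logon_from_new_device", e["device"]))
            # Account created and used almost immediately.
            if any(h[1] == "account_created" for h in recent):
                alerts.append((user, "new_account_used", e["device"]))
        elif e["type"] == "privilege_assigned":
            # Privilege escalation on top of an already-suspicious identity is high severity.
            if any(a[0] == user for a in alerts):
                alerts.append((user, "privilege_after_suspicious_logon", e["device"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real deployment the device baseline would come from historical logon telemetry rather than a hard-coded dictionary, and the alerts would be joined to process telemetry from the same host to see what the account did next.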

As a security practitioner and as someone who has built security products for over eight years, my top priority is to ensure our customers, partners, and the organizations they defend are protected against modern threats.  The inclusion of identity intelligence in Carbon Black Cloud is another way we’re helping empower security professionals to keep their organizations safe.   

We will continue to evolve the capability based on feedback from YOU. To learn more, schedule a demo, join the Customer Advisory Board, and if you’re at the RSA Conference – stop by our booth!   

Happy Hunting.