SANS Institute Information Security Reading Room - SANS.org

Targeted Attack Protection:
A Review of Endgame’s Endpoint Security Platform
______________________________
Dave Shackleford

Copyright SANS Institute 2019. Author Retains Full Rights.

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express
written permission.

               A SANS Product Review
                Written by Dave Shackleford
                      October 2017

                       Sponsored by
                         Endgame

                                              ©2017 SANS™ Institute
Introduction

                       The threat landscape continues to get progressively worse. More sophisticated attacks
                       are being spotted in the wild, and security teams are scrambling to keep up. We face
                       many new types of issues—advanced phishing attacks are proving all too successful,
                       and ransomware has become a common form of malware that many seem helpless to
                       prevent. In addition, we have many endpoints to protect, and attackers are savvy about
                       targeting end users. Even worse, many advanced attacks don’t involve malware; instead
                       they use legitimate operating system tools, operate in memory and move laterally to
                       accomplish their objectives and defeat traditional security programs.

                       In the SANS “Next-Gen Endpoint Risks and Protections” survey [1] from 2017, 53 percent of
                       respondents indicated that at least one of their endpoints had been compromised in the
                       previous 24 months, primarily through browser exploits and social engineering. More
                       than one-quarter (27 percent) of those who experienced a compromise noted that they
                       discovered it via third-party notification, which suggests that many endpoint security
                       tools and tactics in use today are inadequate. We really need better prevention and
                       detection tools right now.

                       Yesterday’s signature-based detection tools are failing us more frequently because they
                       are built upon reactive intelligence. Traditional antivirus signatures are proving less
                       effective than they once were, as more advanced attackers are capable of morphing their
                       code and indicators of compromise to evade signature-based methods. Additionally,
                       many security teams have focused too narrowly on malware without looking enough at
                       the vast variety of newer, more advanced methods attackers are using.

                       Signature-based detection is always a race against the clock, where vendor analysts
                       need to develop signatures fast and push them out to customers before they fall victim.
                       Many attacks don’t leverage any malware to compromise the enterprise network and
                       move laterally from host to host. Some attacks use legitimate tools such as PowerShell
                       to avoid detection by endpoint security platforms. Another problem is that many
                       endpoint tools are fairly heavy-handed on system resources.

                       SANS reviewed Endgame’s endpoint protection product, a lightweight agent that offers
                       prevention, detection and response, and threat hunting capabilities to rapidly stop
                       targeted attacks before damage and loss occur. One of the primary goals of the
                       platform is to help overcome today’s security skills gap, which many SANS surveys
                       show is the top inhibitor to achieving respondents’ security and risk management goals.

                       With its emphasis on ease of use, coverage of attacker tactics and techniques, rapid
                       event triage and highly capable hunting methods, Endgame is a product with which SOC
                       teams can hit the ground running.

                       Endgame Differentiators
                           • Pre-execution prevention, accelerated detection and automated hunting across
                             the breadth and depth of the MITRE ATT&CK™ Matrix
                           • Single, lightweight, autonomous agent providing 24/7 protection to online and
                             offline systems
                           • Artemis®, an AI-powered security mentor that elevates Tier 1 analysts and
                             accelerates Tier 3 analysts by leveraging natural-language understanding to
                             automate data analysis, investigation, triage and response at enterprise scale
                           • Automated threat hunting that leverages tradecraft analytics and outlier
                             analytics to streamline workflows and surface suspicious artifacts across
                             millions of records in minutes
                           • Automated memory forensics that detects post-injected code anywhere in memory
                             at enterprise scale in minutes

                       [1] “Next-Gen Endpoint Risks and Protections: A SANS Survey,” March 2017,
                           www.sans.org/reading-room/whitepapers/analyst/next-gen-endpoint-risks-protections-survey-37652
SANS ANALYST PROGRAM
                                                                                   1                   Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform
Testing Overview
                       For this review, Endgame hosted a platform-in-the-cloud infrastructure. We used the
                       Version 2.4.1 environment, which includes the autonomous agents and the software
                       management platform. Because we chose the Endgame hosted delivery model, we
                       did not need to install the main Endgame platform. Endgame offers the platform in
                       an on-premises model or in a cloud-hosted environment. Installation seems relatively
                       painless, and the documentation provided by Endgame for installation and “Quick Start”
                       is thorough and detailed.
                       The review environment included a primary connection to the Endgame platform,
                       as well as Remote Desktop Protocol (RDP) connections, via jump hosts, to the
                       Windows sensors. A plethora of malware and other malicious code was available in the
                       environment for testing, which SANS made liberal use of during the course of the review.

                       Dashboards
                       We first logged into the Endgame console and explored the main dashboard. It showed
                       us a breakdown of current alerts in the environment, endpoint agent status, and
                       endpoint OS types. In addition, other panes in the dashboard showed the breakdown
                       of the top priority alerts, which could help analysts in prioritizing their day. The console
                       dashboard is shown in Figure 1.

                                                   Figure 1. Enterprise Console Dashboard

                       We explored the Endpoints dashboard next. Within this view, all deployed endpoint
                       agents can be viewed, configured and assessed. The Endpoints dashboard is shown in
                       Figure 2.

                                                      Figure 2. Endpoints Dashboard

                       The Endpoints dashboard was simple to use. Endpoints can be discovered with
                       Endgame’s built-in network scanner, looking for systems within the environment.
                       Endpoints that do not have Endgame agents are flagged as “Unmanaged” and can then
                       have sensors deployed to them directly through the console, per policy.
                       Configure Endpoints
                       Analysts can configure the endpoints with a protection policy by selecting those they
                       want to configure or modify, then choosing “Misc Actions” and finally “Configure.” The
                       configuration window then opens, and various protection, detection, alerting and
                       response configurations for the chosen agent(s) can be implemented in real time. These
                       will each be covered in the respective sections discussing the capabilities of the product.

                       Investigate and Hunt
                       This dashboard also allows analysts to initiate investigations by choosing assets and then
                       clicking Create Investigation. In the pane that appears, they can name the investigation,
                       assign a profile or create a new one, assign analysts to the investigation and add “hunts”
                       to the investigation to gather and include evidence (covered later). The Investigation
                       pane is shown in Figure 3.

                                                        Figure 3. Initiating an Investigation

                       The Alerts dashboard presents a list of the current and most recent alerts noted by the
                       system. These can be selected to drill into and triage each alert, and alerts can also be
                       assigned to particular users, facilitating team-based analysis, triage and incident
                       response. The Alerts dashboard is shown in Figure 4.

                                                         Figure 4. Alerts Dashboard

                       The Investigations dashboard is the central location that aggregates investigations in
                       progress (once initiated). Analysts can update and finalize (archive) their investigations
                       from this pane.
                       Administration
                       The final area of the console that we explored was the Administration pane. The
                       Administration console provides the following capabilities:
                           • User management—Create, delete and manage users and their assigned roles
                             (levels 1-3, as well as admin)
                           • Sensor management—Create and manage sensor profiles (version, protections in
                             place and specific configuration of deployment attributes)
                           • Alert management—Transfer alerts to central event aggregation tools if needed
                           • Whitelist management—Whitelist alerts to prevent event overload when false
                             positives or low-severity issues are detected
                           • Platform management—Enable multi-client activation, which provides
                             customers a single dashboard to view the health and status of the endpoints;
                             this is beneficial to customers who have more than 50,000 endpoints or have
                             endpoints in various geographies
                       Creating a new sensor profile was simple. In the “Sensor Management” pane of the
                       Administration console, an admin can click Create New Sensor Profile, name the profile
                       and point to a “transceiver” (the platform it will connect back to). Then the admin selects
                       the binary for the preferred Endgame sensor version, and that’s it. Once the new sensor
                       profile is created, the admin can configure the default protection controls in place for the
                       sensors. These are covered in more detail in the upcoming sections.

Endgame Prevention, Detection and Response, and Threat Hunting
                       Today, an attacker’s goals are typically data access and exfiltration. Sophisticated
                       attackers often use advanced nation-state techniques, which sometimes do not involve any
                       malware, to aggressively pursue and compromise specific targets. These attacks often
                       include fileless tactics, living-off-the-land techniques and malicious macros, delivered
                       through social engineering tactics such as spearphishing. After a compromise has
                       occurred, attackers attempt to maintain a persistent presence within the enterprise
                       network, escalate privileges and move laterally within it to extract sensitive
                       information to locations under the attacker’s control.

                       Advanced Attacks
                       The Lockheed Martin “Kill Chain” is an industry model for an attack lifecycle that includes
                       the stages shown in Figure 5. [2]

                                                       Figure 5. Lockheed Martin Kill Chain Attack Lifecycle

                       [2] “Deconstructing the Cyber Kill Chain,” Nov. 18, 2014,
                           www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542
                       While the widely referenced Lockheed Cyber Kill Chain created a common language to
                       discuss sophisticated attacks, it lacks the granularity essential to make comprehensive
                       programmatic improvement against today’s targeted attacks. MITRE, a not-for-profit
                       organization, has created that needed granularity, collecting details on the vast array of
                       methods to build a threat model and framework called “Adversarial Tactics, Techniques,
                       and Common Knowledge” (ATT&CK). [3]

                       Why are we not catching these movements today when we know so much about
                       these patterns? In short, attacks and methods are constantly changing, but our tools
                       and approaches aren’t. To understand why, it’s helpful to break down indicators of
                       compromise. For organizations trying to leverage signatures and typical indicators of
                       compromise (IOCs), security detection and prevention are a constant game of
                       whack-a-mole if the usual simple indicators are used alone. An attacker can very easily
                       modify code to communicate with a different IP address or domain, leverage a different
                       local port or present a different cryptographic hash value.

                       In contrast, behavioral aspects of attacks are by far the most valuable knowledge to
                       have in preventing and detecting compromise scenarios, but they are much more
                       difficult to create and describe. In turn, this makes it more difficult to automate and unify
                       the systems, each of which holds a little information about these attacks but doesn’t
                       show the whole picture. Behavioral indicators will often include multiple indicators; for
                       example, a certain IP address is accessed, retrieves a known ZIP file, unpacks and drops
                       certain files, and installs software that opens a port or creates a new registry key.

                       By changing the name and/or value of a specific registry key on a Windows platform,
                       attackers can easily bypass some of the endpoint detection technologies in use today.
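                       To make the contrast concrete, here is an added example (written for this edit, not
                       code from Endgame or from the review) that runs two detectors over a constructed event
                       stream shaped like the chain described above. The atomic matcher keys on a file hash
                       and a destination address; the behavioral matcher keys on the order of actions. The
                       event records, hashes, addresses and paths are all made up for the illustration.

```python
"""Atomic IOC matching versus behavioral matching over endpoint telemetry.

Added example, not Endgame's code: a small matcher that shows why a hash or
address indicator stops matching as soon as the attacker recompiles or moves
infrastructure, while a rule over the sequence of behaviors still fires.
Every event, hash, address and path below is constructed for illustration.
"""

# Constructed event stream for one host, following the chain in the text:
# an address is contacted, a ZIP is fetched, it is unpacked and an executable
# dropped, the executable runs and installs a Run-key persistence entry.
ORIGINAL_ATTACK = [
    {"type": "network", "process": "outlook.exe", "dst": "203.0.113.7"},
    {"type": "file_write", "process": "outlook.exe",
     "path": r"C:\Users\u\Downloads\invoice.zip", "sha256": "aaaa1111"},
    {"type": "process_create", "process": "explorer.exe", "child": "7za.exe",
     "cmdline": r"7za.exe x invoice.zip -oC:\Users\u\AppData\Local\Temp\i"},
    {"type": "file_write", "process": "7za.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\i\svc.exe", "sha256": "bbbb2222"},
    {"type": "process_create", "process": "7za.exe", "child": "svc.exe",
     "cmdline": "svc.exe /install"},
    {"type": "registry_set", "process": "svc.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
]

# A benign install with the same rough shape (download, extract, run) but no
# drop into a temp directory and no autorun entry.
BENIGN_INSTALL = [
    {"type": "file_write", "process": "chrome.exe",
     "path": r"C:\Users\u\Downloads\tool.zip", "sha256": "dddd4444"},
    {"type": "file_write", "process": "explorer.exe",
     "path": r"C:\Users\u\Documents\tool\tool.exe", "sha256": "eeee5555"},
    {"type": "process_create", "process": "explorer.exe", "child": "tool.exe",
     "cmdline": "tool.exe"},
]

# Atomic indicators a vendor might publish after analyzing the first sample.
ATOMIC_IOCS = {"sha256": {"bbbb2222"}, "dst": {"203.0.113.7"}}


def atomic_match(events, iocs=ATOMIC_IOCS):
    """True if any event carries a known file hash or destination address."""
    return any(ev.get("sha256") in iocs["sha256"] or ev.get("dst") in iocs["dst"]
               for ev in events)


def behavior_match(events):
    """Match the chain in order, ignoring hashes and addresses entirely.

    Stages: (1) an archive is written, (2) an executable is then dropped under
    a user-writable temp path, (3) that executable is launched, (4) it writes
    a CurrentVersion\\Run value. Each stage must follow the previous one.
    """
    stage, dropped = 0, set()
    for ev in events:
        kind = ev["type"]
        path = ev.get("path", "").lower()
        if stage == 0 and kind == "file_write" and path.endswith(".zip"):
            stage = 1
        elif stage == 1 and kind == "file_write" and path.endswith(".exe") \
                and "\\appdata\\local\\temp\\" in path:
            dropped.add(path.rsplit("\\", 1)[-1])
            stage = 2
        elif stage == 2 and kind == "process_create" \
                and ev["child"].lower() in dropped:
            stage = 3
        elif stage == 3 and kind == "registry_set" \
                and "\\currentversion\\run\\" in ev["key"].lower() \
                and ev["process"].lower() in dropped:
            return True
    return False


def mutate(events, new_hash="cccc3333", new_dst="198.51.100.9"):
    """Simulate the attacker recompiling the dropper and moving the host."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev.get("sha256") == "bbbb2222":
            ev["sha256"] = new_hash
        if ev.get("dst") == "203.0.113.7":
            ev["dst"] = new_dst
        out.append(ev)
    return out


if __name__ == "__main__":
    variant = mutate(ORIGINAL_ATTACK)
    for name, evs in [("original", ORIGINAL_ATTACK), ("variant", variant),
                      ("benign", BENIGN_INSTALL)]:
        print(f"{name:9s} atomic={atomic_match(evs)!s:5s} "
              f"behavior={behavior_match(evs)}")
```

                       Recompiling the dropper and moving the download host silences the atomic matcher;
                       the behavioral matcher still fires, because the sequence it watches (archive written,
                       executable dropped under a user-writable temp directory, that executable run, Run key
                       set) is unchanged, and it stays quiet on the benign install. The cost is the one the
                       text names: the rule had to be designed around a tradecraft pattern rather than
                       copied from a sample.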
                           Full Stack Protection
                           Endgame offers a number of advanced features for the prevention of targeted attacks
                           against enterprises, and these align with the various stages of the ATT&CK model. During
                           our review, we tested several of the zero-day-prevention capabilities offered in the
                           product, and it successfully caught each attempt, provided us advanced intelligence that
                           included detailed indicators of compromise and system-level aspects of the attempt,
                           and automated remediation workflow. Endgame has advanced protections that include
                           exploit prevention, malware prevention, fileless attack prevention, malicious macro
                           prevention and ransomware prevention.

                       [3] Adversarial Tactics, Techniques and Common Knowledge, https://attack.mitre.org/wiki/Main_Page
                       Endgame has developed a unique technique it calls “Hardware Assisted Control Flow
                       Integrity” (HA-CFI™). This technology uses hardware features available in processors
                       to monitor and prevent exploitation before code execution. By leveraging hardware
                       features, Endgame prevents exploits before an attacker reaches the “Post-Exploitation”
                       stage of the Kill Chain (and the beginning of the ATT&CK cycle).
                       Another feature Endgame touts is enhanced “Dynamic Binary Instrumentation” (DBI),
                       which allows for very early-stage detection of exploits. This feature allows the product
                       to detect malicious macros through heuristics-based prevention, closely monitor fileless
                       attacks for process injection and look at behaviors for file activity that may indicate
                       ransomware and similar attacks.
                       Figure 6 shows the configuration of exploit protections within the Endgame sensor
                       configuration screen.

                                               Figure 6. Endpoint Exploit Protection and Prevention

                       These protections are enabled by editing the Sensor configuration policy mentioned
                       earlier. In the “Exploit Protection” category, analysts can enable HA-CFI and/or DBI to
                       detect and prevent exploits and malware on each endpoint. A range of protections is
                       available, including API filtering, monitoring for macros with heuristics, monitoring stack
                       memory and many more.
                       Figure 7 shows a prevention alert with a process injection and also highlights the source
                       process and the target process infected.

                                                   Figure 7. Endpoint Process Injection Prevention

                       Accelerated Triage and Response
                       For all of its capabilities in preventing attacks, Endgame also impressed us with its
                       detection and triage capabilities, setting up more effective response and hunting
                       activities for security teams. The first tool we explored in the world of detection was
                       Endgame Artemis, which is an AI-powered security mentor that analyzes and triages
                       alerts in simple English.

                       We explored Artemis after creating all of our “infections” that generated attack alerts
                       and events. The Artemis icon, which is available in all dashboards and screens within the
                       main Endgame console, interacts with the analyst when querying the platform. To start,
                       we entered a query to the Artemis system (not having any idea of syntax or behavior),
                       which produced the following dialog:
                           SANS: “lsass.exe”
                           Artemis: “To search process data, I need one of the following endpoint designators:
                           - All Endpoints
                           - Operating System (e.g. win7 endpoints)
                           - Endpoint IP address (e.g. 10.5.1.10 endpoint)”
                           SANS: “all endpoints lsass.exe”
                           Artemis: “Are you sure you want to run:
                           Search process for file lsass.exe on active endpoints?”
                           SANS: “yes”
                           Artemis: “Created investigation: 68f09d90-ba9d-4f9e-bf10-3a458c758ef0”
                       We could then click a View the Investigation link directly within the Artemis console. This
                       was an amazing way to get started quickly with an intuitive “guidance” system, one that
                       could help junior analysts figure out what to do and where to go for more information.
                       As we explored the product, we decided to query Artemis for more in-depth
                       information. One of the pieces of malware we ran in the first phase of the analysis was
                       named sekur1.exe. To get Artemis focused on a particular IOC process chain, we
                       queried the process lineage for this executable on a particular endpoint in the test
                       environment (shown in Figure 8).

                                                  Figure 8. More Advanced Artemis Queries

                       Artemis dutifully created the investigation and provided in-depth results that we then
                       reviewed in the Investigations console (see Figure 9). The Investigation pane includes
                       information about processes created, running and terminated, as well as user, system
                       and command-line details. It was also simple to filter results by process, DNS, user or
                       network event.

                                                      Figure 9. Artemis-initiated Investigation

                          Another view of the investigations is the Endgame Attack Visualization. With a click of
                          a button, an analyst can search across the entire environment for more evidence of the
                          attack or can pivot to one of Endgame’s many integration partners to gather information
                          about the overall extent of the compromise.

                       Figure 10 shows the guided response workflow that accelerates an analyst’s ability to
                       quickly triage and respond to alerts.

                                            Figure 10. Endgame Artemis Guided Response Workflow

                       This set of results provided a detailed timeline of the execution of malware/exploit code
                       (sekur1.exe), followed by Windows services being initiated and DNS lookups being
                       performed for local systems and external domains, as well.
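                       As an added illustration of what a lineage query like the one above has to do (this is
                       not Endgame’s or Artemis’s code), the following reconstructs the ancestor chain and the
                       descendant subtree of a process from process-creation events, then lays the events that
                       followed it on a timeline. The events are constructed; sekur1.exe is the sample name
                       used in the review, and every other process name, PID and command line is assumed.
                       A program started through the Service Control Manager appears as a child of
                       services.exe rather than of the process that registered it, which is why a timeline,
                       not the tree alone, is needed to see the services mentioned above.

```python
"""Process lineage and timeline from process-creation telemetry.

Added example, not Endgame's or Artemis's code: rebuild the ancestor chain
and descendant subtree of a process by image name, then list every event
that followed it, flagging the ones outside its tree. The events are
constructed; sekur1.exe is the sample name used in the review, every other
process name, PID and command line is assumed.
"""
from collections import defaultdict

# Constructed process-create events from one endpoint (ppid 0 = no parent
# observed). PIDs are assumed unique here; real telemetry reuses PIDs, so a
# production version must key on (pid, create time) instead.
EVENTS = [
    {"ts": 1, "pid": 4,    "ppid": 0,    "image": "System",       "cmd": ""},
    {"ts": 2, "pid": 600,  "ppid": 4,    "image": "services.exe", "cmd": "services.exe"},
    {"ts": 3, "pid": 1200, "ppid": 900,  "image": "explorer.exe", "cmd": "explorer.exe"},
    {"ts": 4, "pid": 3300, "ppid": 1200, "image": "outlook.exe",  "cmd": "outlook.exe"},
    {"ts": 5, "pid": 3400, "ppid": 3300, "image": "sekur1.exe",
     "cmd": r"C:\Users\u\AppData\Local\Temp\sekur1.exe"},
    {"ts": 6, "pid": 3500, "ppid": 3400, "image": "cmd.exe",
     "cmd": r"cmd.exe /c sc create upd binPath= C:\ProgramData\upd.exe"},
    # Started by the Service Control Manager, so its parent is services.exe,
    # not the cmd.exe that registered it.
    {"ts": 7, "pid": 3600, "ppid": 600,  "image": "upd.exe",      "cmd": r"C:\ProgramData\upd.exe"},
    {"ts": 8, "pid": 3700, "ppid": 3400, "image": "nslookup.exe", "cmd": "nslookup update.example"},
]


def _index(events):
    """Map pid -> event and ppid -> children, both in timestamp order."""
    by_pid, children = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]] = ev
        children[ev["ppid"]].append(ev)
    return by_pid, children


def _find(by_pid, image):
    return next((e for e in by_pid.values() if e["image"].lower() == image.lower()), None)


def ancestors(events, image):
    """Image names from the outermost observed ancestor down to `image`."""
    by_pid, _ = _index(events)
    start = _find(by_pid, image)
    if start is None:
        return []
    chain, seen = [start], {start["pid"]}
    while chain[-1]["ppid"] in by_pid and chain[-1]["ppid"] not in seen:
        parent = by_pid[chain[-1]["ppid"]]
        seen.add(parent["pid"])
        chain.append(parent)
    return [e["image"] for e in reversed(chain)]


def descendants(events, image):
    """Depth-first (depth, image, cmd) tuples for everything under `image`."""
    by_pid, children = _index(events)
    start = _find(by_pid, image)
    out = []

    def walk(ev, depth):
        for child in children.get(ev["pid"], []):
            out.append((depth, child["image"], child["cmd"]))
            walk(child, depth + 1)

    if start is not None:
        walk(start, 1)
    return out


def timeline(events, image):
    """(ts, image, in_tree) for `image` and every event after it.

    in_tree is False for processes that ran afterwards but are not under
    `image`; the service launched via services.exe shows up this way.
    """
    by_pid, children = _index(events)
    start = _find(by_pid, image)
    if start is None:
        return []
    tree, stack = {start["pid"]}, [start]
    while stack:
        for child in children.get(stack.pop()["pid"], []):
            tree.add(child["pid"])
            stack.append(child)
    return [(e["ts"], e["image"], e["pid"] in tree)
            for e in sorted(events, key=lambda e: e["ts"]) if e["ts"] >= start["ts"]]


if __name__ == "__main__":
    print(" -> ".join(ancestors(EVENTS, "sekur1.exe")))
    for depth, img, cmd in descendants(EVENTS, "sekur1.exe"):
        print("  " * depth + f"{img}  {cmd}")
    for ts, img, in_tree in timeline(EVENTS, "sekur1.exe"):
        print(ts, img, "" if in_tree else "  <- outside the sekur1.exe tree")
```

                       The ancestor walk stops at the first parent that was never observed (here explorer.exe’s
                       parent), and the `seen` set guards against a cycle if a stale PID is reused as a parent
                       in the data.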

                       Take Action
                       For any given alert, Endgame offers a number of responses an analyst can take directly
                       from the console. First, we can start an investigation, much as we did with the Artemis
                       query engine. Second, we can take a variety of actions depending on the nature of the
                       alert. For files, we can download the file locally for analysis or delete the file. For process
                       injection, we can suspend the process thread to minimize impact on the affected host,
                       terminating the malicious behavior while response and forensics teams get engaged. In
                       all cases, we can also choose to whitelist alert items, reducing false positives that may
                       turn up from time to time in specific environments.

                       The Alert Details listing also provides ample information on the entire process tree on
                       the endpoint, as well as network activity and user accounts on the system. Within the
                       process view, we could also choose to select processes to get hash values associated
                       with them, and kill the process if we chose. See Figure 11.

                                                    Figure 11. Details of Suspicious Processes

                       By selecting an endpoint, we could click the Respond button in the dashboard to
                       configure more advanced response actions. Here, we could upload scripts or binaries to
                       run for response and then run them as analysts. An example of running the Microsoft
                       Sysinternals program handle.exe is shown in Figure 12.

                                                    Figure 12. Executing the handle.exe File

                       We were able to delete files, suspend processes and take other actions here, too. This
                       process allowed us to run our own tools for response and collect the tool output data
                       back to the console. Because this capability pushes arbitrary binaries to endpoints and
                       executes them, it is worth restricting it to the analyst roles that need it, using the
                       role assignments described under Administration.

                       TAKEAWAY: Endgame can help rapidly detect and respond to events in a monitored and
                       protected environment. The intelligent tools available in the console, such as Artemis,
                       may serve to elevate Tier 1 analysts to be more effective at initial diagnosis and triage
                       and accelerate Tier 3 analysts who are doing deep investigations in the environment
                       based on IOCs and other behaviors.

                       Hunting with Endgame
                       Endgame automates the hunt for malicious activity at the earliest stages of the MITRE
                       ATT&CK matrix. Endgame hunting includes process, persistence, Registry and network
                       searches, as shown in Figure 13.

                                               Figure 13. Automated Hunting with Endgame

                       Eliminating Persistent Threats at the Earliest Stages of the
                       Attack Lifecycle
                       Another feature we explored in hunting with Endgame was attacker persistence.
                       Endgame has many built-in analytics for finding and eliminating advanced attacker
                       “beachheads” in the environment. One of Endgame’s advantages is its MalwareScore®
                       analytics engine, which scores unknown persistence as malicious based on behaviors
                       and unusual indicators seen on systems, even when nothing matches a known signature.
                       Other persistence hunts look for hijacking entries in the Registry, rogue dynamic-link
                       libraries (DLLs), filename masquerading, suspicious paths and more.
                       Within the Investigation pane, we were then able to monitor the hunt and see what
                       results came back. We chose the Persistence hunt type and looked at different specific
                       indicators that came back with high scores, shown in Figure 14.

                                      Figure 14. Persistence Indicators with a High MalwareScore Rating


                       We also looked at network indicators for uncommon connections or suspicious
                       connections, shown in Figure 15. After malicious persistence is identified, an analyst can
                       perform a variety of response actions, including uploading or executing to eliminate the
                       malicious persistence, all with a single click.

                                                              Figure 15. Suspicious Network Connections

                       Detecting Ongoing File-less Attacks at Scale
                       Finally, in the test environment, we drew on the “Defense Evasion” article on the MITRE
                       ATT&CK wiki4 to run a range of highly sophisticated exploit code seen in the wild
                       and get a sense of how Endgame handles advanced attacker techniques, particularly
                       file-less attacks. These attacks may persist only in memory, making them very hard
                       to detect. Endgame’s technology prevents file-less attack techniques, including
                       shellcode injection and DLL injection. Endgame’s automated in-memory analysis is able, in
                       minutes, to identify techniques such as memory modification, memory injection, hidden
                       modules, and packed and encrypted areas in memory across unlimited endpoints. Our
                       hunt-monitoring tools made looking for these simple, because this is a category that
                       Endgame looks for readily in the Process section. See Figure 16 on the next page.

                       4 “Defense Evasion,” https://attack.mitre.org/wiki/Defense_Evasion

                                                                Figure 16. A File-less Attack Process

                       This process has the following attributes:
                           Path: C:\Windows\SysWOW64\rundll32.exe
                           Command Line: C:\Windows\System32\rundll32.exe
                           "C:\Users\vagrant\AppData\Local\jlc3V7we\IZsROY7X.-MP",F1dd208

                       Once an analyst detects a memory injection, he or she can suspend the thread, which
                       will contain the attack without any loss of system stability. As a bonus, the analyst
                       can download the strings to determine the malicious command-and-control and use
                       Artemis to search across the enterprise.

                       This example just scratches the surface of what Endgame’s hunting capabilities can do.
                       The platform can perform single hunts for specific configuration aspects of systems, look
                       for network ports, services and just about any item an analyst would want to find. In
                       addition, if this is set to prevention mode, Endgame can block file-less attacks.

TAKEAWAY: Hunting allows analysts to leverage automation to find suspicious behavior in
minutes across hundreds and thousands of systems that are managed and monitored.
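The Figure 16 record lends itself to a scripted triage of the indicators this section and the persistence hunt above describe (a module loaded from a user-writable path, filename masquerading, random-looking names). The following Python is an added example written for this review, not Endgame code; the sample record is constructed from the Path and Command Line printed above, and the `looks_random` heuristic and the user-writable directory list are assumptions.

```python
"""Heuristic triage of a rundll32 process record like the one in Figure 16.
Added example, not Endgame code: it raises the persistence indicators the
review names on a constructed record copied from the attributes shown above."""
import re

# Constructed sample: the Path and Command Line printed for the Figure 16 process.
SAMPLE_EVENT = {
    "path": r"C:\Windows\SysWOW64\rundll32.exe",
    "command_line": r'C:\Windows\System32\rundll32.exe '
                    r'"C:\Users\vagrant\AppData\Local\jlc3V7we\IZsROY7X.-MP",F1dd208',
}

# Assumed list of directories an unprivileged user can write to; a module loaded
# from here by a signed Windows binary is the "suspicious path" indicator.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)


def parse_rundll32_cmdline(cmdline):
    """Split 'rundll32.exe "<module>",<export>' into (module, export), or (None, None)."""
    m = re.match(r'^\s*"?[^"]*?rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\S+)', cmdline, re.I)
    return (m.group(1), m.group(2)) if m else (None, None)


def looks_random(name):
    """Assumed heuristic: generated names mix upper case, lower case and digits."""
    return (len(name) >= 6 and all(re.search(p, name) for p in (r"[A-Z]", r"[a-z]", r"\d")))


def triage_rundll32(event):
    """Return the list of indicators raised for one rundll32 process record."""
    indicators = []
    module, export = parse_rundll32_cmdline(event["command_line"])
    if module is None:
        return ["rundll32 started without a module argument"]
    if USER_WRITABLE.search(module):
        indicators.append("module loaded from a user-writable path")
    if not module.lower().endswith(".dll"):
        indicators.append("module extension is not .dll (filename masquerading)")
    folder, _, filename = module.rpartition("\\")
    for label, part in (("directory", folder.rsplit("\\", 1)[-1]),
                        ("module name", filename.split(".")[0]),
                        ("export name", export)):
        if looks_random(part):
            indicators.append(f"random-looking {label}: {part}")
    # WoW64 redirects a 32-bit loader from System32 to SysWOW64; the mismatch is
    # benign by itself but tells the analyst which bitness of process to examine.
    if "syswow64" in event["path"].lower() and "system32" in event["command_line"].lower():
        indicators.append("32-bit rundll32 (WoW64 redirection of System32 path)")
    return indicators
```

Run `triage_rundll32(SAMPLE_EVENT)` to see all six indicators fire on the Figure 16 record; a benign `rundll32.exe shell32.dll,Control_RunDLL` launch from System32 raises none.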

Conclusion
                       Endgame lived up to its promise. The platform focuses on the breadth and depth of the
                       MITRE ATT&CK to stop known and unknown threats. It was easy to use and get started
                       with, and the various dashboards were intuitive to navigate. Creating endpoint policies
                       was straightforward, and communicating with sensors was fast and painless. Endgame
                       prevention blocks known and unknown threats, at the earliest stages of the attack
                       lifecycle. Where the product really shines, however, is in event detection, triage of events
                       and threat hunting.
                       The skills gap in security operations continues to grow. There just aren’t enough experts
                       to go around. Endgame empowers junior analysts to find threats rapidly and effectively,
                       analyze them and dig deeper for more evidence—which can only help to improve the
                       state of security incident monitoring and forensics today.
                       At the same time, all of this needs to happen fast. When we receive IOCs from threat
                       intelligence or sharing groups, we need to look across all endpoints rapidly. Endgame
                       provides the tools to hunt for known and unknown files, processes, and behaviors across
                       all endpoints very rapidly, and then take remediation actions immediately.

About the Author
        Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of
        the board of directors for the SANS Technology Institute, is the founder and principal consultant with
        Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory
        compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive
        experience designing and configuring secure virtualized infrastructures. He previously worked as chief
        security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead
        the Atlanta chapter of the Cloud Security Alliance.

                                                    Sponsor
                              SANS would like to thank this paper’s sponsor:

Last Updated: May 21st, 2019
