Blog — Jun 17, 2021

The Importance of “Forensic” Capabilities When Choosing an Endpoint Protection Provider

This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

Do you really know what happened during that data breach? In this post, CyFIR Chief Product Officer John J. Irvine and World Wide Technology (WWT) Global Director of Security Sales Chris Konrad explain what to look for when searching for an Endpoint Detection and Response software solution.

In today’s market for Endpoint Detection and Response (EDR) solutions, vendors are defining “forensics” based upon their own product’s capabilities. The industry is awash with sales pitches from all manner of EDR vendors using similar terminology to refer to underlying technology with vastly different capabilities.

Digital “Fingerprints”

Many of today’s digital forensic practitioners begin their careers in law enforcement. Before “Incident Response” was a buzzword included on every IT professional’s resume, most digital forensics casework supported the investigation and prosecution of crimes. To do so, digital forensic examiners would pore over a hard disk—often with rudimentary, low-level tools—for days, weeks, or even months. Examiners would scour disks looking for hidden partitions, host protected areas, or other spots that craftier suspects would use to hide their data from Johnny Law. When investigators found files of note, they would render them down to hash values (a digital “fingerprint” as it’s often called) to prove their uniqueness or to track their movements between systems or individuals. Investigators could recover fragments of files deleted long ago from the hard disk, often finding a crucial piece of evidence. Forensics was, and continues to be, an often difficult and time-consuming set of processes that can yield unimaginable results—IF you’re willing to put in the time and effort.

Marketing Hype vs. Reality

Today, the EDR marketing landscape could easily lead purchasers into the belief that “AI will save us all” or that “machine learning keeps your network safe.” Many vendors are selling the myths of the “unbreachable perimeter” or the “find all evidence button,” and telling weary, underfunded CISOs that their tools not only will stop attacks, but also provide a “forensics component” in case something evil should get through their defenses.

If you’re looking at one of the ever-present meatball charts that compare different vendors’ tools against each other, you’ll often find that antivirus, patch management, continuous monitoring, or other capabilities under the EDR heading will have a proud dot in a row called “Forensics” (often from an up-charged component). As a CISO, you can purchase one of these tools and check off “Allows a user to perform a digital examination on a computer or network” from your readiness list, right? I wish it were that simple.

When evaluating the “forensic capability” of a cybersecurity product, you need to ask the vendor some direct, pointed questions to learn what that specific vendor defines forensics to be. Finding and deleting the offending file is only part of the job; understanding the attack vector, reviewing the data exfiltrated, and quantifying the damage done are equally important in handling a breach and in preventing future attacks. Without knowing what went wrong, how can you be sure that you’ve taken the appropriate measures to stop it from happening again?

Ask the Right Questions

When considering an EDR solution, ask the following questions before making your decision:

Question: Can an authorized member of my security team navigate to the hard disk structure on an endpoint to look at the content of individual files?

Why you care: Attacks often leave behind forensic evidence that is critical in the discovery of the type and amount of data that has potentially been exfiltrated from your organization. If you can’t find and view the content of the exfiltration files, you might not have accurate information regarding the size or scope of a breach.

Question: Can I pull running processes individually out of memory for external review, or at a minimum, can I use your tool to extract live RAM remotely for the entire machine?

Why you care: Strategic or advanced attacks may use custom-crafted malware that might be able to defend itself from antivirus engines or even automated sandboxes. Sometimes a manual breakdown of a malicious program’s capabilities is the only way to know the potential extent of any damage it caused, and to do that, you must be able to isolate and extract the process from live memory.

Question: How many endpoints can I search at once now that I know what I’m looking for?

Why you care: Many tools that search remote endpoints are limited to searching only a few at a time through a round-robin scripting method. If you have a lot of time and money, that’s fine. If you’re short on either, look for tools where searching the endpoints happens simultaneously instead of five or ten at a time.

Question: Can I look through the raw data on the hard disk remotely and recover deleted files?

Why you care: Deleted malware, erased exfiltration files, and other items hidden from normal view of the operating system can provide critical evidence as to the scale and effectiveness of a breach. Without the capability to directly access a disk and recover deleted information, you’re likely to miss the whole picture. If you can’t do it remotely, you’re going to pay your employees (or a contractor) a lot of money to visit your individual locations and make copies of hard disks for later analysis.
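As an added illustration (not part of the original post or of any CyFIR product), the following Python shows at the byte level why raw disk access matters: it carves files out of a constructed raw disk image purely by header/footer signature, with no filesystem metadata to rely on, and fingerprints each hit with SHA-256 in the way the “digital fingerprint” section above describes. The signature table, the sample image and the result field names are assumptions.

```python
"""Signature-based carving of a constructed raw disk image, with SHA-256 fingerprints."""
import hashlib

# Assumed header/footer signatures for two common file types.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes) -> list:
    """Scan raw bytes for known headers, cut each hit at its matching footer and hash it.

    Nothing here consults a directory or allocation table, so a file whose
    filesystem entry was deleted is recovered as long as its bytes are still on disk."""
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:          # header without footer: partial remains, skip it here
                break
            end += len(tail)
            blob = image[pos:end]
            hits.append({"type": kind, "offset": pos, "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()})
            pos = image.find(head, end)
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image() -> bytes:
    """Constructed sample: two 'deleted' files sitting in unallocated space, no metadata."""
    png = SIGNATURES["png"][0] + b"fake png body" + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"fake jpeg body" + SIGNATURES["jpg"][1]
    return b"\x00" * 64 + png + b"\x00" * 32 + jpg + b"\x00" * 16


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

The same hashes can then be matched against other endpoints to track a file’s movement, which is what the “fingerprint” comparison above relies on.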

Question: Can your solution help me with attackers who are “living off the land” or using fileless attacks?

Why you care: Many platforms sold under the EDR banner are strongly based in their antivirus or continuous monitoring roots. While they may flag malicious activity in the form of a trojan or virus, they often miss the use of legitimate administrative tools by a bad actor. As a use case, ask how the solution being presented can help identify someone doing evil by using stolen legitimate credentials and standard administration tools, and more importantly, make them show you.
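To make the use case above concrete, here is an added Python example (not from the original post or any vendor’s product) of the kind of behavioural logic a defender needs when no malicious file exists: it runs two rules over constructed process-creation events, flagging an Office application spawning an admin tool and one account driving admin tools across many hosts in a short window. The tool lists, event fields, thresholds and sample events are all assumptions.

```python
"""Behavioural checks for 'living off the land' activity over constructed process-creation events."""
from collections import defaultdict

# Assumed list of legitimate admin tools that antivirus has no reason to flag on their own.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "net.exe", "schtasks.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed events: timestamp in seconds, host, account, parent image, launched image.
EVENTS = [
    {"ts": 0,   "host": "ws-01",  "user": "jdoe",       "parent": "explorer.exe", "image": "net.exe"},
    {"ts": 30,  "host": "ws-02",  "user": "mlee",       "parent": "winword.exe",  "image": "powershell.exe"},
    {"ts": 100, "host": "srv-01", "user": "svc_deploy", "parent": "services.exe", "image": "psexec.exe"},
    {"ts": 110, "host": "srv-02", "user": "svc_deploy", "parent": "services.exe", "image": "psexec.exe"},
    {"ts": 120, "host": "srv-03", "user": "svc_deploy", "parent": "services.exe", "image": "psexec.exe"},
    {"ts": 130, "host": "srv-04", "user": "svc_deploy", "parent": "services.exe", "image": "psexec.exe"},
    {"ts": 500, "host": "ws-03",  "user": "jdoe",       "parent": "cmd.exe",      "image": "schtasks.exe"},
]


def analyse(events, max_hosts=3, window=300):
    """Return alert strings from two rules that need no malware signature:
    (1) an Office application spawning an admin tool;
    (2) one account running admin tools on more than max_hosts distinct hosts
        within `window` seconds, the shape stolen credentials plus admin tools leave behind."""
    alerts = []
    history = defaultdict(list)   # account -> [(ts, host), ...]
    fanout_flagged = set()        # accounts already reported by rule 2
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["image"] not in ADMIN_TOOLS:
            continue
        if e["parent"] in OFFICE_APPS:
            alerts.append(f"{e['host']}: {e['parent']} spawned {e['image']} as {e['user']}")
        history[e["user"]].append((e["ts"], e["host"]))
        recent_hosts = {h for t, h in history[e["user"]] if e["ts"] - t <= window}
        if len(recent_hosts) > max_hosts and e["user"] not in fanout_flagged:
            fanout_flagged.add(e["user"])
            alerts.append(f"{e['user']}: admin tools on {len(recent_hosts)} hosts within {window}s")
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

Neither rule fires on jdoe’s routine use of net.exe and schtasks.exe, which is the point: context (parent process, account, host fan-out), not the tool itself, separates the administrator from the intruder.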

Once you start digging with questions like these (and making the sales engineer pitching the product a little uncomfortable), you’ll find that the term “forensics” is being redefined by each individual software vendor for their own convenience—and a tick-mark on that meatball chart. If you have any doubt, find an old-school cop who has been doing digital forensics for twenty years and ask them if they consider “Tool X” to be forensically sound. Believe me, they’ll know the difference.

Still Need Help? Consider WWT’s Advanced Technology Center

Another resource for CISOs to consider is WWT’s Advanced Technology Center (ATC), which provides a platform for technology professionals to stay up-to-date with market innovations and receive assistance when comparing available technology options. The ATC connects industry professionals across technology verticals to collaborate on topics such as infrastructure design, regulatory compliance, and how to integrate virtual and physical environments. It also tests and simulates the performance of hundreds of products, making it easier for CISOs to identify what solution(s) are right for their own environment.
