In cybersecurity, endpoint telemetry refers to data collected by monitoring activities on endpoint devices, such as computers and servers. By monitoring and analyzing endpoint behavior, organizations gain valuable insights into potential threats, allowing them to detect and respond to attacks at their earliest stages. Endpoint telemetry also serves as a crucial data source for XDR, enhancing its ability to detect, analyze and respond to security threats across multiple environments.

Cisco Secure Endpoint is an Endpoint Detection and Response (EDR) tool that collects and records a wide range of endpoint telemetry. It employs various detection engines to analyze this telemetry, identify malicious behavior and trigger detection events. By filtering out unwanted data, this telemetry reduces noise and offers clear visibility into endpoint activities, including processes, parent-child process relationships, triggered events, files and network activity, whether malicious or benign. Additionally, events from Cisco Secure Endpoint are ingested into the Cisco XDR analytics engine and correlated with other data sources to generate high-fidelity incidents within Cisco XDR. We’ll focus on how Secure Endpoint provides visibility into the early stages of an attack and its capability to stop complex threats before they escalate.

Execution tactics represent the techniques used to run the attacker’s payload on a compromised endpoint to perform malicious activities. Lazarus frequently employs these techniques as part of their broader Living Off the Land (LOL) strategy, which allows them to exploit legitimate system tools and binaries to blend in with regular network activity and avoid detection by traditional security solutions. To detect malicious behavior early in the attack chain, it’s essential to monitor the endpoint and record activities that resemble these commonly used techniques. This challenge can be addressed by correlating the events and telemetry triggered around that activity, or by using an XDR (Extended Detection and Response) tool, such as Cisco XDR.

Let’s explore the detection events captured by Cisco Secure Endpoint in the Events view, along with the telemetry recorded in the Device Trajectory view. All the events used in this example can be viewed from the Management->Events page of the Cisco Secure Endpoint console. The screenshot below depicts the event Secure Endpoint generated on observing “tasklist.exe” usage on the endpoint in a suspicious manner, run by “rundll32.exe”, and mapping the behavior to the Process Discovery technique.

Cisco Secure Endpoint (CSE) captures two types of telemetry under the Device Trajectory view: Activity Telemetry and Behavioral Telemetry. The screenshot below shows the Device Trajectory view in the Secure Endpoint console, with the Activity Telemetry captured. The screenshot below shows the Device Trajectory view in the Secure Endpoint console, highlighting Behavioral Telemetry identified by the detection engine. The telemetry details captured by Secure Endpoint in this view provide crucial context around the observed activity, allowing security teams to quickly assess the situation.

The exploration of Cisco Secure Endpoint’s detection events and telemetry highlights the power of visibility in early attack detection. By offering a deeper understanding of potential threats, Secure Endpoint helps to streamline the threat detection process, reducing response times and enhancing overall security posture. Cisco XDR correlates telemetry from various detection sources to generate high-fidelity incidents, enhancing the ability to identify and stop complex attacks while reducing the likelihood of false positives.
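As an added illustration of the parent-child check behind the event described above (not Cisco's code), the script below runs a minimal detection pass over process-creation telemetry and flags a discovery utility such as tasklist.exe when it is spawned by rundll32.exe, mapping the hit to Process Discovery. The line format, the sample events and the choice of watched tools and parents are constructed for this example.

```python
import ntpath, re
from dataclasses import dataclass
from typing import List, Optional

# Discovery utility -> ATT&CK technique. T1057 is the real ID for Process
# Discovery; which tools to watch is an assumption for this example.
DISCOVERY_TOOLS = {"tasklist.exe": "T1057 Process Discovery"}
# Parents that should not normally spawn a discovery utility (assumption).
UNUSUAL_PARENTS = {"rundll32.exe"}
# Constructed line format: "<ts> <host> parent=<path> image=<path> cmdline=<rest>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) parent=(?P<parent>\S+) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent: str  # parent image path as recorded
    image: str   # child image path as recorded
    cmdline: str

def parse_event(line: str) -> ProcessEvent:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable telemetry line: {line!r}")
    return ProcessEvent(**m.groupdict())

def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Alert on a discovery tool under an unusual parent; None otherwise."""
    # Compare lowercased basenames so casing or directory prefix cannot
    # hide the pair; ntpath handles Windows paths on any host OS.
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent).lower()
    technique = DISCOVERY_TOOLS.get(image)
    if technique and parent in UNUSUAL_PARENTS:
        return f"{ev.ts} {ev.host}: {parent} -> {image} [{technique}] cmd={ev.cmdline}"
    return None

def scan(lines: List[str]) -> List[str]:
    """Run every telemetry line through evaluate; benign pairs drop out as noise."""
    return [a for a in (evaluate(parse_event(l)) for l in lines if l.strip()) if a]

# Constructed sample telemetry: tasklist run by an admin from cmd.exe (benign),
# then tasklist spawned by rundll32.exe, the pattern the post maps to T1057.
SAMPLE_EVENTS = [
    r"2024-10-02T12:40:01Z ws-01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe",
    r"2024-10-02T12:40:05Z ws-01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\tasklist.exe cmdline=tasklist",
    r"2024-10-02T12:41:10Z ws-01 parent=C:\Windows\System32\RUNDLL32.EXE image=C:\Windows\System32\tasklist.exe cmdline=tasklist /v",
]
```

Calling `scan(SAMPLE_EVENTS)` returns a single alert for the rundll32.exe -> tasklist.exe pair; the admin's tasklist under cmd.exe is dropped as noise.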
This Cyber News was published on feedpress.me. Publication date: Wed, 02 Oct 2024 12:43:06 +0000