
Trending Threats Spotlight - How Fletch Uses EDR Data

Robert Wagner

Endpoint protection has evolved considerably over the last few decades. Many people don't know that Norton's first endpoint protection tool took the form of an "allow list" -- until the "signature wars" forced a different approach to antimalware/antivirus. More recently, "Endpoint Detection and Response" (EDR) tools have taken over this space. EDR tools represent an impressive leap forward from their predecessors, but they are not perfect. They can miss threats and/or generate false positives. They can be difficult to implement and maintain. And the current endpoint protection paradigm is a reactive model that only detects an attack after it has already occurred.

These tools excel at detection and response, but they can't provide much context around the attack beyond what the vendor's research teams supply and a general priority or severity rating. Researchers tend to focus on nation-state threat actors (TAs), which most large organizations have deep concerns about and which is what they expect from these tools. Researching these TAs also consumes a lot of time, leaving little time to research other groups, such as criminal organizations or ad-hoc TAs.

To prioritize their alerts well, organizations typically need more information than nation-state details alone. Other context that can help prioritize response includes:

  • Is the threat leveraging a brand new zero-day vulnerability?
  • Is this threat attributed to a nation state threat actor, cyber criminals, or other types of actors? How active is the threat actor? 
  • Is this threat theoretical or have attacks been observed in the wild?
  • Are multiple industry verticals impacted by this threat?
  • Is your industry vertical specifically targeted by this threat?
  • How often has this threat evolved?
  • How new is this threat? Are mitigations available for thwarting this threat, or do none currently exist?
  • Does your organization use the apps targeted by this threat?

However, organizations that want to prioritize their alerts based on these signals need to correlate and match this data, typically in databases, SIEMs, or good old-fashioned spreadsheets. Correlating threat feeds, endpoint tools, MITRE Groups, and other sources of intelligence signals usually requires a dedicated threat intelligence program, with specialized staff and the integration of multiple tools; it is typically not something one sets up over a weekend. Even then, you're often limited to published threat feeds, plus whatever intelligence your team can glean on its own. Published threat feeds have their limitations, and typically don't include signals from media such as Twitter, security articles, or security blogs like KrebsOnSecurity.com until that data is vetted and normalized, often days after the original post.
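To make the correlation concrete, here is an added example (not Fletch's code or scoring model): it joins constructed EDR alerts to constructed threat-context records on the ATT&CK technique they share, then ranks the alerts with an arbitrary additive score over the context questions listed above. The threat ids, organisation profile, alert data and weights are all assumptions made for the illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed organisation profile (hypothetical values).
ORG = {"vertical": "finance", "apps": {"outlook", "chrome"}}

# Constructed threat-context records, keyed by a made-up threat id.
THREATS: Dict[str, dict] = {
    "trend-1": {"techniques": {"T1566.001"}, "zero_day": True, "actor": "criminal",
                "in_the_wild": True, "verticals": {"finance", "retail"},
                "apps": {"outlook"}, "mitigation": False},
    "trend-2": {"techniques": {"T1003.001"}, "zero_day": False, "actor": "nation-state",
                "in_the_wild": True, "verticals": {"energy"},
                "apps": {"windows"}, "mitigation": True},
}

# Constructed EDR alerts; "technique" is the ATT&CK technique the EDR tagged.
ALERTS = [
    {"id": "a1", "host": "ws-12", "technique": "T1566.001"},
    {"id": "a2", "host": "srv-03", "technique": "T1003.001"},
    {"id": "a3", "host": "ws-07", "technique": "T1027"},  # no matching threat record
]

def context_score(threat: dict, org: dict) -> int:
    """Additive score over the article's context questions; weights are arbitrary example choices."""
    score = 0
    score += 3 if threat["zero_day"] else 0                      # brand new zero-day?
    score += 2 if threat["in_the_wild"] else 0                   # attacks observed in the wild?
    score += 1 if threat["actor"] else 0                         # attributed to an active actor?
    score += 2 if len(threat["verticals"]) > 1 else 0            # multiple verticals impacted?
    score += 3 if org["vertical"] in threat["verticals"] else 0  # our vertical targeted?
    score += 3 if org["apps"] & threat["apps"] else 0            # do we run the targeted apps?
    score += 2 if not threat["mitigation"] else 0                # no mitigation available yet?
    return score

def correlate(alerts: List[dict], threats: Dict[str, dict], org: dict) -> List[Tuple[str, Optional[str], int]]:
    """Join each alert to the best-scoring threat sharing its technique; unmatched alerts score 0 and sink."""
    ranked = []
    for alert in alerts:
        best: Tuple[Optional[str], int] = (None, 0)
        for tid, threat in threats.items():
            if alert["technique"] in threat["techniques"]:
                s = context_score(threat, org)
                if s > best[1]:
                    best = (tid, s)
        ranked.append((alert["id"], best[0], best[1]))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    print(correlate(ALERTS, THREATS, ORG))  # highest-priority alert first
```

The unmatched alert (a3) illustrates the gap the article describes: without a threat record to join against, the EDR alert carries no context and cannot be ranked above the others.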

Fletch does this research and correlation for you, going beyond what EDR tools can provide, and delivers it in advance of most threat feeds, without the need for expertise to set up extensive systems, normalize or analyze data, or correlate it together. By giving Fletch read-only access to your EDR's API, Fletch automatically does all the work and analysis for you, correlating your endpoint data with the latest news every day to identify which trending threats may have already impacted your resources. It also gives you an immediate answer to the question: "Have we seen <new attack the boss just read about> in our organization?" Having this data correlated for you allows you to profile your attacker and make better decisions on how to triage, respond to, and recover from the attack.

Fletch gives context to your EDR alerts, helping you understand if you’ve been attacked by a new trending threat, or compromised by an old vulnerability that should have been patched over a year ago (no one would listen to you, right?). This context not only helps you understand your security posture, it helps estimate and justify your security budget and any increases you feel you need to meet the threats that are targeting you.