Splitting EDR into multiple APs

[MartinEvandt]

The functionalities of EDR solutions vary so much between vendors, and the overall list of functionalities is growing so numerous, that I think it would be best to split EDR into two (or more) Actuator Profiles.

The way I see it, EDR can be generalized into five main categories:

1. Detection
   • Detection of anomalous/malicious behavior by running system events through detection engines
   • Updating the signature set(s) of the detection engine with new/custom signatures
2. Response
   • Enforcing policy (proactive response)
     • Blacklisting hashes, IPs, domains, disallowing external drives, limiting app execution
   • Acting on endpoints (retroactive response)
     • Port isolation, killing processes, initiating AV scans, quarantining binaries
3. Asset management
   • Information regarding hosts and users in an organization
4. Data storage and querying
   • Retaining system events and asset information in a database
   • Querying the data using filters, conditions, logical operators
5. Security posture assessment (few solutions have this, sometimes called XDR)
   • Host software inventories and OS information, aggregated with known vulnerabilities and TTPs for security recommendations

As it stands, we have the detection part covered in the AP. But as mentioned in Issue #26, facilitating queries that contain criteria and a high level of granularity will be a lot of work, and it will bloat the current AP.

So my suggestions are:

1. Rename this AP to Endpoint Response, review it, and move to have version 1.0 published
2. Make a new AP that focuses on advanced queries in EDR systems, @Vasileios-Mavroeidis and I have been calling it "analytics"
3. Review which of the five categories other than Response fit under this new AP

In regards to suggestion 3, I think we could make a case for putting all the remaining categories under a "endpoint analytics" AP, as all categories other than Detection pertains to querying for data in some way. When it comes to detection, the signature sets of EDR systems are usually the same queries that one use for threat hunting, and so adding a "Update<signature/advanced query>" command would be all we need.

I also think this would be a good time to look at integrating/endorsing the Open Cybersecurity Alliance STIX-shifter and Kestrel projects with OpenC2, as discussed somewhat in issue #26.

[dlemire60]

This item has been discussed on email (not the TC mail list, so not linkable) and at the 12/8 working meeting. As of the 12/8 meeting, there wasn't a clear consensus regarding a new naming scheme for the descendants-of-EDR APs.

Currently have "EDR" - endpoint detection and response. Proposals for new APs:

• Endpoint Response: ER or EPR
• Endpoint Analytics: EA or EPA

We have 2-character APs at this point: AV for anti-virus and PF for packet filtering. So either 2- or 3-character names for the replacement APs are consistent with current practice. The EDR AP editors don't appear to have a strong preference. The goal would be to have consensus by the next working meeting (either 22 December or 5 January).

I'm pasting in my notes from the 12/8 working meeting. Two-character items are speaker initials (e.g., ME = Martin Evandt, DS = Duncan Sparrell):

EDR repo rename
• Martin: what to rename current to Endpoint Response
◇ thinks “ER” is good
• Duncan what others?
◇ ME: issue on GH, working out what the others are
◇ At least Endpoint Analytics
◇ #27
◇ DS: if just ED / ER that's fine, but if some others are 3-letter might affect approach
◇ ME: concedes perhaps “EPR” sounds better
◇ DaveK: Gartner(ish) had history of “Endpoint Threat Detection & Response”
▪ would advocate for ETD : endpoint threat detection, if going that way
◇ VM: have demonstrated use cases outside of this domain; could go w/any name
◇ EDR includes an analytics function, a response function,
◇ Duncan: 2-part question
▪ should look at names in context of the wider community
▪ Have the OCA ontology guys tackled this yet? should use their names if so
▪ Have encountered the XDR terminology; how does that factor in?
◇ ME:
▪ EPR is good, rolls off the tongue
▪ XDR is “just a marketing thing” in ME's opinion; prefers to focus on endpoints
▪ https://www.optiv.com/insights/discover/blog/edr-vs-ndr-vs-xdr-vs-mdr-vs-mxdr-wth
◇ VM: XDR is broader scope
• DaveL: sounds like a consensus for EPR
• VM: would go with ER; not clear that network devices are endpoint? Duncan: from an OpenC2 perspective they are.
• ME: refs Duncan's notion of defining additional APs
• Patrick M proposed “Nodes” (in chat)
• Ginn, Jan: EP-Node, NW-Node, FW-Node...
• Duncan: not as keen on node; often perceived as something in the middle
• Duncan: doesn't feel consensus, discuss and resolve at next working meeting?
• Kemp, David: NDR - Network vs endpoint is the same distinction as HIDS vs NIDS - the Network means traffic sniffing / snooping (nmap) vs. agents on endpoints or network devices.

[dlemire60]

Emailed OASIS on 18 January to request renaming from -edr to -er.