Earlier this week, I posed a question using a Twitter poll. Yes, I know about sampling bias. I won’t pretend for a minute there isn’t some sampling bias in my data set, but the results are interesting nonetheless. I’ll note that when it comes to sampling bias, I’m okay with the bias that my Twitter feed produces. In this case, I think we’re getting a better sampling (hopefully more stacked with experts) than just blasting this out into the void.
I expected a few responses, but I got far more than I would normally hope for. It’s clear that a small majority of respondents prefer endpoint to host visibility. Fortunately, the responses are much more insightful than the numbers.
Chris Sanders noted that the answer to the question would likely cycle every few years (I don’t actually disagree). This year the answer was endpoint, but years earlier we would likely have seen network win.
I’m of the belief that if you asked this question every year, you’d see clear cycles. I think we’re in an endpoint-has-more-value cycle right now, but ~3 years ago network would have won.
— Chris Sanders (@chrissanders88) December 24, 2017
Randy Marchany had one of the best comments, noting that network visibility can answer the all-critical question of “did the attacker get the data out of the network?” If you don’t have network visibility, you won’t be able to prove data didn’t leave the environment.
It ain't a breach unless it leaves the net. Net forensics best since that tells u if an exfil happened.
— Randy Marchany (@randymarchany) December 23, 2017
Another great response came from Steve Armstrong. Steve makes a great point that one of the most important considerations is which solution you can get deployed at 100% coverage (or nearest to 100%). Endpoint might work best for your organization, but in most cases you’ll need to deploy fewer network sensors than endpoint sensors to get to (or near) 100% coverage.
It’s a close call but what ever you can push to 100% coverage fastest at lowest cost is the best bet. 75% coverage on both is still useless against a determined APT.
— Steve Armstrong (@Nebulator) December 24, 2017
Another great point/counterpoint discussion is here between Christopher Meenan and Richard Bejtlich. Meenan argues that encryption and cloud are shifting balance to the endpoint. Bejtlich offers the counterpoint that IoT is shifting visibility requirements back to the network. Several people noted that BYOD may also shift the balance back to the network.
IoT is shifting toward network. No endpoint visibility on most networked devices these days!
— Richard Bejtlich (@taosecurity) December 24, 2017
NotDan (snarkily) makes the point that good analysts are needed in either case. He’s not wrong.
c.) good analysts
— notdan ✸ (@notdan) December 24, 2017
So what did we learn here? I think if anything, we learned that there’s no clear choice between network and endpoint instrumentation if you can only deploy one. Several people claimed that my “either/or” question is artificial. They claim that most organizations should deploy both. I don’t disagree. But in many orgs just getting into the infosec game, this is a very real either/or choice. Other orgs already have some network visibility and some endpoint visibility but are trying to decide where to invest more.
- So while there’s no clear answer here, a few points come out:
- BYOD often prevents the deployment of endpoint instrumentation
- Your endpoint instrumentation solution almost certainly doesn’t have an agent for your IoT devices
- Getting 100% (or near 100% coverage) in one area (endpoint or network) is better than spotty coverage in both
- Neither endpoint or network visibility really matters if you don’t have good analysts monitoring your alerts
- Beware of anyone showing you surveys that extol the virtues of endpoint or network monitoring – industry opinions on these are likely to flip flop every few years
- Network visibility is almost certainly required for proving data exfiltration did or didn’t happen
- SSL decryption is good to consider if you are deploying network instrumentation
- Network instrumentation is probably better for detection, while endpoint detection is probably more useful for investigation
Unfortunately, we haven’t answered the question of “endpoint or network.” But hopefully this has given you some points to think about when considering your monitoring needs. As always, if you need help with your information security needs, contact Rendition and we’ll be happy to help you.