Keith

@kwm

Like build or buy, network or endpoint is a false choice. You can't do a good job without both, and in any given intrusion both have value.

The best endpoint-based tools give you "enough" network, thus endpoint tends to have a fast time to value for detection, investigation. https://twitter.com/MalwareJake/status/944622938044682240

12/24/2017, 9:11:38 AM

Favs: 13

Retweets: 1

Keith

@kwm

A significant and oft-overlooked advantage of network-based collection is that it can be implemented in relative silence. A skilled adversary (or even a mediocre one with good tools, procedures) will be watching endpoints closely, and will be aware/wary of EDR/EPP.

12/24/2017, 12:58:54 PM

Favs: 5

Retweets: 1

Keith

@kwm

Hopefully, the more time one spends thinking about network vs. endpoint, the faster they come to the conclusion that collecting *something* today, and getting that data *off* of the source systems, is more important than being right about where to start. Proactive > Perfect.

12/24/2017, 1:03:42 PM

Favs: 8

Retweets: 0