This thread is relevant to EDR/EPP for two reasons:

1) There are no tamper-proof endpoint solutions. Tamper-evident is the best that you can hope to achieve.

2) Due to #1, but for other reasons as well, timely exfiltration of endpoint telemetry is of utmost importance. https://twitter.com/taviso/status/946411989793783810

12/28/2017, 9:18:33 PM

The more data that you ship off of your endpoints, the better your chances of detecting tamper events. You create data processing and analysis challenges, but overcome those and you cast a net that requires attackers to think much more carefully about their every move.

12/28/2017, 9:23:15 PM

Part of the power of Carbon Black Response is that it ships off 10x the data of every other sensor/agent. This provides opportunities to detect attacks against the endpoint and/or sensor based not only on the presence of data, but based on the absence of data as well.

12/28/2017, 9:25:50 PM
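The "absence of data" idea above can be checked on the collection side by looking for endpoints whose telemetry stream goes quiet. The following is an added example, not code from the thread or from Carbon Black; the host names, timestamps, inventory list and 3-minute threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (hostname, time the collector received an event).
SAMPLE = [
    ("ws-01", "2017-12-28T21:00:00"), ("ws-01", "2017-12-28T21:01:00"),
    ("ws-01", "2017-12-28T21:02:00"), ("ws-01", "2017-12-28T21:09:00"),
    ("ws-02", "2017-12-28T21:00:30"), ("ws-02", "2017-12-28T21:01:30"),
    ("ws-03", "2017-12-28T21:00:10"), ("ws-03", "2017-12-28T21:02:10"),
    ("ws-03", "2017-12-28T21:04:10"), ("ws-03", "2017-12-28T21:06:10"),
    ("ws-03", "2017-12-28T21:08:10"), ("ws-03", "2017-12-28T21:09:50"),
]
INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04"]  # constructed asset list
WINDOW_END = datetime(2017, 12, 28, 21, 10, 0)    # end of the analysis window


def find_silences(events, window_end, expected=(), max_gap=timedelta(minutes=3)):
    """Return (host, last_seen, resumed, seconds) for each quiet period.

    resumed is None when the host is still silent at window_end; all three
    trailing fields are None for an inventoried host that sent nothing.
    """
    per_host = defaultdict(list)
    for host, ts in events:
        per_host[host].append(datetime.fromisoformat(ts))

    findings = []
    for host in sorted(set(per_host) | set(expected)):
        times = sorted(per_host.get(host, []))
        if not times:
            # Known asset, zero telemetry: only visible with an inventory.
            findings.append((host, None, None, None))
            continue
        # Sensor went quiet and later resumed (e.g. agent stopped/restarted).
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                findings.append((host, prev, cur, int((cur - prev).total_seconds())))
        # Sensor went quiet and has not come back yet.
        tail = window_end - times[-1]
        if tail > max_gap:
            findings.append((host, times[-1], None, int(tail.total_seconds())))
    return findings


if __name__ == "__main__":
    for finding in find_silences(SAMPLE, WINDOW_END, INVENTORY):
        print(finding)
```

A silence is only a lead: powered-off or off-network hosts produce the same gap, so findings need correlation with other sources before being treated as tampering.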

