This post was last edited by 呵呵大神001 on 2023-1-19 20:26.
Stop Responding. Start Preventing?
*Parts of this post quote documents from Deep Instinct's official website. Deep Instinct is a cybersecurity company that applies deep learning to cybersecurity. The company uses advanced artificial intelligence to prevent and detect malware, i.e. what we call an NGAV vendor.
But unlike many NGAV vendors, Deep Instinct does not seem to intend to launch an EDR-type product, and they maintain that they are not an ordinary next-gen antivirus either, because DI uses deep learning!
"We are a double next generation antivirus!"
Below are DI's eight reasons for criticizing EDR:
1. The "assume breach" mindset is problematic
2. EDR is a remedial measure
3. EDR cannot solve ransomware (CrowdStrike: you're right)
4. EDR produces a lot of false positives
5. EDR that uses machine learning has exploitable weaknesses
6. EDR is only as good as its visibility on each endpoint
7. EDR only acts after an infection has occurred and cannot stop the infection in advance
8. XDR makes EDR even more rubbish (inefficient)
First, they define themselves:
“Deep Instinct is not an EDR, nor do we claim to be. Our focus is on earlier prevention of unknown threats, pre-execution, to lessen the need for post-compromise detection and response.”
We are not an EDR vendor! What we make is not EDR! We focus on pre-execution prevention!
“Given that the MITRE ATT&CK framework is publicly available, this gives vendors time to prepare before the evaluations based on the actions a specific threat actor is known to take. You would not have the benefit of this time to prepare the tool in your environment.”
That is, since the MITRE ATT&CK tactics used by the APT group simulated in the test are already known, EDR vendors can get better test results by temporarily changing settings and pushing targeted updates to their detection models; colloquially, "benchmark-tuned software". @a certain large Taiwanese vendor here
“MITRE does not measure the length of time it takes to prevent or detect a threat. Most vendors check the cloud for threat intelligence feeds, policies and rules, causing latency.”
MITRE does not specify how long an EDR vendor takes from the intrusion occurring to detecting the threat, while we at DI are awesome: with deep learning we can judge whether an unknown file is malicious within 20 ms of its appearance. Other vendors have to compare EDR data against known threat intelligence in the cloud before they can produce a detection alert.
“If you look at the detailed MITRE results, you will see that Deep Instinct prevented a file once we knew the file was malicious or the behavior was malicious - not because the file may have looked like a risk. This significantly lowers the false positive rate. The MITRE evaluation did not impose a penalty for false positives.”
DI will not generate an alert just because a VB script opens winword.exe, because that would increase false positives in real-world scenarios; MITRE does not deduct points for false positives (so benchmark-tuned software can set its alert threshold very low).
“In addition, over 93% of Deep Instinct's detections were at an analytic level (beyond simple telemetry), with 92% being at the highest detection level and technique. This attests to the high level of context, correlation, and actionability of the events and data presented to the user, reducing time, manual threat hunting, and analysis resources.”
Finally, our EDR has a very high signal-to-noise ratio! Unlike certain EDR vendors that generate a pile of telemetry and then brag about how much detection coverage they have.
Do you think DI's arguments make sense? Or is it purely a case of "a bad workman blames his tools"?
So, how good is the "NGNGAV" that DI brags about so much? The answer will be revealed soon. Stay tuned!