dlemire60
commented
2 years ago This item has been discussed on email (not the TC mail list, so not linkable) and at the 12/8 working meeting. As of the 12/8 meeting, there wasn't a clear consensus regarding a new naming scheme for the descendants-of-EDR APs.
Currently have "EDR" - endpoint detection and response. Proposals for new APs:
- Endpoint Response: ER or EPR
- Endpoint Analytics: EA or EPA
We have 2-character APs at this point: AV for anti-virus and PF for packet filtering. So either 2- or 3-character names for the replacement APs are consistent with current practice. The EDR AP editors don't appear to have a strong preference. The goal would be to have consensus by the next working meeting (either 22 December or 5 January).
I'm pasting in my notes from the 12/8 working meeting. Two-character items are speaker initials (e.g., ME = Martin Evandt, DS = Duncan Sparrell):
EDR repo rename • Martin: what to rename current to Endpoint Response ◇ thinks “ER” is good • Duncan what others? ◇ ME: issue on GH, working out what the others are ◇ At least Endpoint Analytics ◇ https://github.com/oasis-tcs/openc2-ap-edr/issues/27 ◇ DS: if just ED / ER that's fine, but if some others are 3-letter might affect approach ◇ ME: concedes perhaps “EPR” sounds better ◇ DaveK: Gartner(ish) had history of “Endpoint Threat Detection & Response” ▪ would advocate for ETD : endpoint threat detection, if going that way ◇ VM: have demonstrated use cases outside of this domain; could go w/any name ◇ EDR includes an analytics function, a response function, ◇ Duncan: 2-part question ▪ should look at names in context of the wider community ▪ Have the OCA ontology guys tackled this yet? should use their names if so ▪ Have encountered the XDR terminology; how does that factor in? ◇ ME: ▪ EPR is good, rolls off the tongue ▪ XDR is “just a marketing thing” in ME's opinion; prefers to focus on endpoints ▪ https://www.optiv.com/insights/discover/blog/edr-vs-ndr-vs-xdr-vs-mdr-vs-mxdr-wth ◇ VM: XDR is broader scope • DaveL: sounds like a consensus for EPR • VM: would go with ER; not clear that network devices are endpoint? Duncan: from an OpenC2 perspective they are. • ME: refs Duncan's notion of defining additional APs • Patrick M proposed “Nodes” (in chat) • Ginn, Jan: EP-Node, NW-Node, FW-Node... • Duncan: not as keen on node; often perceived as something in the middle • Duncan: doesn't feel consensus, discuss and resolve at next working meeting? • Kemp, David: NDR - Network vs endpoint is the same distinction as HIDS vs NIDS - the Network means traffic sniffing / snooping (nmap) vs. agents on endpoints or network devices.
The functionalities of EDR solutions vary so much between vendors, and the overall list of functionalities is growing so numerous, that I think it would be best to split EDR into two (or more) Actuator Profiles.
The way I see it, EDR can be generalized into five main categories:
As it stands, we have the detection part covered in the AP. But as mentioned in Issue #26, facilitating queries that contain criteria and a high level of granularity will be a lot of work, and it will bloat the current AP.
So my suggestions are:
In regards to suggestion 3, I think we could make a case for putting all the remaining categories under a "endpoint analytics" AP, as all categories other than Detection pertains to querying for data in some way. When it comes to detection, the signature sets of EDR systems are usually the same queries that one use for threat hunting, and so adding a "Update<signature/advanced query>" command would be all we need.
I also think this would be a good time to look at integrating/endorsing the Open Cybersecurity Alliance STIX-shifter and Kestrel projects with OpenC2, as discussed somewhat in issue #26.