Endpoint Visibility: Discrepancies in Defenders’ Perception and Pentesters’ Experience

Download the complete Cybersecurity Perceptions Versus Reality report, also available in French.

As part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to endpoint visibility.

Download the complete Cybersecurity Perceptions Versus Reality report, also available in French.

Pentesters’ Experience

The fact that 68% of the respondents said that they had high endpoint visibility was surprising to penetration testers, who usually experience the opposite. They mentioned that the discrepancy may be explained by the idea that endpoint visibility perceived by the respondents is based on more traditional threats instead of more recent techniques using in-memory payloads and weaponized operating system features. In addition, based on pentesting experience, when compared with the tactics, techniques, and procedures frameworks (TTPs) like the Mitre Att&ck framework, the client’s endpoint visibility usually covers only a fraction of the known tactics and techniques.

Pro Tips on Endpoint Visibility

As a reference for readers, below are some pro-tips related to maintaining endpoint visibility on corporate networks.

• Consider an Endpoint Detection and Response (EDR) provider to increase effective endpoint visibility and prevent sophisticated attacks
• Also, tools like Sysmon and Windows Event Forwarding (WEF) / Windows Event Collector (WEC) are free and, when well configured, are a good replacement/complement/addition to an EDR solution

Conclusion

These findings are part of the Cybersecurity Perceptions Versus Reality report that highlights the key results of a two-year long study that aimed at understanding a disconnect that exists between how defenders perceive the value of their implemented security controls, and the most common attack vectors leveraged by penetration testers acting as potential attackers. The report is available in French and the microdata of the survey is available online.