IEEE Access (Jan 2022)

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

  • So-Hyun Park,
  • Sun-Woo Yun,
  • So-Eun Jeon,
  • Na-Eun Park,
  • Hye-Yeon Shim,
  • Yu-Rim Lee,
  • Sun-Jin Lee,
  • Tae-Rim Park,
  • Na-Yeon Shin,
  • Min-Jin Kang,
  • Il-Gu Lee

DOI
https://doi.org/10.1109/ACCESS.2022.3152574
Journal volume & issue
Vol. 10
pp. 20259 – 20269

Abstract

Read online

Detecting the latest advanced persistent threats (APTs) using conventional information protection systems is a challenging task. Although various systems have been employed to detect such attacks, they are limited by their respective operating systems. Furthermore, they are developed as closed platforms and cannot be customized to meet user environments. To overcome these limitations, open-source endpoint detection and response (EDR) techniques are needed. In this study, we construct one that integrates open-source security frameworks combining GRR (Google Rapid Response) and osquery. A threat-detecting case study is conducted to validate the feasibility of the proposed open-source EDR system. Additionally, APT coverage for the proposed EDR system is analyzed using MITRE’s Adversarial Tactics, Techniques, and Common Knowledge model. The assessment result shows that APT tactics having high levels of threat detection using non-customized osquery configurations comprise 28.5 % of all detections, which is lower than the other response levels. The performance of open-source EDR can be increased by customizing osquery for specific purposes and environments. Open-source EDR combining GRR and osquery has the potential to provide the detection-coverage efficient threat detection system and has the advantage of flexible integration with other applications; it can also be developed for evolving system environments such as cloud and internet of things.

Keywords