Frequently Asked Questions

What is endpoint data?

When we say endpoint data, we’re referring to events that happen on computers in your environment. For most companies, that means Windows workstations and servers. It might also mean Mac workstations and Linux servers. Typically endpoint data is collected in the form of events occurring in time. An event might be a process start event, indicating that a particular process ran on a particular host. The data that would be collected in a process start event might be the filename and path of the executable, the SHA256 or MD5 hash of the executable at the time it ran, the username or account that caused the executable to run, as well as various other attributes about that process. Other event types are: Network Connection made, File Written, DLL Loaded or Process Accessed by another process.

Why endpoint data?

Most security platforms tend to be built around either network packet data, or endpoint process data. The Endpoint Detection and Response (EDR) market focuses on the latter. While both are useful and necessary, those choosing to focus on endpoint data do so because it offers several advantages. One advantage is that the data being collecting is from the original source and therefore can provide the richest insights as to what exactly occurred and how. On the network side, most activity observed is due to something first happening on an endpoint and therefore is often only a reflection of activity that would otherwise require manual forensics to obtain. That’s why we choose to focus our analytical efforts on endpoint data, because we find it to be the most insightful and immediately actionable data you can capture from your environment.

What do you mean by process behavior and why does it matter?

Process behavior, or endpoint behavior in general refers to events that occur on a computer due to the actions of a particular process. When a process starts, it has a distinct starting time and set of parameters around it’s execution that we capture. If that process makes a network connection we capture that as a behavior. Similarly, we capture several other process behaviors such as file writes, DLL loads, accessing other processes, writing to the registry, etc. Analyzing these behaviors both in normal conditions and during an attack can provide tremendous value in terms of distinguishing between normal operations vs. activities that might be part of a broader attack or intrusion.

As an analyst or IT professional, why should I care about process behavior in the wild?

Very often, when an IT or security professional investigates something on a workstation or server (endpoint), one of the first questions that often arises is: Is what I’m seeing normal? EchoTrail’s first goal is to answer that question. By capturing and analyzing process behaviors across a broad array of environments, we can begin to build a picture of what’s normal or typical for a given operating system (OS) or a process running on that OS. We then have something to compare and contrast with what activities we’re investigating in our environment. Staring with normal as a baseline we can start to build detections or early warnings around activities that stray from that baseline. The farther they stray, the more likely something is amiss.

Now that you mention it, what do you mean by wild and why does it matter?

When we say “Process Behavior in the Wild” we simply mean that we’re capturing behavioral data from sensors deployed in real enviornments that we don’t control or modify. We’re simply passively collecting those events and anonymously aggregating them into an overall behavioral picture of process behavior. Anything can happen on those computers and we’re simply measuring it.

How do you collect your data

We deploy sensors to computers in a wide variety of enviornments. Those sensors collect kernel-level, anonymized events, and streams those events into our analytics engine in the cloud. We then process those events as they come in to build out and keep our analytics data up to date with what’s ocurring in the wild.

Can I help contribute data?

Sure! Email us:

Can I contribute in another way?

Yep. If you’re a veteran security analyst and you’d like to contribute intel analysis, we’d love your help! Email us: