EchoTrail Insights

Shorten your security analysis response time


EchoTrail Insights data helps security analysts understand the big picture of how processes typically behave on Windows endpoints. This enables them to move faster, and with more efficiency, allowing them to make more informed decisions. We have been collecting data from hundreds of endpoints for years and our statistical model is built on millions of observed executions. In the world of Endpoint Detection and Response (EDR), understanding the context of a detection is the crucial first step to making a decision to escalate or suppress an alert. EchoTrail insights give analysts that context that is typically only understood by the most senior analysts after years of experience. Our Insights data can be accessed directly via our free web search tool, or integrated into your SOAR or SIEM product for seamless access using our API.

Insights Summary

EchoTrail Insights provides several unique pieces of analytical context for analysts. The first is a high level summary, or lay of the land. The Insights Summary provides analysts with a high-level overview of a particular filename or hash, including the typical paths from which it executes as well as the most common hash for a given filename or the most common filename for a given hash.

EchoTrail Prevalence Score (EPS)

The EchoTrail Prevalence Score (EPS) is a convenient number an analyst can use to quickly understand the overall prevalence of a given filename or hash. This score is represented as a number between 0 and 100, with 100 being the most common file executed in Windows and 0 being the least common. A very high number would tell an analyst that an executable is very common in Windows and therefore might allow them to move on more quickly when investigating something they have never encountered. Conversely, a low number might lead them to investigate a little further.

Rank Analysis

The Rank Analysis section consists of Host Prevalence and Execution Rank. Host prevalence is exactly what it sounds like. It represents the percentage of endpoints that a particular file or hash has been seen running on in the wild. Whereas Execution Rank indicates the overall rank of how often a file or hash executes across all endpoints in the wild as compared to others. The lower the rank, the more often it executes. When an analyst investigates a file running in their environment, these two numbers can help them understand whether that particular file is common or rare, or somewhere in between.

Ancestry Analysis

The Ancestry section consists of Grandparents, Parents and Children of a given file or hash. When a process launches on an endpoint, it has to be launched by another process (it’s parent) and sometimes it launches other processes (it’s children). Every process running on an endpoint is part of a family tree, with grandparents, parents, children and siblings. Many EDR detections are based upon this ancestry. More specifically, they are often based on an understanding of how certain processes are normally launched, as well as what those processes normally launch themselves. A detection is often triggered when a hard-coded or machine learning based deviation from the norm is detected. Unfortunately, with many EDR products there are often false positives (FP) with ancestry or behavior-based detections. When an analyst is investigating one of these detections, they are on their own to determine whether a particular detection is a false positive or a true positive. Without additional context it is often impossible to know for sure. That’s where EchoTrail Insights comes in. By giving analysts ancestral context right when they need it, they can make more informed and confident decisions.

Behavioral Analysis

The Behavioral Analysis section consists of hashes, paths and network ports. As discussed above, every process running on an endpoint is part of a family tree, but every process also exhibits other attributes and behaviors, such as the hash of the file that executed, the path it ran from, network connections it made, files it wrote, etc. The attributes and behaviors in this section provide even more context to an analyst to compare and contrast a detection under investigation with our endpoint insights collected in the wild. For example, an analyst investigating an unknown executable in their environment might find in EchoTrail that that file executes from a given path 100% of the time in the wild, but they see that it ran from a different path in their environment. This is a red flag for the analyst and will give them good reason to investigate further. Conversely, if the path and other attributes and behaviors are consistent across their environment and the wild, then they can more quickly make a decision to move on to the next alert.

Security Analysis

The Security Analysis section provides a unique, in-depth intelligence analysis for a file or hash, detailing how attackers might use that file in an intrusion and what behaviors to look for that are indicative of an attack. These intelligence analyses were written by expert endpoint analysts with years of experience detecting and mitigating attacks by the most sophisticated adversaries. Providing analysts with this level of targeted intelligence, at the exact time it is needed (while investigating an alert), can dramatically increase the speed and accuracy of an investigation by even the most junior analysts. This type of intelligence, provided in context, is invaluable during all phases of security response.