By browsing this site, you are agreeing to our cookie policy. More Information

Saudi Hacks and The Case for Endpoint Detection & Response

Security | Dec 2, 2016

As reported by Bloomberg and others on Thursday, hackers successfully launched an attack against Saudi Arabian government agencies, including the General Authority of Civil Aviation, the government agency that manages Saudi airports. The attackers, believed to be affiliated with the Iranian government, used the destructive malware Shamoon to wipe data and damage equipment. Shamoon was previously  used in a 2012 attack that wiped 35,000 computers at Saudi Aramco, the world's largest oil company.

The Saudi Aramco breach was a watershed moment in the cybersecurity world that generated ripples across the globe. So how, four years later, could a known threat like Shamoon be leveraged again to such an effect?

This attack is the latest to highlight the critical need for Endpoint Detection and Response (EDR) solutions.

Preventing known threats is the bread-and-butter for the myriad of next-gen AV and Endpoint Protection Platform (EPP) tools on the market today. Virtually every organization has some form of perimeter-based security designed to stop known threats. But as this attack shows us, 100% prevention is not possible, even with well-known malware like Shamoon. However, there are ways to reduce the chance of a successful breach and to prevent malware from quickly spreading across the network should a breach occur. The following diagram illustrates how EPP and EDR work together to create a holistic approach to defense.

Figure 1: EPP and EDR work in conjunction to prevent, detect, and respond to threat of all kinds


On Nov 16, Gartner predicted (or foreshadowed) the new cybersecurity reality, recommending that organizations, “communicate the importance of a ‘continuous response’ security mindset, wherein systems are assumed to be compromised, necessitating monitoring and remediation.[1]

“Continuous Response” demands an EDR tool like EnCase Endpoint Security. With an EDR solution, Shamoon or other malicious threats can be detected proactively, and if necessary an EDR solution can perform the required triage and remediation, before the malicious binary is executed. EnCase Endpoint security provides a single platform to mitigate exactly this type of threat and completely remove it from the network to possibly prevent, or at least limit, data loss or damage.

This attack also highlights the need for better information sharing in the cybersecurity community to ensure security teams are prepared for similar threats. When information is shared more openly, security teams can use EDR solutions to proactively scan and hunt for similar threats on endpoints. When armed with the right information and a proactive approach, an organization has a better chance to detect and neutralize a threat before it can cause any real damage.

To learn more about how EnCase Endpoint Security can ensure you are prepared for a breach, please visit: or contact us at

Anthony Di Bello is a Senior Director and Security Strategist at Guidance Software. Anthony is responsible for the voice of the customer, go-to-market strategy and product roadmaps across Guidance Software forensic security, data risk management and digital investigations products.  An 11-year veteran of Guidance, Anthony previously served as director of Strategic partnerships.


[1] Gartner, “Predicts 2017: Information Security management”

Load more comments
Thank you for the comment! Your comment must be approved first

You May Also Like


EnForce Risk Manager: Redefining Data Privacy & Co...

Have you ever asked yourself if your organization has control over its data?
Feb 4

Finding those Easter Eggs?

We don't mean to egg you on... well, in fact, we do.
Nov 3