

#225 - Defender Fridays: EDR, DFIR & endpoint triage with Brian Carrier, CEO of Sleuth Kit Labs
Jun 27, 2025
Join Brian Carrier, the CEO of Sleuth Kit Labs and a digital forensics expert with over 25 years in the field, as he dives into the latest in cybersecurity. Topics include the evolving landscape of endpoint detection and response (EDR) and its unique challenges. Carrier discusses the limitations of traditional forensic techniques in cloud environments and emphasizes the importance of root cause analysis. He sheds light on the complexities of data collection across different operating systems and the implications for cybersecurity, especially regarding Advanced Persistent Threats.
EDR's Role in Investigations
- EDRs gather valuable data used primarily for detection but are often limited by retention policies and focus on noise reduction.
- Combining EDR data with other investigative sources creates a fuller, single-pane view for effective incident response.
Endpoint Triage After Alerts
- Always perform endpoint triage after an alert to assess if additional malicious activity exists.
- Lower your suspicion threshold once a system is flagged to uncover stealthy attacker behavior.
Distinct Data Shapes in Forensics
- EDR data tends to be consistent and continuous over time, while forensic triage tools collect large data bursts at a single point.
- The different "shapes" of data complement each other in investigations, offering depth and breadth.
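The two data shapes described in these notes (a continuous EDR stream with limited retention, and a forensic triage burst collected at one point in time) can be merged into one chronological view, with the triage artifacts that predate the EDR retention window called out explicitly. The following is an added example written for this page, not code from Sleuth Kit Labs or the podcast; the hosts, timestamps, retention period and artifact names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    ts: datetime   # when the activity occurred
    source: str    # "edr" (continuous stream) or "triage" (point-in-time collection)
    host: str
    detail: str

def parse(ts: str) -> datetime:
    """Constructed timestamps are ISO-8601 and treated as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

# Constructed sample data for one host: a short EDR stream and a triage burst.
EDR_EVENTS = [
    Event(parse("2025-06-20T09:12:00"), "edr", "ws-17", "process start: powershell.exe"),
    Event(parse("2025-06-20T09:12:05"), "edr", "ws-17", "outbound connection: 203.0.113.10:443"),
    Event(parse("2025-06-21T14:03:00"), "edr", "ws-17", "alert: suspicious script block"),
]
TRIAGE_COLLECTED_AT = parse("2025-06-21T15:00:00")   # when the triage tool ran
EDR_RETENTION_DAYS = 7                               # assumed tenant retention policy
TRIAGE_ARTIFACTS = [
    Event(parse("2025-05-30T02:41:00"), "triage", "ws-17", "scheduled task created: Updater"),
    Event(parse("2025-06-20T09:11:58"), "triage", "ws-17", "prefetch: POWERSHELL.EXE first run"),
    Event(parse("2025-06-21T14:02:50"), "triage", "ws-17", "amcache entry: dropper.exe"),
]

def unified_timeline(edr, triage):
    """Single-pane view: both data shapes sorted into one chronology."""
    return sorted(edr + triage, key=lambda e: e.ts)

def before_edr_retention(triage, collected_at, retention_days):
    """Triage artifacts older than the EDR window; only forensic data can show these."""
    cutoff = collected_at - timedelta(days=retention_days)
    return [e for e in triage if e.ts < cutoff]

def corroborate(edr, triage, tolerance_seconds=10):
    """Pair each triage artifact with same-host EDR events within a time tolerance.
    Artifacts with no EDR counterpart need analyst review (retention gap or stealth)."""
    pairs = {}
    for art in triage:
        pairs[art] = [e for e in edr if e.host == art.host
                      and abs((e.ts - art.ts).total_seconds()) <= tolerance_seconds]
    return pairs

if __name__ == "__main__":
    for e in unified_timeline(EDR_EVENTS, TRIAGE_ARTIFACTS):
        print(e.ts.isoformat(), e.source.ljust(6), e.detail)
    for art in before_edr_retention(TRIAGE_ARTIFACTS, TRIAGE_COLLECTED_AT, EDR_RETENTION_DAYS):
        print("outside EDR retention:", art.detail)
```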