EDR, known as Endpoint Detection and Response, is a type of endpoint security solution that goes beyond detection-based, reactive defence. It also monitors end-user devices to detect and respond to cyber threats.
The term itself was created by Anton Chuvakin at Gartner and was defined as a “solution that records and stores endpoint-system-level behaviours, uses various data analytics techniques to detect suspicious system behaviour, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”
Endpoint security has always been a crucial element of IT security, but it has become even more important now that a growing number of employees work remotely. Their devices must be protected from threats coming from cyber criminals, but also from the risk of missing regular security patches.
Moreover, an EDR solution helps you and your business collect and monitor endpoint data. It gives your IT security team the ability to identify the most vulnerable endpoints in the network, to investigate threats faster, and to remediate automatically.
Here is a summary of what an EDR platform does:
Analyses indicate that an attack carried out via Living-off-the-Land (LotL) techniques, so-called "fileless attacks", remains undetected for up to 200 days on average. Endpoint Detection & Response solutions enable the "silent" observation of an intruder without intervention.
An EDR solution offers the possibility to recognise and correlate data company-wide. It collects information during an attack:
The EDR solution provides security managers, security teams, and forensic investigators with the information they need to perform their analysis of abnormal or deviant behaviour on the endpoint.
When it comes to cyber security, a security team should always be able to report the status and progress of its investigations. The prerequisite for this is an understanding of typical attack vectors and attack procedures.
Attack techniques and vectors - What attacks are there?
Let's take the MITRE ATT&CK™ database as an example: This database provides in-depth information on attack tactics and techniques and is based on real observations. MITRE ATT&CK™ is free of charge.
Incident tracking: Threat Hunting
The number of incidents detected during threat hunting should not be the only indicator of success. What if you don't find anything suspicious and something is still there?
It is therefore important to check whether the correct data has been collected, whether automation has been improved, and how much the team knows about its own environment when searching for specific adversary techniques. This only works with a focus on the right data - and this is where the EDR solution comes in.
A behavioural or heuristic analysis can identify new techniques and malware without relying on known signatures. By signatures, we mean, among other things, the established practice of software manufacturers to sign their programs.
Antivirus programs (AV) work on the basis of known signatures and can therefore only report or prevent what they already know. Signature descriptions of malicious software are often out of date, however, or missing altogether because of the sheer number of variants that occur.
An AV solution can recognise a malware signature, i.e. a continuous sequence of bytes contained in the malware. Zero-day attacks, for example, alter that byte sequence and are therefore often not recognised by AV solutions.
Ransomware is malicious software that users unknowingly bring into the system, often via an infected email attachment. AV does not always protect against ransomware, as the signature of the malware is sometimes new or not recognisable.
Unlike a ransomware threat, a fileless malware attack abuses existing Windows tools rather than relying on malicious software installed on the victim's computer. There is therefore no file signature for the AV to pick up.
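As an added illustration of the two detection styles described above (example code, not DriveLock's code or code from this article): a byte-sequence signature check that misses a one-byte variant, next to a simple behavioural rule over constructed EDR process-creation records that flags a legitimate Windows tool being misused. The signature, the file samples, the telemetry and the rule's process-name lists are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed "known-bad" byte sequence, standing in for an AV signature database.
SIGNATURES = {"demo-dropper": b"MZ\x90\x00DEMO-BAD-PAYLOAD"}

# Constructed file contents: one carries the exact sequence, the other is a
# variant in which a single byte inside the sequence differs.
KNOWN_SAMPLE = b"\x00" * 8 + b"MZ\x90\x00DEMO-BAD-PAYLOAD" + b"\x00" * 8
VARIANT_SAMPLE = b"\x00" * 8 + b"MZ\x90\x00DEMO-BAD-PAYLOAd" + b"\x00" * 8


def signature_hits(data: bytes) -> list[str]:
    """Signature-based check: names every known byte sequence found in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


@dataclass
class ProcessEvent:
    """One process-creation record of the kind an EDR agent records and stores."""
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process


# Behavioural rule (hypothetical, deliberately simple): a document viewer or
# mail client starting a built-in scripting host is suspicious, even though
# every binary involved is a legitimate Windows tool with no malware file on disk.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def behaviour_alerts(events: list[ProcessEvent]) -> list[str]:
    """Behaviour-based check: reports parent/child pairs that match the rule."""
    return [
        f"{e.host}: {e.parent} spawned {e.image}"
        for e in events
        if e.parent.lower() in DOCUMENT_APPS and e.image.lower() in SCRIPT_HOSTS
    ]


# Constructed telemetry: a normal document print job, then a fileless-style chain.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "explorer.exe", "winword.exe"),
    ProcessEvent("WS-01", "winword.exe", "splwow64.exe"),
    ProcessEvent("WS-01", "winword.exe", "powershell.exe"),
]

if __name__ == "__main__":
    print("known sample:", signature_hits(KNOWN_SAMPLE))      # ['demo-dropper']
    print("variant sample:", signature_hits(VARIANT_SAMPLE))  # []  (signature misses it)
    print("behaviour:", behaviour_alerts(SAMPLE_EVENTS))      # one alert, no file involved
```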
EDR solutions enable more effective cleanup and remediation after an attack. The responses are configured in a policy (in DriveLock's case). They are executed automatically when an alert occurs or triggered centrally by an administrator.
Possible response options for alerts include