endpoint-detection-and-response

Knowledge is Power

Endpoint Detection and Response

How to Get Insights with Endpoint Detection and Response

This year, we see cyber criminals spending maximum energy for a variety of reasons to successfully target and attack endpoints of organizations. They are doing this to steal data or take them hostage for ransom (ransomware), to try to take them offline, to abuse them in a botnet or to carry out DDoS attacks or crypto-mining.

With the evolution of workplace mobility and employees connecting from their workplace on the go, in the office or at home – it's no surprise that these devices are becoming increasingly vulnerable. Without the right cybersecurity measures, malicious hackers can easily take advantage of all existing and new vulnerabilities. That's why there has been an increased need for enhanced security tools in recent years that outpace traditional firewalls and antivirus solutions. For both large and small organizations, this has become an undeniable priority. Endpoint Detection and Response (EDR) is the term for a tool set for detecting and preventing threats and is increasingly becoming the standard in cybersecurity.

In this article I explain what EDR is and why I think it should be an essential part of the set of cybersecurity solutions within each organization. This is intended to provide a good overview for everyone active in IT security and to describe opportunities and new developments where organizations will need to go to get maximum insight and grip on the IT assets within (and outside) the organization. In the following two articles in this series of three security blog posts, I will look at EDR versus Antivirus/Endpoint protection and the differences with a SIEM and the trend towards Managed Detection and Response, Cross Layer Detection and Response and SOAR solutions.

What Does EDR Mean?

The term EDR stands for Endpoint Detection and Response and was first introduced by Gartner in 2013. The original definition from Gartner is: tools that are primarily aimed at detecting and investigating suspicious activity (and eliminating them) and other issues on hosts/endpoints: Endpoint Threat Detection & Response. EDR systems were created to detect and actively respond to advanced malware and cyberattacks. They recognize suspicious behaviors that can be investigated later. As their name implies, these tools are specifically designed for endpoints.

Why is EDR Important?

Compared to traditional security solutions, EDR provides a better understanding of all the endpoints available and ensures a faster response time. In addition, EDR tools detect and protect organizations from advanced forms of malware, Advanced Persistent Threats, Phishing, Credential Theft, etc. In addition to all the powerful and indispensable techniques that have been used for 30 years, EDR solutions are often based on machine learning algorithms designed to recognize unknown types of malware, and then make behavior-based decisions.

In essence, when certain files appear to behave maliciously (and are similar to already known types of malware) they will fail to circumvent EDR solutions.

Possibilities and Benefits of EDR

1. Confidently report the state of security at any time

IT and security teams are often motivated by attack and defense statistics, but the most difficult question for most teams to answer is "are we safe now?" This is because most networks have significant blind spots, making it difficult for IT and security teams to see what is going on in their environments.

Lack of visibility is the main reason why organizations struggle to understand the scope and impact of attacks. This often manifests itself when an incident occurs, and the team assumes that they are safe because that incident has been detected. EDR provides additional insight that determines whether other machines were also affected. For example, if a suspiciously executable file is found on the network, it will be restored. However, it is possible that the analyst does not know if that executable file still exists elsewhere in the environment. With EDR, this information is readily available. By being able to view the other locations where threats exist, the security team can prioritize incidents for additional research and possible solutions.

Generating a clear picture of the overall security status of an organization also provides the advantage of being able to report on its compliance status. This information helps identify areas that may be vulnerable to attack. It also allows administrators to determine whether the scale of an attack has hit areas where sensitive data is housed. For example, if malware is detected that exfils data from the network, an analyst must determine whether the affected machines contain medical information that is subject to the GDPR (or BIO or NEN7510 etc.). An additional compliance benefit of innovative endpoint solutions is that it is also much easier to demonstrate that patient information is protected thanks to good visibility of the endpoint.

2. Detect attacks that have gone undetected

When it comes to cybersecurity, even the most advanced tools can be defeated with sufficient time and resources, making it difficult to really understand when attacks are taking place. Organizations often rely only on prevention to stay protected, and while prevention is critical, EDR provides an additional layer of detection capabilities to identify potentially undetected incidents.

Organizations can use EDR to detect attacks by searching for Indicators of Compromise (IOCs) – for example, IP addresses or URLs. This is a quick and easy way to search for attacks that may have been missed. For example, threat searches are often started after a third-party notification: a government agency (such as the NCSC-Cert) can inform an organization that there is suspicious activity in their network. The notification may be accompanied by a list of IOC's, which can be used as a starting point to determine what happened.

EDR solutions often provide a list of the main suspicious events so analysts know exactly what they should be investigating. Using machine learning, a list of the most suspicious events is presented, often ranked based on their threat score. This makes it easy for analysts to prioritize their workload and focus on key events.

Suspicious events also point to a common scenario in which analysts are asked to determine if something is truly malicious. This relates to activity that does not appear to be malicious enough to automatically classify as undesirable yet seems suspicious enough to warrant a deeper look or analysis. Many new code or scripts fall into a "gray area" where additional analysis is needed to confirm whether it is malicious, benign, or undesirable.

3. Respond more quickly to potential incidents

Once incidents are detected, IT and security teams typically try to address them as quickly as possible to reduce the risk of attack spread and mitigate potential damage. The most relevant question to be asked is how to get rid of each respective threat. On average, security and IT teams spend more than three hours on each incident. EDR can significantly accelerate this.

The first step an analyst could take during the incident response process is to stop the attack. An endpoint security including EDR is isolated on demand. This is an important step to prevent a threat from spreading further in the environment. Analysts often do this before doing research, buying time while determining the best course of action.

The research process can be slow and painful. This, of course, presupposes that an investigation is taking place at all. The response to incidents has traditionally depended heavily on highly trained human analysts. Most EDR tools also rely heavily on analysts to know which questions to ask and how to interpret the answers. With the new Endpoint Security including EDR, security teams of all levels can respond quickly to security incidents with guided investigations that provide proposed next steps as well as a clear visual representation of the attack and built-in expertise.

Guided incident response provides proposed next steps and on-demand endpoint isolation to resolve incidents quickly and safely. When an investigation is complete, analysts can respond with the click of a button. Quick response options include the ability to isolate endpoints for immediate recovery, clean and block files, and take forensic snapshots. If a file is accidentally blocked, it can be easily reversed.

4. Understand how an attack took place to prevent new attacks

Security analysts have recurring nightmares when they have suffered an attack: an executive shouted, "How did this happen?!" and they can only shrug their shoulders. Identifying and deleting malicious files solves the immediate problem, but it doesn't shed light on how it got there in the first place or what the attacker did before the attack was stopped.

"Threat cases" must identify all events that led to detection, making it easy to understand which files, processes, and registry keys have been touched by the malware to determine the impact of an attack. They provide a visual representation of the entire attack chain and provide accurate reporting on how the attack began and where the attacker went. More importantly, by understanding the cause of an attack, the IT team is much better at preventing future attacks.

Conclusion

As described above, EDR offers more knowledge, more insight and better protection against contemporary threats. Significant advantages are offered over the capabilities of traditional endpoint tools. The market is now mature, and it is a must for your organization to move from the often-reactive mode towards proactive protection.

What's Next?

In my next article I will go deeper into the specific differences within Endpoint Security, the challenges with standalone EDR solutions and the differences with a SIEM. In the third and final article of this security series, I will discuss the trend towards Cross Layer Detection and Response and SOAR solutions. In addition, I recommend what to look at when selecting and evaluating EDR tooling.

Optimize Your Endpoint Security Strategy

Looking to improve the Endpoint Management at your organization, but don’t know where to begin? SoftwareONE’s Managed Security services are here to support you. Learn more about how we can help you secure your most valuable assets.

Discover now
  • Cybersecurity User Awareness, Cybersecurity, Managed Security
  • Cyber-Crime, Cyber-Threats, Endpoint Management, Endpoint Security

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment

Author

William Jansen

William Jansen

Senior Solution Advisor Security

Related Articles

multilayer-edr-xdr-is-next
  • 24 November 2020
  • William Jansen
  • Managed Security, Cybersecurity User Awareness, Cybersecurity
  • Endpoint Security, Endpoint Management

Multilayer EDR (XDR) is Next

Most organizations don’t want to work with EDR due to the huge number of alerts to manage. Cross-layer EDR (XDR) can be the solution. Find out how.

Endpoint Security: What you need to know about "Next-Gen" EDR
  • 19 November 2020
  • William Jansen
  • Cybersecurity User Awareness, Cybersecurity, Managed Security
  • Endpoint Management, Endpoint Security

"Next-Gen" EDR

Combining EDR and SIEM might be the ideal way of fighting cyber security risks. But why isn’t EDR enough? Learn more about the challenges of standalone EDR and how it differs from SIEM.

security-is-not-privacy-ways-to-keep-personal-data-secure
  • 14 October 2020
  • Bala Sethunathan
  • Managed Security, Cybersecurity User Awareness, Cybersecurity
  • Data Security, Data Backup

Security is Not Privacy: Ways to Keep Personal Data Secure

Organizations must know the difference between data security and privacy, the ways your data could be compromised, and how to keep it secure.