
Why EDR Should Be a Part of Your Endpoint Protection Strategy

Published Aug 08, 2019

Image by Gerd Altmann from Pixabay

Most of the information about security solutions tends to talk about advanced prevention. However, large organizations are deploying Endpoint Detection and Response (EDR) products. This may seem puzzling, considering that most of these organizations boast their own Security Operations Centers (SOCs) with large security teams. Furthermore, many of them are investing in security analytics solutions such as network forensics or threat intelligence.
The reason lies in a shift toward a proactive mindset among cybersecurity analysts, who observe a sort of hamster wheel in threat prevention technology: the more popular a prevention technology becomes, the harder attackers work to overcome it.
This makes an endpoint detection and response solution helpful in bolstering a team's ability to proactively detect and block cyber attacks, using advanced behavior analytics to build their own prevention controls as needed. In this article, I'll explain the concept of EDR and its features, present use cases, and suggest what to look for when selecting a solution for your organization.

What Is EDR?

Gartner defines Endpoint Threat Detection and Response (ETDR), commonly known as Endpoint Detection and Response (EDR), as “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” EDR stands for:

  • Endpoint—a hardware device capable of connecting to the Internet on a TCP/IP network. Most connected devices fall into this category, from desktop computers, laptops, tablets and smartphones to specialized hardware such as Point of Sale terminals or smart meters, and even your Google Home or Alexa.
  • Detection—this technology detects threats on such endpoint devices, allowing security teams to quickly assess and respond to the attack.
  • Response—EDR solutions respond automatically to attacks at the device level, for example by quarantining the endpoint or blocking malicious processes.

The main feature of an EDR solution is to monitor endpoint devices, searching for threats and alerting security teams about indicators of compromise. This allows a real-time investigation of the cause and severity of an attack.

How Does EDR Work?

Put simply, EDR solutions collect data from endpoints, use that data to identify potential threats, raise alerts about them, and take “first aid measures” to contain the damage. The system uses three key mechanisms to achieve this goal:

  • Endpoint data collection—An advanced endpoint detection solution should collect and analyze disparate types of data such as endpoint logs, processes, network traffic, configuration changes, and file integrity changes.
  • Detection engine—the system uses behavioral analysis to determine a baseline of “normal” endpoint activity and thereby detect abnormal behavior. Next, it analyzes these anomalies for indicators of compromise.
  • Data recording—provides real-time data about the security incidents on endpoints, allowing a quick response by the security teams to mitigate it.
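The three mechanisms above, shown end to end as an added example (this is illustrative code, not the article's or any vendor's): a toy pipeline baselines process-start telemetry, flags (parent, image) pairs that fall outside the baseline, and records each alert together with the containment action the agent would apply. It also shows the allowlist filtering that the “Filtering” capability later in the article refers to, suppressing a known-benign pair so it does not add to alert fatigue. Every hostname, user and process name is constructed sample data, and the record fields are an assumption of this example rather than a real agent's schema.

```python
"""Toy EDR pipeline: collect -> baseline/detect -> record/respond.
Added example; the telemetry below is constructed, not captured data."""
from collections import Counter

# --- 1. Endpoint data collection -------------------------------------------
# One record per process start, in the shape an endpoint agent might forward.
# Field names are an assumption of this example, not a vendor schema.
BASELINE_EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-01", "user": "alice", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-02", "user": "bob", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-03", "user": "carol", "parent": "services.exe", "image": "svchost.exe"},
]

LIVE_EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws-03", "user": "svc-backup", "parent": "services.exe", "image": "backup-agent.exe"},
]

# Interpreters whose unexpected launch by a document handler is a classic IoC.
HIGH_RISK_IMAGES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe"}
MIN_SUPPORT = 2  # a (parent, image) pair must recur to count as "normal"

# --- 2. Detection engine ----------------------------------------------------
def build_baseline(events, min_support=MIN_SUPPORT):
    """Return the set of (parent, image) pairs seen often enough to be normal."""
    counts = Counter((e["parent"], e["image"]) for e in events)
    return {pair for pair, n in counts.items() if n >= min_support}

def score(event):
    """Severity: document handler spawning an interpreter is rated highest."""
    if event["parent"] in DOCUMENT_HANDLERS and event["image"] in HIGH_RISK_IMAGES:
        return "high"
    if event["image"] in HIGH_RISK_IMAGES:
        return "medium"
    return "low"

def detect(events, baseline, allowlist=frozenset()):
    """Flag events outside the baseline; allowlisted pairs are suppressed
    so known-benign tooling does not generate false positives."""
    alerts = []
    for e in events:
        pair = (e["parent"], e["image"])
        if pair in baseline or pair in allowlist:
            continue
        alerts.append({**e, "severity": score(e), "ioc": f"{pair[0]} -> {pair[1]}"})
    return alerts

# --- 3. Data recording and automated response -------------------------------
def respond(alert):
    """Map severity to the containment action the agent would apply."""
    actions = {"high": "isolate_host", "medium": "alert_analyst", "low": "record_only"}
    return actions[alert["severity"]]

def run_pipeline(baseline_events=BASELINE_EVENTS, live_events=LIVE_EVENTS, allowlist=frozenset()):
    """Full cycle: baseline -> detect -> respond, returning the incident log."""
    baseline = build_baseline(baseline_events)
    return [{**alert, "action": respond(alert)}
            for alert in detect(live_events, baseline, allowlist)]

if __name__ == "__main__":
    # The backup agent is known-benign, so its pair is allowlisted.
    for record in run_pipeline(allowlist={("services.exe", "backup-agent.exe")}):
        print(record)
```

Two design points carry over to a real product: the baseline is learned from observed activity rather than hard-coded, so the detection engine adapts to each environment, and the incident log keeps the full event alongside the action taken, which is the evidence the forensics and data-aggregation features described later depend on.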

EDR solutions use analytics tools for continuous monitoring and detection. However, not all EDR security solutions are the same—some focus on analyzing the agent, while others use a management console to monitor the backend.

EDR Features

Unlike other endpoint protection platforms, such as antivirus (AV) or anti-malware, EDR's focus is not just on stopping threats at the pre-execution stage on an endpoint. EDR takes a proactive approach, actively monitoring endpoints to discover indicators of compromise that can signal malicious behavior, thereby detecting advanced threats and broader attack campaigns spanning multiple endpoints.

Most EDR solutions have the following features:

  • Detect and prevent hidden threats—that evade traditional anti-virus such as Advanced Persistent Threats.
  • Visibility—of the security status of endpoints, including the applications, processes and communications, allowing detecting malicious activities in real-time.
  • Automation of alerts—and defensive responses, such as isolating affected devices or shutting off processes.
  • Forensic capabilities—to quickly grasp the attackers' techniques and methods in order to minimize the damage once an attacker is inside.
  • Data aggregation—allows you to build a repository of information that can be used to fine-tune incident response plans.

Until recently, organizations needed to combine several solutions to get all these capabilities into their security strategy. Nowadays, security vendors like Cynet are introducing all-in-one EDR offerings that simplify security by monitoring, blocking and responding to attacks through a single interface using behavior analytics.

To summarize, you can use EDR for:

  • Detecting threats before they wreak havoc in your network—Every second counts during an attack, so the sooner you detect a compromised endpoint, the better you can contain the damage. An EDR is useful to contain an attack against a number of endpoints.
  • Quick response across the network—an EDR solution can block and quarantine affected devices automatically, once an attack is validated while gathering the evidence for forensics use later.
  • Threat hunting—attackers work around security systems, most of the time without triggering alerts, lurking in the network while stealing data. An EDR doesn't wait until your perimeter is broken; it proactively hunts adversaries before they cause damage, looking for the signs of an attacker like a detective.

What to Look for in an EDR Solution

You have decided to buy an endpoint security solution for your organization because you want to leverage the benefits mentioned above. What do you need to look for? There are a number of solutions in a market that is growing exponentially, driven by increasing data breach incidents across leading companies.
Let’s review some key capabilities to look for in your next endpoint security solution:

  • Filtering—a high-quality solution will sift through false positives, only triggering an alert on a real threat, thus avoiding alert fatigue.
  • Advanced Threat Blocking—an efficient EDR will start blocking the threat the moment it is detected and continue throughout the life of the attack. A low-quality product blocks at the beginning and lowers its defenses after a while, letting persistent attacks overcome the security measures.
  • Incident response abilities—a solution with automatic response capabilities can prevent a minor breach from transforming into a meaningful data breach.
  • Multiple threat protection—sometimes attackers perform multiple types of attacks at once, overwhelming weaker endpoint security offerings. Therefore, the ability to handle multiple types of threats at the same time, such as ransomware, malware or denial of service, is critical.

Wrap Up

For enterprises requiring advanced threat protection, EDR is in high demand. The benefits gained through continuous visibility into all data activity make endpoint detection and response a valuable component of any security stack. If you know what to look for, you will be in a better position to choose the right EDR solution for your business.

Discover and read more posts from Gilad David Maayan