On modern networks there is an explosion in the number of endpoints, including physical and virtual workstations, servers, and cloud machine instances. Each endpoint is potentially vulnerable to attack, but security teams have limited access to endpoints, limited visibility into malicious activity taking place on an endpoint, and limited ability to reach out to an endpoint to investigate and contain an attack.
In recent years organizations have moved from legacy antivirus to more complete Endpoint Protection Platforms (EPP) to secure their endpoints. One important approach to endpoint security is Endpoint Detection and Response (EDR), which provides visibility into security incidents occurring on endpoints, so you can prevent damage and prevent future attacks.
Click here to learn more about Extended Detection and Response (XDR), the next stage in the evolution of EDR.
Endpoint Detection and Response (EDR) refers to practices and technologies used to monitor endpoint activity, identify threats, and respond to attacks by triggering automatic actions on the endpoint device. Anton Chuvakin of Gartner coined the term in 2013, with an emphasis on providing visibility into security incidents occurring on endpoints.
The main objectives of an EDR solution are to alert the security team to malicious activity and enable fast investigation and containment of endpoint attacks.
EDR solutions comprise three key mechanisms:
Endpoint Protection Platforms (EPP) provide both legacy antivirus (AV) and Next-Generation Antivirus (NGAV). Modern attack techniques can sidestep legacy antivirus, and NGAV provides additional protection, including non-signature-based measures such as behavioral analytics, AI, and deterministic modules.
However, if an attack occurs on an endpoint, and legacy AV and NGAV were not able to block it, security teams will find it challenging to address the situation. They may not know that a security incident is occurring on the endpoint, and will not have the forensic information necessary to investigate and respond to the attack.
Even with the most advanced measures, some attacks will succeed in compromising endpoints. EDR was developed with this realization, to help security teams quickly detect attacks on endpoints, and collect data in real time to facilitate response. EDR also enables remote control of the endpoint to contain the attack and prevent it from spreading further.
Today EDR is considered an inseparable part of endpoint protection, and many EPP solutions come with an integrated EDR component. EDR solutions can reduce incident response time when it comes to endpoint-targeted attacks, and increase the chances of detecting an attack and stopping it early before it spreads and causes damage.
By providing visibility into your endpoints, EDR solutions can help you detect threats that other endpoint security measures may have missed. These include:
EDR solutions work by identifying a security incident and help security teams mitigate it. The process typically involves the following steps:
EDR solutions attend exclusively to process behavior when triggering alerts. Organizations can use EDR tools against certain common Tactics, Techniques, and Procedures (TTPs) that attackers use, but EDR products are blind to other types of attacks.
Consider the example of credential theft. The most common method attackers use is dumping password hashes from memory with an open source or customized tool. Because this method produces anomalous process behavior, an EDR tool can recognize it. However, an attacker can obtain the same hashes by scraping the network traffic between two hosts, a method that produces no anomalous activity on the endpoint.
A second example is the attack technique of lateral movement. In this scenario, the attacker may compromise the credentials of several user accounts and log in to several hosts in the network. Here the anomaly is the user activity, not the process behavior. The EDR would therefore either see the attack without sufficient context, raising false positives, or not identify the attack at all. So although process data is essential, organizations cannot rely on it as the only source of their security data.
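The lateral-movement case above, as an added illustration that is not Cynet code: constructed logon events where no process-plane alert fires, but a user-activity view flags one account reaching an unusual number of distinct hosts in a short window. The event format, thresholds and host names are assumptions for the example.

```python
"""Constructed detection logic (example only, not a product's implementation).

Contrasts a process-behavior-only view with a user-activity view over the
same logon events: lateral movement shows up only on the user plane.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, destination host, process_alert).
# process_alert is True only if the endpoint's process monitor raised an alert.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "ws-01", False),
    ("2024-05-01T09:02:00", "alice", "ws-02", False),
    ("2024-05-01T09:03:00", "alice", "fs-01", False),
    ("2024-05-01T09:04:00", "alice", "db-01", False),
    ("2024-05-01T09:30:00", "bob", "ws-07", False),
    ("2024-05-01T14:00:00", "bob", "ws-07", False),
]


def process_plane_alerts(events):
    """Process-only view: users whose events carried a process alert."""
    return sorted({user for _, user, _, alert in events if alert})


def user_plane_alerts(events, max_hosts=3, window=timedelta(minutes=10)):
    """User-activity view: flag accounts that authenticate to more than
    `max_hosts` distinct hosts within a sliding time window, independent of
    whether any process alert fired on those hosts."""
    by_user = defaultdict(list)
    for ts, user, host, _ in events:
        by_user[user].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("process plane:", process_plane_alerts(EVENTS))   # nothing
    print("user plane:", user_plane_alerts(EVENTS))         # alice flagged
```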
Another limitation of EDR tools is that they are limited to endpoints and cannot help mitigate attacks or restore operations at the network or user level.
The Cynet 360 platform is a comprehensive security solution built to run across an organization's entire environment, not only its endpoints. To do so, Cynet 360 safeguards all attack surfaces by tracking three planes: network traffic, process behavior, and user activity. Attackers typically manifest on one or more of these three planes.
Continuous monitoring to detect and stop threats across this triad offers increased threat visibility. Organizations can monitor more stages of the attack lifecycle and so identify and block threats more effectively.
As a subset of these capabilities, Cynet employs EDR technology with the following capabilities:
Cynet 360 threat protection is not limited to attack detection and prevention. Using Cynet, organizations can proactively monitor their entire internal environment, including endpoints, network, files, and hosts. This helps organizations reduce their attack surface and the likelihood of further attacks. An organization's response to an active attack should contain the attacker's capabilities so that the attacker's presence can be eradicated completely. This requires disabling compromised users, deleting malicious files and processes, blocking attacker-controlled traffic, and isolating infected hosts.