EDR Cybersecurity: Unlocking the Black Box of Endpoint Protection
On modern networks there is an explosion in the number of endpoints, including physical and virtual workstations, servers, and cloud machine instances. Each endpoint is potentially vulnerable to attack, but security teams have limited access to endpoints, limited visibility into malicious activity taking place on an endpoint, and limited ability to reach out to an endpoint to investigate and contain an attack.
In recent years organizations have moved from legacy antivirus to more complete Endpoint Protection Platforms (EPP) to secure their endpoints. One important approach to endpoint security is Endpoint Detection and Response (EDR), which provides visibility into security incidents occurring on endpoints, so that teams can contain the damage and prevent repeat attacks.
Endpoint Detection and Response (EDR) refers to practices and technologies used to monitor endpoint activity, identify threats, and respond to attacks by triggering automatic actions on the endpoint device. Anton Chuvakin of Gartner coined the term in 2013, with an emphasis on providing visibility into security incidents occurring on endpoints.
The main objectives of an EDR solution are to alert the security team to malicious activity and enable fast investigation and containment of endpoint attacks.
EDR solutions comprise three key mechanisms:
Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins occurring on endpoints.
Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints.
Data recording—retains endpoint telemetry and makes it available to security teams in real time, so they can reconstruct and investigate incidents.
Endpoint Protection Platforms and the Need for EDR Security
Endpoint Protection Platforms (EPP) provide both legacy antivirus (AV) and Next-Generation Antivirus (NGAV). Modern attack techniques can sidestep signature-based legacy antivirus, and NGAV adds non-signature-based measures such as behavioral analytics, AI models, and deterministic rule-based modules.
However, if an attack occurs on an endpoint, and legacy AV and NGAV were not able to block it, security teams will find it challenging to address the situation. They may not know that a security incident is occurring on the endpoint, and will not have the forensic information necessary to investigate and respond to the attack.
Even with the most advanced measures, some attacks will succeed in compromising endpoints. EDR was developed with this realization, to help security teams quickly detect attacks on endpoints, and collect data in real time to facilitate response. EDR also enables remote control of the endpoint to contain the attack and prevent it from spreading further.
Today EDR is considered an inseparable part of endpoint protection, and many EPP solutions come with an integrated EDR component. EDR solutions can reduce incident response time when it comes to endpoint-targeted attacks, and increase the chances of detecting an attack and stopping it early before it spreads and causes damage.
What Types of Threats Does EDR Detect?
By providing visibility into your endpoints, EDR solutions can help you detect threats that other endpoint security measures may have missed. These include:
Malware that can evade legacy AV or NGAV—attackers are constantly developing new techniques. If the AV or NGAV on the device did not detect a new strain of malware, EDR can still detect signs that the device is infected.
Fileless attacks—fileless exploits don't write files to disk, so they can evade AV and, in some cases, NGAV as well. Even when EDR does not block a fileless attack outright, it can detect that an attack occurred and help security analysts investigate and mitigate it.
Insider threats and compromised accounts—malicious insiders or external attackers can use existing user accounts to cause damage. EDR can identify that a supposedly legitimate user is behaving in an anomalous way, indicating an account may have been compromised.
The EDR Process
Here is how EDR solutions identify a security incident and help security teams mitigate it. EDR tools typically go through the following steps:
Monitor endpoints—continuously collect telemetry from every endpoint device.
Use behavioral analysis to detect anomalies—establish a behavioral baseline for each device, detect activity that diverges from normal patterns, and flag it when the deviation exceeds an acceptable threshold and is probably malicious.
Quarantine affected endpoints and processes—as soon as a security incident is discovered, automatically isolate the endpoint device and stop the suspicious processes running on it.
Trace back to the attacker's original point of entry—compile data on the potential entry points of the attack, providing context beyond the activity on the current endpoint.
Provide information about the anomaly and suspected breach—give analysts everything they need to investigate the incident.
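The steps above can be followed end to end on a small piece of telemetry. The following is an added example written for this article, not code from any EDR product: it learns a per-host baseline of parent/child process pairs from a quiet period, scores new process-creation events against that baseline and a few behavioral rules, alerts once a score crosses a threshold, walks the parent-pid chain back to the first process that deviated from normal (the entry point), and drafts a containment plan. The event records, host names, pids, command lines, rule weights and threshold are all constructed for illustration; the record shape loosely follows Sysmon Event ID 1 fields.

```python
# Added example, not code from any EDR product: a toy pipeline that learns a process
# baseline, scores new events, alerts past a threshold, traces each alert back to its
# entry point and drafts a containment plan. Records are constructed here and shaped
# like Sysmon Event ID 1 fields (pid, parent pid, image, parent image, command line).
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str         # executable name of the new process
    parent_image: str  # executable name of the parent, as the sensor recorded it
    cmdline: str
    user: str


# Constructed quiet-day telemetry used to learn what normal looks like on each host.
BASELINE = [
    ProcEvent("ws01", 400, 1, "explorer.exe", "userinit.exe", "explorer.exe", "corp\\alice"),
    ProcEvent("ws01", 520, 400, "outlook.exe", "explorer.exe", "outlook.exe", "corp\\alice"),
    ProcEvent("ws01", 610, 400, "winword.exe", "explorer.exe", "winword.exe", "corp\\alice"),
    ProcEvent("ws02", 530, 401, "outlook.exe", "explorer.exe", "outlook.exe", "corp\\bob"),
    ProcEvent("ws02", 640, 530, "winword.exe", "outlook.exe", "winword.exe /n", "corp\\bob"),
]

# Constructed incident on ws01: a macro document opened from Outlook runs encoded
# PowerShell, which then loads a DLL from a world-writable folder.
INCIDENT = [
    ProcEvent("ws01", 400, 1, "explorer.exe", "userinit.exe", "explorer.exe", "corp\\alice"),
    ProcEvent("ws01", 520, 400, "outlook.exe", "explorer.exe", "outlook.exe", "corp\\alice"),
    ProcEvent("ws01", 910, 520, "winword.exe", "outlook.exe", 'winword.exe "invoice.docm"', "corp\\alice"),
    ProcEvent("ws01", 930, 910, "powershell.exe", "winword.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", "corp\\alice"),
    ProcEvent("ws01", 950, 930, "rundll32.exe", "powershell.exe",
              "rundll32.exe C:\\Users\\Public\\x.dll,Run", "corp\\alice"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
SUSPICIOUS_TOKENS = ("-enc", "-w hidden", "downloadstring", "frombase64string")
ALERT_THRESHOLD = 2  # illustrative; a real product tunes this per environment


def build_baseline(events):
    """Steps 1-2: the (parent, child) image pairs normally seen on each host."""
    pairs = defaultdict(set)
    for e in events:
        pairs[e.host].add((e.parent_image, e.image))
    return pairs


def score_event(e, baseline, flagged):
    """Score one process-creation event; higher means further from normal."""
    checks = [
        ((e.parent_image, e.image) not in baseline.get(e.host, set()), 1, "parent/child pair never seen on this host"),
        (e.parent_image in OFFICE_APPS and e.image in SCRIPT_HOSTS, 2, "script host spawned by an Office application"),
        (any(t in e.cmdline.lower() for t in SUSPICIOUS_TOKENS), 2, "suspicious command-line options"),
        ((e.host, e.ppid) in flagged, 2, "child of an already-flagged process"),
    ]
    return sum(w for hit, w, _ in checks if hit), [why for hit, _, why in checks if hit]


def trace_to_entry(events, alert):
    """Step 4: follow ppid links on the same host back to the root ancestor."""
    by_pid = {(e.host, e.pid): e for e in events}
    chain, cur, seen = [alert], alert, {(alert.host, alert.pid)}
    while (cur.host, cur.ppid) in by_pid and (cur.host, cur.ppid) not in seen:
        cur = by_pid[(cur.host, cur.ppid)]
        seen.add((cur.host, cur.pid))
        chain.append(cur)
    chain.reverse()  # root first
    return chain


def entry_point(chain, baseline):
    """Earliest ancestor whose creation already deviated from the host baseline."""
    for c in chain:
        if (c.parent_image, c.image) not in baseline.get(c.host, set()):
            return c
    return chain[0]


def analyze(baseline_events, live_events, threshold=ALERT_THRESHOLD):
    """Run the pipeline; one finding per process that crosses the threshold."""
    baseline = build_baseline(baseline_events)
    flagged, findings = set(), []
    for e in live_events:  # sensor order: a parent is always logged before its children
        score, reasons = score_event(e, baseline, flagged)
        if score < threshold:
            continue  # the novel but unremarkable winword.exe launch stays below it
        flagged.add((e.host, e.pid))
        chain = trace_to_entry(live_events, e)
        entry = entry_point(chain, baseline)
        findings.append({
            "host": e.host, "pid": e.pid, "image": e.image, "score": score,
            "reasons": reasons, "chain": [c.image for c in chain],
            "entry_pid": entry.pid, "entry_cmdline": entry.cmdline,
            # Step 3 containment plan: isolate the host, kill the chain from the entry down.
            "contain": {"isolate_host": e.host,
                        "kill_pids": [c.pid for c in chain[chain.index(entry):]]},
        })
    return findings
```

Calling analyze(BASELINE, INCIDENT) produces two findings: powershell.exe (score 5) and its rundll32.exe child (score 3, partly because its parent was already flagged). The winword.exe launch from Outlook is novel on ws01 but scores only 1, so it never alerts by itself; it is still identified as the entry point (pid 910, command line 'winword.exe "invoice.docm"') once its child crosses the threshold, and the containment plan isolates ws01 and kills the chain from that pid downward. Replaying BASELINE against itself produces no findings, which is the sanity check any baseline-driven detector should pass.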
Cynet: EDR Security and More
EDR solutions focus on the process behavior that triggers alerts. That covers a useful share of the common tactics, techniques, and procedures (TTPs) attackers use, but EDR products are blind to attacks that do not show up as anomalous process activity.
Take credential theft. The most common method is to dump password hashes from memory with an open source or custom tool. That involves anomalous process behavior (for example, an unusual process reading the memory of the authentication subsystem), so an EDR tool can recognize it. An attacker can obtain the same hashes by capturing the authentication traffic between two hosts, which produces no anomalous process activity on either monitored endpoint.
Lateral movement is a second example. Here the attacker has compromised several user accounts and uses them to log on to several hosts in the network. The anomaly is in the user activity, not in any single process: each logon looks ordinary on the host that records it. The EDR therefore either sees pieces of the attack without enough context to tell them apart from routine administration, or does not identify the attack at all. Process data is essential, but organizations cannot rely on it as their only source of security data.
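To make the lateral movement case concrete, here is an added example (not Cynet's code or any product's) that correlates logon records across hosts rather than looking at process behavior. The records are constructed and shaped like the fields of a Windows Security event 4624 (account, source workstation, target host, LogonType); the host names, timestamps, 15-minute window and three-host threshold are illustrative assumptions. It also shows what a single endpoint sees of the same activity, which is the gap the text describes.

```python
# Added example, not code from any product: correlate logons across hosts to spot an
# account fanning out to unfamiliar machines. Records are constructed and shaped like
# Windows Security event 4624 fields (account, source workstation, target host, LogonType).
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src_host: str    # workstation the session came from
    dst_host: str    # host that recorded the logon
    logon_type: int  # 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP)


def t(hhmm):
    """Timestamp helper for the constructed sample day."""
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed quiet-period logons: each account touches its own workstation and a file server.
BASELINE = [
    Logon(t("08:55"), "corp\\alice", "ws01", "ws01", 2),
    Logon(t("08:57"), "corp\\alice", "ws01", "file01", 3),
    Logon(t("09:01"), "corp\\bob", "ws02", "ws02", 2),
    Logon(t("09:03"), "corp\\bob", "ws02", "file01", 3),
]

# Constructed incident: bob's credentials are replayed from ws02 against several hosts.
INCIDENT = [
    Logon(t("09:00"), "corp\\bob", "ws02", "ws02", 2),
    Logon(t("09:02"), "corp\\bob", "ws02", "file01", 3),
    Logon(t("09:05"), "corp\\alice", "ws01", "file01", 3),
    Logon(t("09:10"), "corp\\bob", "ws02", "ws03", 3),
    Logon(t("09:11"), "corp\\bob", "ws02", "ws04", 3),
    Logon(t("09:11"), "corp\\bob", "ws02", "ws05", 3),
    Logon(t("09:13"), "corp\\bob", "ws02", "db01", 3),
    Logon(t("09:40"), "corp\\bob", "ws02", "ws06", 3),  # isolated, outside the burst
]


def usual_hosts(events):
    """Per-account set of hosts the account normally logs on to."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.user].add(e.dst_host)
    return hosts


def endpoint_view(events, host):
    """What an EDR sensor on one host sees: only the logons recorded on that host."""
    return [e for e in events if e.dst_host == host]


def detect_lateral_movement(baseline_events, live_events,
                            window=timedelta(minutes=15), min_new_hosts=3):
    """Flag accounts that reach min_new_hosts or more unfamiliar hosts inside one window."""
    usual = usual_hosts(baseline_events)
    novel = defaultdict(list)
    for e in sorted(live_events, key=lambda x: x.ts):
        if e.dst_host not in usual.get(e.user, set()):
            novel[e.user].append(e)
    findings = []
    for user, evs in novel.items():
        best = []  # the sliding window with the most distinct unfamiliar hosts
        for i, end in enumerate(evs):
            win = [x for x in evs[:i + 1] if end.ts - x.ts <= window]
            if len({x.dst_host for x in win}) > len({x.dst_host for x in best}):
                best = win
        hosts = sorted({x.dst_host for x in best})
        if len(hosts) >= min_new_hosts:
            findings.append({
                "user": user,
                "pivot_hosts": sorted({x.src_host for x in best}),
                "new_hosts": hosts,
                "first_seen": best[0].ts,
                "last_seen": best[-1].ts,
                "logon_types": sorted({x.logon_type for x in best}),
            })
    return findings
```

endpoint_view(INCIDENT, "ws04") returns a single network logon by corp\bob, which is all the sensor on ws04 can see and nothing an endpoint-local rule can reasonably object to. detect_lateral_movement(BASELINE, INCIDENT) instead reports one finding: corp\bob reaching four unfamiliar hosts (db01, ws03, ws04, ws05) from ws02 within three minutes, with the lone 09:40 logon to ws06 correctly left out of the burst. The correlation only works because logon records from every host and a per-account baseline are available in one place.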
Another limitation of EDR tools is that they are limited to endpoints and cannot help mitigate attacks or restore operations at the network or user level.
Cynet 360 holistic cybersecurity solution
The Cynet 360 platform is a comprehensive security solution designed to run across an organization's entire environment, not only its endpoints. To do so, Cynet 360 safeguards all attack surfaces by tracking three planes: network traffic, process behavior, and user activity. Attackers typically manifest on one or more of these planes.
Continuous monitoring to detect and stop threats across this triad offers greater threat visibility. Organizations can monitor more stages of the attack lifecycle and so identify and block threats more effectively.
As a subset of these capabilities, Cynet employs EDR technology with the following capabilities:
Advanced endpoint threat detection—full visibility into endpoint activity through continuous monitoring and behavioral analysis, including an assessment of how an attacker is likely to operate.
Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This lets you confirm a threat before responding to it, reducing dwell time and speeding remediation.
Rapid deployment and response— deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.
Cynet 360 threat protection is not limited to attack detection and prevention. Using Cynet, organizations can proactively monitor their entire internal environment, including endpoints, network, files, and hosts, which helps reduce their attack surface and the likelihood of repeated attacks. An organization's response to an active attack should constrain the attacker's capabilities and then eradicate the attacker's presence completely. This requires disabling compromised users, deleting malicious files and killing malicious processes, blocking attacker-controlled traffic, and isolating infected hosts.