Everything you need to know about Endpoint Detection and Response
The cybersecurity threats targeting organisations are ever-changing. Long gone are the days when deploying a good anti-virus solution (plus keeping it up to date), having robust firewalls, and an intrusion detection system was enough to protect end-user IT systems and their data. Modern cyber-protection requires tools and solutions that can keep up with the rapidly changing threat landscape and the cybercriminals driving that change.
Endpoint Detection and Response (EDR) solutions have emerged in response to the complexity of the endpoint IT space, and the evolving threats devices face. In this context devices include traditional PCs and laptops, plus other endpoints such as smartphones, tablets, IoT devices and sensors, and increasingly wearable technologies like smartwatches. All of these are connected directly to networks or are proxied via connected devices and data aggregators.
EDR solutions are available from many of the well-known cybersecurity tool vendors. Each aims to provide broad and deep protection against known, emerging, and unknown threats targeting endpoints. A typical EDR solution will block attacks and exploits, enable system patching to close known vulnerabilities, provide host-based firewalls on devices, blacklist internet domains to prevent malware and other infections, manage local admin rights, and deploy anti-virus and anti-malware protection.
EDR solutions are now an essential part of a multi-layered cybersecurity strategy that all businesses and organisations need to deploy. Gartner agrees, and they predict that by 2022 about 60% of all organisations will have deployed EDR protection. Renaissance's partners in this space supply best-of-breed EDR solutions. Give us a call if you want to find out more. Read on for a high-level overview of what a typical EDR solution offers.
EDR Solutions
EDR solutions take a multi-layered approach to endpoint security. They all aim to monitor activity on endpoints to detect attacks, or unusual activity that could signal an attack is starting. They then look to contain the detected threat and analyse it in real time; after the incident is resolved, that analysis also feeds lessons learned back into the organisation's precautions. The final task for EDR solutions is to eliminate the threat, either by stopping it before damage is done or by making it quick and easy to restore endpoint devices to a pre-attack state.
Detect Threats
Early detection of threats is core to EDR. Some threats are bound to get past perimeter cyber-protections, and it's vital to detect any abnormal activity on endpoints quickly, before the threat can spread and do damage. The adage that prevention is better than cure is apt here. Stopping an attack in its tracks is preferable to clearing up the mess after a successful cyberattack on endpoint devices.
Modern cyberattack methods are very stealthy. Some malware types, for instance, only operate in memory and don't write files to storage, so traditional disk-based malware scanners won't pick them up. Comprehensive EDR solutions will detect this type of attack, and many others that try to evade traditional detection methods.
Contain Threats
Any threats that are detected by an EDR solution need to be contained. Many cyberattacks aim to spread as quickly as possible once they have a toehold within devices. Any detected threat, attack, or atypical behaviour must result in the devices that are impacted being isolated to contain the threat. Often deception technologies are used in conjunction with EDR to trap attackers within dummy systems so that the attack vectors can be studied safely.
Attackers are increasingly adopting attack methods that operate slowly over time, rather than rapidly infecting many devices. They know that rapid infection will be spotted, so now they try to operate within compromised devices over weeks or months. EDR detection must spot these infections as well so that they can be contained.
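As an added illustration of the two detection problems just described (memory-only code with no file on disk, and low-and-slow activity that only stands out over hours), here is example detection logic run over constructed endpoint telemetry. This is not code from any EDR product or from this page's author; the event schema (ts, host, pid, image, type, dst) and thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real EDR data): one event per dict.
# "image" is the on-disk executable path, or None when the code runs only
# from memory; "dst" is the destination of an outbound connection.
TELEMETRY = [
    {"ts": 0, "host": "ws-01", "pid": 4101, "image": "C:\\Windows\\explorer.exe", "type": "process_start"},
    {"ts": 2, "host": "ws-01", "pid": 4102, "image": None, "type": "process_start"},
    {"ts": 10, "host": "ws-02", "pid": 880, "image": "C:\\Windows\\System32\\svchost.exe", "type": "process_start"},
] + [
    # ws-02 pid 880 contacts the same address every ~3600 s for six hours: a beacon.
    {"ts": 3600 * i + (i % 2), "host": "ws-02", "pid": 880, "type": "net_connect", "dst": "203.0.113.7"}
    for i in range(1, 7)
] + [
    # ws-01 explorer.exe talks to an update server at irregular times: benign.
    {"ts": t, "host": "ws-01", "pid": 4101, "type": "net_connect", "dst": "198.51.100.20"}
    for t in (30, 95, 700, 2400)
]

def detect_fileless(events):
    """Flag processes whose code has no backing file on disk (memory-only)."""
    return [(e["host"], e["pid"]) for e in events
            if e["type"] == "process_start" and e["image"] is None]

def detect_beacons(events, min_conns=6, min_span=4 * 3600, max_jitter=0.05):
    """Flag (host, pid, dst) tuples that connect at near-constant intervals over a long span."""
    series = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            series[(e["host"], e["pid"], e["dst"])].append(e["ts"])
    hits = []
    for key, ts in series.items():
        ts.sort()
        if len(ts) < min_conns or ts[-1] - ts[0] < min_span:
            continue  # too few connections, or not sustained long enough
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:  # low coefficient of variation = regular timing
            hits.append(key)
    return hits

def hosts_to_isolate(events):
    """Containment decision: every host with a detection gets network-isolated."""
    flagged = {h for h, _ in detect_fileless(events)}
    flagged |= {h for h, _, _ in detect_beacons(events)}
    return sorted(flagged)
```

The beacon rule deliberately needs a long observation window, which is why low-and-slow activity is only caught by retaining telemetry over hours or days rather than scanning a single snapshot.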
Analyse Threats
Any threat detected and contained needs to be analysed so that the way it got in can be found and any security holes closed. The analysis should be rapid to block current threats, plus in-depth over a more extended period to discover all the vulnerabilities that the attack highlights.
Increasingly, EDR solutions use machine learning techniques for the instant analysis of threats, with combined human and machine analysis used for the deeper dives. Deception technologies can play a vital role in the analysis stage. They can be used to let an attack operate in a sandboxed environment so that its behaviour can be observed, without the attackers knowing they are being watched.
Eliminate Threats
Eliminating threats is the logical last stage of any EDR solution and process. Any detected threats that are contained and then analysed need to be eliminated from the endpoint devices. This shouldn't be done until the contained threat is thoroughly investigated, so that any information that can help stop future attacks is captured first. Elimination techniques will vary depending on the attack vector, but the EDR solution will be able to get the endpoint devices back to a pre-attack state.
Conclusion
EDR solutions and tools are becoming a core pillar in any cybersecurity defence strategy. They are not a silver bullet but are part of the broader defences that need to be used. Perimeter protections such as those provided by EPP (Endpoint Protection Systems) that aim to stop threats getting on to devices are also required, as are tools like the deception technologies mentioned previously. But the benefits of a robust EDR solution to a business, in disruption avoided because threats to endpoints were detected, contained, and eliminated, are extensive in both the financial and reputational spheres through avoided downtime and data breaches.