By: Gilad David Maayan
Endpoints are the devices that connect to your network and are used to access it, including smartphones, laptops, routers, and Internet of Things (IoT) sensors. Endpoints let users reach the network from different physical locations and devices. That convenience becomes a risk when attackers compromise an endpoint and use it as their way into the network.
Read on to learn how to secure endpoints with EDR practices and tools.
Intro to EDR Technology
Endpoint Detection and Response (EDR) is a set of practices and tools you can use to monitor for and respond to threats on endpoint devices. EDR is designed to provide visibility into possible security incidents on the endpoints themselves, where most intrusions begin, rather than only at the network perimeter.
There are three components to EDR solutions:
- Data collection—endpoint activity is continuously monitored and logged. Data points include communications, logins, and process executions.
- Data aggregation—collected data is aggregated to a centralized store where it is analyzed and made visible to security teams.
- Detection engine—collected data is analyzed to identify suspicious events and trigger alerts for attack activity.
Different EDR solutions offer different features, but there are several features you should look for when making your choice. These include:
- Advanced behavioral monitoring
- Comprehensive data collection and malware sandboxing
- Controls to prevent users from adjusting or disabling protections
- Incident response capabilities
- Support for forensics and compliance auditing
What Types of Threats Does EDR Detect?
The detection engine in EDR solutions is capable of detecting incidents and activities that might otherwise be missed. These include:
- Incidents that can evade traditional tools—traditional detection tools rely on signatures and known characteristics to identify malware and attacks. Next-generation threats, such as fileless malware, are missed. Fileless malware runs in memory, often by abusing legitimate tools such as PowerShell or WMI, and writes little or nothing to disk, so file-based signatures have nothing to match. EDR solutions can instead correlate process, memory, and network events to detect these threats without a signature.
- Credential abuse—traditional tools cannot tell the difference between legitimate use of valid credentials and malicious use of the same credentials. EDR solutions build behavioral baselines (which hosts a user normally signs in to, when, and what they run there) and flag credential use that departs from that baseline.
- Low and slow attacks—once an attack bypasses perimeter defenses, it traditionally goes undetected. A conventional protection agent only evaluates data for the device on which it is installed. EDR systems, however, aggregate data from every endpoint into one store, which enables the detection of attacks through correlation of events that appear benign when viewed on a single device.
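The three EDR components above (collection, aggregation, detection) and the three threat classes just listed can be illustrated with a toy detection engine. The following is an added example, not code from the original article or from any EDR vendor: the telemetry records, the user baseline, and the rule thresholds are all constructed for illustration. It runs three rules over aggregated events from several hosts: a signature-less process-chain rule for a fileless pattern (an Office application spawning a script host with an encoded command), a credential-abuse rule that compares logins against a per-user baseline, and a cross-host correlation rule that catches one account touching many machines in a short window, which no single-host agent could see.

```python
"""Toy EDR detection engine: correlation rules over aggregated endpoint telemetry.

Added example; telemetry, baseline and thresholds are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Each record is what an endpoint agent would ship
# to the central store: host, timestamp, event type and event details.
TELEMETRY = [
    {"host": "ws-01", "ts": "2024-05-01T09:02:00", "type": "login", "user": "alice", "src": "ws-01"},
    {"host": "ws-01", "ts": "2024-05-01T09:05:10", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws-07", "ts": "2024-05-01T09:07:00", "type": "login", "user": "alice", "src": "ws-01"},
    {"host": "ws-12", "ts": "2024-05-01T09:09:30", "type": "login", "user": "alice", "src": "ws-01"},
    {"host": "ws-19", "ts": "2024-05-01T09:11:00", "type": "login", "user": "alice", "src": "ws-01"},
    {"host": "fs-02", "ts": "2024-05-01T09:13:45", "type": "login", "user": "alice", "src": "ws-01"},
    {"host": "ws-03", "ts": "2024-05-01T09:15:00", "type": "login", "user": "bob", "src": "ws-03"},
]

# Behavioral baseline: the hosts each user habitually signs in to. In a real
# deployment this is learned from weeks of history; here it is constructed.
BASELINE = {"alice": {"ws-01"}, "bob": {"ws-03"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def rule_office_spawns_script_host(events):
    """Signature-less rule: an Office app spawning a script host is a common
    fileless/LOLBin pattern; an encoded command line raises the severity."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS:
            severity = "high" if "-enc" in e["cmdline"].lower() else "medium"
            alerts.append({"rule": "office_spawns_script_host", "host": e["host"],
                           "severity": severity, "ts": e["ts"]})
    return alerts


def rule_login_outside_baseline(events, baseline):
    """Credential-abuse rule: valid credentials used on a host the user never uses."""
    return [{"rule": "login_outside_baseline", "host": e["host"], "user": e["user"], "ts": e["ts"]}
            for e in events
            if e["type"] == "login" and e["host"] not in baseline.get(e["user"], set())]


def rule_lateral_spread(events, min_hosts=4, window=timedelta(minutes=15)):
    """Cross-host correlation: one account reaching many distinct hosts within a
    short window. Each login looks benign on its own host; only the aggregated
    view reveals the pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "login":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_spread", "user": user,
                               "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one alert per user is enough
    return alerts


def run_detection(events, baseline):
    """The detection engine: every rule runs over the same aggregated store."""
    return (rule_office_spawns_script_host(events)
            + rule_login_outside_baseline(events, baseline)
            + rule_lateral_spread(events))


if __name__ == "__main__":
    for alert in run_detection(TELEMETRY, BASELINE):
        print(alert)
```

Note that the lateral-spread rule fires only because events from five hosts sit in one store; the same rule running on each agent separately would see a single login per host and stay silent. Thresholds such as `min_hosts=4` are tuning knobs, and in practice the baseline should also cover time of day and the processes a user normally runs, not just the host.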
5 Things You Didn’t Know About EDR
Although EDR is not a new technology, it has advanced significantly since the term was coined in 2013. Maybe you're new to the concept of EDR, or you are only familiar with its initial capabilities. Either way, below are five aspects of EDR you might not be aware of.
1. Proactive Approach
Organizations are increasingly dependent on technology, and the perimeter of the network continues to expand. This creates more attack surface for criminals and demands more than a purely reactive approach.
EDR solutions help you find exposed endpoints and early-stage attacker activity before an attack succeeds at breaching your systems. By continuously monitoring your devices, EDR can alert you in near real time when you are at risk. Many EDR products also apply machine learning to endpoint telemetry. Behavioral models can flag a threat that has no published signature yet, sometimes before the wider security community is aware it exists, although such models need tuning to keep false positives manageable.
2. Employee Safeguards
Employee actions present some of the greatest risks to an organization. For example, if a privileged employee responds to a phishing email with their credentials, they have handed attackers a key to your systems. Likewise, employees are frequently the source of malware infections: they may download unapproved software or carelessly open email attachments, infecting your systems.
EDR solutions can help you reduce the harm that employees can cause by restricting access and filtering traffic. You can use EDR solutions to prevent employees from accessing potentially dangerous sites. You can also use them to limit the networks from which employees can connect to your systems, for example by blocking public networks and only allowing connections over a virtual private network.
3. Scalability
As businesses grow, their networks expand. New workstations are added and frequently cloud services are adopted. Modern businesses are likely to have tens of thousands of endpoints in their network, all of which need simultaneous protection.
EDR solutions enable you to monitor and correlate data across your network, regardless of its size. Although an agent still runs on each device, these solutions aggregate and analyze data centrally, unlike traditional solutions in which each device's protection evaluates events in isolation. Additionally, there are many managed EDR options available. These can enable you to secure and monitor your systems 24/7 even if you do not have in-house staff to do so.
4. Whitelisting and Blacklisting Features
Whitelisting (allowlisting) and blacklisting (denylisting) features enable you to define what traffic and which applications are allowed and which are not. Whitelisting permits only the traffic or applications you have explicitly defined and blocks everything else, while blacklisting blocks only the traffic or applications you have defined and permits everything else. Whitelisting provides greater security because it blocks anything not already approved, so it does not require prior knowledge of a threat in order to stop it.
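The difference between the two modes is easiest to see in code. The following is an added example, not code from the original article or from any EDR product; the executable contents, the threat-intelligence feed format, and the domain list are all constructed for illustration. It evaluates an execution request by SHA-256 hash in either mode, shows that an allowlist blocks an unknown-bad binary with no prior knowledge while a denylist lets it run until an indicator arrives, and merges a constructed intel feed into the denylist, which is how many products keep blacklists current.

```python
"""Allowlist vs. denylist policy evaluation for endpoint control (added example).

Sample binaries, indicators and domains below are constructed, not real.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (not real binaries).
APPROVED_TOOL = b"MZ...approved corporate tool build 4.2"
UNKNOWN_TOOL = b"MZ...something a user downloaded"
KNOWN_BAD = b"MZ...sample later flagged by threat intel"


@dataclass
class Policy:
    mode: str                      # "allowlist" or "denylist"
    allowed_hashes: set = field(default_factory=set)
    denied_hashes: set = field(default_factory=set)
    denied_domains: set = field(default_factory=set)

    def ingest_intel(self, indicators):
        """Merge a threat-intel feed into the denylist.

        Feed format ({"type": ..., "value": ...}) is an assumption for this
        example; real feeds are usually STIX or a vendor-specific schema.
        """
        for ind in indicators:
            if ind["type"] == "sha256":
                self.denied_hashes.add(ind["value"].lower())
            elif ind["type"] == "domain":
                self.denied_domains.add(ind["value"].lower())

    def decide_exec(self, file_bytes: bytes) -> tuple:
        """Return (verdict, reason) for an execution request."""
        h = sha256_hex(file_bytes)
        if h in self.denied_hashes:          # an explicit block wins in either mode
            return "block", f"denylisted hash {h[:12]}"
        if self.mode == "allowlist":
            if h in self.allowed_hashes:
                return "allow", "on allowlist"
            return "block", "not on allowlist (default deny)"
        return "allow", "not on denylist (default allow)"

    def decide_connect(self, host: str) -> tuple:
        """Return (verdict, reason) for an outbound connection; a denied domain
        also covers its subdomains."""
        host = host.lower()
        for d in self.denied_domains:
            if host == d or host.endswith("." + d):
                return "block", f"matches denylisted domain {d}"
        return "allow", "no denylist match"


if __name__ == "__main__":
    strict = Policy(mode="allowlist", allowed_hashes={sha256_hex(APPROVED_TOOL)})
    lax = Policy(mode="denylist")
    for name, blob in [("approved", APPROVED_TOOL), ("unknown", UNKNOWN_TOOL), ("bad", KNOWN_BAD)]:
        print(f"{name:9} allowlist={strict.decide_exec(blob)[0]:5} denylist={lax.decide_exec(blob)[0]}")
    # An indicator arrives; only now does the denylist catch the bad sample.
    lax.ingest_intel([{"type": "sha256", "value": sha256_hex(KNOWN_BAD)},
                      {"type": "domain", "value": "evil.example"}])
    print("bad after intel:", lax.decide_exec(KNOWN_BAD))
    print("cdn.evil.example:", lax.decide_connect("cdn.evil.example"))
```

Hash-based allowlisting is the strictest form; products commonly also allow by code-signing publisher or installation path so that a routine software update does not require re-approving every binary. Whatever the identifier, the evaluation order shown here (explicit denies first, then the mode's default) is what keeps a compromised-but-approved tool blockable once intelligence about it arrives.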
EDR systems often come with both whitelisting and blacklisting features, enabling you to use each where appropriate. Some solutions even integrate threat intelligence sources, enabling you to automatically add threat details to blacklists as they are discovered.
5. Compatibility and Integration
Many EDR solutions are designed to integrate with your existing security tooling. This enables you to stack protections and to gain even greater visibility into your systems. For example, you can integrate EDR tools with malware analysis systems, security information and event management (SIEM) platforms, or threat hunting tools. By integrating tools, you can create feedback loops that continually improve your protections.
Another option available to you is to combine EDR with Integrated Cyber Security Orchestration Platforms (ICOPs). ICOPs combine tooling from a variety of vendors, bringing a wider assortment of technologies and threat information to your efforts. These toolsets can enable you to avoid vendor lock-in and ensure the greatest available protections.
EDR solutions and practices can help you gain improved visibility and protect your network from threats that originate at the endpoint level. Your EDR processes should proactively search for threats and work through an automated mechanism that alerts on and prevents malicious activity, based on a pre-configured yet actively updated policy. An automated process can help you maintain visibility 24/7 while supporting the efforts of your cybersecurity personnel.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.