For most commercial and government organizations, targeted attacks on the network infrastructure as a whole are becoming the main problem. Targeted attacks cover a range of multifaceted threats, from unique malware distribution methods to zero-day vulnerabilities and common methods of causing harm. Over the past few years, fileless attack methods have also become very popular, and they cause a lot of problems of their own.
A targeted attack almost always comes as a surprise to the information security department; noticing such an “attack” in time is very unlikely. Incidentally, this is exactly what the main concept of information security dominating the market today is aimed at: security technologies today are primarily preventive, and detection systems complement them by:
- Pinpointing malicious activity, which conventional antiviruses (EPP) can actively fight.
- Scanning for key vulnerabilities, for example with Tenable products.
However, even such solutions are sometimes not enough to ensure complete security, especially when it comes to targeted and complex attacks with multiple scenarios and adaptive tactics.
After all, individual access points to the system (server hardware, laptops, work PCs, smartphones, and tablets) must also be protected from unauthorized access by third parties. For attackers, these endpoints are a priority target, because they are the easiest way to penetrate the system: with physical (or remote) access to a device authorized on the network, you can do a lot. A strict policy of differentiating user access rights partially solves this problem.
But even then, a 100% level of safety cannot be achieved. To limit the likelihood of a threat, you have to use Endpoint Detection & Response (EDR).
What is EDR?
This is a separate cluster of solutions that can detect malicious activity at endpoints, such as:
- Gadgets associated with the Internet of Things.
- Portable devices for accessing the system, etc.
Antivirus software solves several typical tasks, namely the elimination of mass threats, whereas EDR tools are used to detect targeted threats and attacks. In other words, EDR is a highly specialized tool designed to identify targeted attacks and complex threats that conventional anti-virus software does not detect. Do not go to extremes and choose only one of them: protection must be comprehensive, and EDR does nothing to address the challenges that antivirus software (EPP) handles.
The converse is also true: EPP cannot replace EDR. EPP and EDR are two technologies aimed at ensuring security, but they are not interchangeable; they must be used in an integrated manner.
The architecture of EDR solutions is not as simple as it might seem. Traditionally, the entire system consists of dedicated agents installed on the server and at the endpoints of the system. It is the agent that monitors running processes, the actions of all users, and network communication channels, and the agent then transfers this information to cloud storage or a local server.
The EDR server module analyzes all the information received with algorithms built on machine learning technologies. The module also compares all data with the IoC database (database of indicators of compromise) and other available databases. If the system detects an event with signs of an incident, representatives of the organization’s security service are notified immediately.
Key features of EDR products
Modern EDR software solves a whole list of tasks at once:
- Blocking attacks.
- Identification of suspicious activity.
- Recording information.
- Collection of information from end devices.
Integration with other security solutions is very important because it allows security to be organized in companies that use a “motley” set of software: not only SIEM complexes but also other security software. In addition, EDR solutions can isolate any suspicious file, stop an atypical process in time, and even break the network connection, preventing intruders from accessing the endpoint.
Identifying and classifying suspicious activity is another powerful tool. Naturally, EDR solutions have modules that notify security personnel. Separate EDR components also track the behavior of programs and users, which allows a hijacked user account to be detected in time and disabled. Moreover, EDR solutions can be used when account access was obtained using social engineering methods.
Roughly speaking, EDR functionality is not limited to that of standard EPP tools.
Advantages of EDR vs. EPP
EPP is an endpoint protection platform. Such software is traditionally present in all companies, and it helps to protect against known threats. Up-to-date database updates reduce the exposure to unknown threats, but there is no absolute recipe here either. The key disadvantage of EPP complexes is their inability to detect malicious activity that does not match a signature. This is precisely the task EPP cannot cope with. A few examples are appropriate:
- Malicious software that does not store file bodies on the system.
- A previously unknown program for which no signatures have been prepared.
- Access through legitimate user accounts (detectable only at the level of behavior and actions).
EPP can’t handle these; they are a challenge for EDR. The two complexes complement each other and allow you to organize the protection of almost any infrastructure.
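The following added example (not code from the original article or from any EDR vendor) models the agent-to-server pipeline described earlier, where telemetry is matched against an IoC database and behavioral rules, and shows why the three cases above slip past a hash-only EPP check. The `Event` record, the IoC values, the account baseline, and the detection rules are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed IoC database (sample values, not real indicators): one known file hash, one known C2 domain.
IOC_HASHES = {hashlib.sha256(b"constructed-known-malware-sample").hexdigest()}
IOC_DOMAINS = {"c2.example.invalid"}
# Constructed behavioral baseline: the hosts each account normally signs in to.
USER_HOST_BASELINE = {"alice": {"ws-01"}, "bob": {"ws-02", "ws-03"}}

@dataclass
class Event:
    """One telemetry record an endpoint agent would ship to the EDR server."""
    host: str
    user: str
    process: str
    parent: str
    file_bytes: Optional[bytes] = None   # None for fileless execution: nothing on disk to hash
    dest_domain: Optional[str] = None

def epp_signature_scan(ev: Event) -> Optional[str]:
    """EPP-style check: only a file body can match a signature; a fileless event yields nothing."""
    if ev.file_bytes is None:
        return None
    return "known-malware" if hashlib.sha256(ev.file_bytes).hexdigest() in IOC_HASHES else None

def edr_analyze(ev: Event) -> List[str]:
    """Server-side EDR analysis: IoC matching plus behavioral rules over the agent's telemetry."""
    alerts = []
    sig = epp_signature_scan(ev)
    if sig:
        alerts.append(sig)
    if ev.dest_domain and ev.dest_domain.lower() in IOC_DOMAINS:
        alerts.append("ioc-domain")
    # Fileless pattern: an office application spawning a shell interpreter (no file to scan).
    if ev.parent.lower() in {"winword.exe", "excel.exe"} and ev.process.lower() in {"powershell.exe", "cmd.exe"}:
        alerts.append("office-spawns-shell")
    # Legitimate account used from a host outside its baseline: behavior, not signature.
    if ev.user in USER_HOST_BASELINE and ev.host not in USER_HOST_BASELINE[ev.user]:
        alerts.append("account-anomaly")
    return alerts

def demo() -> dict:
    """Constructed events (fileless, account misuse, benign); returns (EPP verdict, EDR alerts) per event."""
    events = {
        "fileless": Event("ws-01", "alice", "powershell.exe", "WINWORD.EXE", None, "c2.example.invalid"),
        "account":  Event("srv-09", "bob", "explorer.exe", "userinit.exe"),
        "benign":   Event("ws-02", "bob", "chrome.exe", "explorer.exe", b"chrome-binary", "example.com"),
    }
    return {name: (epp_signature_scan(ev), edr_analyze(ev)) for name, ev in events.items()}
```

In the fileless and account cases the EPP verdict is `None` while the EDR rules raise alerts; only the benign event passes both.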
Top EDR solutions in 2021
Not long ago, Gartner ranked the most popular products in its Peer Insights Customers’ Choice nomination. This is the choice of users: a diverse audience has widely appreciated all the software products presented in this category.
The Endpoint Threat Defense and Response solution from the developer McAfee is suitable for business users. This software package facilitates the work of specialists dealing with information security issues. State-of-the-art technology, advanced tools, and a simple administration interface: Malwarebytes Endpoint Protection has it all. The key benefits also include:
- Centralized control and response capability.
- Built-in threat neutralization kernel.
- Intelligent algorithm for exchanging information between different levels.
- Ease of use.
- ePolicy Orchestrator.
In addition, McAfee has a variety of dashboards to identify an emerging threat or vulnerability quickly. There is practically no end-user participation in ensuring security; it does everything automatically.
An extremely interesting software solution for protection. According to Gartner, the solution entered the market relatively recently, in 2013, and today it is the market leader. It features a fast development cycle and an amazing API. The main advantage of the solution is the ability to decrypt files after a ransomware attack; this is the only solution on the market that allows you to do something like this. Among the advantages of this solution, you can also highlight:
- Efficiency of deployment in the system.
- Cross-platform (the software can be deployed on almost any device).
- Deep analytics engine.
The solution has also proven itself and is actively used in many large companies around the world.
Intercept X from Sophos is a software product that combines rich functionality with fine-tuning of the detection mechanism. Its key advantages also include:
- Functionality that unites all data streams (from telemetry to the user’s network information and even their e-mail).
- An effective threat detection system.
- An algorithm that also tracks the traces of various attacks.
- Stopping ransomware.
With Sophos, you can also retrieve files from remote devices for analysis.
Attackers continue to use server hardware and workstations to infiltrate the system. EPP software was developed at a time when the threat landscape was completely different, and EPP-class systems today are frankly not enough to ensure complete safety. Therefore, in addition to EPP systems, today you also need to use EDR solutions to provide a high level of protection for infrastructure of any complexity.