The modern digital landscape is a battleground rife with adversaries ready and willing to go to great lengths to steal your data. Clever independent attackers and state-sponsored actors alike are deploying increasingly effective versions of cyber-attacks intended to intrude, infect, steal, evade, disrupt and destroy everything they touch. To defend themselves, many businesses are investing in a variety of technologies and techniques to mitigate these threats. Blocking, containing, obfuscating, authenticating, verifying, and filtering are all important control elements of network security.
However, the one that promises to do exactly ZERO of these things, Endpoint Detection and Response (EDR), may just be the most essential component.
The first task in any conflict is to identify and understand the adversary. You cannot combat what you cannot see. Many high-powered (read: high-cost) defensive network security measures do not offer much in the way of actionable intelligence. EDR solutions place a “secret agent” on each endpoint (i.e. desktop, laptop, or mobile device) that will covertly record and report any happenings on the device. These EDR agents generate intelligence and identify targets by monitoring activity and comparing activity with behavioral indicators of compromise.
Additionally, if more traditional types of security measures are circumvented, they will likely be disabled by the attacker for future engagements. When the dreaded breach incident occurs the Incident Response Team is left with little information to assess the threat and few resources that are effective at containing the breach.
The primary aim of EDR is to deliver 100% visibility into what is happening on your network, in real-time, on each and every endpoint. It doesn’t promise to block, contain, verify, or filter anything an attacker might do. The value of an EDR solution is its ability to hide deep in the operating system and report everything it sees while remaining as covert as possible. The information collected by an EDR solution is a critical component utilized by Incident Response Teams to make informed, intelligent decisions on containing and remediating attacks.
The three phases of EDR are described below in the diagram.
Phase 1: Collects the endpoint data. The goal is to gather as much relevant data on the endpoint as possible (registry entries, process creation, driver creation, etc.).
Phase 2: Communicates this data, covertly, to a central EDR management server to be analyzed and processed. In most cases the data will be encrypted and hidden in standard internet traffic.
Phase 3: Profiles and monitors data. This happens inside the EDR management server. Alerts are not generated for every event; doing so would quickly overwhelm IT resources and do more harm than good (known as Alert Fatigue). Instead, the management server profiles each endpoint individually, monitors it for behaviors that are indicative of infection, and alerts the administrator that further investigation is needed. Behavioral Analysis is the most effective method for identifying and alerting on Advanced Persistent Threats (APTs).
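To make the Phase 3 idea concrete, here is an added example (not code from the article or from any EDR vendor) of per-endpoint behavioral profiling over constructed process-creation telemetry: each endpoint gets its own baseline of parent/child process pairs, and only a deviation involving a script host (an assumed list) raises an alert, so the alert count stays far below the event count.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article): each record is
# (endpoint, parent_process, child_process) as an EDR agent would report it.
BASELINE_EVENTS = [
    ("ws-01", "explorer.exe", "winword.exe"),
    ("ws-01", "explorer.exe", "outlook.exe"),
    ("ws-01", "services.exe", "svchost.exe"),
    ("ws-02", "explorer.exe", "chrome.exe"),
    ("ws-02", "services.exe", "svchost.exe"),
    ("ws-02", "cmd.exe", "powershell.exe"),  # routine on this admin workstation
]

LIVE_EVENTS = [
    ("ws-01", "explorer.exe", "winword.exe"),    # already in ws-01's profile
    ("ws-01", "winword.exe", "powershell.exe"),  # never seen on ws-01
    ("ws-02", "cmd.exe", "powershell.exe"),      # normal for ws-02, so no alert
    ("ws-02", "explorer.exe", "notepad.exe"),    # new, but not a script host
]

# Assumed set of interpreters whose unexpected launch is worth an analyst's time.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def build_profiles(events):
    """Phase 3 profiling: the set of parent/child pairs seen on each endpoint."""
    profiles = defaultdict(set)
    for host, parent, child in events:
        profiles[host].add((parent, child))
    return profiles


def evaluate(profiles, events):
    """Return alerts only for events that deviate from their own endpoint's profile.

    Unseen pairs that do not involve a script host are learned silently, which is
    what keeps the alert volume manageable (the Alert Fatigue problem).
    """
    alerts = []
    for host, parent, child in events:
        pair = (parent, child)
        if pair in profiles[host]:
            continue                      # matches this endpoint's baseline
        if child in SCRIPT_HOSTS:
            alerts.append({"endpoint": host, "parent": parent, "child": child,
                           "reason": "script host launched by unprofiled parent"})
        else:
            profiles[host].add(pair)      # benign-looking novelty: extend profile
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_profiles(BASELINE_EVENTS), LIVE_EVENTS):
        print(alert)
```

Note that the same cmd.exe to powershell.exe pair is silent on ws-02 and would alert on ws-01, which is the point of profiling each endpoint individually rather than applying one global rule.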
When looking to implement an effective EDR solution, consider the following:
- Reporting type: Two primary types of reporting exist, stateful scan review and real-time reporting. If resources permit, real-time processing and reporting on events is the ideal solution. Reviewing stateful scans post-attack is time intensive and often yields fewer leads.
- Stealthiness: Attackers with the ability to circumvent firewalls and bypass authentication can surely disable a standard process running on an endpoint. During the initial testing of the solution, be sure to inspect the systems for any indicators of the EDR software; specifically new processes, drivers, and files that can be attributed to the software vendor. These indicators will alert an intruder to the presence of advanced monitoring software, and the intruder will adjust their attacks accordingly.
- Log Data Management: EDR solutions collect large amounts of data. When a potential incident is discovered the solution will begin analyzing data on the affected endpoint(s). How long can the solution retain the logs? How long do the incident logs need to be retained? Is the performance of querying the log data acceptable? Is log data capacity expandable? Is the log data transferable? These are important questions to answer before choosing a solution.
Whether your network is being bombarded by run-of-the-mill malware attacks or is the target of skillful state-sponsored actors, having real-time, actionable intelligence to combat modern threats is essential in the fight against cyber-criminals. Endpoint Detection and Response solutions greatly aid in effective incident response by illuminating attack sites, attacker activities, their means and their methods. So get your team together. Get your tool kits ready. It’s time to regain control of your network. Targets identified, fire for effect.