Endpoint Detection and Response : Why EDR ?
Antivirus limits without EDRs
Every day thousands of endpoints are compromised by hackers, whether they are beginners or professionals hired by governments. And it’s the latter that we’re interested in today: Advanced Persistent Threats (APTs). These advanced and persistent threats compromise machines to steal trade secrets and political secrets or disrupt a country’s entire power grid.
This is because these hackers use techniques that allow them to bypass historical antivirus programs that simply compare files’ signature to a database of known malicious files. This also means that any new strain of the virus will strike with force before it is recognized, analyzed, and passed on to all antivirus vendors for blocking. This is not the only weakness: to compare the signature, a file must be dropped. However, many techniques are available to ignore this point and perform malicious actions directly in memory, known as “file–less“ attacks, because they do not drop files but now execute commands.
Regardless of these advanced threats, legacy antivirus software lacks a crucial point in today’s security environment: correlation. We study and analyze attacks on a peer-to-peer basis, without a global view of the entire fleet. It is complex and time-consuming to recover the initial infection path.
Nevertheless, antivirus programs, and especially next-gen programs that do more than just compare files, can still block a considerable amount of malware. Many opportunists reuse or buy malware and vulnerabilities. We can always find some of them exploiting vulnerabilities that are more than 10 years old!
The power of EDR
In this context, EDR is a complementary security tool to the next-gen antivirus with which it works to block unknown threats (zero-day). It is a tool placed on the terminals and not at the network level of for information system (IS).
How does EDR work? The solution performs behavioral analysis and monitors the actions of a terminal. This allows, for example, to highlight file-less attacks that will execute PowerShell commands. If the user never uses them, the simple fact of seeing them appear, mostly encoded in base 64, will allow EDR to decide to block the program at the origin of the command and not only the command itself.
EDR is characterized by its detection, investigation, and remediation capabilities.
Detection
EDR can monitor the exploitation of security vulnerabilities by monitoring kernel calls and the various services usually targeted, especially in Windows. This monitoring capacity and event correlation allow it to recognize methods and habits that hackers have, which is more difficult to protect themselves against.
Behavioral analysis is another point studied by EDR, allowing it to recognize behaviors that deviate from a norm after a learning phase. Through this analysis, EDR can issue alerts that will be verified and reinforce learning. The interest of this technique is that it allows stopping an attacker in his momentum. If a PDF contains a script that opens PowerShell and opens a connection on a classic port of a server outside the IS, this action sequence will be considered abnormal and blocked by EDR. This visibility is a great strength of EDR because it allows remediation at the source of the infection.
Investigation
As mentioned above, EDR allows for the observation of action sequences with highly questionable results. This process visibility is an excellent help for investigation: actions are correlated and reported in a centralized platform that extends the practical learning from one job to all the others. Thus, if an attack is detected on five terminals, then the centralized console will bring down the information on all the others.
Thanks to this platform, the Security Operations Center (SOC) can know immediately how many workstations are affected and trace them: it is a formidable investigative tool that will interface with your Security Information and Event Management (SIEM), providing visibility on the terminals. Especially since your SOC will be able to use EDR to recover artifacts from the remote attack.
Remediation
In terms of remediation, EDR has similar capabilities to a next-generation antivirus, including blocking, deleting and quarantining files. Your security teams will also be able to rely on the tool to perform registry key cleaning or even for some to go in a quasi-surgical way in memory to correct the actions that malware may have undertaken. Also, some EDR allows Orange Cyberdefense SOC analysts to control a terminal that requires further investigation remotely.
EDR, but not only
EDR is not a stand-alone solution. It is an excellent complement that will integrate perfectly with a classic antivirus, SIEM, and network security. It extends the IS visibility to the endpoints, thus improving and developing the IS security and increasing SOC capabilities.