Any device with a network IP address is an endpoint as long as it is allowed to interact with the organization's network.
Here are some key endpoint threats:
- Executable file packages (malware)
- Potentially unwanted applications (PUA), such as adware
- Ransomware, such as file-encrypting and disk-encrypting (wiper-style) variants
- Vulnerability-based attacks and file-based attacks, such as disguised documents (usually Office files that have been carefully crafted or modified to cause damage) and malicious scripts (usually malicious code hidden in legitimate programs and websites)
- Active attack techniques, including privilege escalation (the method by which an attacker gains additional access rights on a system), identity theft (theft of usernames and passwords), and hidden code (malicious code concealed inside legitimate applications), etc.
For roughly the past decade, endpoint security meant a single product: anti-virus software. As security threats evolved, the problems with traditional endpoint security products became more and more prominent: the response mechanism is passive. An organization can only perceive and capture a threat after it has already been attacked, add the threat's signature to the virus database, and then push an update so the engine can remove it.
Gartner's Anton Chuvakin first coined the term Endpoint Threat Detection and Response (ETDR) in July 2013 to define a tool for the "detection and investigation of suspicious activity (and its traces) on a host/endpoint". It was later commonly shortened to Endpoint Detection and Response (EDR). EDR helps to solve the problems above: unknown threats are very difficult to "see", so the key is to detect abnormal behavior. EDR continuously monitors endpoints, discovers abnormal behavior and intervenes in real time; it analyzes activity such as the operating system calls made by applications, detects and protects against unknown threats, uses machine learning and artificial intelligence to assist its judgments, and so handles what antivirus software alone cannot.
EDR definition
Endpoint detection and response is a proactive endpoint security solution that records endpoint and network events (such as user, file, process, registry, memory and network events) and stores this information either locally on the endpoint or in a centralized database. It combines known attack indicators (Indicators of Compromise, IOCs), a behavior-analysis database that continuously searches the collected data, and machine learning to monitor for any possible security threat and respond to it quickly. It also helps to investigate the scope of an attack quickly and provides response capabilities.
Some findings: an EDR solution must be able to detect fileless malicious activity; it must have scalable data management, data mining and analysis capabilities and detection techniques; and it must have an in-depth understanding of the attacker's ever-changing techniques.
Note: an attack indicator (IOC) is an indicator that can be used forensically after an intrusion. It is described in an XML document format that captures incident response information for many threats, including the attributes of virus files, the characteristics of registry changes, virtual memory, etc.
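The following is an added example, not code from the original article or from any EDR vendor, showing how an XML-described IOC of the kind the note mentions can be loaded and matched against recorded endpoint events. The XML layout, the indicator values and the sample events are all constructed for illustration; the hash is a placeholder and `beacon.invalid` uses a reserved TLD.

```python
"""Toy IOC matcher: load a small XML indicator document of the kind the note
above describes and scan recorded endpoint events for matches. Added example;
the XML layout, the indicator values and the events are all constructed for
illustration and are not any real vendor schema or real indicators."""
import xml.etree.ElementTree as ET

# Constructed IOC document covering a file attribute (hash), a registry
# change and a network indicator. All values are placeholders.
IOC_XML = """<ioc id="constructed-0001" description="sample dropper with Run-key persistence">
  <indicator type="file_sha256">0000000000000000000000000000000000000000000000000000000000000000</indicator>
  <indicator type="registry_key">HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater</indicator>
  <indicator type="domain">beacon.invalid</indicator>
</ioc>"""

# Constructed endpoint telemetry shaped like the events an EDR agent records.
SAMPLE_EVENTS = [
    {"type": "file_write", "host": "ws-01",
     "sha256": "0" * 64, "path": "C:\\Users\\alice\\Downloads\\update.exe"},
    {"type": "registry_set", "host": "ws-01",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"type": "dns_query", "host": "ws-02", "domain": "login.example.com"},
    {"type": "dns_query", "host": "ws-01", "domain": "beacon.invalid"},
]

# Which telemetry field each indicator type is compared against.
FIELD_FOR_TYPE = {"file_sha256": "sha256", "registry_key": "key", "domain": "domain"}

def load_indicators(xml_text):
    """Parse the IOC document into (ioc_id, {indicator_type: {lower-cased values}})."""
    root = ET.fromstring(xml_text)
    indicators = {}
    for ind in root.findall("indicator"):
        ind_type = ind.get("type")
        if ind_type not in FIELD_FOR_TYPE:
            continue  # ignore indicator types this scanner does not understand
        indicators.setdefault(ind_type, set()).add(ind.text.strip().lower())
    return root.get("id"), indicators

def scan_events(events, indicators):
    """Return one hit per event whose relevant field matches an indicator.
    Comparison is case-insensitive, as registry paths and hostnames are."""
    hits = []
    for ev in events:
        for ind_type, values in indicators.items():
            value = ev.get(FIELD_FOR_TYPE[ind_type])
            if value is not None and value.lower() in values:
                hits.append({"host": ev["host"], "event": ev["type"],
                             "indicator": ind_type, "value": value})
    return hits

if __name__ == "__main__":
    ioc_id, indicators = load_indicators(IOC_XML)
    for hit in scan_events(SAMPLE_EVENTS, indicators):
        print(ioc_id, hit)
```

Running it reports three hits, all on `ws-01`: the written file whose hash matches, the Run-key change, and the DNS query for the flagged domain. The second host's lookup of an unrelated domain produces nothing, which is the point of indicator matching: it is precise but only as good as the indicator list, which is why the article pairs IOCs with behavior analysis.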
Benefits Of Endpoint Detection and Response
Endpoint detection and response provides continuous visibility and control over all kinds of security threats, reduces the complexity of detecting and handling them, helps the security team respond to threats more quickly and intelligently, and is a powerful means of dealing with advanced persistent threats in cyberspace. Its advantages can be summarized as follows:
Identifying Attacks
EDR has an inherent advantage in accurately identifying attacks. The endpoint is the main battlefield of the offense-defense confrontation. Implementing defense on the endpoint through EDR allows security data to be collected more comprehensively, security threats to be identified accurately, the success or failure of an attack to be determined accurately, and the course of a security incident to be reconstructed accurately.
Threat Detection
EDR covers the entire life cycle of endpoint security defense. For each kind of security threat event, EDR can perform corresponding detection and response actions before, during and after the event. Before an incident occurs, it actively collects endpoint security data in real time and carries out targeted hardening; while an incident is occurring, it uses security engines such as abnormal-behavior detection and intelligent sandbox analysis to actively discover and block the threat; after an incident, it traces the source through the endpoint data.
Network Architectures
EDR is compatible with a wide range of network architectures. Endpoint detection and response adapts to traditional computer networks, cloud computing and edge computing, can be applied to all types of endpoints, and is not affected by network or data encryption.
Security Threats
EDR helps administrators respond to security threats intelligently. The discovery, isolation, repair, remediation, investigation, analysis and forensics of security threats can all be automated by EDR, which greatly reduces the complexity of detecting and handling threats and lets users respond to them more quickly and intelligently.
EDR and Security Analyst
No human involvement is required in the detection, path-analysis and lateral-movement phases. Analysis and interpretation of the collected data are still important, but not in the first few seconds after an event is detected. This strengthens protection of the network and lets security analysts investigate legitimate threats instead of sifting through false positives. Because EDR integrates the data into MalOps, problems are easier and more intuitive to understand, diagnose and remediate, which lets analysts investigate legitimate threats and provide solutions.
How does EDR work?
(1) Once the EDR technology is installed, it uses advanced algorithms to analyze the behavior of individual users on the system, allowing it to remember and connect their activities. (Detection)
(2) It perceives abnormal behavior by a specific user on your system. The data is immediately filtered, enriched and monitored for signs of malicious behavior. These signs trigger an alert, and an investigation begins to determine whether the attack is real.
(3) If malicious activity is detected, the algorithm tracks the attack path and reconstructs it back to the entry point.
(4) The technology then merges all the data points into a narrow category called a MalOp, making it easier for analysts to review. (Visualization)
(5) In the event of a real attack, the customer is notified and receives actionable response steps plus suggestions for further investigation and advanced evidence collection.
If it is a false alarm, the alert is closed, only the investigation record is added, and the customer is not notified.
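To make the five steps concrete, here is an added example that is not from the original article or from any EDR product. It runs a toy version of the whole pipeline over constructed process telemetry: a per-user baseline (step 1), anomaly detection with simple enrichment (step 2), tracing each finding back through parent processes to its entry point (step 3), grouping related findings into one MalOp (step 4) and deciding whether to notify or close as a false alarm (step 5). The event fields, the process chains and the two triage rules are assumptions made for illustration.

```python
"""Toy EDR pipeline that follows the five steps above: build a per-user
baseline, flag abnormal behaviour, trace the attack path back to its entry
point, group the findings into a MalOp and decide real attack vs false alarm.
Added example with constructed telemetry; field names, thresholds and the
two triage rules are assumptions, not any product's actual logic."""

def proc(eid, user, host, pid, ppid, image, path):
    return {"id": eid, "user": user, "host": host, "pid": pid,
            "ppid": ppid, "image": image, "path": path}

# Constructed baseline telemetry: what user alice normally runs.
BASELINE_EVENTS = [
    proc(1, "alice", "ws-01", 100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    proc(2, "alice", "ws-01", 110, 100, "outlook.exe", "C:\\Program Files\\Office\\outlook.exe"),
    proc(3, "alice", "ws-01", 120, 100, "winword.exe", "C:\\Program Files\\Office\\winword.exe"),
    proc(4, "alice", "ws-01", 130, 100, "chrome.exe", "C:\\Program Files\\Chrome\\chrome.exe"),
]

# Constructed live telemetry: a mail -> document -> script host -> dropped binary
# chain, plus one harmless first-time program (notepad) to show a false alarm.
LIVE_EVENTS = [
    proc(10, "alice", "ws-01", 200, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    proc(11, "alice", "ws-01", 210, 200, "outlook.exe", "C:\\Program Files\\Office\\outlook.exe"),
    proc(12, "alice", "ws-01", 220, 210, "winword.exe", "C:\\Program Files\\Office\\winword.exe"),
    proc(13, "alice", "ws-01", 230, 220, "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    proc(14, "alice", "ws-01", 240, 230, "svc.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
    proc(15, "alice", "ws-01", 250, 200, "notepad.exe", "C:\\Windows\\System32\\notepad.exe"),
]

DOC_CLIENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def build_baseline(events):
    """Step 1: remember which programs each user normally runs."""
    baseline = {}
    for ev in events:
        baseline.setdefault(ev["user"], set()).add(ev["image"])
    return baseline

def detect_anomalies(events, baseline):
    """Step 2: flag programs a user has never run before and enrich each hit
    with a simple sign: does the image live under a user-writable directory?"""
    hits = []
    for ev in events:
        if ev["image"] not in baseline.get(ev["user"], set()):
            hit = dict(ev)
            hit["user_writable_path"] = "\\Users\\" in ev["path"]
            hits.append(hit)
    return hits

def trace_to_entry(event, by_pid):
    """Step 3: follow parent links back to the tree root; returns root first."""
    chain = [event]
    while chain[-1]["ppid"] in by_pid:
        chain.append(by_pid[chain[-1]["ppid"]])
    return list(reversed(chain))

def build_malops(anomalies, by_pid):
    """Step 4: merge anomalies that share a topmost anomalous ancestor into one
    MalOp, keyed by host and that ancestor's pid."""
    flagged = {a["pid"] for a in anomalies}
    malops = {}
    for a in sorted(anomalies, key=lambda e: e["id"]):
        root, cur = a, a
        while cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            if cur["pid"] in flagged:
                root = cur
        malop = malops.setdefault((a["host"], root["pid"]), {
            "host": a["host"], "path": trace_to_entry(root, by_pid), "events": []})
        malop["events"].append(a)
    return list(malops.values())

def triage(malop):
    """Step 5: notify only on a real attack. Constructed rules: a mail/document
    client spawning a script host, or a flagged binary in a user-writable path."""
    images = [e["image"] for e in malop["path"]]
    doc_to_script = any(p in DOC_CLIENTS and c in SCRIPT_HOSTS
                        for p, c in zip(images, images[1:]))
    dropped = any(e["user_writable_path"] for e in malop["events"])
    entry = " -> ".join(images)
    if doc_to_script or dropped:
        return {"verdict": "real_attack", "notify": True, "entry_point": entry,
                "next_steps": ["isolate host " + malop["host"],
                               "collect memory and full process tree",
                               "retrieve the originating message or document"]}
    return {"verdict": "false_alarm", "notify": False, "entry_point": entry,
            "next_steps": ["record the investigation and close the alert"]}

def run_pipeline(baseline_events, live_events):
    baseline = build_baseline(baseline_events)
    anomalies = detect_anomalies(live_events, baseline)
    by_pid = {e["pid"]: e for e in live_events}
    return [triage(m) for m in build_malops(anomalies, by_pid)]

if __name__ == "__main__":
    for result in run_pipeline(BASELINE_EVENTS, LIVE_EVENTS):
        print(result["verdict"], "|", result["entry_point"], "|", result["next_steps"])
```

The run produces two MalOps. The first groups the script host and the binary it wrote under the user's profile, and its reconstructed path (`explorer.exe -> outlook.exe -> winword.exe -> powershell.exe`) points to the mail client as the entry point, so the customer is notified with response steps. The second contains only `notepad.exe`, a program alice had simply never used before; its path shows nothing beyond the desktop shell, so it is closed as a false alarm with an investigation record and no notification. The grouping is what keeps the analyst looking at one operation rather than at three separate alerts.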