Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

  • provides:
    • real-time and historical visibility into a breach
    • containment of malware within a single host
    • remediation of a compromised host to its original state
  • managed from a cloud portal
  • uses AI/ML to perform user and entity behavior analysis
  • protects endpoint devices by collecting and analyzing data from endpoints to
    • detect, investigate, and respond to advanced threats that may bypass traditional security measures
  • use cases:
    • detects and responds to advanced persistent threats and ransomware
    • provides valuable forensic insight after a breach

EDR Components

  • EDR solution typically includes:
    • Centralized Security Monitoring Platform
      • where data is stored and analyzed
    • Endpoint Acquisition Points
      • endpoints that the platform acquires data from
    • Data Analysis Engine
      • where the data is analyzed and contextualized for real-time or historical decision-making

EDR Platform Capabilities

  • Malware Detection
    • the malware detection tool looks for specific malicious behavior rather than relying only on file signatures
  • URL Filtering
    • used to block access to malicious URLs often associated with phishing attacks
  • Honeypots
    • attract, monitor, and analyze suspicious activity
    • help to block it before it causes real damage
  • Monitoring
    • monitoring tools enable an org to track the activity of endpoints
    • e.g., system activity, application use, network activity, firewall rules
  • Orchestration
    • can orchestrate the activities of other security tools in response to suspicious activity or event triggers
  • Detect Emerging Threats
    • can detect new types of attacks by looking for new attack patterns on the network

Benefits of EDR Solutions

  • Detecting malicious activity
    • detects and analyzes malicious activity on endpoints
  • Improved incident response
    • security teams can develop proactive measures by leveraging real-time IR capabilities
  • Proactive prevention
    • EDR looks for patterns and behaviors indicative of an imminent threat
  • Risk assessment
    • real-time risk assessment capabilities help identify and analyze risk levels associated with various incidents
  • Incident investigation
    • allows security analysts to investigate incidents and accurately determine root cause

Extended Detection and Response (XDR)

  • Extended detection and response (XDR)
    • expands on EDR by providing broader visibility and response capabilities
    • extends protection beyond endpoints by incorporating data from:
      • the network
      • cloud platforms
      • email gateways
      • firewalls
      • and other essential infrastructure components

EDR as a Strategy

  • EDR is also a security strategy
    • focused on the identification, tracking, and response to threats on endpoints
  • differs from typical antivirus solutions
    • which focus solely on identifying and quarantining malware
  • provides a timeline or report of events that typically extends beyond the initial infection or intrusion
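The following is an added example written for these notes, not code from any EDR product. It is a miniature version of the pipeline described under "EDR Components", "EDR Platform Capabilities" and "EDR as a Strategy": endpoint agents report process, file and network events to a central store, an analysis engine runs behavior rules over them (an Office application spawning a command interpreter; a process writing to a Startup folder and then connecting to an external address), orchestration maps each detection to a response action, and a per-host timeline lets the analyst see what happened before and after the detection. All hosts, PIDs, paths, addresses and rule names are constructed for illustration, and the "internal address" test is a simplified RFC 1918 check rather than anything a real product uses.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: str      # ISO-8601 timestamp as reported by the endpoint agent
    host: str    # endpoint acquisition point that produced the event
    kind: str    # process_create | file_write | net_connect
    data: dict   # event-specific fields

@dataclass
class Detection:
    rule: str
    host: str
    ts: str
    evidence: list   # the Event objects that triggered the rule

# Constructed telemetry. ws-17 shows a Word document spawning PowerShell,
# which then writes a Startup shortcut and calls out to an external address.
# ws-22 uses the same tools benignly from an admin console session.
TELEMETRY = [
    Event("2024-05-02T09:00:01", "ws-17", "process_create",
          {"pid": 4101, "ppid": 812, "image": "WINWORD.EXE", "parent_image": "explorer.exe"}),
    Event("2024-05-02T09:00:07", "ws-17", "process_create",
          {"pid": 4122, "ppid": 4101, "image": "powershell.exe", "parent_image": "WINWORD.EXE",
           "cmdline": "powershell.exe -NoProfile -enc <omitted>"}),
    Event("2024-05-02T09:00:09", "ws-17", "file_write",
          {"pid": 4122, "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                                "\\Start Menu\\Programs\\Startup\\upd.lnk"}),
    Event("2024-05-02T09:00:12", "ws-17", "net_connect",
          {"pid": 4122, "dst": "203.0.113.5", "dport": 443}),
    Event("2024-05-02T09:01:00", "ws-17", "process_create",
          {"pid": 4150, "ppid": 812, "image": "chrome.exe", "parent_image": "explorer.exe"}),
    Event("2024-05-02T09:00:30", "ws-22", "process_create",
          {"pid": 900, "ppid": 700, "image": "powershell.exe", "parent_image": "cmd.exe"}),
    Event("2024-05-02T09:00:31", "ws-22", "net_connect",
          {"pid": 900, "dst": "10.0.0.8", "dport": 5985}),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
STARTUP_MARKER = "\\Start Menu\\Programs\\Startup\\"
# Simplified "internal" test: RFC 1918 only. ipaddress.is_private would also
# treat the documentation range used for the sample (203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def rule_office_spawns_shell(events):
    """Behavior rule: an Office application is the parent of a command interpreter."""
    return [Detection("office_app_spawned_shell", e.host, e.ts, [e])
            for e in events
            if e.kind == "process_create"
            and e.data.get("parent_image") in OFFICE_APPS
            and e.data.get("image") in SHELLS]

def rule_persist_then_beacon(events):
    """Behavior rule: one process writes to a Startup folder and connects to a non-internal address."""
    by_pid = defaultdict(list)
    for e in events:
        if e.kind in ("file_write", "net_connect"):
            by_pid[e.data["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        writes = [e for e in evs if e.kind == "file_write" and STARTUP_MARKER in e.data["path"]]
        beacons = [e for e in evs if e.kind == "net_connect" and not is_internal(e.data["dst"])]
        if writes and beacons:
            evidence = sorted(writes + beacons, key=lambda e: e.ts)
            hits.append(Detection("startup_persistence_then_external_connect",
                                  evidence[0].host, evidence[0].ts, evidence))
    return hits

RULES = [rule_office_spawns_shell, rule_persist_then_beacon]

def analyze(telemetry):
    """Analysis engine: group the central store by host, then run every rule per host."""
    per_host = defaultdict(list)
    for e in telemetry:
        per_host[e.host].append(e)
    detections = []
    for evs in per_host.values():
        evs.sort(key=lambda e: e.ts)
        for rule in RULES:
            detections.extend(rule(evs))
    return sorted(detections, key=lambda d: (d.ts, d.rule))

def plan_response(detections):
    """Orchestration: turn each detection into a response action (returned, not executed)."""
    actions = []
    for d in detections:
        pids = sorted({e.data["pid"] for e in d.evidence if "pid" in e.data})
        actions.append({"host": d.host, "rule": d.rule, "terminate_pids": pids, "isolate_host": True})
    return actions

def host_timeline(telemetry, host):
    """Analyst view: every event for the host in order, before and after any detection."""
    rows = []
    for e in sorted((e for e in telemetry if e.host == host), key=lambda e: e.ts):
        if e.kind == "process_create":
            detail = f"{e.data['parent_image']} -> {e.data['image']} (pid {e.data['pid']})"
        elif e.kind == "file_write":
            detail = f"pid {e.data['pid']} wrote {e.data['path']}"
        else:
            detail = f"pid {e.data['pid']} -> {e.data['dst']}:{e.data['dport']}"
        rows.append(f"{e.ts} {e.kind:15} {detail}")
    return rows

if __name__ == "__main__":
    found = analyze(TELEMETRY)
    for d in found:
        print(f"[{d.ts}] {d.host}: {d.rule} ({len(d.evidence)} events)")
    for action in plan_response(found):
        print("response:", action)
    print("\n".join(host_timeline(TELEMETRY, "ws-17")))
```

Both rules fire only on ws-17; ws-22 runs the same interpreter with an internal-only connection and no persistence write, so it produces no detection. That contrast is the point of behavior-based detection: the tool being used is not the signal, the sequence of actions around it is. The timeline for ws-17 starts with the Word launch at 09:00:01 and ends with an unrelated browser start a minute later, which is the "extends beyond the initial infection" view the notes describe.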