
The Security Toolbox: Endpoint Detection and Response

This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.

As every security professional understands, securing and protecting servers, workstations, mobile devices, IoT devices, and anything else that may join an organization’s network is a full-time exercise in vigilance.

Security operations teams must also consider on-premises and offline environments, many locations, and the data that is continuously added through every endpoint.

A good solution for endpoint detection and response (EDR) support is invaluable in any Security Operations Center (SOC).

What should I look for in a good EDR solution?

There are two key areas for EDR: the solution architecture and the product capabilities.

EDR solution architecture consists of a server (or cloud) and agents installed on endpoints. The agents act as envoys, relaying everything that happens on an endpoint to their designated server or cloud.

EDR product capabilities should include gathering data from endpoints in real time, recording all activity and actions from every user and endpoint on the network, alerting security teams to threats, and providing reporting for investigative analysis. They should also be able to stop malicious activity by isolating files, breaking network connections, and containing damage to a minimum.

What should I expect from my EDR solution in the event of an attack?

A great EDR solution includes visibility, rapid response, and scalable threat-hunting capabilities, similar to those provided by VMware Carbon Black EDR.

Visibility must be comprehensive through real-time visualizations. Rapid response is just that: threats should be contained quickly and damage repaired and remediated. Finally, scalable threat hunting that incorporates automated watchlists and threat intelligence through machine learning is vital.

Good EDR solutions typically follow a well-known framework and best practices such as those defined by MITRE. MITRE ATT&CK has a one-stop interactive matrix detailing security techniques as a comprehensive resource for security professionals.

A solution is only as good as its usability, so look for something that is either familiar to your security team or a solution that can be installed with ease and managed through easy-to-understand training. An accelerated path to getting the full value of your solution can also include professional services.

Once we have an EDR solution, how can security teams learn to find threats?

To prepare for possible attacks, it’s important to rehearse real-time scenarios to be able to quickly recognize vulnerabilities in the case of a real attack. Threat-hunting simulations can help security professionals practice identifying threats, malicious code, and nefarious activity. Simulations can also be good team-building activities as security professionals collaborate to find threats in a gamified environment.

What are the common use cases for EDR?

  • Centralized access, monitoring, and recording: visibility in the SOC as well as an archive for all recorded data to use in breach investigations
  • Live response and remediation: a secure remote connection to kill processes, capture memory dumps, and remediate endpoints without physical access
  • Attack visualization: good visualizations for teams to identify a root cause of an attack, identify attacker behavior, and close security gaps
  • Automation: open application programming interfaces, or APIs, allow integration into an organization’s unique IT ecosystem and security stack
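To make the capabilities above concrete (real-time telemetry from agents, watchlists mapped to MITRE ATT&CK techniques, and a containment decision), here is a small added example of watchlist-driven triage over constructed endpoint events. It is illustrative code written for this post, not part of VMware Carbon Black EDR or any other product; the event shape, rule names and hostnames are assumptions.

```python
"""Minimal watchlist-driven EDR triage over constructed endpoint events."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

@dataclass(frozen=True)
class WatchlistRule:
    name: str
    technique: str                  # MITRE ATT&CK technique ID the rule maps to
    match: Callable[[Event], bool]  # predicate over one agent event
    isolate: bool                   # True: contain the host, not just alert

# Constructed sample telemetry, shaped like what an agent forwards to its server.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "proc": "winword.exe"},
    {"host": "ws-01", "user": "alice", "parent": "winword.exe", "proc": "powershell.exe"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe", "proc": "chrome.exe"},
    {"host": "srv-01", "user": "svc-backup", "parent": "services.exe",
     "proc": "procdump.exe", "target": "lsass.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# A watchlist: each entry is a behavioural rule tagged with its ATT&CK technique.
WATCHLIST: List[WatchlistRule] = [
    WatchlistRule("office-spawns-script-host", "T1059",
                  lambda e: e["parent"] in OFFICE_APPS and e["proc"] in SCRIPT_HOSTS,
                  isolate=False),   # alert for analyst triage
    WatchlistRule("lsass-memory-access", "T1003",
                  lambda e: e.get("target") == "lsass.exe",
                  isolate=True),    # credential access: contain immediately
]

def evaluate(events: List[Event], watchlist: List[WatchlistRule]) -> List[dict]:
    """Run every watchlist rule over every event; return the alerts raised."""
    alerts = []
    for ev in events:
        for rule in watchlist:
            if rule.match(ev):
                alerts.append({"host": ev["host"], "user": ev["user"], "rule": rule.name,
                               "technique": rule.technique, "isolate": rule.isolate})
    return alerts

def hosts_to_isolate(alerts: List[dict]) -> List[str]:
    """Containment plan: the distinct hosts whose alerts call for isolation."""
    return sorted({a["host"] for a in alerts if a["isolate"]})

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS, WATCHLIST)
    print(found, hosts_to_isolate(found))
```

A production watchlist would also record which rule fired for later breach investigation, which is the archive use case above.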

What is the role of user access and privilege management in EDR?

Because the great majority of breaches begin at an endpoint, managing user access should play a large role in any EDR implementation. A modern least privilege policy maintains that users should only have access to the specific resources they need to complete required tasks, and it’s imperative to EDR success.

This type of policy aligns with Zero Trust models and minimizes risk. In addition to a least-privilege policy, continuous monitoring of changes to end users is necessary so that privileges and access are adjusted to match each user's current role. Often overlooked, this last point is a common security gap and vulnerability that is easily remedied with enhanced vigilance and collaboration with the people management teams within an organization's IT environment.

Learn more about identity and access management in a previous post in The Security Toolbox series.

What about open-source EDR tools available at no cost?

While there are multiple EDR solutions and resources available online as open source, their reliability and safety are currently unknown and untested. However, some of these open source solutions have been developed or supported by established corporations and may provide an EDR option.

Learn more about security for your unique environment

Get the basics at-a-glance in this infographic. If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. You can also rehearse real-time scenarios and threat-hunting through our Cyber Defense Simulation service. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at [email protected] to learn more.

For more support, read the other blogs in this series: