1 Introduction
Endpoint Detection & Response (EDR) solutions have become increasingly popular in the last few years as a means of helping security analysts determine whether other security mechanisms have failed, whether their systems have been attacked and compromised, and whether valuable data has been exfiltrated. Surveys show that 11% of cybersecurity breaches are targeted attacks, and 13% are acts of corporate espionage designed to steal state or trade secrets. Malware and account takeovers are involved in 48% and 14% of attacks respectively. Almost every industry and every level of government agency is under attack, so organizations are justified in looking for additional security tools to discover and thwart such attempts. A primary goal of EDR is to reduce the Mean Time To Respond (MTTR), given that many reports show attackers can dwell inside an organization for months before being detected.
EDR solutions look for evidence and effects of malware that may have slipped past Endpoint Protection (EPP) products and other security tools, such as email/web gateways. Security professionals refer to such data points as Indicators of Compromise (IOCs). Examples of IOC types include:
- File hashes (MD5 in older feeds; SHA-1 and SHA-256 in current ones)
- Known bad IPs and URLs
- File/process name mismatches (for example, a system binary's name running from a user-writable directory)
- Unusual application and network port usage
- Unusual process injections
- Module load point modifications
- Registry changes
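As an added illustration (not code from the original page or from F-Secure), the following script matches the IOC types listed above against a handful of constructed endpoint telemetry events. The IOC feeds, expected install directories, expected ports and autorun keys are all hypothetical values chosen for the example (the hashes are those of the public EICAR test file; the IP and URL use RFC 5737 / example.net reserved ranges).

```python
"""Atomic IOC matching over constructed endpoint telemetry.

Added example, not F-Secure code. All feeds and events below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

# --- Constructed IOC feeds (illustrative only) ---
BAD_HASHES = {
    # EICAR test-file digests: publicly documented and harmless, used as a stand-in
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},
    "sha256": {"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"},
}
BAD_IPS = {ipaddress.ip_address("198.51.100.23")}  # RFC 5737 documentation range
BAD_URLS = {"http://c2.example.net/gate.php"}
# Where well-known Windows system binaries legitimately live (lower-case)
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Ports an application is expected to use; anything else is "unusual port usage"
EXPECTED_PORTS = {"chrome.exe": {80, 443}, "outlook.exe": {25, 443, 587, 993}}
# Registry load points commonly abused for persistence (lower-case substrings)
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows nt\currentversion\winlogon",
)


@dataclass(frozen=True)
class Finding:
    event_id: int
    ioc_type: str
    detail: str


def _check_process(ev: dict) -> Iterable[Finding]:
    directory, name = ev["image"].rsplit("\\", 1)
    directory, name = directory.lower(), name.lower()
    for algo in ("md5", "sha256"):
        if ev.get(algo, "").lower() in BAD_HASHES[algo]:
            yield Finding(ev["id"], "known_bad_hash", f"{algo} {ev[algo]} for {ev['image']}")
    # Name/path mismatch: a system binary name launched from an unexpected directory
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        yield Finding(ev["id"], "name_path_mismatch", f"{name} launched from {directory}")


def _check_net(ev: dict) -> Iterable[Finding]:
    if ipaddress.ip_address(ev["dst_ip"]) in BAD_IPS:
        yield Finding(ev["id"], "known_bad_ip", ev["dst_ip"])
    if ev.get("url") in BAD_URLS:
        yield Finding(ev["id"], "known_bad_url", ev["url"])
    proc = ev["process"].lower()
    if proc in EXPECTED_PORTS and ev["dst_port"] not in EXPECTED_PORTS[proc]:
        yield Finding(ev["id"], "unusual_port", f"{proc} -> port {ev['dst_port']}")


def _check_reg(ev: dict) -> Iterable[Finding]:
    key = ev["key"].lower()
    if any(autorun in key for autorun in AUTORUN_KEYS):
        yield Finding(ev["id"], "autorun_modified", f"{ev['key']}\\{ev['value']} = {ev['data']}")


CHECKS: dict[str, Callable[[dict], Iterable[Finding]]] = {
    "process_create": _check_process,
    "net_connect": _check_net,
    "reg_set": _check_reg,
}


def evaluate(events: list[dict]) -> list[Finding]:
    """Run every applicable IOC check over a batch of telemetry events."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        if check is not None:
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry: one benign and one suspicious event of each kind
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"id": 2, "type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "md5": "44d88612fea8a8f36de82e1278abb02f"},
    {"id": 3, "type": "net_connect", "process": "chrome.exe", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"id": 4, "type": "net_connect", "process": "chrome.exe", "dst_ip": "198.51.100.23",
     "dst_port": 4444, "url": "http://c2.example.net/gate.php"},
    {"id": 5, "type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 6, "type": "reg_set", "key": r"HKCU\Software\Mozilla\Firefox", "value": "Locale", "data": "en-US"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.ioc_type}: {f.detail}")
```

Events 1, 3 and 6 produce nothing; event 2 trips both the hash feed and the name/path check, event 4 trips the IP, URL and port checks, and event 5 trips the autorun check. Hash-only matching is the weakest of these in practice, since a single byte change defeats it, which is why the behavioural checks matter.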
EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports, often complete with attribution theories and confidence levels. Key features of EDR products include:
- Host-based agents for detecting malware infection, command and control (C2) traffic, reconnaissance and lateral movement by bad actors, and data exfiltration attempts. As part of the detection process, EDR tools can also evaluate threat intelligence, correlate events, support interactive querying and live memory analysis, and record and play back endpoint activity. Machine Learning (ML) and Deep Learning (DL) algorithms can help establish baselines of normal behaviour and reduce false positives.
- A management console for collecting and analyzing information from deployed agents, producing alerts, and facilitating incident response, threat hunting, and forensic investigations.
- Automatic responses that can be configured on the console and executed by agents. Responses can include terminating processes, removing files, quarantining, memory analysis, forensic evidence collection, and full endpoint restoration.
- An interface to Security Information and Event Management (SIEM) systems.
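The event correlation and automatic response features above can be sketched in code. The example below is added here and is not F-Secure's code: it builds a process tree from constructed telemetry, flags a script host whose ancestry includes an Office application, escalates when that process makes an outbound connection shortly after starting, and maps each rule to a hypothetical response playbook. The rule names, time window and playbook actions are assumptions made for the example.

```python
"""Behavioural correlation over a process tree with a response playbook.

Added example, not F-Secure code. Events, rule names and playbook are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BEACON_WINDOW = timedelta(seconds=60)  # assumed: connection soon after start looks like a beacon

# Hypothetical playbook: which agent actions a console would trigger per rule
PLAYBOOK = {
    "office_spawned_shell": ["kill_process", "collect_evidence"],
    "office_spawned_shell_with_c2": ["kill_process", "isolate_host", "collect_evidence", "capture_memory"],
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    start: datetime


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    chain: tuple[str, ...]   # process lineage, child first
    response: tuple[str, ...]


def lineage(procs: dict[int, Proc], pid: int) -> tuple[str, ...]:
    """Walk parent links upward; the seen-set guards against pid reuse cycles."""
    chain: list[str] = []
    seen: set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return tuple(chain)


def correlate(process_events: list[dict], net_events: list[dict]) -> list[Alert]:
    procs = {
        e["pid"]: Proc(e["pid"], e["ppid"], e["image"].rsplit("\\", 1)[-1].lower(), e["ts"])
        for e in process_events
    }
    alerts: list[Alert] = []
    for p in procs.values():
        if p.name not in SCRIPT_HOSTS:
            continue
        chain = lineage(procs, p.pid)
        if not any(name in OFFICE_APPS for name in chain[1:]):
            continue  # script host, but not descended from an Office application
        beacons = [
            n for n in net_events
            if n["pid"] == p.pid and timedelta(0) <= n["ts"] - p.start <= BEACON_WINDOW
        ]
        rule = "office_spawned_shell_with_c2" if beacons else "office_spawned_shell"
        alerts.append(Alert(rule, p.pid, chain, tuple(PLAYBOOK[rule])))
    return alerts


# Constructed sample telemetry: a macro-style chain plus one benign shell from Explorer
T0 = datetime(2021, 1, 1, 9, 0, 0)
SAMPLE_PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",                        "ts": T0},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",  "ts": T0 + timedelta(seconds=1)},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",                    "ts": T0 + timedelta(seconds=5)},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ts": T0 + timedelta(seconds=6)},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",                    "ts": T0 + timedelta(seconds=30)},
]
SAMPLE_NET = [
    {"pid": 400, "dst_ip": "198.51.100.23", "dst_port": 443, "ts": T0 + timedelta(seconds=20)},
    {"pid": 500, "dst_ip": "203.0.113.9",   "dst_port": 443, "ts": T0 + timedelta(seconds=35)},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_PROCESSES, SAMPLE_NET):
        print(f"{a.rule}: pid {a.pid} chain={' <- '.join(a.chain)} response={a.response}")
```

The shell started directly from Explorer (pid 500) talks to the network too but never alerts, because the rule keys on lineage rather than on the connection alone; the PowerShell child (pid 400) is escalated to host isolation because it both descends from WINWORD.EXE and beacons within the window. Tuning that window and the parent/child sets is exactly the analyst work the next paragraph says ML does not remove.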
EDR solutions can provide additional insights into possible nefarious activities in your enterprise and can serve as a complement to other security tools. EDR is not a substitute for EPP, but rather a component of many modern security architectures, alongside EPP, email/web gateways, Network Threat Detection & Response (NTDR), and even Distributed Threat Deception tools.
EDR solutions require a special set of skills, not only to implement and run them but also to derive value from them. The inclusion of ML technology does not obviate the need for trained security analysts. Most organizations that successfully deploy EDR have a well-defined IT security organization and one or more Security Operations Centers (SOCs) staffed by knowledgeable security analysts. Such organizations would be categorized as at least Level 1 or 2 in the Hunting Maturity Model (HMM).
F-Secure is headquartered in Helsinki, Finland, with many offices and customers around the globe. The company was founded as Data Fellows in 1988, released its first Windows anti-virus product in 1994, and changed its name to F-Secure in 1999. F-Secure also publishes cybersecurity research and was one of the first anti-malware vendors to make a rootkit detection and removal tool, BlackLight, available, back in 2005. The company has won many awards from independent testers over the years.