EDR stands for Endpoint Detection and Response. The term first appeared in 2013 in an analysis by the research and consulting firm Gartner. Observing that attackers primarily target employee workstations, Gartner introduced the concept of “Endpoint Detection and Response” to designate a class of security solution that detects and remediates cyber threats targeting endpoints (workstations, servers).
How does an Endpoint Detection and Response solution work?
In recent years, companies have been the target of sophisticated attacks combining known threats with unknown ones (so-called zero-days or 0days, for which no patch or signature yet exists). These advanced threats, known as APTs (Advanced Persistent Threats), most often use several attack vectors simultaneously, ultimately allowing the attacker to compromise a first machine and then spread across the company’s information system. Faced with ransomware, phishing and spear-phishing emails, Trojan horses and spyware, traditional antivirus software could no longer stem the threat. And for good reason: antivirus and other signature-based EPPs (Endpoint Protection Platforms) can only detect threats that have already been observed and catalogued as malicious, and attacker groups have become masters in the art of concealment to evade this type of detection. Remember that in 2020, 1,600 companies around the world announced that they had been the target of a ransomware attack.
EDR vs antivirus
Because traditional antivirus software relies on a database of signatures, it cannot detect malicious code whose signature is not in its knowledge base. With the emergence of polymorphic malware (the same strain of malware, but a different fingerprint on every sample), the effectiveness of an antivirus scan has been greatly reduced. To address this problem, an EDR solution detects, analyzes, alerts on and neutralizes threats based on behavioral observation of the systems it covers: what a process does matters more than what its file hashes to. Rather than relying solely on a knowledge base, an EDR (Endpoint Detection and Response) solution has an autonomous analysis capability. In practice most EDR agents still keep a signature engine as a cheap first filter; the behavioral layer is what catches the samples that signatures miss.
EDR, a semi-autonomous detection capability.
Using supervised machine-learning models (AI) and behavioral analysis, an EDR searches the telemetry collected by its agent (process creations and command lines, registry and file changes, network connections, authentication events) for malicious behavior and anomalous scenarios. An EDR solution can, for example, detect the following scenarios:
- Compilation of an executable on the endpoint.
- Launch of a PowerShell command with obfuscated or encoded parameters.
- Modification of the Windows registry (for example, a Run key used for persistence).
- Execution of a macro from an email attachment, and the child processes it spawns.
- Unexpected or unwanted network connections.
- Access to sensitive data by an unauthorized individual.
- Password authentication from an unauthorized IP address.
EDR technology enables near-instantaneous remediation.
If a machine is infected, the EDR can remediate the threat automatically: removing the malicious file, stopping a running process (killing its PID), and so on. It thus provides a near-instantaneous response capability. Automatic actions should be scoped carefully, since a false positive that kills a legitimate process costs availability. Where human intervention is needed, the main EDR solutions also let an analyst open a remote shell on the infected machine and run commands directly for investigation and clean-up.
EDR vs XDR
EDR, a valuable asset for Threat Hunting but not to be used alone
The technical nature and rapid evolution of attacker techniques demonstrate the need for continuous research, analysis and mapping of these attack strategies. A standalone tool will never detect 100% of potential threats: if it has never previously mapped a similar strategy, the threat will not be detected. By collecting contextualized data (process trees, command lines, network connections), an EDR nevertheless provides valuable raw material for analyst teams to hunt with.
XDR to extend your ability to detect computer threats
At SEKOIA.IO, we provide our users (SOC teams) with an XDR platform combining “the power of a SIEM, the agility of SaaS and the efficiency of a SOAR, driven by intelligence”. Thanks to its ability to interconnect all your security solutions (on-premises or SaaS), you gain extended visibility over all security events occurring within your digital infrastructure. Then, actionable CTI (Cyber Threat Intelligence), materialized as indicators of compromise, combined with a real-time detection engine based on Sigma correlation rules, lets you detect the most recent threats, contextualize alerts and enrich your investigations into advanced attack scenarios. Finally, our playbooks let you automate a unified response to detected incidents from a single console.
If you would like to learn more about our XDR and CTI products, just click the button below.