A Beginner's Guide to EDR Security

Cyberattacks are growing in sophistication, requiring new solutions to protect your IT systems. Endpoint detection and response (EDR) is a modern approach to cybersecurity. Learn how EDR works.

Small businesses are increasingly targeted by cybercriminals. Last year, 66% of small businesses experienced a cyberattack. Increasingly, companies turn to endpoint security software to protect information technology (IT) networks.

Yet, a challenge remains. Cybercriminals employ so many tactics to circumvent your defenses, it’s not feasible to stop all attacks every time.

Today’s advanced security technology acknowledges this reality and includes the ability to address threats that sneak through your defenses. One of the most popular and effective approaches is endpoint detection and response (EDR).

What is endpoint detection and response (EDR)?

Endpoint detection and response is an increasingly popular security measure for one key reason: visibility. This is the essential element required to stop a cyberattack infecting your systems.

When an attack penetrates your defenses, alarm bells don’t go off. In fact, you’re not going to know an attack is happening for some time.

It takes businesses an average of 197 days, more than six months, to detect and stop an attack that slipped through endpoint security. This type of cyberattack, called an advanced persistent threat (APT), is complex and designed to inhabit your network undetected for lengthy periods of time.

Endpoint detection and response finds these elusive attacks. EDR involves continuous monitoring of your IT systems combined with automated data analysis to identify suspicious activity on your endpoints (the computing devices used on your IT network, including laptops, mobile phones, and servers).

EDR comprises detection, investigation, and response capabilities. Image source: Author

With EDR, your endpoints’ typical behavior becomes well understood. When that behavior changes due to an attack, you’re alerted and can act to contain the threat.

3 important elements of effective endpoint detection and response (EDR) security

These components are necessary for EDR security to succeed. These elements create the visibility required to identify and act on a security breach.

1. Data collection and storage

Every EDR solution relies on data as the foundational element to create the visibility to catch attacks. Two components comprise the data piece.

• Data collection: EDR security must continually monitor endpoints and collect telemetry (recording and transmitting the readings of the endpoint) in real time without interfering with normal system processes. This data includes a wide range of activities performed by your endpoints. System processes, network connections, and data transfers are among the insights collected. If endpoints implement unexpected behavior, it may indicate a possible attack.
• Data storage: Because the endpoint data collected is vast, most small businesses should plan to store this data in the cloud. A cloud-based threat database allows proper storage capacity as the collected data grows. It also allows you to combine endpoint data with threat intelligence, a repository of security threat information, to help you identify the signs of malicious activity.

2. Analytics and forensic capabilities

To identify potential attacks, EDR systems must sift through the collected endpoint data to flag anomalies. This investigation requires real-time analytics performed by automation and forensic tools employed by IT security professionals, such as threat hunters or a security operations center (SOC).

• Automated analytics: It’s impossible for humans to perform the initial data analysis. The volume of data is too massive. Instead, this data feeds into automated threat detection mechanisms, such as machine learning engines, to correlate network activity and behavior against threat intelligence. This technology looks for patterns signifying potential threats, such as indicators of compromise (IOCs) and indicators of attack (IOAs). An IOC is forensic data signaling a possible security breach. An IOA involves actions taken by cybercriminals to create an APT, such as hiding in computer memory.
• Forensic analysis: This involves humans examining the items flagged by automated analysis to validate whether a threat is present. For example, increased website traffic during odd hours or from suspicious geographies needs human insight to confirm it’s an issue. False positives can occur, such as a new computer script created by your IT team to automate processes. An EDR solution should support a mechanism for noting legitimate activity marked as a potential threat, such as adding these to a whitelist, to avoid subsequent flagging.

3. Fast response

Once analysis confirms a threat, your EDR must perform swift action. Quick response to security incidents helps you minimize or prevent damage such as stolen financial or customer data.

The incident response can range from sending out automated alerts and automatically logging out the endpoint user to shutting down network access and isolating the endpoint before an infection can spread. Any EDR technology you’re considering should support several response options you can adjust based on your needs.

How endpoint detection and response (EDR) works

Successful EDR security involves detection, triage, investigation, and remediation capabilities. These represent stages in filtering through endpoint data to target the cyber threat.

1. Detection

The EDR security process begins with threat detection. For an EDR’s automated systems to find threats, you install a software agent onto your endpoints to perform data collection.

The agent constantly monitors the endpoint and collects telemetry data, sending it to a central database where machine learning algorithms analyze the data for anomalies. Sudden changes in endpoint processes or user behaviors from normal conduct get flagged for further investigation.

Examples of suspicious activities include attempting to log in to an endpoint from a remote location, downloading certain types of software files, or disabling firewalls. EDR combines these signs of irregular behavior with the chain of events before and after to create a map of the executed processes.

With this broader context, combined with threat intelligence, EDR systems can evaluate the billions of events across your network to narrow down the activity indicative of a cyberattack.

2. Triage

EDR platforms notify IT staff of suspicious activity. They send alerts and provide dashboards and reports summarizing the results of algorithmic findings.

This is when the triage occurs. The IT team must eliminate the false positives. They also classify the alerts as known malicious activity, which immediately triggers the remediation stage, or unknowns for investigation.

The triage phase is the most challenging for IT teams. They are often overwhelmed with alerts, and the team can miss activity requiring deeper investigation.

To prevent this, IT teams must routinely review EDR detection criteria to address the following.

• False positives rate: Are too many false positives coming up? If so, why is this happening? One solution is to employ whitelists.
• Useful alerts: Fine tune detection mechanisms and alert notifications to ensure you’re receiving the alerting needed to help you act. You don’t want alerts to feel like spam because they’re too generic.
• Triage framework: It’s essential to establish a framework to clearly categorize alerts and understand the required actions to effectively execute the triage phase.

3. Investigation

The triage phase pares down the universe of detected anomalies to the unknowns, called leads. From there, it’s time to dig into the leads to confirm benign or malicious activity.

The IT team examines each lead using threat hunting techniques to collect additional context. This context enables better understanding of the activity and why it’s happening. For instance, an unfamiliar computer process executed on an endpoint could signify an attack or simply that an employee downloaded new software.

The key to the investigation stage is speed. You want to determine if unknown activity is malicious quickly to contain any damage.

Today’s cyberattacks employ lateral movement, a tactic that allows infections to move from one endpoint to others, rapidly infecting large parts of your network. A good EDR system accelerates the investigation phase, leading to faster response and remediation to contain lateral movement.

4. Remediation

Confirmed threats require a response so EDR platforms can automatically act.

Responses include tactics such as stopping any computer processes running on the infected endpoint and isolating the endpoint from the rest of your network. Some EDR solutions can automatically salvage files and data stored on the endpoint while removing the infection.

Part of remediation efforts involves your IT team determining the extent of the damage. Was customer data stolen? What network vulnerabilities need addressing?

Understanding the cybercriminal’s target and how the attack occurred allows you to take the proper actions. It also enables your team to collect specific knowledge to strengthen your network security.

The EDR process is like a funnel sifting through data to zoom in on threats. Image source: Author

FAQs

• Why is EDR important?

  Cyberattacks are evolving in sophistication and can sneak past traditional security protections. Phishing, ransomware, and polymorphic malware capable of changing itself to avoid detection are just some of the threats that circumvent security systems.

  EDR combats this by providing enhanced visibility into the state of your IT network. This visibility allows EDR solutions to find attacks fast, stopping them before damage occurs.

• What’s the difference between EDR and antivirus?

  EDR works hand-in-hand with antivirus protection. Antivirus, and other endpoint protection platform (EPP) capabilities, prevent cyberattacks by blocking them from infiltrating your IT network in the first place, like the walls of a castle.

  Once your defenses are breached, however, antivirus can’t help. The attacker found a vulnerability and sneaked in. Antivirus is incapable of addressing such attacks.

  EDR acts as an additional security layer to identify and stop the threats that broke through. In this way, EDR works in tandem with antivirus to provide holistic security.

• What is MDR, and how is it different from EDR?

  MDR (managed detection and response) is EDR performed by an external cyber security company. It’s an ideal solution for small businesses without the IT resources to conduct EDR in-house.

  MDR services deliver the benefits of EDR security, including 24-hour monitoring, threat hunting, and threat remediation. This frees your business from the need to staff your IT team with EDR experts.

A final word about EDR

It’s easy to view endpoint detection and response implementation as a low priority. You’d rather ensure threats can’t get past your security in the first place. But a single employee tricked into clicking on an emailed file can trigger an attack that bypasses your defenses.

EDR puts the power back into your hands. Rather than reactively cleaning up after a cyberattack and hoping sensitive information wasn’t stolen, use EDR to proactively find and stop attacks.

The proliferation of endpoints, such as tablets and smartwatches, combined with the increasing sophistication of cyberattacks makes EDR a key component of every organization’s IT security.