This article supplements the wiki entry “Virus scanner”, which explains what antivirus programs are, how virus scanners work and what advantages and disadvantages they have. It sheds light on Endpoint Detection and Response (EDR), a further development of virus scanners and endpoint protection that uses new technologies to keep pace with the evolution of malware.
What is EDR (Endpoint Detection and Response)?
Endpoint Detection and Response (EDR) is an advanced solution that is integrated with endpoint protection to provide continuous data collection, monitoring, automated analysis and response functions. It can protect endpoints against advanced malware, APTs and phishing attacks.
What kind of threat does it protect against?
EDR protects against malware, anomalous behavior and fileless attacks using advanced analytics. It also documents and tracks the tactics, techniques and procedures (TTPs) used, i.e. how the attackers entered and moved around the network.
Most organizations implement endpoint protection, which is a reactive security measure; integrating EDR adds proactive security. Even with the best solutions there is no 100% protection, but EDR makes access considerably harder for attackers because of the significantly increased effort and know-how required.
Some information collected by EDR:
1. Processes:
The analysis of processes provides information on the programs running on end devices. Malicious processes invoke other processes, and this information helps determine the parent process of a malicious process.
2. Network connections:
Information is collected on all active and pending connections.
3. System information:
Gathering information about end devices to identify abnormal system behavior. This information helps identify what has changed on a system in the event of an incident.
4. User information:
Gathering user information for machine learning can help determine a user's normal behavior and thus identify anomalies.
5. Autostart:
Monitoring of autostart entries. Autostart is one of the most widely used means of code execution and of attacking systems, as some malware tries to hide in the Windows startup process.
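The two data sources the list stresses most, process lineage and autostart entries, are easiest to understand on concrete telemetry. The following Python is an added example, not code from the original article or from any EDR product: it builds a process tree from constructed process-creation events, walks a process's parent chain back to its root, flags a well-known suspicious parent-child pair (an Office application spawning a command interpreter), and reports drift between a baseline and a current snapshot of autostart entries. The event field names (pid, ppid, image), the application lists and the registry-style autostart strings are all assumptions made up for the example.

```python
"""Toy EDR telemetry analysis: process lineage and autostart drift.

Added example, not from the original article. All events and autostart
entries below are constructed sample data; the field names are an assumption
about what an EDR agent would record.
"""
import ntpath
from typing import Dict, Iterable, List, Set, Tuple

# Constructed process-creation telemetry from one endpoint (pid, parent pid, image path).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 4,    "ppid": 0,    "image": "System"},
    {"pid": 600,  "ppid": 4,    "image": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 880,  "ppid": 600,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 1200, "ppid": 880,  "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 1340, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1400, "ppid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumed detection rule: document editors normally do not start command interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def index_by_pid(events: Iterable[Dict]) -> Dict[int, Dict]:
    """Process tree as a pid -> event map; each event carries its own parent pid."""
    return {e["pid"]: e for e in events}


def lineage(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image names from the given process up to the root, e.g. for a malicious process's ancestry."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse cycles
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def suspicious_spawns(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(child pid, parent image, child image) for every Office -> interpreter spawn."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p, c = image_name(parent["image"]), image_name(e["image"])
        if p in OFFICE_APPS and c in INTERPRETERS:
            hits.append((e["pid"], p, c))
    return hits


# Constructed autostart snapshots (registry Run-key entries as strings).
BASELINE_AUTOSTART: Set[str] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
}
CURRENT_AUTOSTART: Set[str] = BASELINE_AUTOSTART | {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",   # constructed new entry
}


def autostart_drift(baseline: Set[str], current: Set[str]) -> Dict[str, List[str]]:
    """Entries added to or removed from the autostart locations since the baseline was taken."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


if __name__ == "__main__":
    by_pid = index_by_pid(PROCESS_EVENTS)
    for pid, parent, child in suspicious_spawns(PROCESS_EVENTS):
        print(f"pid {pid}: {parent} -> {child}; ancestry: {' <- '.join(lineage(pid, by_pid))}")
    print(autostart_drift(BASELINE_AUTOSTART, CURRENT_AUTOSTART))
```

Running the script flags cmd.exe (pid 1340) as spawned by WINWORD.EXE and prints the full chain back to the System process, and reports the constructed "Updater" Run-key entry as newly added. In a real deployment the baseline would be captured per host when the agent is installed, and the parent-child rule set would be considerably larger than the two sets shown here.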
Endpoint Detection and Response capabilities
1. Collecting and monitoring:
The data is collected centrally for monitoring and used to detect threats. The collected data is useful for Security Operations Centers (SOC) and is used in incident response.
2. Alerting and prioritization:
If threats are detected, the IT security officers are alerted. When multiple threats occur, they are prioritized so that the threats can be averted effectively.
3. Visualization of the attack:
EDR offers the possibility of using correlated events to visualize the progress of the attack.
4. Automation and real-time response to threats:
If end devices do not comply with the guidelines or malware is discovered, EDR offers automated responses, such as isolating the affected end devices from the network or isolating an entire network segment.
5. Threat hunting:
An active search can find threats and prevent them from being exploited.
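Capabilities 2 to 4 above (prioritization, correlating events into an attack progression, and an automated response) fit together in one small pipeline. The following Python is an added example and not code from the original article or from any EDR product: it groups constructed alerts into a per-host timeline, scores each host from the severity of its alerts plus a bonus for how many distinct attack stages the correlated events span, orders hosts by that score, and maps the score to a response decision such as isolating the host. The alert fields, severity weights, stage names and thresholds are all assumptions made up for the example; the response is returned as a decision only and nothing is actually isolated.

```python
"""Toy alert correlation, prioritization and automated response decision.

Added example, not from the original article. Alerts, weights and the
response policy are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed severity weights used for prioritization.
SEVERITY = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed alerts from several endpoints; 'ts' is seconds since an arbitrary epoch,
# 'stage' is the phase of the attack the detection maps to.
ALERTS: List[Dict] = [
    {"ts": 100, "host": "ws-17",  "severity": "medium", "stage": "initial_access",   "desc": "phishing attachment opened"},
    {"ts": 130, "host": "ws-17",  "severity": "high",   "stage": "execution",        "desc": "office app spawned shell"},
    {"ts": 900, "host": "srv-db", "severity": "low",    "stage": "discovery",        "desc": "system info enumeration"},
    {"ts": 160, "host": "ws-17",  "severity": "high",   "stage": "lateral_movement", "desc": "remote service logon attempt"},
    {"ts": 50,  "host": "ws-03",  "severity": "low",    "stage": "discovery",        "desc": "system info enumeration"},
]

# Assumed response thresholds on the host score.
ISOLATE_AT = 15
NOTIFY_AT = 5


def correlate_by_host(alerts: List[Dict]) -> Dict[str, List[Dict]]:
    """Group alerts per host and order them in time: the timeline an analyst would visualize."""
    timelines: Dict[str, List[Dict]] = defaultdict(list)
    for a in alerts:
        timelines[a["host"]].append(a)
    for host in timelines:
        timelines[host].sort(key=lambda a: a["ts"])
    return dict(timelines)


def score_host(timeline: List[Dict]) -> int:
    """Sum of severity weights, plus 2 per additional distinct stage: a chain of stages
    on one host is stronger evidence of a progressing attack than isolated alerts."""
    base = sum(SEVERITY[a["severity"]] for a in timeline)
    stages = {a["stage"] for a in timeline}
    return base + 2 * (len(stages) - 1)


def prioritize(alerts: List[Dict]) -> List[Tuple[str, int]]:
    """Hosts ordered by descending score (ties broken by host name for a stable order)."""
    scored = [(host, score_host(tl)) for host, tl in correlate_by_host(alerts).items()]
    return sorted(scored, key=lambda hs: (-hs[1], hs[0]))


def response_action(score: int) -> str:
    """Map a host score to a response decision. Only the decision is returned here;
    a real EDR agent would carry out the isolation itself."""
    if score >= ISOLATE_AT:
        return "isolate_host"
    if score >= NOTIFY_AT:
        return "notify_analyst"
    return "record"


def attack_progression(timeline: List[Dict]) -> List[str]:
    """Ordered list of stages seen on a host, for a textual view of the attack's progress."""
    seen: List[str] = []
    for a in timeline:
        if a["stage"] not in seen:
            seen.append(a["stage"])
    return seen


if __name__ == "__main__":
    timelines = correlate_by_host(ALERTS)
    for host, score in prioritize(ALERTS):
        stages = " -> ".join(attack_progression(timelines[host]))
        print(f"{host}: score {score}, action {response_action(score)}, progression {stages}")
```

With the constructed data, ws-17 scores 21 (three alerts spanning initial access, execution and lateral movement) and gets the isolate decision, while the two hosts with a single low-severity discovery alert are merely recorded. The stage bonus is the part worth tuning in practice: it is what turns three medium findings into a high-priority incident when they form a chain on the same host.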
Areas of application of endpoint detection and response
Proactive detection of potential threats (cross-reference to “Network Traffic Analysis”)
Replacing regular endpoint protection in larger companies that run their own SOC
Subsequent analysis of incidents