
Stealth is the new risk

And the unique protection from EDR

EDR, a digital guardian

Endpoint Detection and Response is like having a cyber-guardian inside your laptops and desktops trained on users’ regular behavior (so as to catch criminal activity)

Traditionally, security was added at the perimeter – things like firewalls, passwords, MFA, etc. – creating a cordoned-off area in which we could get on with our work. What Bryley’s seeing lately are attempted attacks disguised as legitimate software. As an example, Endpoint Detection and Response (EDR) recently helped Bryley stop a data-exfiltration attempt that used two pieces of legitimate software: rclone (a file-copying program) and Chrome Remote Desktop. Traditional perimeter defenses, dependable as they’ve been for years, would not be aware of good software being misused like this.

EDR at its core takes a behavioral approach to attacks. It watches systems for suspicious activities – like when a program suddenly attempts to encrypt dozens of files or when an unusual network connection appears during non-work hours.

EDR performs these core functions:

  • Detection of anomalous behavior on desktops and laptops
  • Analysis of suspicious activity
  • Blocking the attack, in many cases before damage occurs

Detection

Bryley’s EDR is tasked with continuously gathering activity data from your endpoints. This data includes file modifications, settings changes, and user-access permission changes. EDR also monitors the endpoint’s network activity – what connections the device is making, what it’s sending and receiving. The system watches applications employees are using and the software running in the background, while observing user actions like logins and application access.

If needed Bryley’s EDR can perform deeper data collection to investigate potential problems more thoroughly.

Analysis

When the EDR detects unusual behavior, human analysts at a 24/7/365 Security Operations Center (SOC) review the data to see if the threat is genuine. These analysts watch system activity for patterns that indicate malicious behavior. In the recent attack described above, the attacker attempted to export files at a very slow rate so as not to raise red flags. But the SOC analysts did notice. Human oversight helps ensure that automated systems don’t miss sophisticated attacks that blend legitimate and malicious activities. In that example, the SOC analysts combined a few different slight signals (the software name change, the software download, a very slow data-copying attempt) to piece together criminal intent. It’s likely that software alone would not have triggered on the criminal’s subtle moves.

Threat-blocking

The EDR isolates suspected infected devices to help contain malicious software from moving across the network. The EDR can quash dangers by quarantining harmful files, stopping processes and deleting malicious software.

EDR can also cut off an attacker’s access by blocking connections to IP and web addresses. Compromised credentials can be revoked and reset to keep attackers out of the device. At the same time, EDR has levels of escalation and can respond proportionally to threat severity so business operations can continue with minimal interruption.

How EDR Complements Existing Security

EDR is not really a superhero – but because of the way attackers have changed their approaches, it’s powerfully effective when implemented well. And there are challenges to proper configuration and EDR management. As an example, EDR can generate a lot of alerts – trained IT support is needed to tune it to cut down on false positives so analysts do not experience alert fatigue.

To be clear, EDR is meant to work in conjunction with traditional defenses that ask “is this a known threat?” (in the case of antivirus) or “is this user credentialed for this network?” (in the case of a firewall). EDR asks “is this regular activity?” The two ways of considering attacks are complements in a layered security approach, not replacements for one another.

Cyber threats now often involve attackers who gain legitimate access through social engineering (like phishing) or credential theft (like data breaches), then use standard software for malicious ends. It’s only through analyzing behaviors that these kinds of attacks can be identified.

To speak to Bryley’s Roy Pacitto about EDR defenses for your organization, please complete the form below to schedule a 15-minute, no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.

Connect with a Bryley IT expert about EDR