MSSP Advancements • 5 MIN READ
EDR Essentials From an Analyst Perspective
by Vikas Lokhande, Eleanor Barlow • Aug 2022
EDR stands for Endpoint Detection & Response. This is a cyber security service, usually delivered by a Managed Security Services Provider (MSSP), which continuously monitors the endpoints of devices and responds to cyber threats, known malwares, and threat feeds, as well as behavioural and signature-based alerts.
How to Compare EDR Solutions
- An EDR solution should be able to analyse all the events from a machine, and it should be able to provide the user with Indicators of Attacks (IOAs), and from this, apply behavioural analysis on all processes. The right EDR solution should know what a normal process for any vendor is, not just vendors of a particular solution.
- From an analyst perspective, EDR should have the highest number of detection rules and signatures possible. Whichever EDR has maximum signatures, the better it is, because that gives you the maximum ways of identifying a threat.
So, if you compare EDR solutions, and run a malware attack simulation, you can see how many detections are gathered in terms of tactics and techniques. The solution with the highest number detected, will be the best. For instance, in the MITRE Engenuity ATT&CK evaluation, in which the EDR capabilities powered by SentinelOne, were tested alongside other capabilities, SentinelOne was able to detect all the TTP’s and then, from this, map the behavioural analytics.
‘The MITRE ATT&CK framework is, in essence, a knowledge base of adversary tactics, techniques, and procedures (TTPs). These TTP’s are based on real-world observations, used by various threat actors, that have been made globally accessible to be used as the foundation for threat models and methodologies. It is important to highlight how innovative this framework is. It has shifted the balance with regards to cyber warfare and created a means of allowing security teams in all sectors, from anywhere around the world, to see the different stages of adversarial attack, and help raise awareness of the mechanisms which can be used by attackers to launch attacks.’ – How the MITRE ATT&CK Framework Has Revolutionised Cyber Security
The Importance of Threat Intelligence Integration
Not only should EDR have the capabilities to detect and analyse maximum traffic, but it should also have a strong threat intelligence integration. This means that it should be digesting a lot of logs from that intelligence and data from everywhere. To do this, you need to have a team conducting proactive threat hunting, who are looking at real time attacks that are happening around the world.
Not all EDR solutions provide a way to do threat hunting, so they won’t all allow you to query for anything complex. But there are some solutions that provide this capability. And with this, they should also provide you with a way to create your own custom queries, and custom alerts.
Historic Logs and Cloud Storage
You need to have historical visibility. With real-time monitoring, you should be able to look at the historic logs to let you know what has happened in the past. The more historic logs you can keep, the better, because you never know when you may require which logs. To maximise the retention, these logs should be stored on the Cloud.
For on-premises you have a single box in your organisation, that then talks to the Cloud, and the data is stored in your organisations itself. It is great that the data is not leaving your organisation, but it is the single point of failure. For more on Cloud security, read our blog on ‘How Managed Security Service Providers (MSSPs) Are Responding to Cloud Acceleration’.
The Importance of a Dedicated Team
To run EDR properly, a dedicated team operating 24/7, who can look at all the alerts, review the configurations every month, and actively search for alerts that are coming on the console, is required. This is necessary to ensure that nothing is missed, to make sure that things are updated, the exclusions and inclusions are being created, so that everything is running as expected.
EDR will give you an alert when there is a signature, but there could be a lot of other elements that EDR might have detected, but not alerted you on. It alerts when it identifies a story/incident, to show how, for instance, a user jumped from one machine to another, and from this machine they ran PowerShell, and into that PowerShell they ran some script, etc. This would create an incident. But when a user jumps on a machine, that alone will not create an incident or alert.
People should realise that EDR is not just the alerts that are given, but the investigation behind them. That is why you need a team who are actively looking at these elements for you.
What Solutions on the Market Can and Can’t EDR Replace?
EDR cannot replaceFirewall, it does provide the functionality, but Firewall is very specific. It is always recommended to have the Firewall to do the firewall jobs and keep the EDR separate. EDR can, however, replace any existing antivirus solution. So, while it can’t replace Web Application Firewall or any perimeter device, it can replace any existing endpoint related solution.
Action Plan Moving Forward
You cannot stop threats, or attackers from creating new payloads and ways to penetrate your security controls. The only thing to do is to strengthen security you have in place. This means Zero Trust. Every company should follow the zero-trust module, there should not be any relaxation in that. Download our white paper on ‘Ransomware Controls – SecurityHQ’s Zero Trust x40’ for more on this and for practical tips and tricks.
Every organisation should have their own zero trust module, and they should always go through an assessment where they treat everything as compromised, and address and review the plan of action for recovery and worst-case scenarios. That way teams are prepared for every event.
Containment of a threat is the easier part because it is just isolating the machines from the network. But how to recover from it, that is where most organisations fail.
For more information on EDR and how it works, speak to an expert here.
Or if you suspect a security incident, you can report an incident here.