
Eyes and ears and teeth: Endpoint Detection and Response (EDR) pays attention to activity on endpoints. It uses machine learning to sort normal behavior from suspicious behavior. Whatever is found to be problematic is reviewed by security analysts, who have the ability to stop malicious events from spreading; this contains the damage so that remediation can begin.
What You Should Know About EDR
One Click Uncorked Qakbot
An employee received a questionable email attachment and attempted to open it, but stopped short of enabling macros. Instead, to get another opinion, the employee forwarded the document to another employee, who opened it and, without meaning to or being aware, installed Qakbot – stealthy malware used by criminals to deliver other types of malware.
But then the employee had second thoughts and sent an email about it to IT. Turned out the IT team was already working to resolve the issue.
“We were taking remediation steps before that user’s email [arrived],” the IT team leader said. “EDR gave us a clear understanding of what we were dealing with and which user was affected, which made it easy for us to respond right away.”
“We were able to disconnect the machine and reset every password the user was tied to,” the team leader continued. “Within twenty minutes of receiving the initial alert [the damage was contained].”
Without EDR, the Qakbot attack might have played out differently
How long would it have taken to fix this Qakbot attack without EDR? How would the trojan have been found without EDR? What damage would it have caused without having been discovered? How much money would the company have lost either through direct theft or through extortion?
So what is this great invention called EDR?
While conceptually EDR is easy to understand (like an endpoint guard dog that barks [to alert] and bites [the attacking software]), what IT departments implement can vary. The following is the EDR approach Bryley takes:
- EDR continuously monitors endpoints and collects data on activities that may indicate a threat. Examples of this data are the processes running on the machine, patterns of behavior over time, and registry modifications (e.g. have privileges changed, or has a program set itself to start automatically?).
- That data is then collected and sent to a cloud repository where the heavy lifting of analysis is accomplished without bogging down the endpoint.
- Analysis is the key process for any EDR security solution. Machine learning scans the collected data for known threat patterns and for behavior that departs from the endpoint’s normal baseline. Anything the machine-learning software escalates is handed to a team of human analysts, who take over the threat hunting and decide what is actually malicious.
- Last, a rep assists in removing any threat that has been found. Incident response may also be automated or a combination of a rep and automation.
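The four steps above, as an added toy illustration (not Bryley’s or any vendor’s EDR code): constructed endpoint telemetry is collected, scored for the behaviors the list mentions (an Office document spawning a script host, a registry autorun change), and hosts over a threshold are escalated for analyst review and containment. Event field names and thresholds are assumptions.

```python
from collections import defaultdict

# Assumed vocabulary for the toy analyzer (illustrative, not a vendor rule set).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry as an EDR agent might report it (step 1: collect).
SAMPLE_EVENTS = [
    {"host": "ws-07", "type": "process", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-07", "type": "process", "parent": "winword.exe", "image": "wscript.exe"},
    {"host": "ws-07", "type": "registry", "key": RUN_KEY + r"\Updater", "op": "set_value"},
    {"host": "ws-12", "type": "process", "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws-12", "type": "process", "parent": "explorer.exe", "image": "outlook.exe"},
]


def analyze(events):
    """Step 3: score each host's behavior. Returns {host: {"score", "findings"}}."""
    report = defaultdict(lambda: {"score": 0, "findings": []})
    for ev in events:
        entry = report[ev["host"]]
        if ev["type"] == "process":
            # A document editor launching a script interpreter is classic
            # macro-driven execution, so it carries the highest weight here.
            if ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
                entry["score"] += 5
                entry["findings"].append(f"{ev['parent']} spawned {ev['image']}")
        elif ev["type"] == "registry":
            # A new autorun value is a common way malware survives a reboot.
            if ev["key"].lower().startswith(RUN_KEY.lower()):
                entry["score"] += 3
                entry["findings"].append("autorun registry key modified")
    return dict(report)


def triage(report, threshold=5):
    """Step 4: hosts at or above the threshold are escalated for containment."""
    return {host: "escalate: isolate host, reset user credentials"
            for host, r in report.items() if r["score"] >= threshold}


if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for host, action in triage(findings).items():
        print(host, findings[host]["findings"], "->", action)
```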
Four Reasons to Deploy EDR
- EDR can help organizations gain clarity on their defensive capabilities. Analysts will be able to see through every phase of the attack lifecycle, enabling security gaps to be closed. Forensic investigations provide deeper insights into the state of your devices.
- EDR can cut down resolution times from hours to seconds. Likewise EDR can trim lengthy attack investigations.
- EDR stops active attacks and keeps them from causing more harm.
- EDR stops lateral movement. EDR can limit the number of affected machines and track down attackers quickly; they have no time to go deeper into your network, and so they have nowhere else to hide.
A Word About XDR
Extended Detection and Response (XDR) is software that has grown – as networks have changed – from its EDR beginnings. XDR, like EDR, watches and comes to recognize unusual software behavior and suspicious network traffic, and acts if it finds anything suspicious.
The difference is that “XDR solutions extend beyond endpoints [the reach of EDR] and make decisions based on data from a variety of sources,” according to Bryley partner SentinelOne. “They take action across an organization’s entire [environment] … and optimize threat detection, investigation, response, and hunting in real-time.”
XDR is like EDR for the network and Cloud.
EDR and XDR Are Part of a Layered Defense
Before a bad guy makes a move, EDR and XDR are guarding the gate inadvertently left unlocked (like an employee opening a bad document). EDR and XDR are powerful tools for stopping incursions while they’re happening. And EDR and XDR are powerful tools to slam the gate shut if the criminal makes a move.
Of course you don’t want to leave the gate unlocked (you wouldn’t tell employees to click every phishing email), but EDR and XDR have your back if there’s a gap – as we’ll explore next week in Why Criminals Love Finding No EDR.
The malware known as Qakbot (pronounced quack-bot) was taken down by the FBI in 2023 – only to see a resurgence in new, elusive forms.
Qakbot’s use as a delivery mechanism (aka backdoor) for criminals makes infection on a computer especially dangerous – it’s been seen to install ransomware, keyloggers (to capture typed credentials), software to steal intellectual property and remote access trojans that let a remote attacker see and do what they want on an infected machine. Qakbot is also self-propagating throughout a network.