Why we love EDR: Better detection and response to malware
As the cybersecurity landscape continues to evolve and attacks become harder to detect, endpoints are left incredibly vulnerable. An endpoint is any device connected at the edge of your network: laptops, desktops, mobile phones, and VPNs are all endpoints and all potential attack vectors. To effectively protect these endpoints, Coalition may advise organizations to add an Endpoint Detection and Response (EDR) solution to their security stack.
What is EDR and why is it important?
Quite simply, antivirus software alone is no longer sufficient for mitigating cyber risk. Traditional antivirus uses signature-based threat detection to scan for and remove viruses, worms, and other malware, which is why it’s often known as anti-malware. Increasingly, attackers have shifted to polymorphic malware, which mutates each time it runs so that a fixed signature no longer matches it, making it undetectable by signature-based antivirus software. This is where EDR proves invaluable.
The term was coined by Gartner analyst Anton Chuvakin in 2013. EDR collects and analyzes information from endpoints to respond to suspicious activity, including zero-day threats – viruses or malware that antivirus cannot yet detect – and polymorphic threats. EDR solutions typically comprise the following features: an Endpoint Protection Platform (EPP), which performs passive threat prevention; threat intelligence; a centralized management console; and active threat prevention.
EDR’s active threat prevention allows it to identify and stop threats before a human administrator can respond to them. Once an EDR solution has identified a problem, it takes steps to quarantine and remove the malware. Traditional antivirus detection is only as good as its signature library, which must be regularly updated; EDR instead relies on behavioral analysis, detecting and remediating threats based on their observed activity on the endpoint. And this can happen very, very quickly.
Swift EDR responses = success
For some policyholders, having EDR has already helped them to prevent a potentially devastating cyber incident.
SentinelOne EDR proves valuable after an event
An architecture services client was impacted by an event and hired the Coalition Incident Response (CIR) team to remediate it and clean up the network. We quickly deployed a SentinelOne EDR tool to monitor the endpoints and soon received an alert that an encoded PowerShell script had been added to an endpoint, allowing the threat actor to maintain their presence and attempt to reinfect the client. The alerts provided by the EDR allowed us to locate and remediate any lingering threat quickly.
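To show the difference the post draws between signature-based antivirus and EDR’s behavioral analysis, here is an added Python example (not Coalition’s code or any vendor’s product logic) that runs a hash lookup and one behavioral rule over constructed process-creation events, one of which launches PowerShell with an encoded command like the persistence alert in the SentinelOne case above. The event fields, sample bytes, and rule name are assumptions made for the example.

```python
import base64
import hashlib
import re

# Constructed sample data for illustration only, not real malware indicators.
# A signature scanner knows one hash; the "mutated" copy differs by a byte,
# which is all a polymorphic sample needs to slip past an exact-hash lookup.
KNOWN_SAMPLE = b"constructed-sample-v1"
MUTATED_SAMPLE = b"constructed-sample-v2"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# A harmless encoded command so the event looks realistic: "Get-Date" in the
# form PowerShell expects for -EncodedCommand (UTF-16LE, then base64).
ENCODED_ARG = base64.b64encode("Get-Date".encode("utf-16-le")).decode()

# Constructed process-creation events, shaped like what an EDR agent records.
ENCODED_EVENT = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": f"powershell.exe -NoP -W Hidden -Enc {ENCODED_ARG}",
    "file_bytes": MUTATED_SAMPLE,
}
BENIGN_EVENT = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": r"powershell.exe -File C:\Scripts\backup.ps1",
    "file_bytes": b"constructed-benign-script",
}

# Accepts the documented long flag and the abbreviations PowerShell honours.
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def signature_hit(file_bytes: bytes) -> bool:
    """Signature-style check: only an exact, already-catalogued hash matches."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


def behavior_hit(event: dict) -> list[str]:
    """Behavioral check: name the rules that fire on what the process is doing."""
    reasons = []
    argv = event["command_line"].split()
    is_powershell = event["image"].lower().endswith("powershell.exe")
    if is_powershell and any(ENCODED_FLAG.match(arg) for arg in argv):
        reasons.append("encoded_powershell")
    return reasons


def triage(event: dict) -> dict:
    """Run both checks so the two detection models can be compared side by side."""
    return {"signature": signature_hit(event["file_bytes"]),
            "behavior": behavior_hit(event)}
```

The mutated copy evades the hash lookup entirely, while the behavioral rule still fires because it keys on the action (an encoded PowerShell launch) rather than on the file’s bytes.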
Quick alerting prevents an incident
A healthcare facility was running Sophos Intercept X Advanced with EDR on all servers on their network. They were alerted via the EDR tool that a web shell had been found on the Exchange server (planted via the Microsoft Exchange vulnerability disclosed in early 2021). Thankfully, the EDR not only found the web shell but blocked and removed it from the network, preventing the client from experiencing a cybersecurity incident.
Narrowly avoiding a ransomware event
During routine scans, CIR found a real estate client’s data on the dark web, confirming they had been compromised in the past. We advised the client to monitor their network with another EDR tool, Carbon Black. After one day of active monitoring, CIR was able to find a compromised endpoint and remove it from the client’s network. A few days later, Carbon Black detected a PDF that concealed the Dridex banking trojan, a type of malware that often precedes a ransomware attack. Carbon Black alerted on and blocked the malware. Later that week, our threat intel team found that the threat actor group had posted details of the client’s revenue and other company information to their forums. The threat actor was preparing to trigger the ransomware, but thanks to careful monitoring aided by EDR, the client dodged the ransom by mere days.
Choosing the right EDR
There is considerable variation in the EDR solutions available, and capabilities can differ significantly from vendor to vendor. Simpler solutions may only collect and display data. In contrast, more advanced solutions may map observed behavior to the MITRE ATT&CK framework or even provide threat response capabilities that aid digital forensics investigations.
Coalition maintains a short, non-exhaustive list of EDR solutions that may work for our clients, including:
Comodo EDR
SentinelOne ActiveEDR
Carbon Black
Sophos Intercept X Endpoint
FireEye EDR
McAfee MVISION or McAfee ePO
Cisco AMP for Endpoints
Cybereason EDR
Palo Alto Cortex XDR
Cylance EDR
Tanium EDR
Coalition Control: Scanning, monitoring, and EDR options in one platform
Choosing the right EDR solution for your organization may still seem overwhelming. If you’re unsure how to move forward with EDR or any other cybersecurity risk mitigation strategy, you may want to consider signing up for Coalition Control. Coalition Control is our free (yes, really) integrated platform designed to help organizations manage their cyber risk. After signing up, you receive a complimentary Coalition Risk Assessment (CRA) that details your organization’s cyber risk profile and the remediations that keep your sensitive data protected.
Coalition policyholders can also access our partner technology ecosystem, which offers significant savings on security solutions and services covering everything from EDR to identity and access management and remote network access.