EDR: What and how

There’s a lot of talk in the market about how endpoint detection and response (EDR) is the Next Big Thing. According to Gartner¹, for example, “EDR tools provide a method for security and risk management technical professionals to answer two key questions about the security of their environment:
  • What happened here?
  • What is happening right now?”

This does nothing to improve your threat defenses – or your stress levels. And it’s particularly concerning in an environment where SMBs and mid-size enterprises are becoming exposed to more disruptive, evasive attacks that can bypass automated security barriers – for example, by leveraging approaches very similar to those used by legitimate system administrators – and that require a more rapid and robust response.

What

In recent years, the trend in cybersecurity has been that, rather than ‘commodity’ threats which are relatively easy for an endpoint protection platform (EPP) to detect and prevent, cybercriminals are focusing more and more on ‘evasive’ threats specifically designed to bypass existing endpoint protection measures.

One reason is that it’s becoming much easier (and cheaper) for cybercriminals to find, combine and test ready-made tools and methods (including ‘rent-a-malware’ campaigns with 24/7 support), and attacks of this kind promise much higher chances of success than traditional scenarios.

Add to this the surge in remote working which is dissolving the corporate perimeter of many organizations, and it’s easy to see why endpoints will remain on the frontline in the battle against cybercriminals for the foreseeable future.

So what happens when EPP is confronted by an evasive cyberthreat? Not only are these threats hard to detect due to the range of evasion techniques being adopted – particularly the use of legitimate and system-native tools – but by staying undetected for longer, they also have the time needed to explore and entrench themselves in a business’s infrastructure and do a greater amount of damage, be it a data breach, a ransomware or spyware attack, or directly disrupting operations.

The result? The average financial impact of a data breach² is US$101,000 for SMBs and US$1.09 million for enterprises. Plus, the slower the response, the larger the average impact – rising to US$118,000 and US$1.34 million respectively for responses taking more than a week. With impacts like these, rather than asking ‘why should we invest in EDR?’ a better question for many businesses is ‘why haven’t we invested already?’

How

So what will EDR do for you if (and when) you invest in it? In simple terms, each time you receive an alert, EDR will help you understand where the threat came from, how it developed, what its root cause is, whether it’s touched any other hosts, and therefore what its scale is.

It should also guide you through a simple incident handling process including steps such as identification, containment, eradication, recovery, and analyzing lessons learnt to help prepare for future attacks. For example:

  • Identification. What did the EDR tool find? Is this a common or serious threat, and is a response required, based on context and details about the threat and the incident it created?
  • Containment. What needs to be done about the threat, such as isolating the host, preventing execution or quarantining suspicious files?
  • Eradication. Using an Indicator of Compromise (IoC) scan to find and delete related files, along with any other processes needed to eradicate the threat.
  • Recovery. Returning the network to normal – so, for example, if an infected host was isolated to prevent the spread of infection, this can be taken back out of isolation.
  • Analyzing lessons learnt. Such as integrating IoC data with existing security tools, reviewing access and web controls, blocking access to particular IP addresses or email accounts, or introducing security awareness training to help employees better understand and spot modern security threats.
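The following is an added illustration (not code from the Kaspersky article or product) of what the Identification, Containment and Eradication steps above look like when applied to endpoint telemetry: an IoC scan finds every host where a known-bad file hash executed (the incident’s scale), the process parent chain is rebuilt on each affected host (the root cause), and a per-host containment plan is derived from the findings. All hostnames, PIDs, image names and hash values are constructed for the example.

```python
"""
Added example: a toy EDR-style investigation over constructed process telemetry.
Not taken from the Kaspersky page; every host, PID, image name and hash is made up.
"""
from collections import namedtuple

Event = namedtuple("Event", "host pid ppid image sha256")

# Constructed process-start events, in the shape an EDR agent might record them.
EVENTS = [
    Event("ws-01", 100, 1,   "explorer.exe",   "aaa111"),
    Event("ws-01", 210, 100, "outlook.exe",    "bbb222"),
    Event("ws-01", 330, 210, "winword.exe",    "ccc333"),
    Event("ws-01", 440, 330, "powershell.exe", "ddd444"),
    Event("ws-01", 550, 440, "update.exe",     "bad000"),  # hash is on the IoC list
    Event("ws-02", 100, 1,   "explorer.exe",   "aaa111"),
    Event("ws-02", 700, 100, "update.exe",     "bad000"),  # same hash on a second host
    Event("ws-03", 100, 1,   "explorer.exe",   "aaa111"),
    Event("ws-03", 800, 100, "chrome.exe",     "eee555"),
]

# Constructed indicator list: hash values the incident has been tied to.
IOC_HASHES = {"bad000"}


def ioc_scan(events, ioc_hashes):
    """Identification / scale: map each host to the IoC-matching processes it ran."""
    hits = {}
    for ev in events:
        if ev.sha256 in ioc_hashes:
            hits.setdefault(ev.host, []).append(ev)
    return hits


def root_cause_chain(events, host, pid):
    """Walk parent links on one host from `pid` back to the root process.

    Returns image names ordered root -> pid. Stops at an unknown parent or on a
    cycle, so incomplete telemetry cannot make the walk loop forever.
    """
    by_pid = {ev.pid: ev for ev in events if ev.host == host}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev.image)
        pid = ev.ppid
    return list(reversed(chain))


def containment_plan(hits):
    """Containment / eradication actions per affected host, derived from the scan."""
    plan = {}
    for host, evs in hits.items():
        actions = ["isolate host from network"]
        for ev in evs:
            actions.append(f"terminate pid {ev.pid} ({ev.image})")
            actions.append(f"quarantine files with sha256 {ev.sha256}")
        plan[host] = actions
    return plan


def investigate(events, ioc_hashes):
    """Tie the steps together into one incident summary."""
    hits = ioc_scan(events, ioc_hashes)
    return {
        "affected_hosts": sorted(hits),
        "root_cause": {
            host: root_cause_chain(events, host, evs[0].pid)
            for host, evs in hits.items()
        },
        "containment": containment_plan(hits),
    }


if __name__ == "__main__":
    summary = investigate(EVENTS, IOC_HASHES)
    for host in summary["affected_hosts"]:
        print(host, "->", " > ".join(summary["root_cause"][host]))
        for action in summary["containment"][host]:
            print("   ", action)
```

Running the script shows ws-01 with an Outlook > Word > PowerShell > update.exe chain (the likely entry point) and ws-02 where the same file was launched directly, while ws-03 stays out of scope; the Recovery step would then be lifting isolation once each listed action has been completed.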

To summarize, whether you use an in-house EDR tool and/or MDR, the solution should work alongside EPP to block large numbers of threats automatically, and, when incidents occur, enable you to investigate them more effectively. This means gaining more insight into what’s going on behind the scenes to get a better understanding of the threats you’re seeing, and being able to quickly and easily respond to them and seek out other devices that may also have been compromised, thereby strengthening your security posture - especially in relation to new, unknown and evasive threats.

Whether you want to strengthen your internal defenses or combat the latest threats with expert external guidance, Kaspersky can help. Our cloud-enabled Kaspersky Optimum Security lets you upgrade protection against new, unknown and evasive threats, through effective threat detection and response and 24/7 security monitoring, without prohibitive costs or complexity.

1 Gartner - Solution Comparison for Endpoint Detection and Response Technologies and Solutions - Jan 2020
2 Kaspersky - IT Security Economics 2020
