EDR systems as an example of the development of cybersecurity tools

New malware and attack techniques appear constantly. Every month new vulnerabilities are disclosed in various products, new ways of attacking corporate IT infrastructure are reported, and new malware and other hacking tools are written.

The development of information security products does not stand still either. Advanced technologies, including machine learning and other AI methods, are being actively adopted. One such class of products is EDR (Endpoint Detection & Response) systems.

EDR is often described as an innovative solution in the field of information security. This article discusses how this class of systems works, its capabilities and its drawbacks.

Operating principle

An EDR system is a class of solutions for detecting and investigating malicious activity on endpoints connected to the network. An endpoint can be an employee's PC, an IoT device, a server, or any other element of the company's infrastructure.

The system consists of two components: an agent installed on the device, and a server side that acts as the processing centre for the collected telemetry. Depending on the product, this centre may be an on-premises server or a cloud service.

Kirill Romanov
Business Development Manager, Information Security Department, Sissoft

Without delving into the history of how this class of solutions appeared, it is important to understand that it is a logical continuation of the development of antivirus and EPP systems, which monitor suspicious traffic activity and search for malware. But whereas antivirus programs catch malicious software at the moment it is launched, EDR tools work deeper and are focused on detecting targeted attacks and complex threats. In addition, this class of solutions works with artificial intelligence, which constantly learns and creates new response strategies. This, in turn, increases the security of the client's infrastructure.

Formally, EDR is a synthesis of EPP, since the product is focused on protecting the end device, and SIEM, since it analyzes data from all devices and runs it through a single processing centre. As a rule, the system relies on indicators of compromise (IoC) and on custom rules written by the vendor or by field specialists.

In a business context, EDR is preferable to antivirus software because it is focused on protecting the infrastructure and business processes within the network rather than an individual device. It is also much more effective at detecting APT attacks.

Capabilities

EDR as a class of solutions cannot be called "know-how" in the sense of new functionality: it does not add capabilities that existing solutions lack, but combines them into a single, efficient system that works comprehensively.

For example, compared with a conventional antivirus, EDR is more effective because it can analyze events across all endpoints in the network, together with their interdependencies and correlations, which an antivirus cannot.

The functions of modern EDR systems include:
  1. Collecting data from network-connected devices in real time.
  2. Recording all actions on these devices, from network activity to the launch of software.
  3. Analyzing the data and identifying potentially dangerous processes.
  4. Presenting the findings and notifying the administrator.
  5. Responding automatically to detected suspicious events.

It is in the last point that the system's machine learning component plays its role: the system can independently develop behaviour and response scenarios for various incidents.
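To make the five functions concrete, here is an added example in Python that is not code from the article or from any EDR vendor. It models the two components described above: agents report telemetry, and a central server records it, runs per-host IoC checks, correlates process events across endpoints (the thing a standalone antivirus cannot do), marks affected hosts for isolation as the automatic response, and re-scans stored telemetry when new IoCs arrive. The event schema, rule names, host names and IoC values are all constructed for the demo.

```python
"""Toy EDR pipeline: agents report telemetry, a central server records it,
correlates it across endpoints, matches IoCs and triggers a response.
Added illustration; event schema, rules, IoCs and hosts are constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed)
    host: str      # endpoint whose agent reported the event
    kind: str      # "process" or "netconn"
    detail: dict   # parent/image/sha256 for process, dst/dport for netconn


@dataclass
class Alert:
    rule: str
    hosts: tuple     # endpoints involved
    evidence: tuple  # the Events that triggered the rule
    action: str      # automatic response taken


# IoCs loaded into the server (constructed; the IP is from the TEST-NET-3
# documentation range, not a real command-and-control address).
IOC_HASHES = {"deadbeef" * 8}
IOC_IPS = {"203.0.113.7"}


class EdrServer:
    """Server side: stores everything the agents send and evaluates rules."""

    def __init__(self, mass_threshold=3, window=300):
        self.events = []               # full record of agent telemetry
        self.mass_threshold = mass_threshold  # hosts needed to call it "mass"
        self.window = window           # seconds of history the mass rule uses
        self.isolated = set()          # hosts already told to isolate
        self._fired = set()            # keys for which the mass rule fired

    def ingest(self, ev):
        """Agent -> server: record the event, then run rules online."""
        self.events.append(ev)
        return self._single_host_rules(ev) + self._cross_host_rules(ev)

    def _single_host_rules(self, ev):
        # Per-device IoC checks: roughly what an antivirus on that host sees.
        alerts = []
        if ev.kind == "process" and ev.detail.get("sha256") in IOC_HASHES:
            alerts.append(self._respond("ioc_hash", (ev.host,), (ev,)))
        if ev.kind == "netconn" and ev.detail.get("dst") in IOC_IPS:
            alerts.append(self._respond("ioc_ip", (ev.host,), (ev,)))
        return alerts

    def _cross_host_rules(self, ev):
        # Cross-endpoint correlation: the same parent spawning the same child
        # on many hosts within `window` seconds looks like a mass attack.
        if ev.kind != "process":
            return []
        key = (ev.detail.get("parent"), ev.detail.get("image"))
        recent = tuple(e for e in self.events
                       if e.kind == "process"
                       and (e.detail.get("parent"), e.detail.get("image")) == key
                       and ev.ts - e.ts <= self.window)
        hosts = tuple(sorted({e.host for e in recent}))
        if len(hosts) >= self.mass_threshold and key not in self._fired:
            self._fired.add(key)
            return [self._respond("mass_lateral_spawn", hosts, recent)]
        return []

    def _respond(self, rule, hosts, evidence):
        """Automatic response: mark hosts for isolation and raise an alert
        for the administrator (a real agent would cut network access)."""
        self.isolated.update(hosts)
        return Alert(rule, hosts, evidence, action="isolate_host")

    def retro_scan(self, new_hashes=frozenset(), new_ips=frozenset()):
        """Retrospective analysis: run newly loaded IoCs over stored telemetry
        so activity that looked benign when recorded is found later."""
        return [e for e in self.events
                if (e.kind == "process" and e.detail.get("sha256") in new_hashes)
                or (e.kind == "netconn" and e.detail.get("dst") in new_ips)]


def run_demo():
    """Feed constructed telemetry from four endpoints through the server."""
    server = EdrServer(mass_threshold=3, window=300)
    spawn = {"parent": "winword.exe", "image": "powershell.exe"}
    telemetry = [
        Event(100, "ws01", "process", dict(spawn)),
        Event(130, "ws02", "process", dict(spawn)),
        Event(135, "ws02", "netconn", {"dst": "198.51.100.23", "dport": 8443}),
        Event(140, "ws01", "netconn", {"dst": "203.0.113.7", "dport": 443}),
        Event(200, "ws03", "process", dict(spawn)),
        Event(250, "srv01", "process", {"parent": "services.exe",
                                        "image": "update.exe",
                                        "sha256": "deadbeef" * 8}),
    ]
    alerts = []
    for ev in telemetry:
        alerts.extend(server.ingest(ev))
    # A later threat-intel update flags 198.51.100.23; the stored record lets
    # the server find ws02's earlier connection to it.
    retro = server.retro_scan(new_ips={"198.51.100.23"})
    return server, alerts, retro


if __name__ == "__main__":
    server, alerts, retro = run_demo()
    for a in alerts:
        print(f"[{a.rule}] hosts={a.hosts} action={a.action}")
    print("isolated:", sorted(server.isolated))
    print("retro hits:", [(e.ts, e.host, e.detail["dst"]) for e in retro])
```

Running the demo raises three alerts: an IoC hit on ws01's outbound connection, a mass-spawn alert once the third workstation shows Word launching PowerShell within the window, and an IoC hash hit on srv01. The mass alert is the one that no per-host product could produce, since each host on its own saw a single, unremarkable process launch; the retrospective scan is what the "full record of all actions" in point 2 buys you when intelligence arrives after the fact.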

Another significant advantage of EDR systems that distinguishes them from related solutions is their integration capability: both with "low-level" solutions such as firewalls or antivirus software that protect endpoints, and with "top-level" solutions of the SIEM class.

Conclusion

EDR systems are the prerogative of companies that are mature in terms of information security. Not only because the system itself is quite complex to configure and operate, but also because there are many related solutions that perform similar functions and can be integrated at a lower cost.

At the same time, EDR differs qualitatively from these related solutions, primarily because it takes a comprehensive approach to security in which the infrastructure is monitored and protected by observing all connected devices at once.

Ivan Chernov
UserGate Development Manager

First, the only drawback of EDR, in my opinion, is that it is a rather complex tool that requires a deep dive into the context and configuration of the information security systems.

Secondly, the concept of EDR is rather marketing in nature. For example, within the UserGate SUMMA ecosystem our company has all the necessary components for advanced detection and response; they are present both on end stations in networks and in the cloud, and all our products can also respond to threats by blocking, preventing and signalling. Therefore we can say that UserGate has a full-fledged EDR inside a single security ecosystem, despite the fact that there is no solution with that label in it.

And third, if we talk about the benefits, EDR is a complete solution that works not only within a specific device but in the context of the entire set of business processes of the organization, collecting different information from different devices. A server connected to the computers compares the state of the end devices, observes behaviour patterns (for example, a mass attack), loads its expertise and indicators of compromise, and performs retrospective analysis. Antivirus and endpoint protection protect each specific device individually, while EDR analyzes the overall context, allowing suspicious malicious activity to be detected at an early stage.

Currently, EDR is most appropriate for companies with a large number of end devices. Moreover, not only computers can be connected to the network, but also all kinds of IoT devices, from sensors on production lines and smart manufacturing systems to printers and air conditioners.

Such "total protection" may seem redundant "in the moment", but it does not look that way in the context of strategic development, since attackers will sooner or later "get to" IoT devices, just as they previously "switched" from PCs to smartphones.