Categories
Computer & Network Security

Endpoint Detection and Response: Monitor and Mitigate Your Cyber Threat Environment

There’s one lasting cybersecurity misconception that’s misled many: that perimeter security is sufficient in itself. 

While preventing attacks using tools like anti-malware, access management, anti-phishing training, and SIEM are effective, they’re ultimately insufficient on their own. Endpoint protection and monitoring (EDR), paired with managed detection and response (MDR), provides the missing element here, pairing prevention (EDR) with response (MDR) to curtail any attempted intrusion before serious damage is done.

To make matters worse, threats have risen 400 percent since before the coronavirus—with a 40 percent growth in ransomware specifically. What’s more, the explosive growth of workers performing their jobs at home has greatly expanded attack surfaces. Here, we’ll delve into endpoint protection and response, its place in modern cybersecurity, and the benefits it supplies.

Why EDR is Relevant to Today’s Threat Landscape

Much of the internet and IT technology was not designed with security in mind. As such, security approaches are enormously varied, often unsophisticated, and rely on mistaken assumptions about today’s threat landscape.

Case-in-point is the industry’s overwhelming reliance on perimeter security or network security, often referred to as the castle-and-moat approach. The thinking is simple, use a few different technologies like firewalls, anti-malware applications, and other security tools to prevent each potential attack vector.

There’s no such thing as perfect defense against an unknowable threat landscape. Each year, organizations face a roughly a 50/50 chance of experiencing a cybersecurity incident. Between malware, ransomware, advanced attacks, insider attacks, and social engineering attacks, such incidents occur so often they’re almost predictable.

Social engineering attacks are a good example. Approximately 91% of data breaches start with a phishing email, according to a Deloitte study. One might assume that effective education and training could prevent most social engineering attack attempts. However, such attacks are incredibly sophisticated, often taking the form of a court notice, IRS refund, fax notices, and are successful through repetition. Falling prey may be a statistical likelihood.

In test attacks from cybersecurity firm Positive Technologies, a whopping 17 percent of employees fell for the fake scam (Done with permissions from leadership). Among those: 25 percent of managers, and 3 percent of security personnel.

While EDR itself can’t prevent an employee from an ill-advised disclosure of data to a phishing email, their later activity in the system—in elevating their privileges and moving across their system—would be visible to effective EDR.

What’s more, EDR serves another important function: reducing the crucial time period between network penetration and the discovery of compromise. Currently, companies take an average of 197 days before discovering an intrusion, according to a Ponemon study. Reducing discovery time can significantly decrease the cost of containment.

Given the extremely high volume of these attacks and the predictability with which they occur, then it follows that cybersecurity must not only prevent attacks but also focus on responding swiftly by containing or removing any such vulnerabilities.

How Endpoint Detection & Response Works

EDR complements typical network security by adding visibility in activity occurring on endpoints, analyzing the resulting data for signs of malicious activity or compromise, and issuing automated responses that contain or remove threats, and alert administrators.

Note that the added responsibility and technical sophistication necessary for effective EDR may be too much for many IT departments. That’s why managed detection and response, a service provided by many cybersecurity managed service providers, may be necessary to cover these responsibilities, 24/7 monitoring, and any necessary maintenance. Together, EDR and MDR combine to form a comprehensive incident response program.

Personal Devices in the Workplace Are On The Rise

The explosion in personal devices in the workplace forms one of the most pressing security concerns today. Approximately 90 percent of US employees use their smartphones at work, while 50 percent of companies with permissive personal devices usage policies had such devices breached, according to Trend Micro.

Given their enormous cost savings benefit and their preferred status amongst workers, this is unlikely to change. Still, this growth means business networks are hosting a high volume of endpoints that aren’t likely to be secure.

Popular operating systems, whether we’re talking about Windows, MacOs, IOS, Android, or others, rest on a foundation of insecure code and contain a wealth of vulnerabilities to boot. Also, the software they run may not be secure, and they’re easily able to download malicious resources from the web.

If such devices can be manipulated and controlled by hackers, either directly or through malware, one can’t assume trustworthiness. Attackers depend upon this weakness and use it to escalate their privileges to gain access to the resources they’re after.

Endpoint protection’s deep visibility shows which user owns the endpoint, the location in which it’s currently being used, any applications running on it, and any content it’s creating.

EDR greatly minimizes that risk, ensuring that, if and when a cybersecurity event occurs, it can be quickly shut down, through deletion, containment, and rapid notification of relevant personnel.

This is crucial as it currently takes organizations an average of 197 days to identify a breach and another 69 to contain.

Continuous Monitoring and Forensic Analytics

As we mentioned up top, perhaps the most transformative aspect of endpoint services is the greater visibility they lend to endpoint activity.

For instance, EDR can validate that packets coming from an endpoint have been created by a legitimate application. It can also monitor the file integrity of key resources, which are automatically flagged in the case of improper access to secure files and theft of sensitive data.

What’s more, this monitoring is continuous, meaning EDR is always on the hunt for signs of compromise, recording, and storing all related data.

The latter is essential in providing usable forensic data that can help security professionals understand circumstances surrounding any attack, and thus how to prevent the next one. Such investigations could uncover patterns of behavior behind such threats to predict future ones.

Real-time monitoring leverages file integrity monitoring of key data, applications, and devices to find compromise. This includes activities like changes to a malware-related registry, improper access to secured files, and sensitive data theft. EDR is also capable of monitoring critical system events like startups and shutdowns, license changes, hard disk failures, and changes to the systems clock. And with automated policy enforcement, any such event can be rapidly contained.

Single Source for Endpoint Management

The unprecedented visibility that EDR extends is crucial; users will find that having a centralized location to monitor network endpoints is immensely valuable and educational.

From here, policies can be set and automatically enforced. Historical data across each endpoint can be investigated, which can uncover routes to penetration not previously considered; every endpoint, affected user, and step in the hacking process.

Since EDR systems are tasked with monitoring all devices within a network, they’re often much easier to integrate into network infrastructure. Many EDR solutions are compatible with a wide range of security tools, allowing endpoint data to be analyzed alongside other security network data.

This accessibility is further enhanced by the simplicity and ease of use of many modern endpoint solutions. Drag-and-drop interfaces and easy-to-read analytics make them layperson-friendly—crucial if they’re to be understood by stakeholders.

Perhaps the most compelling, and necessary, component of an EDR solution is its ability to be remotely managed by cyber security professionals.

EDR remote management options allow trained and certified experts to monitor network activity, flag and respond to anomalous activity, and stop cyber attacks that would otherwise compromise your organization. Having experienced and trained security professionals on your side is a superior alternative to installing a piece of software and hoping the built-in software is sufficiently up-to-date and nuanced enough to effectively identify and respond to threats.

Where to Go From Here

The combination of endpoint monitoring with traditional network security gives organizations an unprecedented and holistic view of their organization’s threat surface—and the once-invisible activity occurring on it.

At SecurIT360, we are a team of skilled cyber security professionals that can partner with your organization to provide an EDR solution that is customized to protect your business, its data, and your bottom line. EDR can integrate with minimal lift from your team or changes to your existing security architecture.

Oh, and if you’re curious: the proper way to respond to a cybersecurity incident.

SecurIT360 is a managed services provider proficient in monitoring and incident response, assessments and penetration testing, compliance, and general cybersecurity consulting. Contact us to learn more.