EDR (Endpoint Detection and Response) is a class of solutions for detecting and investigating malicious activity. Unlike antiviruses, whose task is to combat typical and major threats, EDR solutions focus on identifying targeted attacks and complex threats.
EDR Architecture
In general, the Endpoint Detection & Response class system consists of agents installed on endpoints and a server side. The agent monitors running processes, user actions, and network communications and transmits information to a local server or cloud.
The server component analyzes the received data using machine learning technologies and compares it with indicators of consensus (IoC) and other available information about complex threats. If the EDR system detects an event with signs of cyber incident, it notifies security personnel.
What is IoC?
Hazard Indicator, IoC (Indicator of compromise) In the domain of computer security on the observed network or a particular device object (or activity), this most likely indicates unauthorized access (ie, danger) to the system. These indicators are used to detect malicious activity at an early stage and prevent known threats.
What Could an Indicator of Compromise Be?
The following can act as a compromise indicator:
- Unusual DNS queries.
- Suspicious files, apps and processes.
- IP addresses and domains belonging to botnets or malware C&C servers.
- Significant number of calls to a file.
- Suspicious activity in administrator or privileged user accounts.
- Unexpected software update.
- Data transfer over rarely used ports.
- Untypical behavior for a person on the website.
- The signature or hash is the sum of the malware.
- Unusually sized HTML responses.
- Unauthorized modification of configuration files, logs or device settings.
- Too many failed login attempts.
Features of EDR Products
Most modern EDR solutions can:
- Collecting data from endpoints in real time,
- Recording and storing information about user actions, network activity, and running programs for later study and investigation.
- Detecting and classifying suspicious activity and informing security services about it,
- Taking steps to prevent the attack,
- isolate suspicious files,
- stop malicious processes,
- disconnecting the network,
- Integrate with endpoint security solutions, SIEM systems and other security tools
Endpoint Detection and Response products (EDR) enable information security professionals to perform a proactive threat search (Threat Hunting) and analyze atypical behavior and suspicious activity.