Endpoint Detection and Response Solutions – EDR / XDR / MDR
Endpoint Protection Platforms (EPP) are ever evolving, changing, and growing.
If you speak to any vendor of EPP, they will come up with value-added benefits to tempt your business to go with their product rather than a competitor's, but truth be told, the protection of endpoints was the first cybersecurity protection solution widely available, and it has been around for a very long time. Considered the most basic of controls, endpoint solutions MUST evolve with the threats. To this end, over the last couple of years, we have seen the emergence of EDR (Endpoint Detection and Response).
So what is EDR?
The main problem businesses were facing was that the attack surface of an endpoint and the complexity of the surrounding infrastructure had evolved, but they were still relying on antivirus solutions that depended on signatures, sometimes out-of-date signatures, to identify and prevent a malicious file from executing. Further to that, attack types had changed: malicious actors were no longer interested in writing malicious files for victim machines but were more interested in stealing data or encrypting data for ransom. Those that were still creating malicious files had devised ways of padding files with extra bytes to avoid signature detection, or had evolved their attacks to include in-memory ("fileless") attacks.
EDR – the good and the bad of detection
EDR was developed to give a business the visibility to "see" unusual activity occurring in an environment, using behaviour analytics, some threat intelligence and host intrusion detection sensing, specifically around the endpoints. The problem immediately identified was that with increased visibility came an increased amount of security data to ingest, which required more resources and often burdened already over-burdened security teams, if there were any security teams at all. EDR also had no signatures to refer to, so SOC teams were inundated with raw data and false positives to process. Enterprises quickly found that they now needed both an EDR and an EPP to sufficiently protect their endpoints.
Convergence of prevention and detection techniques
Recently, vendors have started to converge these two solutions, bringing prevention techniques and detection techniques into one single solution. The problem, however, was that the platform's security data would now grow exponentially and security teams would have no chance of analysing such huge amounts of data. Many vendors have therefore integrated machine learning tasks into their solutions to prioritise what the solution considers a high-impact threat, piecing the various parts of the data flow together so that analysts can review the correlated information rather than having to piece the data together themselves. These solutions also correlate data from external threat feeds to identify any similar threats emerging worldwide. Some solutions even complete deep analysis of suspected malware files in an online sandbox to determine "known good" and "known bad" files.
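To make the argument of this section and the earlier one concrete (a hash signature that a padded copy of the same file no longer matches, behaviour rules that still fire on the process activity, and correlation of the hits into one per-host score for the analyst queue), here is an added Python example that is not from the original article or from any vendor's product. The rule names, weights, host names and telemetry events are constructed for illustration only.

```python
import hashlib
from collections import defaultdict

# Constructed sample file bytes: a "known bad" file whose hash is in the signature set.
KNOWN_BAD = b"constructed-malicious-file-body"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # hash-based signature set


def signature_match(file_bytes: bytes) -> bool:
    """Classic signature AV: exact hash lookup. Any change to the bytes (padding) breaks it."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES


OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

# Behaviour rules as an EDR sensor might apply them to each process event.
# Each rule is (name, predicate, weight); the weights are illustrative, not vendor values.
RULES = [
    ("office_spawns_shell", lambda e: e["parent"] in OFFICE and e["image"] in SHELLS, 40),
    ("encoded_command", lambda e: "-enc" in e["cmdline"].lower(), 30),
    ("shell_with_network", lambda e: e["image"] in SHELLS and e["net"], 20),
]

# Constructed process telemetry (one dict per event) for four hypothetical hosts.
TELEMETRY = [
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe", "cmdline": "-enc <constructed>", "net": True},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "Get-Service", "net": True},
    {"host": "ws02", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "ipconfig", "net": False},
    {"host": "ws03", "parent": "excel.exe", "image": "cmd.exe", "cmdline": "/c whoami", "net": False},
    {"host": "ws04", "parent": "svchost.exe", "image": "chrome.exe", "cmdline": "", "net": True},
]


def score_hosts(events):
    """Correlate every rule hit per host into one score plus the list of rules that fired."""
    scores, hits = defaultdict(int), defaultdict(list)
    for e in events:
        for name, predicate, weight in RULES:
            if predicate(e):
                scores[e["host"]] += weight
                hits[e["host"]].append(name)
    return {host: (scores[host], hits[host]) for host in scores}


def prioritise(events, threshold=50):
    """Return (score, host) pairs at or above the threshold, highest first: the analyst's queue."""
    ranked = [(score, host) for host, (score, _) in score_hosts(events).items() if score >= threshold]
    return sorted(ranked, reverse=True)
```

With these constructed events only ws01 crosses the default threshold; the lone admin PowerShell session on ws02 scores too low to reach the queue, which is the noise reduction the text describes.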
Introduction of XDR
The security industry hasn't stopped there, however. Most recently, vendors like Palo Alto Networks have introduced XDR (Extended Detection and Response), which extends the converged EDR into their firewalls, endpoint solutions and CASB solutions, on the assumption that an enterprise is already using those products; each of those security information points acts as a sensor, sending security data to a central threat analysis engine for processing.
Extension to MDR
This leads us on to MDR (Managed Detection and Response). In many cases, a business needs these types of technology to manage its IT risk, but cannot afford to throw multiple resources at these toolsets. Businesses' IT departments are also already dealing with infrastructure, capacity, Business As Usual (BAU) and some security activities, and most IT team members have limited experience in security analysis. It makes sense, then, for these businesses to use an experienced MDR team to detect, analyse and prioritise security incidents and offer remediation, allowing the IT teams to focus on their own tasks.
Integration of various tools
Secure-ISS offers MDR services by integrating various tools like converged EDR, XDR, SIEM, IDS, threat hunting and vulnerability management for our security analysts in our 24/7 security operations centre, providing our customers with unparalleled security expertise and advice.