Tuesday, 20th October 2020

Trend EDR: Protecting endpoints proactively

How IT managers protect corporate networks from targeted attacks By Chris Connell, Deputy Vice President of Global Sales and Director of European Operations, Kaspersky.

The cyberthreat landscape has experienced dramatic changes over the past few years, due to new previously unknown threats, file-less attacks, ransomware and cryptominers. In particular, targeted attacks on companies are constantly developing into an ever-greater danger. In addition, attackers are exploiting the fact that many companies are no longer able to cope with the complexity of their own IT environment. Anyone losing track of the situation cannot immediately analyse and block attacks and eliminate consequential damage.

The basic rule is that no company is too small to be attacked by cybercriminals. The challenge is that small and medium-sized companies often do not know what threats they are actually exposed to, while at the same time their cyber-defence resources and expertise are often severely limited, making it difficult for them to deal with complex threats.

Simple endpoint protection is no longer sufficient

Generally speaking, the security software used must provide comprehensive protection (for all endpoints and servers, whether Windows, Mac, Android, or Linux), but must also be intuitive to use. Cybercriminals have been able to systematically modify hashes and encrypt character strings ever since malware authors were able to easily circumvent signature-based detection and binary scanners. In addition, they are increasingly using special memory-based malware that leaves no traces on the hard disk and is only active in memory. Such attacks therefore generally remain undetected by traditional security solutions. It is therefore no longer sufficient to block “just” the threats at the endpoint – if this is at all possible. Today’s businesses need tools that enable them to detect and respond to the latest and most sophisticated threats.

EDR as a necessary add-on for proactive protection

Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for real-time monitoring and focuses on endpoint analysis and incident response. EDR provides comprehensive visibility of the activity of each endpoint in the infrastructure managed from a single central console, coupled with valuable security feeds that can be used by IT security professionals for further investigation and response. EDR is designed to proactively detect new and unknown threats and previously unidentified infections that infiltrate organisations directly through endpoints and servers. This is achieved by analysing previously unassigned events that cannot be classified as “trustworthy” or “definitely malicious”.

What’s more, over a quarter (28%) of companies that have implemented an Endpoint Detection and Response (EDR) solution have been able to detect cyberattacks in just a few hours or even almost immediately after an incident happened [1].

EDR can be used to detect unknown malware in zero-day and APT attacks by using various advanced detection technologies such as YARA, sandboxing, IoC (indication of compromise) scanning, or retrospective analysis with event correlation based on dynamic machine learning.

The endpoint solution and EDR must work hand in hand to ensure reliable and effective protection against sophisticated threats. For example, an EDR solution will forward any suspicious file that is identified and that cannot be definitively classified as malicious, and share it with the sandbox. This additional security tool then automatically executes the suspicious file in an isolated environment and analyses it for potential threats. This makes it possible to determine whether there are any signs of possible intrusion by unauthorised people or unauthorised activities by employees or partners. Signatures, rules and restrictions used to be sufficient to counter such attacks. However, such measures are often no longer enough in an age of targeted and multi-level attacks.

Integrated endpoint protection from Kaspersky

Kaspersky Endpoint Security for Business [2] combines endpoint protection with EDR and a sandbox. This 3-in-1 approach enables IT departments and administrators to protect their increasingly heterogeneous networks from current and emerging threats. Integration allows a suspicious file to be automatically executed and analysed in an isolated environment. The information gained from this can be further enriched by the analysis performed by Kaspersky EDR Optimum. Kaspersky EDR Optimum offers a variety of response options to eliminate threats, such as isolating an endpoint with potential malware or quarantining a suspicious file. To ensure that the threat does not spread to other computers, security professionals can quickly and easily create Indicators of Compromise (IoCs) that point to a system violation without having to schedule an automatic check of endpoints for a malicious object. In addition, third-party IoCs can be uploaded, and scans can be performed to identify affected endpoints.

Outlook: Managed detection & response

In the future, acceptance in the field of EDR will greatly depend on providers and their ability to automate analysis, insight, and response, and to reproduce them without human intervention. EDR represents an important opportunity, especially for medium-sized companies. As these companies are particularly impacted by a lack of skilled workers and therefore cannot cover all factors of cyber security with in-house security experts, EDR solutions as a managed security service (MDR = managed detection & response) provide a remedy. Endpoint security is outsourced to service providers with a focus on security, enabling their in-house IT department to focus its resources on core competencies without compromising corporate security. Of course, this also enhances the company’s cybersecurity posture. The better the protection, the more time and resources are available to specialists for dealing with challenging attacks.

[1] Kaspersky IT Security Risks Survey 2019 (https://go.kaspersky.com/rs/802-IJN-240/images/GL_Kaspersky_Report-IT-Security-Economics_report_2019.pdf) [2] https://www.kaspersky.de/enterprise-security/endpoint

A recent HPE panel discussion sought to provide some answers to this question – topics covered inclu...
Pascal Geenens, director of threat intelligence, Radware, offers some fascinating insights into some...
You may be surprised to learn that one of the first computer viruses to bring millions of computers...
Why business decision makers should expand their network security strategy, By Chris Connell, Deput...
By Miles Tappin, Vice President, EMEA at ThreatConnect.
By Mikkel Stegmann, Principal Scientist at Fingerprints.
Digital transformation needs security at heart, says Jonathan Whiteside, Principal Technical Consult...