Is there an attacker in your network right now?
Even with the growing investment in cybersecurity, most IT leaders are still unable to definitively answer this question. There is so much to keep track of: users, devices, applications, alerts, vulnerabilities, patches – the list goes on. IT teams, especially those in smaller companies, simply don’t have the time to monitor their networks 24/7.
To date, nearly two-thirds of global organizations have been breached, with 56% of these breaches taking months or more to discover. And the longer a breach goes undetected, the more expensive it becomes, with response costs quickly skyrocketing to thousands a day. These attacks are also targeting smaller businesses, with about 58% of SMBs breached in 2018. For these companies, the consequences are even more serious: the National Cyber Security Alliance estimates that 60% of SMEs are affected within six months of an incident.
The situation seems bleak, with attackers evading organizational defenses left and right. As an IT leader with limited resources – but endless obligations – what can you do?
Enter endpoint detection and response, often abbreviated to EDR. EDR solutions are built to enhance your company’s endpoint protection (antimalware, spam filtering, and the like) with better detection and response capabilities. Think of your endpoint protection as a fence, and EDR as a constant patrolling security team, always looking for anyone trying to breach that fence. It’s the next layer of security when your preemptive defense can’t catch an advanced attack or one of your devices misses an important patch. Even if an attacker comes in, the game isn’t over – you have your security team ready.
EDR is becoming increasingly important in the fight against cyber-attacks, but many IT professionals still find it difficult to quantify the exact benefits to their business. To help you, we’ve created this guide. It explains how EDR works, why it’s needed to detect attacks, and how you can use it to improve your overall cybersecurity posture. We’ve also included some helpful information about evaluating EDR vendors, with references to independent test data.
HOW EDR WORKS
EDR collects a huge number of behavioral data events (such as process executions, network connections, and file operations) from your organization’s workstations and servers with lightweight endpoint sensors. This data is extremely valuable for detecting attacks, but far too voluminous for human analysts to deal with manually. Think millions or even billions of individual bits of information, with a few real threats among all the noise – a real “needle in a haystack” situation.
By leveraging advanced analytics backed by machine learning, EDR can sort this data and capture attack indicators that match both known and never-before-seen threats. It does this by comparing accepted user behavior with the collected data and identifying unusual actions. Here are some concrete examples of what EDR can do:
- Detect fileless malware attacks delivered by websites containing malicious code, PDF documents loaded in browsers, or macros embedded in MS Office files.
- Identify unusual or suspicious processes launched from your company’s workstations.
- Detect completely new types of malware in your environment, even without existing signatures.
- Discover employees using unknown or malicious applications.
- Isolate compromised computers and servers from the network to prevent a cyber attack from spreading further.
Rather than overwhelming you with a mountain of false positives, EDR can quickly and accurately narrow down the list to what’s really relevant. In the case of one specific customer, F-Secure’s solution tracked a total of 2 billion endpoint events over a month-long period — and found the 15 incidents that constituted actual threats.
Once threats are identified, EDR also helps you investigate and respond to them with automated actions and recommendations. This is extremely important for smaller companies, as they usually do not have the resources and expertise to handle difficult cyber incidents alone. With an EDR solution such as F-Secure Elements Endpoint Detection and Response, you not only discover any problems plaguing your IT environment, but also get concrete help to solve them.
A junior marketing employee’s laptop uploads data to an unknown server on the Internet. EDR detects this suspicious behavior within minutes, automatically isolates the computer from the rest of your network and alerts your IT team to investigate. With the help of EDR, your team quickly determines that this is a real attack (the employee’s computer has been compromised) and investigates its origin. They trace the cause to a process launched by a malicious email attachment. Your IT team then restores the compromised device, updates your spam filtering settings to prevent employees from receiving this weaponized email attachment in the future, adjusts firewall rules to block connections to the server’s domain, and informs users of the risk the organization faced.
In this example, no traditional malware was found as part of the attack – there was nothing your endpoint security platform could prevent. Without EDR, you would have been fighting an invisible enemy.
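To make the analytics step and the scenario above concrete, here is a small added example (not F-Secure code) that runs the same pipeline over constructed sensor events: a per-host baseline of accepted destinations, a check for large uploads to a destination outside that baseline, and a walk up the process tree to show how the offending process was launched. The host name, destinations, byte counts and threshold are all constructed for illustration.

```python
"""Toy EDR-style detection over constructed endpoint telemetry.

Mirrors the pipeline the guide describes: sensors emit behavioural events,
analytics compares them with a baseline of accepted behaviour, and anomalies
become alerts carrying a process timeline and a response recommendation."""

# Constructed baseline of "normal" outbound destinations per host (assumption:
# learned from an earlier observation window, not taken from any real network).
BASELINE = {"WS-MKT-07": {"mail.example-corp.internal", "cdn.example-corp.internal"}}
UPLOAD_THRESHOLD = 5_000_000  # bytes sent to an unseen host; constructed value

# Constructed sensor events: process executions and network connections.
EVENTS = [
    {"type": "process", "host": "WS-MKT-07", "pid": 100, "ppid": 1, "image": "outlook.exe"},
    {"type": "process", "host": "WS-MKT-07", "pid": 210, "ppid": 100, "image": "winword.exe"},
    {"type": "process", "host": "WS-MKT-07", "pid": 330, "ppid": 210, "image": "powershell.exe"},
    {"type": "netconn", "host": "WS-MKT-07", "pid": 330, "dest": "unknown-drop.example", "bytes_out": 48_000_000},
    {"type": "netconn", "host": "WS-MKT-07", "pid": 100, "dest": "mail.example-corp.internal", "bytes_out": 120_000},
]

def process_chain(events, host, pid):
    """Walk parent pids back to the root so the analyst sees how the process was launched."""
    by_pid = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    chain = []
    while (host, pid) in by_pid:
        e = by_pid[(host, pid)]
        chain.append(e["image"])
        pid = e["ppid"]
    return list(reversed(chain))  # root first, e.g. outlook.exe -> winword.exe -> powershell.exe

def detect(events, baseline=BASELINE, threshold=UPLOAD_THRESHOLD):
    """Flag large uploads to destinations outside the host's baseline and attach context."""
    alerts = []
    for e in events:
        if e["type"] != "netconn":
            continue
        known = baseline.get(e["host"], set())
        if e["dest"] not in known and e["bytes_out"] >= threshold:
            alerts.append({
                "host": e["host"], "dest": e["dest"], "bytes_out": e["bytes_out"],
                "origin": process_chain(events, e["host"], e["pid"]),
                "response": ["isolate_host", "notify_it_team", "block_dest_at_firewall"],
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only the 48 MB transfer to the unseen destination is raised; the routine mail traffic to a baselined host stays silent, which is the noise reduction the guide describes.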
This is the process behind our EDR solution, F-Secure Elements Endpoint Detection and Response:
- Sensors installed on your Windows computers, Mac computers, and servers track user behavior within your organization. The collected data events are streamed to our cloud database for real-time analysis. The sensors are invisible to your end users and your IT team does not need to take any additional actions to monitor your IT environment.
- Our cloud backend examines the collected data and separates suspicious events from normal user activity. This is done through behavioral, reputation and big data analytics, coupled with machine learning. The analysis is completely autonomous and requires no actions from your IT team.
- A filtered list of alerts appears on your dashboard, with clear images and attack information. You can easily see all affected hosts and related events on a timeline. The alerts are also contextualized, meaning they take into account the importance of the affected hosts, the prevailing threat landscape and current risk levels. With all this information available, you know what to focus your attention on first.
- Real threats are isolated from the network. You now have two options:
  - Investigate and respond to the issue with your own IT team, using the automated response actions and guidance provided by the solution. If your security is managed by one of our certified service providers, they will take the necessary actions on your behalf.
  - Forward the issue to F-Secure’s incident response experts with our built-in Elevate to F-Secure feature. They will then investigate the threat and advise you on how to fix it before your business is damaged.
HOW DO ADVANCED ATTACKS HAPPEN?
To understand how EDR can protect your organization from targeted and advanced threats, we need to examine how attackers typically work. Attackers hoping to breach your preemptive layers of security usually start with one of these tactics:
Exploiting a Vulnerability: Known vulnerabilities in your public-facing systems are an attractive avenue of attack, with 57% of breaches resulting from known vulnerabilities that could have been patched. With more than 16,000 new vulnerabilities disclosed each year, most companies find it extremely difficult to keep their entire infrastructure up to date. Using modern automation tools, opportunistic attackers can scan the public internet for any of these common vulnerabilities and potentially find thousands of devices that have not been patched.
Spear Phishing: Targeted, deceptive communication designed to trick someone in your organization into sharing sensitive information or opening an executable file. Spear phishing is very common and highly effective. Verizon’s annual threat report estimates that 32% of breaches involve this attack tactic.
Man-in-the-middle: The attacker intercepts your communications and only passes them on after examining or even modifying them, creating the illusion that you are talking directly to a trusted counterpart. Man-in-the-middle attacks are carried out in close proximity over unencrypted Wi-Fi networks or remotely via malware.
Buy access: Criminal organizations launch so many attacks on so many systems that a certain percentage of those systems is compromised at any given time. In many cases, attackers can save themselves time and effort by simply buying access to a system that has already been hacked. Do you know whether your company has been breached in the past? If so, access to your systems may be available on the black market behind a cheap paywall.
HOW EDR HELPS YOU AS IT LEADER
As the person responsible for your company’s cybersecurity, EDR offers you several benefits:
- If someone asks about your security status, you can give a clear, confident and accurate answer: Cybersecurity is moving from a niche IT topic to mainstream risk management. IT managers face increasing pressure to report the security status of their company to senior management, including the board. When faced with the inevitable question, “How safe are we now?”, EDR empowers you to provide an insightful and honest answer. Combined with data from your vulnerability management and endpoint security platforms, you can clearly explain how well you are protected; what kinds of attacks your systems have encountered; whether your employees follow established IT security guidelines; and so forth.
- You can rest assured that every attack attempt is quickly detected and reported – without spending your entire IT security budget: As we’ve mentioned countless times in this guide, attack prevention alone is no longer enough. But developing effective detection and response capabilities is neither easy nor cheap if you’re starting from scratch. A turnkey EDR solution is a great option for small and medium-sized businesses because you get all the core functionality of detection and response without the price tag that comes with fully managed services. Some solutions, such as F-Secure Elements Endpoint Detection and Response, even give you access to the security professionals usually reserved for those premium services. With our Elevate to F-Secure feature, you can route detections of serious or complex threats directly to the experts at our Incident Response Center – the same people who manage our corporate customers’ cybersecurity every day.
- When a threat is detected, you can react and fix it much faster: in addition to detections, EDR also provides you with tools and actionable recommendations for dealing with various security vulnerabilities. Host isolation, direct user communication, remote response actions – your EDR solution will guide you through the best way to resolve any given security incident as quickly as possible. While the goal is always to prevent an attack in the first place, these tools are invaluable if you find yourself dealing with an active threat.
- When a breach occurs, you can see and understand exactly what happened so it never happens again: detecting and stopping attacks is one thing, but understanding how they happened is just as important. To meaningfully improve your company’s security posture, you need to go back and look at the methods that were successful against your defenses. By collecting all relevant forensic data, EDR gives you the ability to analyze how an attack was carried out, learn from it, and strengthen your security against similar attempts in the future. Obtaining data on failed attack attempts is also important, as it may reveal that you are the target of a persistent cybercriminal.
- Under the EU General Data Protection Regulation, or GDPR, companies are required to report data breaches within 72 hours. Instead of worrying about compliance issues, rest assured that your company can meet the requirements: we’ve already seen the first GDPR fines imposed on companies that were breached after the regulation came into effect. EDR helps you comply with the GDPR on two fronts: First, you can show EU authorities that you have taken the basic actions to protect your data by monitoring your IT environment. Second, if an attack gets through your defenses, you can gather enough information to report it to the authorities within the 72-hour window.