Issue No. 111, November 2021
EDR – Tools for a Changing Threat Landscape
Information security is among the chief concerns of most businesses. Whether or not these concerns have crystallized enough to be given the proper nomenclature, most business owners and stakeholders are concerned about their overall security posture. This raises any number of questions, such as: ‘How will this change affect the security of my business?’ and ‘Are we doing enough to secure our systems and data?’ In the past, antivirus software would have taken up a good portion of these types of conversations. Many users, even today, feel secure in the knowledge that their computer systems are protected by antivirus software. That means that if something like ransomware were to gain access to their system, their antivirus would find and destroy it…right?
Unfortunately, this is often not the case, nor the full picture. Although a robust managed antivirus solution should be a part of any enterprise’s security posture, it is just one layer of security that must be in place for business-critical infrastructure to remain safe and secure. Typically, antivirus software must work in conjunction with a firewall appliance to prevent malicious software from gaining access to an environment. This would also typically be coupled with robust spam filtering and perhaps phishing protection to secure one of the main points of entry into the network—email. Additionally, these systems should generally be paired with enterprise backup and recovery software to ensure that, should an infection of some type gain a foothold in the network, it can always be eliminated by restoring from backups. Although all of these tools are critical, they are also missing a critical component—monitoring and notification.
For the sake of argument, assume that your business’s network is laid out similarly to my description above, and that you have just been targeted by a criminal organization with ransomware. This strain of ransomware is entirely new, having been specifically developed to target your enterprise. This means that many antivirus products would not be able to stop the virus that was disguised as an otherwise innocuous email. Since the ransomware payload gained entry to your network via an email to a mid-level employee, your firewall had no chance to detect or mitigate the threat. Since your antivirus software cannot see it, it cannot stop it either. What happens now? But wait, you say, we have backups! Indeed you do. Assuming they are configured in such a manner as to make them immune to infection and encryption by the same ransomware now cutting a catastrophic swathe through your network, how do you know when it is time to use them? How do you know that you have an unchecked outbreak happening under the watchful eyes of IT staff and security products? This, then, is where EDR comes into the picture.
EDR stands for Endpoint Detection and Response, and it is a newer addition to the security landscape than some of the more familiar technologies outlined above. Think of EDR as a security camera system for the inside of your network. Where your antivirus software may have missed an infection because it had never seen it before, EDR does not have the same problem, because it monitors for behavior that looks like an infection. Because the software is looking for the actions that the piece of ransomware takes, rather than for the ransomware itself, it is not hampered in the same way that even some top-of-the-line antivirus might be by a newer, unrecognized infection.
Consider again the same scenario, but this time with EDR deployed across the corporate network. The infection still sneaks past the firewall and eludes the antivirus deployed on workstations and servers. The EDR, however, sees the traffic from the ransomware out to its command and control servers, alongside the thousands of encryption operations the software is performing, and kicks into action.
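The two behaviors the EDR keys on in this scenario, a burst of file encryption operations and an outbound connection to a command and control server, can be turned into a simple correlation rule. The following is an added illustration, not code from this newsletter or from any EDR product; the process names, the telemetry records and the internal address ranges are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed endpoint telemetry, not real data: (ISO timestamp, pid, image, event, detail).
# pid 4021 is a hypothetical ransomware process; pid 1180 is ordinary spreadsheet work.
SAMPLE_EVENTS = (
    [("2021-11-03T09:00:00", 1180, "excel.exe", "file_write", "Docs\\budget.xlsx")]
    + [(f"2021-11-03T09:00:{i:02d}", 4021, "update.exe", "file_rename",
        f"Docs\\report{i}.docx -> report{i}.docx.locked") for i in range(25)]
    + [("2021-11-03T09:00:30", 4021, "update.exe", "net_connect", "203.0.113.7:443"),
       ("2021-11-03T09:01:10", 1180, "excel.exe", "net_connect", "10.0.0.5:445")]
)
FILE_OPS = {"file_write", "file_rename", "file_delete"}
# Ranges treated as "inside the network" (an assumption for this example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(endpoint):
    """True when 'host:port' points outside INTERNAL_NETS (a possible C2 destination)."""
    addr = ip_address(endpoint.rsplit(":", 1)[0])
    return not any(addr in net for net in INTERNAL_NETS)

def detect_ransomware_behaviour(events, burst_threshold=20, window_seconds=60):
    """Flag processes by what they do, not by what they are.
    Rule 1: more than burst_threshold file operations inside a sliding window.
    Rule 2: an outbound connection to an external address.
    Both rules on one process -> 'high'; one rule alone -> 'medium'."""
    recent = defaultdict(deque)  # pid -> timestamps of file ops still in the window
    images, burst, external = {}, {}, {}
    for ts, pid, image, event, detail in sorted(events):
        images[pid] = image
        t = datetime.fromisoformat(ts)
        if event in FILE_OPS:
            q = recent[pid]
            q.append(t)
            while t - q[0] > timedelta(seconds=window_seconds):  # drop stale entries
                q.popleft()
            if len(q) > burst_threshold:
                burst[pid] = len(q)
        elif event == "net_connect" and is_external(detail):
            external[pid] = detail
    alerts = []
    for pid in sorted(burst.keys() | external.keys()):
        reasons = ([f"{burst[pid]} file ops within {window_seconds}s"] if pid in burst else []) + \
                  ([f"outbound connection to {external[pid]}"] if pid in external else [])
        severity = "high" if pid in burst and pid in external else "medium"
        alerts.append({"pid": pid, "image": images[pid], "severity": severity, "reasons": reasons})
    return alerts
```

On the sample telemetry the spreadsheet process never trips either rule, while the renaming process is reported as high severity because both rules fire on it; raising the burst threshold leaves only the medium-severity network finding.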
Now the simmering sickness spreading unchecked has been replaced with a blaring klaxon to your IT department. Something is very wrong indeed. Leveraging the rest of the security solutions already in place, IT can block the infection’s ability to spread and quickly get a grasp of which systems have been affected. Backups are spun up and restores initiated. An unmitigated disaster becomes a crisis that can be contained and managed.
The threat landscape for today’s businesses is constantly evolving. Ensure that your IT provider is deploying the most robust and capable solution stack possible to keep your infrastructure and livelihood safe.