EDR

Endpoint Detection and Response

How does EDR work? Endpoint detection and response is a cloud-delivered service, which allows a company’s network to detect, investigate and respond to threats.

This process provides advanced analytics to detect suspicious behavior on your network, so you can investigate and respond quickly.

The setup is designed to automatically gather and visualize data evidence from multiple sources, which helps you understand the investigative process as it evolves. This can help you quickly and confidently respond to threats.

Six Key Factors of EDR

1. Continuous real-time monitoring

ITC makes sure all of your devices have real-time monitoring with EDR.

Continuous real-time monitoring is when event information from other devices are sent to the cloud, which is where the risk of incidence becomes visible and available for immediate inspection or an historical search.

2. Advanced cloud-based analytics

ITC uses advanced cloud-based analytics, so EDR can perform and protect your systems properly.

Advanced cloud-based analytics enable a rapid adoption of analytic engines and techniques to inspect a devices activity, which can uncover threats that might have slipped through other security measures.

3. Mapping

ITC sets up EDR initially for a two week detect mode to learn the systems and all users therein.

Mapping can be done to detect the framework and behavior of a threat and its associated risk

4. Artificial intelligence

ITC will complete setup after the two week detect or learning mode, so EDR, like AI, can go to work protecting your systems better and faster than any human can detect.

Artificial Intelligence (AI) can be used to guide an investigation by exploring, combining different strategies, asking and answering questions and collecting a broad range of data to process artifacts from devices and make sense of the threatening alerts.

5. A flexible data display

ITC can also set up EDR to have a flexible data display.

A flexible data display allows you to toggle between different views of the same data. This way users, with various levels of experience, can understand how events are connected without moving through multiple screens.

6. Evidence searches optimized

EDR will optimize searches throughout your systems and detect, contain and remove any threats.

Searches for evidence are optimized, as you can perform an historical search, a device search or real-time search

Threat Priortization

Threat prioritization helps you to determine the level of the threat, its effect on your environment and the immediacy of response.

Threats can be traced from the time when they first affected the endpoint. Threats are also categorized by rank and color-coded, to help you better understand the severity of maliciousness.

The detection engine analyzes activity on a monitored endpoint. If the activity indicates malicious or suspicious behavior, it is categorized and assigned a severity level.

You can analyze the life-cycle of a threat by the details, attributes, impacts, activity and events provided. Things like an external network connection, increased authorization level, data exfiltration, encryption of the data and etcetera will help the analyzation of each threat.

HOW NETWORKS GET HACKED

Four Ways to Analyze a Threat

Initial trigger details

The first and last time the threat was detected

The number of impacted endpoints

Age ... the time from the last detection

If you check the number of impacted endpoints that have triggered detection for a selected threat, keep in mind each endpoint has an indication number within parenthesis to show the number of times the threat was detected on that endpoint.

If an endpoint indicates more than one detection, the endpoint name can be expanded to show details such as activity date and severity for each detection.

3 Ways to Respond Remotely to a Threat

Contain. Remove. Dismiss.

Containment

Removal

Dismissal

Containment is important early in the course of handling a threat, and the reason why is because when you deploy a reaction and select all displayed result to take action, the event will be executed on all impacted endpoints present in your environment.

Removing a threat remotely when the investigation is completed. You will need to delete artifacts such as process, folder, file, registry value or content permanently from the endpoint.

Dismiss, exclude or delete a threat from

the potential “threat list” if the threat is

non-malicious. You can also edit the exclusion criteria in the “threat list.”

Containment can ultimately:

Reduce the increase in threats damage on the endpoint
Avoid spreading threats in the environment
Minimize the impact to zero without any data loss
Provide time for developing a tailored remediation strategy

You can use the following reactions to respond to threats remotely by quarantining devices, killing or stopping the process, executing user logoff and

an operational shutdown, scheduling a reboot and ending the quarantined devices.

Book Appointment

Services

AI based EDR