EDR
Endpoint Detection and Response
How does EDR work? Endpoint detection and response is a cloud-delivered service that lets a company detect, investigate and respond to threats on its network.
It applies advanced analytics to detect suspicious behavior on your network, so you can investigate and respond quickly.
The setup automatically gathers and visualizes evidence from multiple data sources, which helps you follow the investigation as it evolves and respond to threats quickly and confidently.
Six Key Factors of EDR
Threat Prioritization
Threat prioritization helps you determine the level of a threat, its effect on your environment and how urgently you need to respond.
Threats can be traced back to the time they first affected an endpoint. Threats are also ranked and color-coded to help you gauge how malicious they are.
The detection engine analyzes activity on a monitored endpoint. If the activity indicates malicious or suspicious behavior, it is categorized and assigned a severity level.
You can analyze the life cycle of a threat through the details, attributes, impacts, activity and events provided. Indicators such as an external network connection, an elevated authorization level, data exfiltration and encryption of data support the analysis of each threat.
Four Ways to Analyze a Threat
1. Initial trigger details
2. The first and last time the threat was detected
3. The number of impacted endpoints
4. Age: the time elapsed since the last detection
When you check the number of impacted endpoints that triggered detection for a selected threat, note that each endpoint carries a number in parentheses showing how many times the threat was detected on that endpoint.
If an endpoint shows more than one detection, its name can be expanded to show details such as the activity date and severity of each detection.
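The following is an added example, not code from the original page or from any EDR vendor: it builds the per-threat summary described above (first and last detection, impacted endpoints with their "(n)" detection counts, age since last detection) from a constructed list of detection records, and orders threats for response. The threat names, endpoint names, timestamps and the four-level severity scale are all assumptions.

```python
from collections import Counter
from datetime import datetime

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale

# Constructed sample detections: (threat name, endpoint, detection time, severity)
DETECTIONS = [
    ("Suspicious PowerShell", "WS-01", datetime(2024, 5, 1, 9, 0), "high"),
    ("Suspicious PowerShell", "WS-01", datetime(2024, 5, 1, 9, 30), "high"),
    ("Suspicious PowerShell", "WS-02", datetime(2024, 5, 2, 14, 0), "critical"),
    ("Unsigned Driver Load", "SRV-01", datetime(2024, 4, 20, 8, 0), "medium"),
]
NOW = datetime(2024, 5, 3, 12, 0)  # constructed "current time" for the age field

def summarize_threats(detections, now):
    """Return {threat: summary} with the analysis fields from the text:
    first/last detection, highest severity, impacted endpoints and age."""
    summaries = {}
    for threat, endpoint, seen_at, severity in detections:
        s = summaries.setdefault(threat, {
            "first_seen": seen_at, "last_seen": seen_at,
            "severity": severity, "endpoints": Counter(),
        })
        s["first_seen"] = min(s["first_seen"], seen_at)
        s["last_seen"] = max(s["last_seen"], seen_at)
        # keep the highest severity seen across all detections of this threat
        if SEVERITY_RANK[severity] > SEVERITY_RANK[s["severity"]]:
            s["severity"] = severity
        s["endpoints"][endpoint] += 1  # the "(n)" count shown next to each endpoint
    for s in summaries.values():
        s["impacted_endpoints"] = len(s["endpoints"])
        s["age"] = now - s["last_seen"]  # time elapsed since the last detection
    return summaries

def prioritize(summaries):
    """Order threats for response: highest severity first, then the most
    endpoints impacted, then the most recently seen (smallest age)."""
    return sorted(summaries, key=lambda t: (
        -SEVERITY_RANK[summaries[t]["severity"]],
        -summaries[t]["impacted_endpoints"],
        summaries[t]["age"],
    ))

def endpoint_label(summaries, threat, endpoint):
    """Render an endpoint row as the text describes it, e.g. 'WS-01 (2)'."""
    return f"{endpoint} ({summaries[threat]['endpoints'][endpoint]})"
```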
3 Ways to Respond Remotely to a Threat
Contain. Remove. Dismiss.
Containment
Containment matters early in handling a threat: when you deploy a reaction and select all displayed results to take action, the action is executed on every impacted endpoint in your environment.
Removal
Remove a threat remotely once the investigation is complete. This permanently deletes artifacts such as a process, folder, file, registry value or content from the endpoint.
Dismissal
Dismiss, exclude or delete a threat from the potential “threat list” if the threat is non-malicious. You can also edit the exclusion criteria in the “threat list.”
Containment can ultimately:
- Limit further damage from the threat on the endpoint
- Avoid spreading the threat through the environment
- Minimize the impact to zero without any data loss
- Provide time to develop a tailored remediation strategy
You can use the following reactions to respond to threats remotely: quarantining devices, killing or stopping a process, executing a user logoff or an operational shutdown, scheduling a reboot, and releasing devices from quarantine.