Endpoint Detection and Response (EDR) is a term used to describe cyber security technologies that help organizations to detect threats that target devices such as laptops, servers and desktops.
EDR combines elements of next-gen antivirus with additional functionality to deliver real-time anomaly detection, support threat hunting and help automate incident response processes.
An EDR solution works by collecting endpoint data and using behavioral analytics to examine it for evidence of suspicious activity. When an anomaly is detected, an alert is generated for human investigation. Endpoint telemetry can be used to perform kill chain analysis, contain and quarantine infected devices, create custom threat watchlists and block malicious IPs. This provides security teams with a crucial layer of visibility to identify and respond to intrusions.
Netbull provides this technology as a service, following the “service as you grow” approach. The endpoint telemetry capabilities can also be extended by combining them with the security incident monitoring and management service, to achieve deeper threat visibility and coverage.
An EDR agent is installed on each endpoint (desktop, laptop or server), enabling security analysts to deal promptly and effectively with any detected threat. The analysts will have full knowledge of the incident in minimal time and, in collaboration with the administrators, will carry out remediation actions.
The technical characteristics of this service are:
- Detection based on file reputation: The solution maintains a database of every file it has encountered, each with a corresponding good or bad reputation. As a result, known malware is quarantined quickly and easily without the need for a scan.
- Polymorphic malware detection: Malicious software developers often write different variations of the same malware to avoid common detection techniques. The solution can detect these variants, or polymorphic malware, through fingerprinting. Fingerprinting looks for similarities between the suspicious file’s contents and the contents of known malware families and convicts the file if there is a match.
- Machine learning analysis: The solution is trained by learning algorithms to identify malicious files and activity based on the attributes of known malware. The machine learning capabilities are backed by a cloud service to ensure a better and more accurate model. This technique makes it possible to detect zero-time malware, i.e. malware that has not been seen before.
- Attack detection and prevention: By attacking an endpoint’s software and memory, a hacker can penetrate a network while bypassing the traditional protection mechanisms against malware. With our solution it is possible to detect any attack at the endpoints.
- Malicious activity protection: The solution continuously monitors all endpoint activity and provides detection and blocking of abnormal behavior of a running program on the endpoint. For example, when endpoint behavior indicates ransomware, the offending processes are terminated, preventing encryption of the endpoint and stopping the attack.
- Indicators of Compromise: Our solution constantly analyzes malware to detect new types of threats and creates behavior profiles for newly emerging threats. These profiles are also known as Indicators of Compromise. Indicators such as file locations and registry modifications are elements the solution can use to identify compromised systems.
- Vulnerability Detection: The solution identifies vulnerabilities in endpoint software to reduce the chances of a successful attack that exploits a software vulnerability. Endpoints that run vulnerable software are recorded and prioritized based on the Common Vulnerabilities and Exposures (CVE) rating: the more severe a vulnerability, the more prominently it appears on the list.
- Low prevalence: The solution automatically identifies executables that exist in low numbers across the endpoints and analyzes those samples in the vendor’s cloud-based sandbox to uncover new threats. Targeted malware and advanced persistent threats often fly under the radar, starting on only a few endpoints and therefore with low prevalence. Our solution automatically hunts this software to uncover the 1% of threats that would otherwise have gone unnoticed.
For more information and a detailed presentation of EDR as a Service, please fill in and send the Talk With An Expert form and we will contact you as soon as possible.