This post complements the Wiki entry “Virus scanner”, which explains what antivirus programs are, how virus scanners work and what their advantages and disadvantages are.
He sheds light on Endpoint Detection and Response (EDR), a further development of virus scanners and endpoint protection, to support the development of Malware combat it with the help of new technologies.
Endpoint Detection and Response (EDR) is an advanced solution integrated with Endpoint Protection to enable continuous data collection, monitoring, and automated analysis and response functionality. It protects endpoints from advanced malware, APTs and phishing attacks protect.
EDR protects against malware, anomalous behavior, and fileless attacks using advanced analytics. It also deals with documenting and tracking the tactics, techniques and procedures (TTP/Tactic, Technique and Procedure) used as to how the attackers entered and moved through the network.
Most organizations implement endpoint protection, which is a means of reactive security, but integrating EDR also provides organizations with proactive security. Even with the best solutions, there is no 100% protection; it makes access more difficult for attackers due to the significantly increased effort and the required know-how.
The analysis of processes provides information about running programs on end devices. Malicious processes invoke other processes, and this information can help determine the parent process of a malicious process.
Information about all active and pending connections is collected.
Collecting information about end devices to detect abnormal system behavior. This information helps determine what has changed on a system in the event of an incident.
Collecting user information for machine learning can help determine their standard user behavior and thus detect anomalies.
Autostart control. This is one of the most common means of executing code and attacking systems, as some malware tries to hide in the Windows startup process.
The data is collected centrally for monitoring and used to detect threats. This collected data is useful to Security Operation Centers (SOC) and used in incident response.
If threats are detected, those responsible for IT security are alerted. If multiple threats occur, prioritization is carried out in order to effectively avert the danger.
EDR offers the ability to visually display the progression of the attack using correlated events.
If endpoints do not comply with guidelines or malware is discovered, EDR offers automated response options, such as isolating these endpoints from the network or isolating the entire network area.
Proactively by addressing potential dangers (Cross referencing to “Network Traffic Analysis”)
Replacement of regular endpoint protection for larger companies with their own SOC
For subsequent incident analysis
