Endpoint Detection and Response (EDR) and Modern SOC

I’ve worked with EDRs for the past two years of my professional life. While I do have a love/hate relationship with EDRs, I believe more companies should adopt them, but should not rely on them solely.

Monica Nathalia
4 min read · Jul 18, 2021

Today’s enterprise architecture is moving towards leveraging the benefits of cloud technology, and the security architecture is starting to mimic the Zero Trust Security Model. The zero trust concept itself is not new, but it has recently become a buzzword again. I personally worked on a global project back in 2018 for a pharmaceutical company with the aim of hardening their network architecture and achieving the so-called zero trust model. We basically reviewed most of the firewall logs across different regions and blocked all unnecessary traffic (almost manually…).

Nonetheless, today’s zero trust architecture is believed to be achieved through strong Identity and Access Management (IAM) controls, which means: trust no one unless they are authorized to access. However, even ‘authorized credentials’ can become a blind spot for the company. I will discuss this further in Incident Response in a Zero Trust world.

In this post, I am going to discuss the role of EDR in a modern SOC that has a cloud environment and a zero trust model integrated.

Role of EDR in Modern Security Operations Center (SOC)

  1. EDR acts like a Digital Video Recorder on the endpoint, recording activity to catch incidents that evaded prevention measures such as firewalls, NGAV, IPS and IDS. It gives the SOC comprehensive, real-time visibility into everything happening on its endpoints, eliminating the risk of “silent failure”, which allows intruders to remain in your environment undetected.
    EDR acts as a single pane of glass. Most EDR consoles display alerts together with additional information such as the alert’s process tree and the incident graph. You can also see a detailed machine timeline that shows every recorded behavior over a historical period.
    EDR uses indicators of attack (IOAs) to automatically identify attacker behavior and sends prioritised alerts to the dashboard.
  2. EDR collects telemetry on suspicious activity and may enrich it with contextual information from correlated events. EDR also detects IOAs that might have evaded other defenses and enables proactive threat hunting across an entire environment.
    EDR also helps the SOC respond to and remediate threats effectively, getting the business back to normal quickly. The wealth of data collected, coupled with threat intelligence, allows the SOC to hunt beyond IOCs: this in-depth, proactive analysis finds malicious patterns of activity that may not have been detected otherwise.
  3. Automatic threat detection and response ensures an optimal zero trust model implementation. A combination of endpoint security, network security and strong IAM is the only way to achieve holistic protection and implement the Zero Trust model across your entire security architecture.

    A true end-to-end Zero Trust strategy makes it harder for attackers to get into the network.
  4. The servers that underpin cloud workloads often hold the most critical assets in the company. If ransomware hits a server, it can feasibly cost a company thousands or even millions of dollars by locking up business-critical data.
    Further, memory protection and exploit prevention are often missed by normal hardening.
    The exploit prevention and memory protection enabled in EDR help secure your most critical assets against zero-days and fileless malware.
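To make the “DVR on the endpoint”, process tree and IOA ideas from points 1 and 2 concrete, here is an added example (not code from the post or from any EDR vendor) that runs two illustrative behaviour-based rules over hand-constructed process-creation telemetry. The events, the host name, the rule names and the severity scheme are all constructed for the example; the point is that the rules key on relationships between processes (an Office application launching a scripting host, directly or through an intermediate shell), so they fire regardless of the hash or file name of whatever was dropped, which is what “hunting beyond IOCs” means in practice.

```python
"""Behavioural detection over endpoint process telemetry.

Added example: the telemetry below is constructed by hand, and the two
rules are illustrative IOA-style rules, not any vendor's detection content.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 process creation time
    host: str
    pid: int
    ppid: int      # parent pid
    image: str     # executable name, lower-case
    cmdline: str


# Constructed telemetry for one workstation: a browser session (benign) and a
# document that spawns scripting hosts both directly and via cmd.exe.
EVENTS = [
    ProcEvent("2021-07-18T09:00:00Z", "ws-042", 100, 4,   "explorer.exe",   "explorer.exe"),
    ProcEvent("2021-07-18T09:00:30Z", "ws-042", 150, 100, "chrome.exe",     "chrome.exe"),
    ProcEvent("2021-07-18T09:01:10Z", "ws-042", 210, 100, "winword.exe",    "winword.exe invoice.docm"),
    ProcEvent("2021-07-18T09:01:15Z", "ws-042", 305, 210, "powershell.exe", "powershell.exe -File update.ps1"),
    ProcEvent("2021-07-18T09:01:20Z", "ws-042", 310, 210, "cmd.exe",        "cmd.exe /c run.bat"),
    ProcEvent("2021-07-18T09:01:21Z", "ws-042", 320, 310, "wscript.exe",    "wscript.exe run.vbs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def build_index(events):
    """Index events by pid and record parent -> children edges (the process tree)."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    return by_pid, children


def ancestry(pid, by_pid):
    """Image names from the root of the recorded tree down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def rule_office_spawns_script_host(event, by_pid):
    """Direct parent is an Office app and the child is a scripting host."""
    parent = by_pid.get(event.ppid)
    if parent and parent.image in OFFICE_APPS and event.image in SCRIPT_HOSTS:
        return "high"
    return None


def rule_script_host_with_office_ancestor(event, by_pid):
    """Same behaviour hidden behind an intermediate process (e.g. cmd.exe)."""
    if event.image not in SCRIPT_HOSTS:
        return None
    parent = by_pid.get(event.ppid)
    if parent and parent.image in OFFICE_APPS:
        return None                               # already covered by the direct rule
    if any(img in OFFICE_APPS for img in ancestry(event.pid, by_pid)[:-1]):
        return "medium"
    return None


RULES = {
    "office-spawns-script-host": rule_office_spawns_script_host,
    "script-host-with-office-ancestor": rule_script_host_with_office_ancestor,
}


def evaluate(events):
    """Run every rule over every event; return alerts sorted by severity, then time."""
    by_pid, _children = build_index(events)
    alerts = []
    for e in events:
        for name, rule in RULES.items():
            severity = rule(e, by_pid)
            if severity:
                alerts.append({
                    "rule": name, "severity": severity, "host": e.host, "ts": e.ts,
                    "pid": e.pid, "chain": ancestry(e.pid, by_pid), "cmdline": e.cmdline,
                })
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))
    return alerts


def timeline(host, events):
    """The 'machine timeline': every recorded event for one host, in order."""
    return sorted((e for e in events if e.host == host), key=lambda e: e.ts)


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a["severity"].upper(), a["rule"], " -> ".join(a["chain"]))
```

Running it prints the two alerts with their full ancestry chains, which is exactly what an analyst reads off a console process tree; `timeline()` is the raw recording the rules were evaluated over, and is what you would scroll back through when a detection arrives late.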

Benefits of Investing in EDR

  1. The cost of an incident, after the fact, can be enormous for the enterprise. It is estimated that there is a ransomware attack on a business every 11 seconds on average, with global ransomware damage losses projected to reach $20 billion this year.
    The business value comes from faster detection of threats already resident in the network, ideally before they cause substantial damage or steal critical data.
    EDRs usually do not require any on-premises management. They deploy in minutes with only a lightweight agent on the endpoint, and searches take place in the cloud database without any performance impact on endpoints or the network.
  2. EDR excels at reducing dwell time, investigation time and remediation time, the three big metrics in IR. EDR also helps you prioritise and respond effectively to threats against your crown jewels.
  3. Improving visibility and embracing security automation is a step towards an optimal zero trust maturity model.
    A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. Response to common incidents, such as denying access to infected devices, should be automated to improve response times and reduce risk exposure.
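Points 2 and 3 above (dwell time as a metric, prioritising crown jewels, and automating the denial of access to infected devices) can be shown in one small playbook. This is an added example, not the author’s code: the alert feed and the crown-jewel list are constructed, and `FakeEdrClient` is a hypothetical in-memory stand-in for a vendor’s response API, so the only thing it demonstrates is the decision logic and the metric, not any real product integration. The guardrail it adds is the one a practitioner would want: high and critical alerts on ordinary workstations are isolated automatically, but the same alert on a business-critical server is routed to an analyst instead of being auto-contained.

```python
"""Automated response playbook over prioritised EDR alerts.

Added example with constructed alerts. FakeEdrClient is a hypothetical
in-memory stand-in for a vendor's response API, not a real SDK.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: str          # critical / high / medium / low
    first_activity: str    # timestamp of the earliest event in the detected chain
    detected_at: str       # timestamp the alert was raised


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed crown-jewel list: servers that must never be isolated without a human.
CROWN_JEWELS = {"db-prod-01", "erp-app-02"}

# Constructed alert feed (three alerts, three different outcomes).
ALERTS = [
    Alert("A-1", "ws-042",     "high",     "2021-07-18T09:01:10Z", "2021-07-18T09:01:25Z"),
    Alert("A-2", "db-prod-01", "critical", "2021-07-18T08:30:00Z", "2021-07-18T09:00:00Z"),
    Alert("A-3", "ws-077",     "low",      "2021-07-18T09:05:00Z", "2021-07-18T09:05:05Z"),
]


class FakeEdrClient:
    """Records the response actions a real client would send to the EDR backend."""

    def __init__(self):
        self.actions = []

    def isolate_host(self, host, reason):
        self.actions.append(("isolate", host, reason))

    def request_approval(self, host, reason):
        self.actions.append(("approval", host, reason))

    def open_ticket(self, host, reason):
        self.actions.append(("ticket", host, reason))


def parse_ts(s):
    # datetime.fromisoformat does not accept a trailing 'Z' before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def dwell_seconds(alert):
    """Dwell time: how long the activity was present before the alert fired."""
    return (parse_ts(alert.detected_at) - parse_ts(alert.first_activity)).total_seconds()


def decide(alert):
    """Containment policy: auto-isolate high/critical, except crown jewels, which go to an analyst."""
    if alert.severity in ("critical", "high"):
        return "approval" if alert.host in CROWN_JEWELS else "isolate"
    return "ticket"


def run_playbook(alerts, client):
    """Apply the policy in priority order; return alert_id -> (action, dwell seconds)."""
    outcome = {}
    for a in sorted(alerts, key=lambda x: SEVERITY_RANK[x.severity]):
        action = decide(a)
        dwell = dwell_seconds(a)
        reason = f"{a.alert_id}: {a.severity} alert, dwell {dwell:.0f}s"
        if action == "isolate":
            client.isolate_host(a.host, reason)
        elif action == "approval":
            client.request_approval(a.host, reason)
        else:
            client.open_ticket(a.host, reason)
        outcome[a.alert_id] = (action, dwell)
    return outcome


def mean_dwell(alerts):
    """The IR metric the post calls out: average dwell time across the alert set."""
    return sum(dwell_seconds(a) for a in alerts) / len(alerts)


if __name__ == "__main__":
    client = FakeEdrClient()
    for alert_id, (action, dwell) in run_playbook(ALERTS, client).items():
        print(alert_id, action, f"dwell={dwell:.0f}s")
    print(f"mean dwell: {mean_dwell(ALERTS):.0f}s")
```

The critical alert on `db-prod-01` is handled first because the playbook sorts by severity, but it ends up as an approval request rather than an isolation; swapping in a real client behind the same three method names is where a vendor integration would go.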

Written by Monica Nathalia

Cybersecurity (Incident Response, Forensics and Threat Hunting) | all opinion and content are my own | Singapore