Why you should use EDR? | Emsisoft Endpoint Detection & Response | Emsisoft Endpoint Protection
Hello, and welcome to our video. Today we’re going to talk about why you should use EDR.
Emsisoft endpoint protection products are among the best in the industry, validated by independent testing and awards, and by over 20 years on the market. But today’s cyber threats are more sophisticated and targeted, requiring additional layers of protection, with centralized monitoring, hunting and investigation of any suspicious incidents by professional cyber security specialists.
With the ever-increasing threats of zero-day vulnerabilities, living-off-the-land attacks, and relentless attempts at credential compromise, EDR provides the foundation necessary to detect, respond, and recover from an incident.
Emsisoft EDR gives a consolidated view of activities and detections, both during normal day-to-day operations and after a cyber incident has taken place. It monitors endpoint activity in real time, allowing early detection of suspicious or malicious behavior, so that security teams can respond before a threat escalates.
Incidents are detections by one of Emsisoft’s multiple monitoring technologies (Web Protection, File Guard, Behavior Blocker, Behavior AI, and Threat Hunting), and can be viewed for a single workspace or across all workspaces from the Global incidents page. A top 5 header shows the elements and devices that have triggered the most incidents. In addition, the Global view shows the top 5 workspaces, and the Workspace view shows the top 5 user accounts, with the most incidents.
It’s important to point out that not all incidents are malicious. Behavior AI, for example, tracks almost 2000 different MITRE ATT&CK patterns in real time, and deciding whether an observed pattern represents a threat typically requires wider context. A series of suspicious activities taken together may provide the context that signifies malicious intent.
Detailed information, including the nature of the detection, the execution tree, the timeline, a summary of the resources affected, and links to third-party reference sources such as VirusTotal and MITRE ATT&CK, provides the vital inputs for a root-cause analysis.
Drilling into the details of an individual incident, let’s look at the areas of information that are captured and presented:
Right at the top of the page, a quick glance tells us:
- the workspace and name of the executable,
- the highest level of severity that was triggered, and by which monitoring layer,
- any action that’s been taken so far,
- a link to the remediation history (more on this in a moment),
- the verdict for the incident, as determined by one of your analysts, and
- a ‘Remediate threat’ button, which allows you to isolate the device in question, quarantine the executable, roll back any malicious file deletion or encryption, and end device isolation after remediation.
Next, let’s look at the Threat indicators for the incident. The threat indicators bring you up to speed quickly on key facts, including:
- the detection layer or layers that flagged the incident, along with its severity,
- the file that was executed, and when it was first seen,
- the endpoints where the activity has been observed,
- whether the executable is digitally signed, and
- links to third-party sources, including MITRE ATT&CK, VirusTotal, and Google, to assist in any investigation
Beside that we see the Execution tree, which can provide insights into the root cause of an incident. It shows the relationships between processes, allowing you to trace activity back to the initial process and user account that allowed malware to enter the organization.
The execution tree can also help identify deviations from normal execution patterns that may indicate malicious activity. For instance: was a process initiated by a scheduled task, or by a user? And: what command-line parameters, if any, were passed when the process was executed?
If the file has executed multiple times, or on more than one endpoint, we can view each individual execution tree by selecting the device and process ID from the drop-downs. It’s worth noting that the color of the process ID in the drop-down denotes the severity of that specific occurrence: red text for malicious activity, orange for likely malicious, yellow for suspicious, and so on.
The tree itself also displays clues to the risk associated with a process. Processes that can generally be trusted, such as verified Windows components and digitally signed programs, are displayed in green, while others are shown in grey or in the color representing their severity at detection time.
Below that, we see the incident Timeline, which presents the chronological sequence of events across all affected devices. This helps in understanding how an incident unfolded, identifying the initial compromise, and tracking the progression of malicious activity. The timeline is the foundation for incident reconstruction, and therefore for effective mitigation and remediation: it lets you prioritize actions, address the weaknesses that were exploited, and contain the impact of the incident in a systematic manner.
Finally, the Events table provides a detailed view of all of the relevant activities and impacts of the incident. You can search, sort and view which files have been modified, registry entries that have been added, deleted, or changed, processes that have been started or terminated, network activity, and the threat detections and severities generated by the incident. When you choose to view only events of a certain type, such as Registry events, you see much greater detail, with data columns specific to that event type.
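As an added illustration of what the execution tree, timeline and events table let an analyst do, here is a small Python sketch. It is not Emsisoft code and makes no claim about Emsisoft’s internal data model: it walks parent/child links back to the oldest recorded ancestor, applies a simple heuristic for the “scheduled task or user?” question, flags command-line clues on signed Windows binaries that are being abused, and merges events from several devices into one timeline with per-type views. The event schema, the severity thresholds and every sample record (hostnames, user names, the 203.0.113.10 address, the Run key) are constructed for the example.

```python
"""Execution-tree and timeline reconstruction from endpoint telemetry.
Added illustration only: the schema, thresholds and sample records below are
constructed for this example and are not Emsisoft's data model or code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: str      # ISO-8601 UTC; string order equals time order
    device: str
    kind: str    # "process", "file", "registry" or "network"
    pid: int     # process that performed the action
    data: dict = field(default_factory=dict)  # columns specific to the kind


# Constructed sample (hypothetical): on WS-01 the Task Scheduler service host
# starts cmd.exe, which runs a batch file from a world-writable folder that
# launches hidden, encoded PowerShell; PowerShell drops a file, adds a Run key
# and connects out. WS-02 shows an unrelated, benign updater.
EVENTS = [
    Event("2024-05-01T08:00:00Z", "WS-01", "process", 700, dict(
        ppid=4, image=r"C:\Windows\System32\svchost.exe",
        cmdline="svchost.exe -k netsvcs -p -s Schedule", user="SYSTEM", signed=True)),
    Event("2024-05-01T08:00:02Z", "WS-01", "process", 4120, dict(
        ppid=700, image=r"C:\Windows\System32\cmd.exe",
        cmdline=r"cmd.exe /c C:\Users\Public\update.bat", user=r"WS-01\jdoe", signed=True)),
    Event("2024-05-01T08:00:03Z", "WS-01", "process", 4188, dict(
        ppid=4120, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA", user=r"WS-01\jdoe", signed=True)),
    Event("2024-05-01T08:00:04Z", "WS-01", "file", 4188, dict(
        op="create", path=r"C:\Users\Public\u.ps1")),
    Event("2024-05-01T08:00:05Z", "WS-01", "registry", 4188, dict(
        op="set", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        value="Updater", data=r"C:\Users\Public\update.bat")),
    Event("2024-05-01T08:00:06Z", "WS-01", "network", 4188, dict(
        proto="tcp", dst="203.0.113.10", port=443)),
    Event("2024-05-01T08:00:01Z", "WS-02", "process", 2210, dict(
        ppid=910, image=r"C:\Program Files\Vendor\updater.exe",
        cmdline="updater.exe --check", user=r"WS-02\asmith", signed=True)),
]


def process_index(events: List[Event]) -> Dict[Tuple[str, int], Event]:
    """(device, pid) -> process event, for parent look-ups."""
    return {(e.device, e.pid): e for e in events if e.kind == "process"}


def ancestry(events: List[Event], device: str, pid: int) -> List[Event]:
    """Follow ppid links to the oldest ancestor the sensor recorded and return
    the chain root-first; stops when the parent was not observed or on a cycle."""
    idx = process_index(events)
    chain: List[Event] = []
    cur: Optional[Event] = idx.get((device, pid))
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = idx.get((device, cur.data["ppid"]))
    return chain[::-1]


def launch_origin(chain: List[Event]) -> str:
    """Heuristic for "scheduled task or user?": a Task Scheduler-launched process
    has the Schedule service host (svchost.exe ... -s Schedule) or taskeng.exe
    among its ancestors; otherwise assume an interactive launch."""
    for e in chain:
        img, cmd = e.data["image"].lower(), e.data["cmdline"].lower()
        if img.endswith("taskeng.exe") or (img.endswith("svchost.exe") and "-s schedule" in cmd):
            return "scheduled task"
    return "user"


def indicators(e: Event) -> List[str]:
    """Clues for one process. cmd.exe and powershell.exe are signed Windows
    components, so the parameters they were called with carry the signal."""
    img, cmd = e.data["image"].lower(), e.data["cmdline"].lower()
    found = []
    if not e.data["signed"]:
        found.append("unsigned image")
    if img.endswith("powershell.exe"):
        if "-enc" in cmd:                       # also matches -encodedcommand
            found.append("encoded PowerShell command")
        if "-w hidden" in cmd or "-windowstyle hidden" in cmd:
            found.append("hidden window")
    if "\\users\\public\\" in cmd or "\\temp\\" in cmd:
        found.append("script run from world-writable path")
    return found


SEVERITY = {0: "clean", 1: "suspicious", 2: "likely malicious"}  # 3+ -> malicious


def severity(found: List[str]) -> str:
    """Bucket the indicator count into verdict colours (illustrative thresholds)."""
    return SEVERITY.get(len(found), "malicious")


def timeline(events: List[Event], devices=None) -> List[Event]:
    """Chronological sequence across all, or only the selected, devices."""
    rows = [e for e in events if devices is None or e.device in devices]
    return sorted(rows, key=lambda e: (e.ts, e.device, e.pid))


def events_of_kind(events: List[Event], kind: str) -> List[Event]:
    """Type-specific view; each row's data dict holds that type's columns."""
    return [e for e in events if e.kind == kind]


if __name__ == "__main__":
    chain = ancestry(EVENTS, "WS-01", 4188)
    print("origin:", launch_origin(chain))
    for depth, e in enumerate(chain):
        print("  " * depth + f"{e.pid} {e.data['cmdline']}  [{severity(indicators(e))}]")
    for e in timeline(EVENTS):
        print(e.ts, e.device, e.kind, e.pid, e.data)
```

Running it prints the WS-01 chain svchost → cmd → powershell, classified as launched by a scheduled task, with the PowerShell process rated “likely malicious” on the strength of its parameters alone, and then a single cross-device timeline in which the unrelated WS-02 updater slots in by timestamp. The point the sketch makes is the one the walkthrough makes: the signed binaries in the tree are trusted images, so the root cause is visible only in the parent chain and the arguments, not in the file names.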
Implementing an EDR system is a foundational building block for cyber defense, and is seen as so important in the effort to protect businesses that it’s often a requirement for regulatory or insurance compliance.