In today's information-oriented world, it is becoming increasingly difficult to respond to cyber-attacks against companies with conventional security products alone. In such an environment, EDR, which detects abnormalities in devices, is attracting attention. In this article, we will explain how EDR works, its functions, and how it differs from antivirus, as well as EDR surveys to understand virus intrusion routes and damage.
EDR stands for Endpoint Detection and Response, a security measure that detects unauthorized activity on PCs, smartphones, servers, and other digital devices and notifies administrators. With changes in the way of working due to the spread of teleworking and other factors, EDR to enhance security of these digital devices, known as endpoints, has been attracting attention.
This section describes the differences between EDR and other security products such as EPP, NGAV, and NDR, as well as the features of each.
EPP stands for Endpoint Protection Platform, also commonly referred to as antivirus software. The difference between EDR and EPP is that the main purpose of EDR is to minimize damage after a threat has entered the system, while the main purpose of EPP is to protect against threats before they enter the system.
NGAV stands for Next Generation Anti-Virus and is a next-generation EPP. It uses machine learning technology to detect and eliminate anomalies that have movements and characteristics similar to malware (viruses and other malicious software). It is characterized by its ability to respond to unknown malware that is not in its database, but like EPP, its main purpose is to prevent threats before they enter the system, which is the difference between it and EDR.
NDR stands for Network Detection and Response, and refers to security measures that detect and respond to unauthorized activity on a network, The difference is that EDR is a measure for endpoints, i.e., devices such as PCs and servers, while NDR is a measure for the network, i.e., communication activity after an intrusion.
This presentation will explain the importance of EDR, which approaches threats that cannot be prevented, rather than preventing them from entering the system, as well as the background to the growing attention to EDR.
Cyber-attacks are becoming more advanced and sophisticated with the evolution of technology. Even if security measures are taken, attacks can quickly surpass them, making it nearly impossible to completely prevent intrusions. For this reason, EDR, a mechanism to minimize damage based on the assumption that an intrusion will occur, is becoming more and more important.
The proliferation of mobile devices such as smartphones and tablets is also having an impact. There are an increasing number of cases of intrusion into corporate servers via employees' smartphones or through Wi-Fi environments in the city, and conventional security systems are finding it difficult to cope with such intrusion.
Another factor is the diversification of work styles due to the Corona disaster. With the spread of remote work, there are more opportunities to work from home or outside the office, and attack routes have become more diverse. In such a network environment, perimeter-type defenses that separate internal and external networks have their limits. Therefore, it is necessary to strengthen security at endpoints in accordance with the zero-trust concept of "no unconditional trust.
There are a wide variety of EDR products, and each product has different features and costs, so it is important to select the right product for your security situation. In addition, some of the tools that are widely used as EPPs also provide EDR, but some of these products may not have sufficient EDR functionality. If you need a full-fledged EDR function, select a product with EDR functions as its main feature.
This section explains what EDR investigates and what can be learned as a result.
When EDR investigations detect suspicious behavior or suspicious programs, they can catch up lateral movement from the active endpoint (terminal) where the compromise originated. If you have an EDR license that retains logs for a certain period of time in the past, you can also identify intrusion routes by analyzing the process retroactively from the point of detection.
EDR investigations can collect and analyze information such as the type of malware detected, the intrusion route, and whether or not information has been leaked, to identify the root cause of the security breach and visualize the damage situation.
While EDR has many advantages as described above, there are also several disadvantages. One is that it is costly to implement. Another is the need to devote resources to operations. It is necessary to secure personnel with the knowledge and experience to respond to threats when they occur, and to establish an operational system that can respond quickly.
FRONTEO's "Cyber Security Investigation Package" is recommended to eliminate such disadvantages, as FRONTEO has conducted more than 10,600 fraud investigations and is recommended by several insurance companies to provide high-quality cyber security investigations. We can investigate from a single PC.
We provide not only EDR investigations, but also Dark Web investigations as a single package, and can conduct additional investigations such as Wi-Fi vulnerability investigations, NDR investigations, and penetration tests. For companies that do not have personnel with specialized knowledge, concerns remain about the speed and expertise of contingency response. Based on the know-how gained from our overwhelming experience, FRONTEO will support your initial response to cyber attack damage.
→ [Related Article] Cyber Security Survey Package "Cyber Security Survey Package" service website
→For inquiries about FRONTEO's EDR investigations, click here.