CybersecuritySecurity

Endpoint Detection and Response: A New Breed of Defense

Endpoint Detection and Response is a New Breed of Defense

Meet Lucy. She is affectionate and playful. She likes belly rubs and long walks on wooded trails. Lucy is great with kids. She can play ball for hours. Lucy is adorable and loved by many!

But if a stranger breaks a window or makes a threatening move toward her family Lucy will bark, claw, and bite with a ferocity that would make Chuck Norris whimper. Not only is Lucy a beloved pet, she is also a highly-trained guard dog.

When danger arrives, Lucy springs into action and will defend the family against all attackers until the threat is neutralized.

Why are we talking about Lucy on a tech blog? Because there is a new breed of cybersecurity defense: Endpoint Detection and Response. It behaves much like Lucy does.

What is Endpoint Detection and Response?

Endpoint Detection and Response (EDR) is a cybersecurity tool that monitors desktop computers, laptops, tablets, servers, workstations, and mobile devices for threats.

Like Lucy the guard dog, EDR responds immediately to suspicious behaviors.

The most sophisticated EDR solutions are active and intelligent. They use artificial intelligence to identify even novel attacks as suspicious behavior. Data science is applied at the endpoint and automated processes spring into action to neutralize the threat. EDR can be configured to simply report the threat to IT administrators, or to quarantine and kill malicious code the instant it tries to run.

How is EDR an improvement over traditional anti-virus?

Endpoint Detection and Response is sometimes referred to as Next-Generation Anti-Virus (NGAV) because it presents a new paradigm in protection.

Traditional anti-virus products use a definition-based approach to identify and quarantine threats. Anti-virus traditionally depends on a database of known malicious files—a list of virus definitions.

If a file is detected that matches a known virus signature, traditional anti-virus will prevent execution of that file, quarantine the file, and/or alert network administrators.

In a sense, traditional anti-virus is a bit like a jury in a court of law. Both traditional AV and a jury evaluate evidence and compare it to a known standard to determine a verdict or a course of action.

The problem with traditional anti-virus is that it is slow to respond. By the time a threat is detected, it may be too late.

More importantly, traditional anti-virus might not even recognize a novel threat (like new variant of ransomware) at all.

In contrast to traditional anti-virus, EDR is more like our loyal friend, Lucy the guard dog.

EDR is intelligent, autonomous, and active.

EDR does not rely on definitions or signatures of known viruses. EDR monitors devices for suspicious behavior. Artificial Intelligence detects behaviors that could pose a threat. It doesn’t matter if the malware has been previously identified as malicious. EDR is springs into action based on behaviors that appear threatening—even sophisticated attacks across multiple vectors.

Based on the EDR solution’s configuration, it may quarantine and kill threatening files, or it may simply alert administrators to the problem.

What does EDR look like in action?

SentinelOne is a product that has proven to be highly effective. Here are some videos that illustrate SentinelOne’s response to contemporary threats.

SentinelOne vs Sodinokibi REvil attack (Kaseya Supply Chain incident)

On July 2nd, 2021, adversaries perpetuated an attack on US supply chains. The attack was inadvertently distributed by Kaseya–a remote monitoring and management (RMM) tool widely used by managed services providers. This attack ultimately crippled hundreds of businesses by infecting over a million systems. The ransom demanded over $40,000 per infected endpoint in exchange for a key to decrypt the data on that device.

Here is a video published by SentinelOne that illustrates SentinelOne’s ability to stop REvil in its tracks:

Can SentinelOne mitigate and rollback an attack?

SentinelOne EDR features Storyline™ tools that enable a rollback and reversal of all malicious actions. Here is an illustration of SentinelOne vs the REvil variant that encrypted JBS and ultimately cost the company $11 million in ransom.

Conclusion

SentinelOne may not be as adorable as Lucy the guard dog but it shares many of her other most admirable traits. It is intelligent, autonomous, and active in it’s defense of your network. And compared to the cost of a ransomware attack it is a bargain.

If you are ready to deploy SentinelOne in your computing environment or if you are just curious to learn more, contact EXP Technical TODAY.