EDR (Endpoint Detection and Response) protection systems combine several detection elements, such as antivirus, artificial intelligence and big data analysis. This type of security solution continuously monitors and supervises user devices in order to detect and respond to cyber threats such as ransomware and malware.
How does it work?
This technology stack records and stores behaviour at the level of the endpoint, i.e. a remote computing device that communicates with the network it is connected to, and uses various data analysis techniques to detect suspicious system behaviour. It also provides contextual information about what it finds, blocks malicious activity and offers suggestions for restoring affected systems.
It is not anti-virus software, but it may have anti-virus capabilities or use data from another anti-virus product. Whereas antivirus software is primarily responsible for protection against known malware, an EDR detects the attacker's behaviour while the attack is in progress. In other words, it combines traditional anti-virus with monitoring and artificial intelligence tools to provide a fast and efficient response to the most complex risks and threats.
So what are its characteristics?
- Monitor and collect activity data to identify potential threats.
- Analyse this data to identify patterns.
- Automatically respond to identified threats to eliminate or contain them, and notify security personnel.
- Forensic and analysis tools to investigate identified threats and look for suspicious activity.
In addition to antivirus, what applications are included?
- Analysis tools supported by the use of machine learning to improve threat detection.
- Sandbox: a virtual and isolated test system to check the behaviour of downloaded files.
- Scanning for IOCs and applying YARA rules, which allow complex threats to be analysed and detected in real time.
- The use of whitelisting and blacklisting of emails, web pages and IP addresses.
- Interoperability and interaction with other security tools, such as SIEM, IPS/IDS or anti-malware tools.
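The four characteristics listed above (collect, analyse, respond, keep forensic data) and the IOC scanning and IP whitelisting/blacklisting just mentioned can be shown end to end in a small pipeline. The code below is an added illustration written for this page; it is not code from the original post, nor from Esferize or any EDR vendor. It assumes a constructed stream of JSON-line telemetry events (process start, file write, outbound connection) of the kind an agent forwards to its backend; the hash in the indicator list is a placeholder and the IP addresses come from the RFC 5737 documentation ranges. One rule matches a known-bad file hash, one scores a behaviour across many events (a single process writing many files with an encryption-style extension), and one checks outbound connections against the allow/deny lists; each alert carries context and a suggested response action, and every raw event is kept for later forensic review.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicators for the demo: the hash is a placeholder, not a real IoC,
# and the IP addresses are RFC 5737 documentation addresses.
IOC_HASHES = {"0123456789abcdef" * 4: "constructed-sample-dropper"}
IP_DENYLIST = {"203.0.113.10"}
IP_ALLOWLIST = {"198.51.100.5"}

# Behavioural rule: one process writing this many files with an unusual
# extension is what an encryption loop looks like from the endpoint's side.
MASS_WRITE_THRESHOLD = 5
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: int
    action: str      # suggested response for the analyst or an automated playbook
    context: str     # human-readable detail attached to the alert


class EndpointMonitor:
    """Minimal EDR-style pipeline: record events, analyse them, respond."""

    def __init__(self):
        self._writes = defaultdict(lambda: defaultdict(int))  # (host, pid) -> ext -> count
        self._fired = set()          # (host, pid, rule) tuples already alerted on
        self.alerts = []
        self.timeline = []           # every raw event, kept for forensic review

    def ingest(self, raw_line: str):
        event = json.loads(raw_line)
        self.timeline.append(event)
        handler = getattr(self, f"_on_{event['type']}", None)
        if handler:
            handler(event)

    def _raise(self, rule, event, action, context):
        key = (event["host"], event["pid"], rule)
        if key in self._fired:
            return  # one alert per process and rule; the timeline keeps the rest
        self._fired.add(key)
        self.alerts.append(Alert(rule, event["host"], event["pid"], action, context))

    def _on_process(self, e):
        # IoC match: the hash of the started image is on the indicator list
        name = IOC_HASHES.get(e["sha256"])
        if name:
            self._raise("known_malicious_hash", e, "terminate_process",
                        f"{e['image']} matches indicator {name}")

    def _on_file_write(self, e):
        ext = "." + e["path"].rsplit(".", 1)[-1].lower() if "." in e["path"] else ""
        if ext not in SUSPICIOUS_EXTENSIONS:
            return
        counts = self._writes[(e["host"], e["pid"])]
        counts[ext] += 1
        if counts[ext] >= MASS_WRITE_THRESHOLD:
            self._raise("mass_encrypted_writes", e, "isolate_host",
                        f"{counts[ext]} files written with extension {ext}")

    def _on_network(self, e):
        dst = e["dst_ip"]
        if dst in IP_ALLOWLIST:
            return  # whitelisted destination, no further checks
        if dst in IP_DENYLIST:
            self._raise("denylisted_destination", e, "block_connection",
                        f"outbound connection to {dst}:{e['dst_port']}")


# Constructed telemetry as JSON lines, in the shape an agent might forward it.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process", "host": "ws01", "pid": 4242, "image": "invoice.exe",
     "sha256": "0123456789abcdef" * 4},
    *[{"type": "file_write", "host": "ws01", "pid": 4242,
       "path": f"/home/a/doc{i}.docx.locked"} for i in range(6)],
    {"type": "network", "host": "ws01", "pid": 4242, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "network", "host": "ws01", "pid": 1001, "dst_ip": "198.51.100.5", "dst_port": 443},
    {"type": "process", "host": "ws02", "pid": 77, "image": "notepad.exe", "sha256": "ff" * 32},
]]


def run_sample():
    """Feed the constructed events through the monitor and return it."""
    monitor = EndpointMonitor()
    for line in SAMPLE_EVENTS:
        monitor.ingest(line)
    return monitor


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"[{a.rule}] {a.host} pid={a.pid} -> {a.action}: {a.context}")
```

Running it produces three alerts, all for process 4242 on ws01: the hash match on start, the mass-write rule once the fifth `.locked` file is written (the sixth write does not raise a duplicate), and the blocked connection to the denylisted address; the allowlisted connection and the benign process on ws02 stay silent while still being recorded in the timeline. A real product does the same three things at far greater scale, with many more rules and the responses wired to the agent.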
Do I need an EDR?
Although anti-virus software has evolved exponentially in recent years, it is still unable to detect threats beyond malware. Against the more complex attacks that large companies suffer today, it is still not effective. These are cybersecurity threats in which social engineering is mixed with the human failures of employees, together with more complex techniques used inside company networks (0-day vulnerabilities, ransomware, compromised accounts, persistent threats, etc.). This makes them more difficult to detect and control, with consequent financial and reputational damage.
Although the investment is higher with this type of tool, the associated advantages mean that the investment pays for itself much sooner, as it significantly reduces the effects of the most sophisticated digital attacks against companies. At Esferize we work with Sentinel One, a versatile agent optimised for excellent performance on any platform, with a simple management system and local and cloud-based operation.