SPONSORED - The ‘new normal’ has meant that employees have had to adjust the way they work, and the main way that has happened is through employees having to work from home, beyond the IT perimeter and the scope of gateway-level protection.
This has meant that organisations have had to reconsider not only how they can enable employees to work – giving them the tools they require to be as productive and efficient as they would be in the office – but also how they can secure this new way of working.
Businesses have been aware of cybersecurity threats for a number of years, but many have restricted their investment to ‘classical’ endpoint protection (EPP), which encompasses antivirus and anti-malware elements. While this is necessary, as it provides a good foundation for stopping threats in the pre-execution phase, cybersecurity considerations are far more complex than protecting against just one phase of an attack.
Once an organisation can ensure its EPP provides the adequate protection from the pre-execution phase, it can then focus on the next layer of security provided by Endpoint Detection and Response (EDR). The objective of EDR solutions is to more readily identify, investigate and respond to advanced and complex malware threats.
Gartner describes the technology as “solutions that record and store endpoint system-level behaviours, use various data analytics techniques to detect suspicious system behaviour, provide contextual information, block malicious activity and provide remediation suggestions to restore affected systems”.
So why is this important now, in the ‘new normal’ working environment?
EDR provides organisations with the ability to respond remotely to cyber incidents and with many businesses signalling that remote working will continue beyond lockdown and pandemic measures, a technology that helps to contain an incident remotely is critical.
“The key features of EDR are the response functions, whereby the customer can use the tools to remotely respond to an incident, such as isolating a device in order to contain the incident, stop the threat, prevent it from starting again, quarantine the sample in order to collect it for analysis and delete the threat,” says Richard Porter, Head of Pre-Sales, Kaspersky UK&I.
As EDR offers a varying degree of automation and manual remediation functions, organisations can tackle these incidents without having to deploy an engineer to physically collect a device, which is currently more challenging with staff working remotely.
According to Porter, the ability to respond to a threat within seconds of it being identified is also of significant value because of this ‘new normal’.
“The EDR technology should also have some threat hunting capabilities to hunt for an identified threat on other devices, meaning remediation can be performed proactively, and where appropriate, automatically. This also allows the organisation to understand if this is an isolated incident or part of a larger attack,” Porter adds.
Before the pandemic, there was already a cyber security skills crisis, with unfilled positions globally standing at 4.07 million. The ‘new normal’ has exacerbated this problem, as there will be less talent completing courses, wanting to move from existing jobs, or to take what may be seen as a risk to move into a new industry. This, coupled with the fact that the talent already within the business will have more work to do, means that businesses will have to find another way to handle the sheer volume of security-related work. The automation provided by EDR is therefore vital.
What do I get from Kaspersky EDR?
Gartner states that EDR solutions must provide the following four primary capabilities: the ability to detect security incidents, contain the incident at the endpoint, investigate security incidents and provide remediation guidance.
Not all EDR tools work in the same way. Some might perform more analysis on the agent, while others focus on the backend via a management console. The key in either of these models is that the EDR layer provides digital forensics, root cause analysis, threat hunting and incident response, which are not available in traditional endpoint security solutions.
When a threat reaches the host, an endpoint protection engine uses a variety of approaches, such as structural ML models and behaviour analysis, to identify and neutralise the vast majority of what got past the perimeter.
Thereafter, resources can be concentrated on the very small fraction that’s left, which can include complex, evasive and advanced attacks – often the most deadly and destructive of all.
This is where EDR comes in. It provides visibility into what is happening on your endpoints, giving quick access to incident data and scanning for Indicators of Compromise (IoCs). While EPP can react to threats, EDR can investigate further to understand the root cause of a threat. For example, deleting a malicious file may still leave the attacker connected to the host via other means; EDR can find that foothold and then neutralise the threat.
EDR enables organisations to automate processes, such as scanning for IoCs, or, in cases where full automation is inappropriate or impractical, to simplify them, for example by automatically generating a single alert card that contains all of the information required. Responses can also be automated, either after an IoC scan or directly from the alert card, if, for example, the security officer needs to isolate the host during analysis.
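As an added illustration of the workflow just described (this is not Kaspersky's code or anything from the article), the toy Python below scans constructed endpoint telemetry against a constructed IoC list, rolls each host's hits into a single alert card, and applies a simple policy: a host on which a known-bad binary also resolves an IoC domain is isolated automatically, anything else is queued for an analyst. The IoC values, hostnames, paths and the isolation rule are all assumptions made for the example.

```python
"""Toy EDR workflow: IoC scan -> one alert card per host -> response decision.
All telemetry and IoC values are constructed placeholders, not real indicators."""
from collections import defaultdict

# Constructed IoC feed (placeholder hash and domain, assumed for the example).
IOCS = {
    "sha256": {"aaaa1111" * 8},
    "domain": {"c2.example-bad.invalid"},
}

# Constructed telemetry: one record per endpoint event.
TELEMETRY = [
    {"host": "LAPTOP-01", "type": "process", "pid": 412, "image": r"C:\Users\a\Downloads\inv.exe", "sha256": "aaaa1111" * 8},
    {"host": "LAPTOP-01", "type": "dns", "pid": 412, "query": "c2.example-bad.invalid"},
    {"host": "LAPTOP-02", "type": "dns", "pid": 900, "query": "c2.example-bad.invalid"},
    {"host": "LAPTOP-03", "type": "process", "pid": 77, "image": r"C:\Windows\notepad.exe", "sha256": "bbbb2222" * 8},
]

def scan_for_iocs(events, iocs):
    """Return {host: [matching events]} for every hash or domain hit."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("sha256") in iocs["sha256"] or ev.get("query") in iocs["domain"]:
            hits[ev["host"]].append(ev)
    return dict(hits)

def build_alert_card(host, events):
    """One card per host with everything an analyst needs in one place."""
    hash_pids = {e["pid"] for e in events if "sha256" in e}
    dns_pids = {e["pid"] for e in events if "query" in e}
    return {
        "host": host,
        "matched_hashes": sorted({e["sha256"] for e in events if "sha256" in e}),
        "matched_domains": sorted({e["query"] for e in events if "query" in e}),
        "pids": sorted(hash_pids | dns_pids),
        # Assumed rule: a known-bad binary that also beacons out is a confirmed compromise.
        "confirmed": bool(hash_pids & dns_pids),
    }

def decide_response(card):
    """Auto-isolate confirmed compromises; everything else goes to an analyst."""
    return "isolate_host" if card["confirmed"] else "queue_for_analyst"

def run_workflow(events=TELEMETRY, iocs=IOCS):
    """Return {host: (alert_card, response)} for every host with an IoC hit."""
    cards = [build_alert_card(h, evs) for h, evs in scan_for_iocs(events, iocs).items()]
    return {c["host"]: (c, decide_response(c)) for c in cards}
```

A domain-only hit (LAPTOP-02 here) stays with an analyst because a DNS lookup alone may be a false positive, which mirrors the article's point that automation should be skipped where it is inappropriate.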
This will help those short on the right skilled staff, but will also come to the aid of large enterprises who have the staff but want to free them up from tedious manual tasks, so they can devote their time to the really challenging and rewarding aspects of the job.
Effective EDR implementation
Porter explains that with some vendors, the EDR add-on will provide additional protection such as behavioural analysis to identify new threats such as ransomware, but for Kaspersky there is a big difference.
“We don’t believe protection for ransomware should be additional technology as it is simply malware and so your endpoint security solution should be protecting you against such threats. Kaspersky Endpoint Security has included behavioural analysis since 2006, and so has matured and improved to include automated remediation, but is still regarded as a core standard feature,” he says.
This is why Kaspersky has EDR Optimum, a solution that helps businesses build true defence-in-depth against complex threats, without any additional overheads.
Its solution is easy to use and comes equipped with a highly automated detection toolkit and a streamlined workflow, meaning that all incidents are dealt with swiftly and efficiently while saving your cybersecurity staff time and hassle. The ‘new normal’ means we’ll require a ‘new normal’ of cyber security protection too; Kaspersky EDR Optimum fits that requirement.