Endpoint Detection and Response
(OBJ .)
Endpoint Detection and Response (EDR)
- Category of security tools that monitor endpoint and network events and record the information in a central database
- Continuous monitoring of, and response to, advanced threats
- Monitors endpoint and network events, providing data for the following
- Analysis
- Detection
- Investigation
- Reporting
- Alerting
- Focuses on incident data for enhancing security monitoring, incident response, and forensic investigations
How EDR Works
- Data Collection
- Collects data from endpoints (the devices at the edge of a network, such as workstations and servers)
- System processes
- Registry changes
- Memory usage
- Network traffic patterns
- Data Consolidation
- Sends collected data to a centralized security solution or database
- Threat Detection
- Analyzes data using techniques like signature-based and behavioral-based detection to identify threats
- Alerts and Threat Response
- Takes actions such as creating alerts or performing threat response actions when threats are detected
- Threat Investigation
- Provides tools for security teams to investigate threats, including detailed timelines and forensic data
- Remediation
- Removing malicious files
- Reversing changes
- Restoring systems to their normal state
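The collection, consolidation, detection and response stages above, as an added example that is not part of the original notes: constructed process-creation telemetry is run through a signature-based detector (hash match) and a behavioural detector (anomalous parent/child process pair), and each alert is mapped to a response action. All hostnames, process names, hashes and action names are made up for this example.

```python
from dataclasses import dataclass

# Constructed process-creation telemetry, as an EDR agent might forward it to the
# central database. Hosts, process names and hashes are all made up for this example.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-01", "parent": "explorer.exe", "process": "winword.exe",    "sha256": "a" * 64},
    {"ts": 101, "host": "ws-01", "parent": "winword.exe",  "process": "powershell.exe", "sha256": "b" * 64},
    {"ts": 102, "host": "ws-02", "parent": "services.exe", "process": "svchost.exe",    "sha256": "c" * 64},
    {"ts": 103, "host": "ws-03", "parent": "explorer.exe", "process": "update.exe",     "sha256": "d" * 64},
]

# Signature-based detection: hashes of known-malicious binaries.
# Placeholder value, not a real indicator.
KNOWN_BAD_HASHES = {"d" * 64}

# Behavioural detection: parent/child pairs that are rarely legitimate, such as an
# office application launching a command interpreter.
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("excel.exe", "powershell.exe"),
}


@dataclass(frozen=True)
class Alert:
    host: str
    method: str      # "signature" or "behavioral"
    detail: str
    severity: str    # "high" or "medium"


def signature_detect(event):
    """Match the process image hash against the known-bad set."""
    if event["sha256"] in KNOWN_BAD_HASHES:
        return Alert(event["host"], "signature", f"known-bad hash for {event['process']}", "high")
    return None


def behavioral_detect(event):
    """Flag an anomalous parent/child relationship regardless of the binary's hash."""
    pair = (event["parent"].lower(), event["process"].lower())
    if pair in SUSPICIOUS_PARENT_CHILD:
        return Alert(event["host"], "behavioral", f"{pair[0]} spawned {pair[1]}", "medium")
    return None


DETECTORS = (signature_detect, behavioral_detect)


def analyze(events):
    """Threat-detection stage: run every detector over the consolidated event stream."""
    alerts = []
    for event in events:
        for detector in DETECTORS:
            alert = detector(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


def plan_response(alerts):
    """Alert-and-response stage: choose a response action per alert by severity.
    The action names are this example's own, not any product's API."""
    actions = {"high": "isolate_host", "medium": "notify_analyst"}
    return [(a.host, actions[a.severity]) for a in alerts]


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(plan_response(found))
```

The point of running both detectors is visible in the output: the signature rule catches only the binary whose hash is already known, while the behavioural rule catches the unknown binary on ws-01 purely from how it was launched.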
File Integrity Monitoring (FIM)
- Validates the integrity of operating system and application software files by comparing their current state with a known, good baseline
- Identifies changes to
- Binary files
- System and Application Files
- Configuration and Parameter Files
- Monitors critical system files for changes using agents and hash digests, triggering alerts when unauthorized changes occur
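A worked version of the FIM process described above, added here as an example and not taken from the original notes: a baseline of SHA-256 digests is built for a directory tree, the tree is compared against the baseline to find modified, added and removed files, and changes that were approved (for example under a change ticket) are filtered out so only unauthorized changes raise alerts. The file names and contents in `demo()` are constructed in a temporary directory for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hash digest of one file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Known-good baseline: relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify every difference between the baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def unauthorized_changes(diff: dict, approved: set) -> dict:
    """Drop changes that were approved (e.g. by a patch window); what remains should alert."""
    return {kind: [p for p in paths if p not in approved] for kind, paths in diff.items()}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed placeholder")
        baseline = build_baseline(root)

        # Simulated drift after the baseline was taken: one edit, one new file, one deletion.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "unexpected").write_bytes(b"not in baseline")
        (root / "bin" / "service").unlink()

        diff = compare_to_baseline(baseline, build_baseline(root))
        # Only the deletion was covered by an approved change request in this scenario.
        return unauthorized_changes(diff, approved={"bin/service"})


if __name__ == "__main__":
    print(demo())
```

A production agent would store the baseline somewhere the monitored host cannot rewrite it and re-run the comparison on a schedule or on file-change notifications; the comparison logic itself is what is shown here.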
Extended Detection and Response (XDR)
- Security strategy that integrates multiple protection technologies into a single platform
- Improves detection accuracy and simplifies incident response
- Correlates data across multiple security layers to detect threats faster, including
- endpoint
- server
- cloud workloads
- network
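To show what "correlates data across multiple security layers" means in practice, here is an added example (not from the original notes) that groups constructed email, endpoint and network events per host into a time window and raises an incident only when several layers agree. The hostnames, timestamps, window size and the IP address (from the 203.0.113.0/24 documentation range) are all made up.

```python
from collections import defaultdict

# Constructed telemetry from three layers an XDR platform would ingest. "ts" is seconds.
EVENTS = [
    {"layer": "email",    "ts": 10,  "host": "ws-01", "detail": "attachment delivered: invoice.docm"},
    {"layer": "endpoint", "ts": 40,  "host": "ws-01", "detail": "winword.exe spawned powershell.exe"},
    {"layer": "network",  "ts": 55,  "host": "ws-01", "detail": "outbound TLS to 203.0.113.10:443"},
    {"layer": "endpoint", "ts": 70,  "host": "ws-02", "detail": "winword.exe spawned powershell.exe"},
    {"layer": "network",  "ts": 900, "host": "ws-02", "detail": "outbound TLS to 203.0.113.10:443"},
]


def correlate(events, window=300, min_layers=2):
    """Per host, cluster events that fall within `window` seconds of a starting event and
    report an incident when the cluster spans at least `min_layers` distinct layers."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)

    incidents = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            cluster = [e for e in evs[i:] if e["ts"] - start <= window]
            layers = {e["layer"] for e in cluster}
            if len(layers) >= min_layers:
                incidents.append({
                    "host": host,
                    "layers": sorted(layers),
                    "start": start,
                    "end": cluster[-1]["ts"],
                    "events": len(cluster),
                })
                i += len(cluster)      # consume the whole cluster
            else:
                i += 1                 # slide to the next possible start
    return incidents


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

Looked at from the endpoint layer alone, ws-01 and ws-02 produce the same single alert (an office application spawning a shell). Correlation separates them: on ws-01 the email and network layers confirm the sequence within the window, while on ws-02 the network event arrives far outside it, so only ws-01 becomes an incident. That is the accuracy gain the XDR notes refer to.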
Difference between EDR and XDR
- EDR focuses on the endpoints to detect and respond to potential threats
- XDR is a more comprehensive solution because it covers not only endpoints but also networks, cloud, and email to detect and respond to potential threats
- XDR integrates multiple protection technologies into a single platform