Endpoint Detection and Response (EDR) agents are the essential foundation for detecting and responding to attacks on your organisation. They ensure that all endpoint activity is captured and logged, and should contain a rich suite of features to enable Continuous Response. EDR is a rapidly growing area of cyber security and IT disaster recovery, augmenting standard endpoint products and providing better protection against sophisticated attacks together with the necessary information to help recover from attacks.
EDR also allows for attacks to be detected 24/7 and offers automated response actions for disaster recovery, even during non-business hours. The process of EDR deployment – when done prior to an incident – is often an illuminating and clarifying exercise to identify the exact number and location of endpoints in your organization, enabling teams to look at possible attack paths an attacker might exploit to access your critical assets, and eliminate those paths as part of the deployment. Other telemetry should include logs and network data.
For example, despite the alarming nature of the threat, ransomware attacks most commonly gain entry onto a user’s device via emails or vulnerability exploits, and are relatively predictable, so they can usually be identified and defended against. Doing so requires identifying weaknesses in the device and any installed software, then putting the appropriate safeguards in place to block potential intrusion attempts, as well as raising the alarm if a penetration does occur so that disaster recovery begins immediately.
Organisations should ideally also engage with a security partner to be prepared for any actual incidents. This means that you can build the crucial foundations for collaboration, ensuring ahead of an incident that you and your security partner have agreed processes, playbooks, roles, tools, and responsibilities in place. The same applies to disaster recovery after an incident. It can also mean that your business can test how you apply the Continuous Response methodology and get feedback on its efficacy. And if you don’t have the resources to defend against sophisticated cyber-attacks, in other words the time, people, budget or expertise, there are organisations that can provide them for you, such as the cyber security company F-Secure with its managed detection and response service, Countercept.
How does F-Secure Countercept do it?
After decades of collaborating with internal and external teams to detect and battle live attackers, and still more years of developing the F-Secure Countercept technology stack and service, we have devised a methodology which merges people, process, and technology that we call Continuous Response. It is this methodology that enables us to battle live, targeted attacks, and can be used by any company, regardless of security maturity.
At the core of the Continuous Response methodology are the three Cs – Collaboration, Context, and Control.
COLLABORATION
The minute an attack is detected, multiple teams mobilise in both your organisation and ours.
Collaboration supports seamless teamwork, communication and processes to enable fast decision making, communication and co-operation between experts and decisions-makers, both internal and external.
CONTEXT
When an attack hits, you need access to the most pertinent data and telemetry from across your estate.
People with the threat hunting skillset – supported by our proprietary technology stack – are paramount, as they fuel our ability to rapidly collect as much critical information about the incident as possible.
CONTROL
Investigation, containment and remediation actions are guided by Control
Control leverages the data assembled during the Context phase while harnessing the tools of our platform to capture forensic data, actively sweep multiple endpoints for the existence of particular indicators of compromise, and find key artifacts in the compromised machine’s file system, to ultimately contain the incident.
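The sweep described above, in which many endpoints are checked for particular indicators of compromise and the matching artifacts are recorded for containment, can be illustrated with a small script. The following is an added example, not F-Secure's or Countercept's code: it walks a file tree, hashes every file and reports any file whose SHA-256 or filename matches an indicator list. The indicator values, the file contents and the directory layout are all constructed here for the demonstration and stand in for nothing real; a production sweep would pull its indicators from the incident's Context phase and run the same logic on each endpoint.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed indicator set for this example only; these are stand-in values,
# not indicators taken from any real incident.
KNOWN_BAD_CONTENT = b"constructed stand-in for a known-bad file body\n"
IOC_SHA256 = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()}
IOC_FILENAMES = {"suspicious_dropper.exe"}


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, ioc_hashes=IOC_SHA256, ioc_names=IOC_FILENAMES) -> list:
    """Walk a file tree and report every file matching a hash or filename indicator.

    Each finding records the path, which indicator type matched and the file's
    hash: the minimum a responder needs to scope the incident and decide what
    to capture or contain.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                file_hash = sha256_of(path)
            except OSError:
                # Unreadable files (locked, permission denied) are recorded rather
                # than fatal: a sweep that aborts on the first error leaves the
                # rest of the estate unchecked.
                findings.append({"path": str(path), "reason": "unreadable", "sha256": None})
                continue
            if file_hash in ioc_hashes:
                findings.append({"path": str(path), "reason": "hash", "sha256": file_hash})
            elif name.lower() in ioc_names:
                findings.append({"path": str(path), "reason": "filename", "sha256": file_hash})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_estate() -> Path:
    """Create a constructed directory tree standing in for one endpoint's file system."""
    root = Path(tempfile.mkdtemp(prefix="sweep_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly figures, nothing to see\n")
    (root / "cache").mkdir()
    # Content matches the hash indicator even though the name is innocuous.
    (root / "cache" / "tmp4821.bin").write_bytes(KNOWN_BAD_CONTENT)
    (root / "downloads").mkdir()
    # Name matches the filename indicator; content is a constructed stub.
    (root / "downloads" / "suspicious_dropper.exe").write_bytes(b"MZ\x90\x00")
    return root


if __name__ == "__main__":
    estate = build_sample_estate()
    for finding in sweep(estate):
        print(f"{finding['reason']:9} {finding['path']}  {finding['sha256']}")
```

Hash matches are reported before filename matches on purpose: a renamed copy of a known-bad file is the more reliable indicator, while a filename match alone is a lead that still needs the file's hash and provenance checked before containment action is taken.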