Find out what your peers are saying about CrowdStrike, Cisco, SentinelOne and others in Endpoint Detection and Response (EDR). Updated: August 2020.
438,246 professionals have used our research since 2012.

  1. The solution can scale easily. At this point what is most valuable is the interface, which is easy to navigate.
  2. The solution makes it possible to see a threat once and block it everywhere across all endpoints and the entire security platform. It has the ability to block right down to the file and application level across all devices based on policies, such as blacklisting and whitelisting of software and applications. This is good. Its strength is the ability to identify threats very quickly, then lock them and the network down and block the threats across the organization and all devices, which is what you want. You don't want to be spending time working out how to block something. You want to block something very quickly, letting that flow through to all the devices and avoiding the same scenario on different operating systems.
  3. Prevents ransomware getting through. The most valuable feature is that it just unintrusively works in the background to carry out the protection.
  4. Being a cloud solution it is very flexible in serving internal and external connections and a broad range of devices. It collects and caches the knowledge of machine learning from different customers to take to the cloud. It makes it better to use for everybody. It allows for quick learning and updates and can, therefore, offer zero-day malware security. This sharing of metadata helps make the solution very safe.
  5. What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process.
  6. One of the most valuable features is the Threat Emulation and Threat Extraction. These features are able to scan email attachments before the user is able to access the file and then provide a safe copy of the attachment. Malicious files never get to the user's machine. This is a very valuable feature of this solution.
  7. The most valuable feature for me is the ability to whitelist, blacklist, and be very granular as to what I blocked, what apps I blocked, and what websites I block. I think that's probably the most valuable feature.
  8. The solution is efficient. For me, the technical support is good.

Advice From The Community

Read answers to top Endpoint Detection and Response (EDR) questions. 438,246 professionals have gotten help from our community of experts.
Menachem D Pritzker
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber. The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
author avatarKen Shaurette
Real User

I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint, with 24x7x365 backing of monitoring.

author avatarMenachem D Pritzker
User

@Ken Shaurette thanks! I missed it live, will catch the recording when I get a chance. What security platforms do you think would have done the best job at preventing the hack?

author avatarPrasanna VA
Real User

It's understood that an internal tool was probably shared by an internal employee, per the RCA. The tool was used to reset the mail address associated with an account, thereby allowing a password reset of choice. For MFA on identity-related features, it's more secure to keep it tied to an associated mobile secure PIN or soft crypto code in future, to avoid compromise; at this moment that is the lesson learned.

author avatarreviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

The use of two factor authentication by Twitter

author avatarParesh Makwana
Reseller

This is one of the identity theft issues, which means someone hacks your password or account and does activity which he or she is not supposed to do. The basic reason for the hack of your identity or password is social engineering. The second reason is that the system has weak privileged access management. If you have less control on admin IDs or privileged IDs then the entire firm has to suffer along with the customers of that firm. For me the takeaway of this event is to protect privileged IDs and use a good PAM/PIM tool with two-factor and UBA included.

author avatarRussell Webster
Real User

Span of control, Solid RBAC, Privileged Access Management (PAM) 

Rony_Sklar
How can businesses ensure that they are protected from EternalBlue attacks?
author avatarRicardoGranados (Ingram Micro Inc.)
Consultant

You can use Palo Alto Networks Cortex XDR to protect against this type of attack at the endpoint level.

author avatarDawid Van Der Merwe
Reseller

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.


Ref:
https://cve.mitre.org/cgi-bin/...
https://www.avast.com/c-eterna...

author avatarNikki Webb
User

EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.

So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.

Microsoft's Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.

Additionally, you should ensure that the following safeguards are in place:

  • Antivirus software - an AI product like SentinelOne is needed; traditional antivirus is just not up to the job anymore
  • Secure offsite backup with "attack-loop" prevention
  • Filter for .exe attachments in emails
  • Encrypt sensitive data

PATCH PATCH PATCH - is the answer every time

author avatarDr Trust Tshepo Mapoka
Reseller

The EternalBlue exploit, officially named MS17-010 by Microsoft, is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest version of the Windows software update and install the patch.

author avatarMarc Vazquez
Real User

The best part of AI products like SentinelOne is they are monitoring for this type of exploit. It's not just antivirus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine; this would alert the SOC. As soon as the hacker executes the crypto code, the connection with the hacker is severed, and the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.

author avatarSteve Pender
Reseller

By far the most important thing to do to prevent attacks utilizing EternalBlue is to make sure that you've updated any older versions of Windows to apply the security patch MS17-010.

If, for some reason, that's not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.

Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.

Please contact me on cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services
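Steve's mitigation list includes disabling SMBv1 and keeping vulnerable machines off the internet. A quick way to verify that across an estate is to ask each host whether it still speaks SMBv1. The script below is an added example written for this page, not code from the original thread or from any product mentioned in it: it sends an SMB1 Negotiate Protocol request that offers only the NT LM 0.12 dialect and classifies the reply. A host with SMBv1 enabled answers with an SMB1 (0xFF 'SMB') header; a Windows host with SMBv1 disabled closes or resets the connection. The two sample replies at the bottom are constructed for offline testing, and the flags values are ordinary negotiate-request defaults rather than anything the thread specifies.

```python
"""Probe hosts for SMBv1, the protocol EternalBlue abuses.

Added example for this thread, not code from the original page or any product
mentioned in it. The sample replies at the bottom are constructed for offline
testing.
"""
import socket
import struct
import sys

SMB_PORT = 445
# The only dialect we offer. Offering an SMB2 dialect as well would let a host
# answer in SMB2 framing and hide whether its SMBv1 stack is still switched on.
DIALECT = b"\x02NT LM 0.12\x00"


def build_smb1_negotiate(mid: int = 1) -> bytes:
    """Build a NetBIOS-framed SMB1 SMB_COM_NEGOTIATE (0x72) request."""
    header = (
        b"\xffSMB"                   # SMB1 protocol id
        + b"\x72"                    # SMB_COM_NEGOTIATE
        + b"\x00\x00\x00\x00"        # NT status (unused in requests)
        + b"\x18"                    # flags: canonical paths, case-insensitive
        + b"\x53\xc8"                # flags2 0xc853: unicode, NT status, long names, ext. security
        + b"\x00\x00"                # PID high
        + b"\x00" * 8                # security signature
        + b"\x00\x00"                # reserved
        + b"\x00\x00"                # TID
        + struct.pack("<H", 0x1234)  # PID low (arbitrary)
        + b"\x00\x00"                # UID
        + struct.pack("<H", mid)     # MID
    )
    assert len(header) == 32
    # WordCount = 0, then ByteCount and the dialect list
    body = b"\x00" + struct.pack("<H", len(DIALECT)) + DIALECT
    payload = header + body
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def classify_response(data: bytes) -> str:
    """Classify the raw reply to our negotiate: 'smb1', 'smb2' or 'none'."""
    if len(data) < 4 + 5:             # NetBIOS header + protocol id + command
        return "none"
    body = data[4:]                    # strip the NetBIOS session header
    if body[:4] == b"\xffSMB" and body[4] == 0x72:
        # The SMBv1 stack answered. DialectIndex 0xFFFF would mean "no common
        # dialect", but SMBv1 is evidently still enabled either way.
        return "smb1"
    if body[:4] == b"\xfeSMB":
        return "smb2"                  # SMB2 framing: the SMB1 negotiate was not honoured
    return "none"


def probe(host: str, port: int = SMB_PORT, timeout: float = 3.0) -> str:
    """Connect, send the SMB1 negotiate and classify what comes back.

    'none' covers reset, close and timeout, which is what a Windows host with
    SMBv1 disabled (or a filtered port) produces.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError:
        return "none"
    return classify_response(data)


# --- constructed sample replies for offline testing --------------------------
def _netbios(payload: bytes) -> bytes:
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def _smb1_negotiate_reply(dialect_index: int) -> bytes:
    header = (b"\xffSMB\x72" + b"\x00\x00\x00\x00" + b"\x98" + b"\x53\xc8"
              + b"\x00" * 12 + b"\x00\x00" + b"\x34\x12" + b"\x00\x00" + b"\x01\x00")
    # WordCount 17, DialectIndex, remaining 16 words zeroed, ByteCount 0
    return header + b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 32 + b"\x00\x00"


SAMPLE_SMB1_REPLY = _netbios(_smb1_negotiate_reply(0))                 # SMBv1 on
SAMPLE_SMB2_REPLY = _netbios(b"\xfeSMB" + b"\x40\x00" + b"\x00" * 58)  # SMB2 framing

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(f"{target}: {probe(target)}")
```

Run it as `python smb1_probe.py host1 host2` from a box that is allowed to reach TCP 445. A result of `none` means the host dropped the SMB1 negotiate (SMBv1 off, port filtered, or host down), so confirm against firewall logs before treating it as clean. A result of `smb1` on a patched host is still worth fixing: the patch removes the EternalBlue bug, disabling SMBv1 removes the attack surface.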

author avatarParesh Makwana
Reseller

The "EternalBlue" exploit targeted open server message block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.

Attacks leveraging the EternalBlue exploit generally follow this pattern:

  1. A vulnerable system with an open, unpatched port is identified.
  2. EternalBlue (or another exploit) is used to achieve remote code execution.
  3. The DoublePulsar backdoor is uploaded. This allows remote control of the infected system and the upload of an additional payload.
  4. An arbitrary payload is injected into the target system's memory using the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could potentially be any payload, including malware that does a much more effective job at hiding on a system.
  5. In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could spread without any kind of user intervention.

Though Microsoft published a patch for a number of the exploits contained in the Shadow Brokers' dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.

Basic tools to protect from EternalBlue:

1) Second-generation AV
2) Cloud backup
3) Cloud second-generation VPN and firewall



Rony_Sklar
How can businesses protect themselves against Mimikatz malware?
author avatarTechnicalconsult568
Reseller

Mimikatz is a post-exploitation tool that dumps passwords from memory (credential theft). The exploit phase is generally the 2nd stage in the attack life cycle; as is mostly said, the attacker exploits a vulnerability, and the collected credentials can then be used to access unauthorized information or perform lateral movement attacks.

EDR most probably helps you in detection and protection, as it works by monitoring and collecting events, memory dumps, etc.

EDR works by providing IOCs, which are already provided by the EDR vendor, and you can also create custom IOCs and also TTPs and front-line threat intelligence. All of those give you capabilities for early detection of the exploit phase and knowing who is targeting your organization.
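The EDR telemetry described above (event monitoring, memory access records, custom IOCs and TTPs) is what lets you catch Mimikatz in the act rather than by file hash: its sekurlsa module has to open a handle to lsass.exe with read access to its memory. The detection below is an added example for this page, not code from the original thread or from any EDR product named in it. It runs over Sysmon Event ID 10 (ProcessAccess) records, flags any process that reads LSASS memory and is not on an allowlist of images that legitimately do so, and raises the severity when the call trace contains UNKNOWN frames (code running from memory not backed by a module on disk, which is what injected or reflectively loaded tooling looks like). The four sample events and the allowlist are constructed assumptions to be tuned per environment.

```python
"""Detect Mimikatz-style LSASS memory reads in Sysmon Event ID 10 records.

Added example for this thread, not code from the original page or from any
EDR product named in it. Sample events and the allowlist are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows process access rights (winnt.h) that matter for credential dumping
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that legitimately read LSASS memory on a typical host. This is an
# assumption for the example; build the real list from your own baseline.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Finding:
    severity: str          # "high" or "medium"
    reason: str
    source_image: str
    granted_access: int


def parse_sysmon_event(text: str) -> Dict[str, str]:
    """Parse the 'Key: Value' body of a Sysmon event into a dict."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")   # first colon only; UtcTime keeps its colons
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this ProcessAccess event looks like credential dumping."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    reads_memory = bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS
    if not reads_memory:
        return None                    # query-only handles cannot dump credentials
    source = event.get("SourceImage", "").lower()
    unbacked = "UNKNOWN" in event.get("CallTrace", "")
    if source not in BENIGN_SOURCES:
        reason = "unallowlisted process read LSASS memory"
        if unbacked:
            reason += " from unbacked code"
        return Finding("high", reason, source, access)
    if unbacked:
        # A trusted image reading LSASS from memory that no module on disk
        # backs is what injected tooling looks like.
        return Finding("medium", "allowlisted process read LSASS via unbacked code",
                       source, access)
    return None


def scan(raw_events: List[str]) -> List[Finding]:
    """Run assess() over raw Sysmon event bodies and keep the hits."""
    return [f for f in (assess(parse_sysmon_event(e)) for e in raw_events) if f]


# --- constructed sample Sysmon Event ID 10 bodies -----------------------------
SAMPLE_EVENTS = [
    """Process accessed:
UtcTime: 2020-08-10 12:00:01.123
SourceProcessId: 4712
SourceImage: C:\\Users\\alice\\Downloads\\mimikatz.exe
TargetProcessId: 688
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|UNKNOWN(00000000001C1234)""",
    """Process accessed:
UtcTime: 2020-08-10 12:00:02.456
SourceProcessId: 3120
SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe
TargetProcessId: 688
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|C:\\Windows\\System32\\KERNELBASE.dll+2c54e""",
    """Process accessed:
UtcTime: 2020-08-10 12:00:03.789
SourceProcessId: 1180
SourceImage: C:\\Windows\\system32\\svchost.exe
TargetProcessId: 688
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|UNKNOWN(00007FF8AA001000)""",
    """Process accessed:
UtcTime: 2020-08-10 12:00:04.000
SourceProcessId: 5200
SourceImage: C:\\Windows\\system32\\notepad.exe
TargetProcessId: 2204
TargetImage: C:\\Windows\\explorer.exe
GrantedAccess: 0x1410
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c534""",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.source_image} "
              f"access=0x{finding.granted_access:x}: {finding.reason}")
```

GrantedAccess 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION) and 0x1410 are the masks Mimikatz's sekurlsa module typically requests; the rule keys on VM_READ rather than on exact masks so a renamed or recompiled copy is still caught, which is the difference between a hash IOC and a TTP. Expect to tune the allowlist: backup agents and some AV engines read LSASS legitimately, and a noisy rule is one the SOC stops reading.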

author avatarBryan Hurd
User

Besides having Microsoft Defender which detects this threat, also the newest versions of the Microsoft Operating Systems for endpoints and servers have new functionality to reduce the threat from Mimikatz. Making sure individual users do not have admin rights, implementing least privilege and multi-factor authentication also will help. Drop me a note here or on LinkedIn if additional discussion desired. 

author avatarBozhin Bozhinov
Real User

Um, this is Mimi's cat stealing the gold ticket.

author avatarParesh Makwana
Reseller

Protection against ransomware requires a multi-layered approach, with both preventative measures and recoverability capabilities. Due to the variety of attack methods, there is no single silver bullet that will provide comprehensive protection. As no protection is 100% effective, organizations must ensure they have recoverability capabilities in place for when they are compromised. Mimikatz malware is mainly used for password stealing from your device. First we talk about protection, which can happen with a couple of tools and awareness.

Preventative Measures

1) Endpoint Protection - an AV product which does not require signature updates or endpoint device scanning, but uses Machine Learning (ML) techniques to identify malware.

2) Perimeter Protection - sits inline between your company and the Internet, protecting your enterprise from cyberthreats, stopping intellectual property leaks, and ensuring compliance with corporate content and access policies. Product security capabilities provide defence-in-depth, protecting you from a broad range of threats including malicious URL requests, viruses, Advanced Persistent Threats (APTs), zero-day malware, adware, spyware, botnets, cross-site scripting, and much more.

3) Implementation of Privileged Identity Management with a 256-bit encrypted password vault. Look out for an unnecessary amount of requested permissions.

4) Recoverability - Offline Backups - this protection essentially involves maintaining an inaccessible, offline backup of data. I believe this offline copy is best offered in the Cloud, so therefore recommend a Managed Backup service for backups.

5) Download apps only from official app marketplaces.



Rony_Sklar
Can EDR replace antivirus, or are both needed?
author avatarShreekumarNair
Real User

You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with the traditional antivirus.

EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. It comes loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, all EDR solutions do not perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solutions that you choose.

Traditional antivirus programs are more simplistic and limited in scope compared to the modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware.

Antiviruses are more of a decentralized security system that falls short of providing adequate security to the ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.

author avatarMatthias De Toffol
User

Hello, EDR can replace a normal antivirus and can offer even more, as they can effectively respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware.

author avatarITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)
Real User

So this is what the wiki says about EDR:
EDR systems detect all endpoint threats and provide real-time response to the identified threats. ... EDR systems also collect high-quality forensic data which is needed for incident response and investigations. Overall, EDR security systems are much better equipped at handling cyber threats than traditional antivirus.

But IMHO, it depends. It depends on the products you are looking at, it depends on the cost, it depends on what you are trying to cover or prevent from happening and it depends on the tools' capabilities. Some tools are better than others. Some a/v is better than EDR, some EDR is better than a/v. It's a very active space with a HUGE amount of contenders all vying for your security dollars. You just have to ask them the right questions and bounce their answers against their competitors, your bosses, and your friends' opinions to get out of it what you need, for the least cost and most coverage. Do some POCs and RFIs to see what fits you, your environment and your needs first before you decide. Then spend the next 3 years extracting every bit of juice out of the tool you can to make it purr like a kitten.

If you don't need it and you can get by on Defender as an 80% solution then go with Defender. If you need Carbon Black and McAfee, do that. It comes down to your needs and what's good enough for you.

author avatarRicardoGranados (Ingram Micro Inc.)
Consultant

EDR is an add-on for Endpoint Protection. EDR is for detecting post-intrusion threats or persistent advanced threats. EDR enables identification and prevention of reconnaissance attack, lateral movement, command and control channel and data filtering. EDR can also analyze user behavior against a baseline.

author avatarreviewer1272021 (IT Security Architect at a tech vendor with 51-200 employees)
User

Yes, EDR will replace traditional A/V with most solutions. Make sure to validate with your vendor but the reputable ones certainly cover A/V. You do not need to have both as this is unnecessary overhead. Any (reputable) EDR will have known bad MD5 already included.

author avatarNikki Webb
User

EDR can replace antivirus, if you get the right EDR solution. A solution that comprises EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have anymore questions

author avatarMatthias De Toffol
User

There is never 100% security, and I'm warning against using too much endpoint protection on the client, as each one has a small negative impact on performance.
And when using two, they will slow each other down.
To replace an antivirus, just use a good EDR, which replaces the AV and does even more.

author avatarCesar Eterovich Rodrigues
Real User

Yes, it is a good level of protection to have EDR alone, but for better protection I recommend having the two solutions together but with different manufacturers between EDR and AV

Frank Yang
I work at a tech services company with 5,000 - 10,000+ employees.  We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR?  Thanks! I appreciate the help. 
author avatarOm Salamkayala
Real User

I think most of the comments cover all the key points.

EDR - Endpoint Detection and Response.
Its main functions are: to monitor and record activity on endpoints, detect suspicious behaviour and security risks, and respond to internal and external threats.
This further includes providing authentication of log-ins, monitoring network activities, and deploying updates.

Its capabilities: 1. Continuous endpoint data collection.
2. Detection engine
3. Data recording.

It is considered the next layer of security.

Its limitations:
No in-depth visibility
IR team needs to deal with false alarms and has to handle the restoring process.
Struggles to find the attackers who infiltrated and the damage caused.
Not a holistic approach

EPP-End point protection platform.

Its functionality covers:
Antivirus
Anti-malware
Data encryption
Personal firewalls
IPS
DLP
It works mainly on signature based approach and more broader detection techniques.
It is considered as first line defence.

Keeping in view of the above points currently Holistic Endpoints Security solutions approach is emerging ie EDR providers are incorporating aspects of EPP and vice versa resulting in considering EDR as a subset of EPP.

Examples of such products or tools
Symantec and Cynet.

I hope the above points cover the difference between EDR & EPP.

author avatarOwais Yousuf
Reseller

Endpoint Detection and Response (EDR) is a category of security tools that are designed to monitor and record activity on endpoints, detect suspicious behavior, security risks, and respond to internal and external threats.

EDR tools consist of three main mechanisms to fulfill this function:
• Continuous endpoint data collection—aggregates data on events such as process execution, communication, and user logins. This involves continually monitoring all events at the endpoints.
• Detection engine—performs data analysis to discover anomalies and detect malicious activity on endpoints. This step is crucial for sifting through events to identify genuine security incidents.
• Data recording—provides security teams with real-time data about security incidents on endpoints, which they can then use for investigative purposes. This can help inform endpoint protection strategies.

Incident Report teams still need to deal with multiple platforms and false alarms and to handle the restoration process themselves. IR teams often struggle to find the attackers that infiltrated the protection layers before they cause damage. To deal with all potential risks, a more holistic approach is needed, a platform which can be a solution to all types of threats. EPP (Endpoint Protection Platform) is the platform to achieve this goal.

Endpoint protection platform provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies, such as antivirus, data encryption, intrusion prevention, and data loss prevention, that detects and stops a variety of threats at the endpoint.
An endpoint protection platform provides a framework for data sharing between endpoint protection technologies.

It might seem like the distinction between EPP and EDR is straightforward, but it is not that simple. Traditionally, EPP is defined as a first-line defense mechanism, effective at blocking known threats. While EDR is defined as the next layer of security, providing additional tools to detect threats, analyze intrusions, and respond to attacks.

author avatarChi Wing Wong
Real User

Endpoint protection (EPP) usually means anti-malware, anti-spam, anti-phishing, etc. These features prevent attacks without a detailed explanation of why EPP stops an action and what the attack is.

Endpoint detection and response (EDR) usually means how to record the attack in detail and provide certain remediation methods to recover the affected machines or files.

In other words. EPP shows “what and when”. EDR shows “why and how”.

author avatarManoj Nair
Real User

An EPP is a security platform WITHOUT the extended capabilities of fighting malware like a zero-day attack.

An EDR, on the other hand, is specifically built to handle this situation.

Almost all endpoint security manufacturers have this product capability today in their line and always the EDR component is an add on and is as or more expensive than the use system.

author avatarJehyun Shim
User

EPP is focused on detecting malware, but EDR is focused on logging endpoint events, and these events are used for threat hunting or incident response. So you need advanced security analysts to get the desired effect.

EPP and EDR are not a completely separate solution. EDR is a core component of an EPP product. And many EPP vendors add EDR features to their EPP solution.

author avatarNeil Rerup
User

The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.

author avatarNathanael Hale
User

I believe the biggest difference between EPP and EDR solutions is directly in the names, and both are crucial to security. EPP sits on the device and works to repel attacks from various sectors based on known threats (malware, phishing, etc. – all external); EDR monitors the endpoint to detect when something is wrong, either because EPP failed to thwart the attack or didn't know the threat, or because the enterprise user/device user does something malicious (insider threat), and EDR is able to respond autonomously to lock down the malware/behavior.

Does that make sense?
