Endpoint Detection and Response (EDR) Forum

Prem
Analyst at a security firm with 501-1,000 employees
Nov 26 2020

I'm an Analyst, Managed Security Services, in a legal firm. Where can I find information about the pricing of multiple EDR solutions and the support levels provided?

Rony_Sklar
IT Central Station
Nov 02 2020

With remote work having become the norm for many, what security should businesses have in place? Do you have suggestions of specific products that businesses should look at?

Philippe Panardie
There is not a single answer. In our company, we use only company devices for workers at home and appropriate VPN clients to control the internet flows towards our company firewall. A behavioral endpoint product is recommended. This product is likely to cooperate with your corporate signature-based antivirus. Any good product could be used in that way. We chose well-known Israeli products, combined with our standard US products, at that time.

Letsogile Baloi
Security is a multi-layered problem and, as always, the human end is the weak layer. Increasingly I believe the human layer (layer 8) needs more attention. This requires getting the basics right. How are we allowing external devices into our networks? Do we own these devices? VPN tunnels? Or are we creating a virtual working place and focusing on IAM? This is BYOD on steroids and multiplies the attack zone. A line has to be drawn and a Trust Zone created. Traditional devices have native encryption, so we allow them as trusted devices and use their native encryption. Then other policies are made. Does the employee have access to good internet (in Africa this is an issue) or do they have to go to a coffee shop or some such place? A good behavioral endpoint product will help. In some cases a company intranet. Microsoft Teams is proving very accessible in Africa.

Omer Mohammed
Wearing a mask while accessing your service is not a joke: hardening tunneling protocols and using the most up-to-date one is kind of like wearing a mask.
PaulBecker
Senior Manager- Security Monitoring and Incident Response at Clarios

I'm a Senior Manager, Security Monitoring and Incident Response, at a large manufacturing company.

I am looking for thoughts from those who may have done a comparative analysis on these two products within the last 6 months or so. Realizing these technologies have advanced rapidly over the past year or two, I would like to hear some current observations.

While I am interested in the value/functionality of the platforms, I am currently focused on assessments around EDR performance and ultimate functionality.

Thanks in advance for your thoughts.

Steve Pender
If you're looking for a NextGen, Machine Learning & AI-driven Active EDR with automated remediation, that has not been breached and is backed by a one million USD ransomware warranty, contact me at cybersec@global.co.za and I'll provide you with detailed comparisons between SentinelOne, Cylance and Carbon Black, showing how SentinelOne is superior to both Cylance and Carbon Black. It will also be my pleasure to demonstrate the SentinelOne solution to you. The future of your company's cybersecurity is in your hands.

ITSecuri7cfd
We didn't consider either of these. After a demo and comparison from reviews of multiple EDR solutions, we came up with SentinelOne on top and are now POCing it as an endpoint solution.

Paresh Makwana
Capability                               Cylance                              Carbon Black
Leverages local ML model                 Yes                                  No
Leverages cloud ML model                 Not required, but adds to efficacy   No
Predictive advantage                     Yes                                  No
Prevents attacks from zero-day threats   Yes                                  Partial
Daily or frequent updates                No                                   Yes
Allows malware to execute                No                                   Yes
Cloud vs. on-premise management          Cloud & on-premise                   On-premise
Single agent                             Yes                                  No
Scale of agents                          Infinite                             Limited
Single console                           Yes                                  No
Requires continual scans                 No                                   Yes
Capable of convicting offline            Yes                                  No
Avg. memory/CPU                          <70MB / 1%                           High
Agent update cycle                       Quarterly                            Daily
ML update cycle                          3x yearly                            N/A
Menachem D Pritzker
Director of Growth
IT Central Station

On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass.

Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West and Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber.

The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned.

How could Twitter have been better prepared for this? How do you rate their response?

Ken Shaurette
For some good information from a leading expert, check out the webinar today 7/17 on BrightTalk by Alex Holden: "We have a lot of questions about the Twitter breach but not so many answers. I can tell you that similar cryptocurrency fraud campaigns are on-going on different social media platforms and on a different scale. Tomorrow (Friday) at 11 am CT on BrightTalk https://lnkd.in/eRuXaca we will discuss what we know about the breach and disturbing patterns that are emerging everywhere."

Ken Shaurette
I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint, with 24x7x365 backing of monitoring.

Russell Webster
Span of control, solid RBAC, Privileged Access Management (PAM).
Rony_Sklar
IT Central Station

How can businesses ensure that they are protected from EternalBlue attacks?

Marc Vazquez
The best part of AI products like SentinelOne is that they are monitoring for this type of exploit. It's not just anti-virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine; this would alert the SOC. As soon as the hacker executes the crypto code, the connection with the hacker is severed, and the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.

Dr Trust Tshepo Mapoka
EternalBlue exploits a vulnerability, officially named MS17-010 by Microsoft, that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is system PATCHING, i.e. download the latest Windows software update and install the patch.

Nikki Webb
EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block. So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch. Microsoft's Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version. Additionally, you should ensure that the following safeguards are in place:
- Anti-virus software: an AI product like SentinelOne is needed; traditional anti-virus is just not up to the job anymore
- Secure offsite backup with "attack-loop" prevention
- Filter for .exe attachments in emails
- Encrypt sensitive data
- PATCH PATCH PATCH is the answer every time
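The replies above say "patch", but a practitioner also needs a way to check whether a given host is actually exposed. The following is an added example, not code from the original thread or from any vendor mentioned in it: it audits one Windows host for MS17-010 exposure and can turn the SMBv1 server off. Assumptions: the KB identifiers are the MS17-010 security updates from Microsoft's March 2017 bulletin; hosts that have since taken cumulative updates have those KBs superseded, so Get-HotFix will not list them and a missing KB is a prompt to verify rather than proof of exposure. Because EternalBlue targets the SMBv1 server, SMBv1 being disabled is the stronger signal. The -DisableSmb1 switch assumes the SMB cmdlets exist (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original thread): audit one Windows host for
# EternalBlue (MS17-010) exposure and optionally turn the SMBv1 server off.
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # Disable the SMBv1 server when it is still on (needs admin; takes effect after reboot).
        [switch]$DisableSmb1
    )

    # MS17-010 updates per the March 2017 bulletin (assumption: list is complete for
    # the OS versions the bulletin covered). Superseded on hosts with later cumulative updates.
    $ms17010Kbs = 'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
                  'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429'

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $kbFound   = @($ms17010Kbs | Where-Object { $installed -contains $_ })

    try {
        # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Windows 7 / Server 2008 R2 have no SMB cmdlets; SMBv1 is on unless the
        # LanmanServer\Parameters\SMB1 registry value is explicitly 0.
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = -not ($v -and $v.SMB1 -eq 0)
    }

    if ($DisableSmb1 -and $smb1) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    $verdict = if (-not $smb1) {
        'SMBv1 server disabled: EternalBlue cannot reach the vulnerable code path'
    } elseif ($kbFound.Count -gt 0) {
        'MS17-010 KB present but SMBv1 still enabled: disable SMBv1 as well'
    } else {
        'SMBv1 enabled and no MS17-010 KB visible: patch now, then confirm with a network scan'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled = [bool]$smb1
        Ms17010KbFound    = ($kbFound -join ', ')
        Verdict           = $verdict
    }
}

Test-Ms17010Exposure | Format-List
```

Run it with -DisableSmb1 from an elevated prompt to switch the SMBv1 server off on the spot. Because the KB check has false negatives on hosts with later cumulative updates, confirm from the network side as well: Nmap's smb-vuln-ms17-010 script (nmap -p445 --script smb-vuln-ms17-010 <host>) tests the actual SMB code path rather than the patch inventory.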
Rony_Sklar
IT Central Station

How can businesses protect themselves against Mimikatz malware?

Technicalconsult568
Mimikatz is a post-exploitation tool that dumps passwords from memory (credential theft); the exploit phase is generally the 2nd stage in the attack life cycle, as it is mostly said that the attacker exploits a vulnerability. The collected credentials can then be used to access unauthorized information or perform lateral movement attacks. EDR most probably helps you in detection and protection, as it works by monitoring and collecting events, memory dumps, etc. EDR works by providing IOCs which are already provided by the EDR vendor; you can also create custom IOCs and TTPs, and front-line threat intelligence. All those give you capabilities in early detection of the exploit phase and knowing who is targeting your organization.

Steve Pender
Mimikatz is a tool developed by Benjamin Delpy that is used to gather credential data from Windows systems. There are many ways in which an attacker can utilize it. Although some security products block it by its hash or name, this is highly ineffective since anyone can compile Mimikatz as new versions, making its hash unknown to reputation services. The SentinelOne agent prevents this by identifying and blocking it from reading the device passwords. In addition to other built-in protections, SentinelOne has added a mechanism that does not allow the reading of passwords, regardless of the policy settings. Please contact me on cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services.

Bryan Hurd
Besides having Microsoft Defender, which detects this threat, the newest versions of the Microsoft operating systems for endpoints and servers also have new functionality to reduce the threat from Mimikatz. Making sure individual users do not have admin rights, implementing least privilege and multi-factor authentication will also help. Drop me a note here or on LinkedIn if additional discussion is desired.
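Bryan Hurd's point about built-in OS functionality is worth making concrete, because those controls work regardless of which EDR is deployed and regardless of how Mimikatz was recompiled. The following is an added example, not code from the original thread or from Microsoft: it audits, and optionally applies, the three Windows controls that limit what can be read out of LSASS. Assumptions: the registry paths and values are the documented ones for LSA protection (RunAsPPL), WDigest plaintext caching (UseLogonCredential) and Credential Guard status (Win32_DeviceGuard); the first two need a reboot to take effect, and Credential Guard must be turned on through Group Policy or its own DeviceGuard settings, which this script only reports on.

```powershell
# Added example (not from the original thread): audit and optionally apply
# the built-in Windows controls that reduce what Mimikatz can pull from LSASS.
function Test-CredentialTheftHardening {
    [CmdletBinding()]
    param(
        # Set RunAsPPL=1 and UseLogonCredential=0 when they are not already set (needs admin + reboot).
        [switch]$Apply
    )

    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # RunAsPPL=1 runs LSASS as a protected process (PPL). Code that is not signed
    # for PPL cannot open it for memory reads, which is what sekurlsa::logonpasswords needs.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # UseLogonCredential=0 stops WDigest from keeping plaintext passwords in LSASS memory.
    # Windows 8.1 / Server 2012 R2 and later default to 0 when the value is absent; older
    # systems (with KB2871997) need it set explicitly, so the report treats "absent" as not hardened.
    $wdigest = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # Credential Guard isolates secrets in a VBS-protected process; SecurityServicesRunning
    # contains 1 when it is active. Null when the class is absent (older OS or no VBS).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    if ($Apply) {
        if ($runAsPpl -ne 1) {
            Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
            $runAsPpl = 1
        }
        if ($wdigest -ne 0) {
            if (-not (Test-Path $wdigestKey)) { New-Item -Path $wdigestKey -Force | Out-Null }
            Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Value 0 -Type DWord
            $wdigest = 0
        }
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        LsaProtectionRunAsPPL    = ($runAsPpl -eq 1)
        WDigestPlaintextDisabled = ($wdigest -eq 0)
        CredentialGuardRunning   = $credGuardRunning
        RebootRequired           = $Apply.IsPresent
    }
}

Test-CredentialTheftHardening | Format-List
```

Before turning on RunAsPPL fleet-wide, check for third-party authentication packages or smart-card drivers that load into LSASS and are not PPL-signed, since LSA protection will refuse to load them. Note that none of these settings stop a local administrator from disabling them again, which is why the least-privilege advice in the same reply matters.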
Rony_Sklar
IT Central Station

There are many EDR solutions out there. In your opinion, what are the most important features that an EDR solution should have? 


Additionally, what are good questions to ask vendors when researching EDR solutions? 

Ian Keller
The answers given by Paresh and Akhil are all spot on, so I won't touch on those aspects. The questions I would ask are:
1. What are the financials over the next 5 years (CAPEX and OPEX)? I found a lot of vendors will cut their margins to the bone for the sale and then make that discount up through their annual renewals etc.
2. How sure are they on the timelines to implement?
3. What level of demonstrated and certified skill do they have readily available for the duration of the project / contract?
4. Are those skills available everywhere you operate or located only in one location?
5. What is the time and financial investment required to train internal staff to operate the toolset?

Akhil Kumar
It's true that there are many EDR solutions out there. According to me, the most important features that an EDR should have are:
1. Behavioral-based detection: EDR should not just have signature-based or file-based detection but should also have behavioral-based detection.
2. Detection at rest: This is a topic of discussion and based on the requirements. Most EDR solutions detect and prevent an activity at execution, but it's good to have a detection-at-rest capability: if a user downloads a malicious file and doesn't click on it, it's good for an EDR solution to detect the file at rest.
3. Threat intelligence: This is important for all kinds of activities. If the EDR vendor is incorporating a threat intelligence database and is comparing all the endpoint activities with the IOCs from the database, this provides good value to the company and you can detect many malicious activities within the environment.
4. Provide access to the endpoint: The EDR sensor should provide a remote shell to the machine. Sometimes a security analyst needs to get access to the machine to mitigate a malicious activity; this includes network isolation, remote access, etc.
5. Custom alerts: Most EDRs provide their inbuilt alerts and detection policies, but it's good to have the capability of writing custom alerts for endpoints. Sometimes some of the alerts or policies are not general and are important for a particular business, so writing custom alerts gives the freedom to write policies and alerts specific to that business.
Good questions to ask vendors are:
1. About the sensor of their product: how much CPU power and other resources does the sensor need?
2. How frequently does the sensor send the data to the central location (heartbeat of the sensor)?
3. Do they have the capability of sending all the endpoint logs to a third-party tool or not? Sometimes companies need to ingest all the endpoint data into their SIEM for correlation purposes.
4. Retention period of the data: for how long do they store the data?
5. Data transfer and storing technique: how are they storing and processing the data, is it safe or not, are they using SSL for sending data from the endpoint or not?
6. Can you create separate groups of machines in their platform? Companies need to have separate groups like HR, Finance, IT etc. because they want to apply separate policies to separate groups.
7. Do they have a feature for manually banning the hash of a file? For zero-day vulnerabilities or known bad files it's always good to collect IOCs and manually ban them in the environment.
I hope this will help you with your question. Let me know if you have any other question or if you have any feedback for me. Thanks.

Paresh Makwana
The most important feature is Prevention First; this means effectiveness, simplicity and performance. Additional questions to ask an EDR solution provider:
- Predictive advantage?
- Prevention first, zero-touch approach
- Easy deployment and management
- Low performance impact
- Product is at which phase of machine learning? From 1-5
- Total economic impact?
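Two of the capabilities Akhil Kumar asks for, custom alerts and manual hash banning, are easiest to judge in a vendor evaluation if you already have a few rules of your own written down and can ask how the product would express them. The following is an added example, not code from the original thread or from any EDR vendor: a minimal rule evaluator run over constructed process-creation records. Assumptions: the record fields (Host, Image, ParentImage, CommandLine, Sha256) are a hypothetical normalised shape, not any vendor's schema; the banned hash and all sample records are made up for the example; in production the same function would be fed Sysmon Event ID 1 records or the EDR's exported process telemetry.

```powershell
# Added example (not from the original thread): a small custom-alert evaluator
# with a manual hash blocklist, run over constructed process-creation records.

# Manually banned hashes. Constructed value, not a real sample.
$BannedHashes = @{}
$BannedHashes[('deadbeef' * 8)] = 'constructed: dropper from last week''s phishing wave'

# Business-specific rules. Each Test is a script block that receives one event
# and returns $true when the rule fires. -match is case-insensitive in PowerShell.
$Rules = @(
    @{ Name = 'Office application spawning a shell or script host'
       Test = { param($e)
                $e.ParentImage -match '\\(winword|excel|powerpnt|outlook)\.exe$' -and
                $e.Image       -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$' } },
    @{ Name = 'PowerShell launched with an encoded command'
       Test = { param($e)
                $e.Image -match '\\powershell\.exe$' -and
                $e.CommandLine -match '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' } },
    @{ Name = 'Execution of a manually banned hash'
       Test = { param($e) $BannedHashes.ContainsKey(([string]$e.Sha256).ToLower()) } }
)

function Invoke-CustomAlertRules {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [hashtable[]]$RuleSet = $Rules
    )
    foreach ($e in $Events) {
        foreach ($r in $RuleSet) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    Host        = $e.Host
                    Rule        = $r.Name
                    Image       = $e.Image
                    ParentImage = $e.ParentImage
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample telemetry: the first two records are benign, the last three should fire.
$sample = @(
    [pscustomobject]@{ Host = 'FIN-PC-03'; Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe budget.txt'; Sha256 = ('1' * 64) },
    [pscustomobject]@{ Host = 'IT-PC-11'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe -File .\inventory.ps1'; Sha256 = ('2' * 64) },
    [pscustomobject]@{ Host = 'HR-PC-07'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'cmd.exe /c start invoice.hta'; Sha256 = ('3' * 64) },
    [pscustomobject]@{ Host = 'HR-PC-07'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'; Sha256 = ('4' * 64) },
    [pscustomobject]@{ Host = 'FIN-PC-03'; Image = 'C:\Users\finance\AppData\Local\Temp\update.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'update.exe'; Sha256 = ('DEADBEEF' * 8) }
)

Invoke-CustomAlertRules -Events $sample | Format-Table -AutoSize
```

The point of keeping rules as data rather than hard-coded logic is the same one Akhil makes about custom alerts: the business-specific rule set can be versioned and reviewed separately from the engine, and during a vendor evaluation each rule can be handed over with the question "show me how your product expresses this". The hash rule also illustrates the limit Steve Pender notes in the Mimikatz thread: a recompiled binary gets a new hash, so hash banning is a fast reaction to a known sample, not a substitute for the behavioral rules above it.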
Rony_Sklar
IT Central Station

Can EDR replace antivirus, or are both needed?

Matthias De Toffol
Hello, EDR can replace a normal antivirus and can offer even more, as it can effectively respond to an attack, isolate the end device or restore destroyed data. After that you can analyse the attack. We're using SentinelOne for us and our customers and are more than happy, as we're protected against new and old ransomware.

ShreekumarNair
You can use EDR solutions to track, monitor, and analyze data on endpoints to enhance the fortification of your environment. Generally, EDR tools do not replace traditional tools like antivirus and firewalls; they work beside them to provide enhanced security capabilities. It is becoming the preferred technology for enterprises to provide better security for their networks when compared with traditional antivirus. EDR solutions have many capabilities and advantages which are not offered by traditional antivirus programs. They come loaded with different analytical tools that run in the background to ensure the monitoring and reporting of threats. However, not all EDR solutions perform the same range of functions. Their scope and nature of activities differ depending on the type of EDR solution that you choose. Traditional antivirus programs are more simplistic and limited in scope compared to modern EDR systems. Antivirus is generally a single program which serves basic purposes like scanning, detecting and removing viruses and different types of malware. Antivirus is more of a decentralized security system that falls short of providing adequate security to ever-expanding digital networks. The IT network and perimeter of enterprises have witnessed even faster growth due to the mobile revolution.

Nikki Webb
EDR can replace antivirus, if you get the right EDR solution. A solution that combines EPP and EDR into one is a replacement for traditional antivirus. EPP provides all the protection you would get from antivirus and more. Happy to discuss further if you have any more questions.
Frank Yang
Sales Director at a tech services company with 5,001-10,000 employees

I work at a tech services company with 5,000 - 10,000+ employees.

We are currently researching EPP and EDR solutions. What are the main differences between EPP and EDR?

Thanks! I appreciate the help.

Om Salamkayala
I think most of the comments cover all the key points.

EDR - Endpoint Detection and Response. Its main functions are: to monitor and record activity on endpoints, detect suspicious behaviour and security risks, and respond to internal and external threats. This further includes providing authentication of log-ins, monitoring network activities, and deploying updates.
Its capabilities:
1. Continuous endpoint data collection.
2. Detection engine.
3. Data recording.
It is considered the next layer of security.
Its limitations: no in-depth visibility; the IR team needs to deal with false alarms and has to handle the restoring process; it struggles to find the attackers who infiltrated and the damage caused; not a holistic approach.

EPP - Endpoint Protection Platform. Its functionality covers: antivirus, anti-malware, data encryption, personal firewalls, IPS, DLP. It works mainly on a signature-based approach and broader detection techniques. It is considered the first line of defence.

Keeping in view the above points, currently a holistic endpoint security solutions approach is emerging, i.e. EDR providers are incorporating aspects of EPP and vice versa, resulting in EDR being considered a subset of EPP. Examples of such products or tools: Symantec and Cynet. I hope the above points cover the difference between EDR & EPP.

Neil Rerup
The biggest difference is time frames. EPP is meant to PREVENT infection. EDR is meant to deal with endpoints once they ARE infected.

Jehyun Shim
EPP is focused on detecting malware, but EDR is focused on logging endpoint events, and these events are used for threat hunting or incident response. So you need advanced security analysts to get the desired effect. EPP and EDR are not completely separate solutions. EDR is a core component of an EPP product, and many EPP vendors add EDR features to their EPP solution.