Key capabilities of endpoint detection and response
EDR solutions share four core capabilities:
- Detection: continuous monitoring and file analysis to flag malicious behavior.
- Containment: isolating compromised endpoints to stop lateral movement.
- Investigation: per-incident analysis, including sandboxing, to find how a threat entered.
- Elimination: visibility into the full file lifecycle to remove the threat and remediate affected systems.
Detection
Threat detection is a foundational EDR capability. Advanced malware can be stealthy and can shift from a benign to a malicious state after crossing the point of entry, so accurate detection is essential to contain and neutralize it. With continuous file analysis, EDR flags offending files at the first sign of malicious behavior; if a file deemed safe later begins ransomware activity, EDR detects it and alerts your team to act.
EDR detection is only as effective as the threat intelligence behind it. That intelligence uses large-scale data, machine learning, and file analysis to identify threats, and EDR maps observed activity against documented adversary techniques in the MITRE ATT&CK framework. Without strong threat intelligence, an EDR solution cannot provide adequate detection.
Containment
After detecting a malicious file, EDR contains the threat to limit its spread. Malware aims to infect as many processes, applications, and users as possible. Network segmentation helps limit lateral movement, and EDR adds the ability to contain a malicious file and isolate compromised endpoints before the threat tests the edges of segmented areas.
This is critical against ransomware, which is difficult to remove once it has encrypted data.
Investigation
Once a threat is detected and contained, EDR investigates the incident. If a threat slipped through the perimeter, there is a vulnerability, an unknown attack technique, or an outdated device or application to address. Without investigation, the same threats are likely to recur. EDR provides the per-incident review needed to reveal these issues and align response with established guidance such as NIST SP 800-61, the Computer Security Incident Handling Guide.
Sandboxing is a key investigative capability. A suspect file is isolated in a simulated environment where it can be detonated, monitored, and analyzed without risk to the wider environment. EDR can provide sandboxing through integrated Cisco Secure Malware Analytics, learning the attributes of a malicious file to better defend against future threats.
Elimination
EDR must be able to eliminate the threat. Detecting, containing, and investigating a threat is a strong start, but without elimination the system stays compromised.
Effective elimination depends on visibility, so EDR should answer questions such as:
- Where did the file originate?
- What data and applications did the file interact with?
- Has the file replicated?
Seeing the entire timeline of a file is essential, because removing a single observed file is rarely enough; you may need to remediate multiple parts of the network. An EDR solution should provide actionable data on the lifespan of the file, and if it has retrospective capabilities, use that data to automatically remediate systems to their state prior to infection.
A complete endpoint security approach combines EPP prevention at the perimeter with EDR monitoring inside the environment to protect files throughout their lifecycle.