Modern endpoint security solutions use a technology called Endpoint Detection and Response (EDR). EDR uses AI and analytics to defend against current security threats, whereas legacy AV systems rely on a static signature database to detect viruses. EDR-based systems can learn and help protect your IT assets from modern-day IT risks.
Modern day EDR solutions can detect both legacy viruses and malware threats.
Threat hunting is a feature in which the EDR agent continuously records system activity. Once a virus is activated, you can follow the breadcrumbs it left to track down what it did on your network and systems. You can also use the threat hunting feature for troubleshooting. It monitors things like:
- Process Monitoring
- DNS Activity
- Registry changes
- File modifications
- Scheduled Tasks
- Batch / Command Scripts
- URL Web Access
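To show what "following the breadcrumbs" looks like in practice, here is an added example (not code from the original post or from any EDR vendor) that walks a constructed set of agent telemetry of the types listed above, rebuilds the process tree under a suspect process, and returns everything that tree did, in time order. The event records, PIDs and names are all made up for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (illustrative, not from any real EDR product).
# Each record is one event the agent observed; "process" events carry a parent PID.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "detail": "explorer.exe"},
    {"ts": 2, "type": "process", "pid": 200, "ppid": 100, "detail": "winword.exe"},
    {"ts": 3, "type": "process", "pid": 300, "ppid": 200, "detail": "cmd.exe"},
    {"ts": 4, "type": "script", "pid": 300, "detail": "run.bat"},
    {"ts": 5, "type": "dns", "pid": 300, "detail": "updates.example.invalid"},
    {"ts": 6, "type": "file", "pid": 300, "detail": r"C:\Users\u\AppData\stage.tmp"},
    {"ts": 7, "type": "registry", "pid": 300,
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\stage"},
    {"ts": 8, "type": "schtask", "pid": 300, "detail": "Stage"},
    {"ts": 9, "type": "process", "pid": 400, "ppid": 100, "detail": "notepad.exe"},
    {"ts": 10, "type": "dns", "pid": 400, "detail": "docs.example.invalid"},
]


def descendants(events, root_pid):
    """Return the set of PIDs in the process tree rooted at root_pid.

    Assumes PIDs are unique within the window; real telemetry reuses PIDs,
    so production hunts key on (pid, start time) or a process GUID instead."""
    children = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev["pid"])
    seen, queue = set(), [root_pid]
    while queue:
        pid = queue.pop()
        if pid in seen:
            continue
        seen.add(pid)
        queue.extend(children[pid])
    return seen


def timeline(events, root_pid):
    """Follow the breadcrumbs: every event attributable to the tree, in time order."""
    tree = descendants(events, root_pid)
    return sorted((e for e in events if e["pid"] in tree), key=lambda e: e["ts"])


def summarize(events, root_pid):
    """Count activity by type so an analyst sees at a glance what the tree did."""
    return dict(Counter(e["type"] for e in timeline(events, root_pid)))


if __name__ == "__main__":
    for e in timeline(EVENTS, 200):  # start the hunt at the document process
        print(f'{e["ts"]:>3} pid={e["pid"]} {e["type"]:<8} {e["detail"]}')
    print(summarize(EVENTS, 200))
```

Starting from the Word process (PID 200) the hunt surfaces the spawned shell, its script, DNS lookup, dropped file, Run-key entry and scheduled task, while the unrelated Notepad activity under the same parent is left out.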
Your EDR solution should be able to replace your legacy anti-virus.
Some of these applications can be installed on older Operating Systems. While the use of legacy or non-updating operating systems is generally not encouraged, EDRs may help protect legacy Operating Systems that cannot be upgraded due to application limitations.
EDRs can be used in the office, in the cloud, or at home (remotely). Many organizations protect their entire hybrid cloud infrastructure with EDR platforms.
The ability to roll back after an event is an amazing feature. For example, the EDR agent can tell the system to roll back using Microsoft's built-in Volume Shadow Copy Service (VSS).
Containing a threat by blocking all network activity is very helpful in stopping the spread of a virus. The EDR agent can block all network traffic except its own communication with the EDR portal. Once you have analyzed and cleaned the system, you can allow it back on the network. While EDRs are clearly intuitive and provide clear value, their implementation and acclimation into your environment need time. Weidenhammer recommends setting up an EDR tool in Detect Mode (read only) for a few days. This allows it to scan systems and find issues while getting used to the environment, without making any major changes to network traffic or flow. Once you have had time to review the output of the EDR platform and review the policies, you can engage the system to run at full capacity.