EDR Security – Ransomware protection of endpoints
Ransomware, Phishing and a variety of endpoint threats
According to NIST’s security trends report for 2019, 70% of breaches originate at the endpoint. The study analyzed more than 6 million enterprise devices and found that the main cause of endpoint compromise was existing vulnerabilities, and that only 42% of endpoints were actually protected against threats.
Endpoints are easy targets for cyber attackers, who use them as a foothold for a variety of attacks. Attackers typically use the endpoint as a means to an end – the network and the information it contains. Once they hold information that is important to the organization, they sell it for the highest possible price, demand a “ransom” for restoring the information or removing the encryption, or use it to commit financial and identity fraud.
Here are some types of attacks that make endpoints an information security risk:
Phishing – Attacks aimed at email users. Victims receive an email impersonating a legitimate entity that tricks them into revealing sensitive information or downloading malware disguised as legitimate software.
Malvertising – Malicious ads containing malware. Victims click on ads shown on legitimate websites and get infected with malware.
Ransomware – A type of malware that encrypts the victim’s data and blocks access to it. Victims have to pay a ransom in order to get their data back.
Drive-by downloads – Victims click on legitimate-looking websites, links or software updates. The click downloads malware, or software that includes ransomware encryption, without the victim’s knowledge.
Unpatched vulnerabilities – Endpoints that are not updated on a regular basis, including with UTM updates, often fall victim to attacks. Threat actors use such security vulnerabilities to break into the network.
How does the EDR system work?
EDR security solutions provide real-time visibility into network endpoints, as well as proactive capabilities for identifying and responding to endpoint threats. To enable these capabilities, EDR solutions use the following mechanisms:
1. Data collection – collecting the data generated by activity at the endpoints, such as network communication, user logins and process execution
2. Data logging – real-time recording of security events at the endpoints. Security teams on the EDR vendor side use this information to respond to security incidents as they occur
3. Detection engine – performs behavioral analysis, which establishes a baseline of normal endpoint activity and identifies which deviations from that baseline represent malicious activity
To provide real-time endpoint visibility and analysis, EDR solutions perform these three tasks continuously. Once a threat is detected, the EDR solution alerts administrators and/or applies a predefined threat response.
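The three mechanisms above, shown as a minimal detection engine over constructed endpoint telemetry. This is an added example, not code from any EDR product: it builds a baseline of which (user, process) pairs ran during a known-good period, then flags processes that never appeared in the baseline and bursts of file writes by a single process, the behavioral pattern of ransomware encrypting files in bulk. All event data, host names and process names are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Event:
    ts: float         # seconds since monitoring start
    host: str
    user: str
    process: str
    action: str       # "exec" or "file_write"
    target: str = ""  # file path for file_write events

# Constructed telemetry from a known-good baseline period.
BASELINE_EVENTS = [
    Event(0.0, "pc1", "alice", "outlook.exe", "exec"),
    Event(1.0, "pc1", "alice", "winword.exe", "exec"),
    Event(2.0, "pc1", "alice", "winword.exe", "file_write", "report.docx"),
    Event(3.0, "pc2", "bob", "excel.exe", "exec"),
]

# Constructed live telemetry: two unseen processes, then a burst of 25 file writes.
LIVE_EVENTS = [
    Event(100.0, "pc1", "alice", "winword.exe", "exec"),
    Event(101.0, "pc1", "alice", "powershell.exe", "exec"),
    Event(101.5, "pc1", "alice", "updater.exe", "exec"),
] + [Event(102.0 + i * 0.1, "pc1", "alice", "updater.exe", "file_write", f"doc{i}.docx")
     for i in range(25)]

def build_baseline(events):
    """Record which (user, process) pairs executed during the baseline period."""
    return {(e.user, e.process) for e in events if e.action == "exec"}

def detect(events, baseline, write_threshold=20, window=10.0):
    """Return (ts, host, rule, process) alerts for anomalies in the event stream."""
    alerts = []
    writes = defaultdict(list)  # (host, process) -> recent file_write timestamps
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "exec" and (e.user, e.process) not in baseline:
            alerts.append((e.ts, e.host, "unseen-process", e.process))
        elif e.action == "file_write":
            recent = writes[(e.host, e.process)]
            recent.append(e.ts)
            # Drop writes that fall outside the sliding window.
            while recent and e.ts - recent[0] > window:
                recent.pop(0)
            # Many writes by one process in a short window is the signature of bulk
            # encryption; alert once per burst and reset the counter.
            if len(recent) >= write_threshold:
                alerts.append((e.ts, e.host, "mass-file-write", e.process))
                recent.clear()
    return alerts
```

Calling `detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS))` yields two unseen-process alerts and one mass-file-write alert for `updater.exe`; a real EDR would feed such alerts into the predefined response described above.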
The range of EDR solutions on the market is wide, and it is worth comparing the main features of each system in order to choose the solution that best suits your needs and budget.