COI Report – Part VII Page 258 of 425

that system etc. It provides more real-time information (as opposed to simply historical logs) of detectable and observable events in the network, and does not rely on the detection of known signatures only. He recommends that the EDR be centrally managed, bringing him in agreement with Dr Lim’s recommendation for the implementation of what he refers to as “managed EDR” (“MDR”). MDR allows for the achievement of enterprise network visibility for more effective detection of advanced cyber threats. More than simply EDR, MDR collects, correlates and analyses all data obtained within an EDR, and can determine communications and movements between endpoints in different parts of the network. The system runs on two levels: there are software agents that run in the background on endpoints, and a centralised endpoint security management system that monitors and controls the agents. In essence, MDR allows a look at the bigger picture – a holistic look at data on a system level.

37.3.1 Detection

745. EDR tools work by monitoring endpoint and network events, and recording this data for analysis, detection, investigation, reporting and alerting. Such tools use sophisticated analytics that identify patterns and detect anomalies in the network, including rare processes, strange or unrecognised connections, or other risky activities that are flagged based on baseline comparisons. This monitoring process can be automated, and anomalies will trigger alerts for immediate action or further investigation. Instead of being a signature-based system, EDR systems use anomaly-based detection, which compares definitions of what is considered normal activity with observed events in order to identify significant deviations. As explained by Vivek, this detection method can be very effective at identifying previously unknown threats.
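The baseline-comparison detection described in paragraph 745, and the central correlation of movement between endpoints described for MDR above, as an added illustration (example code written for this page, not part of the COI Report or of any EDR product): a per-endpoint baseline is learned from constructed telemetry, unknown or rare processes and unrecognised connections are flagged without any signatures, and alerted connections are then chained centrally. Endpoint names, process names, destinations and the rarity threshold are assumed sample values.

```python
from collections import Counter, defaultdict
# Constructed telemetry as (endpoint, process, destination) tuples, as an EDR agent would forward.
BASELINE_EVENTS = [  # "normal" period used to learn what each endpoint usually does
    ("ws-01", "outlook.exe", None), ("ws-01", "outlook.exe", None),
    ("ws-01", "chrome.exe", "mail.corp.example"), ("ws-01", "chrome.exe", "mail.corp.example"),
    ("ws-01", "backupagent.exe", "backup.corp.example"),  # seen once only: rare
    ("srv-app", "w3wp.exe", "srv-db"), ("srv-app", "w3wp.exe", "srv-db"),
]
OBSERVED_EVENTS = [  # later period, compared against the baseline
    ("ws-01", "outlook.exe", None),
    ("ws-01", "backupagent.exe", "backup.corp.example"),
    ("ws-01", "powershell.exe", "srv-app"),  # new process on ws-01, new destination
    ("srv-app", "cmd.exe", "srv-db"),        # new process on srv-app, known destination
]

def build_baseline(events):
    """Per-endpoint process counts and the set of destinations each endpoint talks to."""
    procs, dests = defaultdict(Counter), defaultdict(set)
    for host, proc, dest in events:
        procs[host][proc] += 1
        dests[host].update({dest} - {None})  # adds nothing when there is no destination
    return procs, dests

def detect_anomalies(baseline, events, rare_threshold=2):
    """Flag deviations from the baseline; returns (host, kind, process, destination)."""
    procs, dests = baseline
    alerts = []
    for host, proc, dest in events:
        seen = procs[host][proc]  # 0 also for an endpoint that has no baseline at all
        kind = "unknown-process" if seen == 0 else "rare-process" if seen < rare_threshold else None
        if kind:
            alerts.append((host, kind, proc, dest))
        if dest is not None and dest not in dests[host]:
            alerts.append((host, "unrecognised-connection", proc, dest))
    return alerts

def correlate_movement(alerts):
    """Central step: chain alerted connections so movement between endpoints is visible."""
    edges = defaultdict(set)
    for host, _kind, _proc, dest in alerts:
        edges[host].update({dest} - {None})
    chains, starts = [], set(edges) - {d for ds in edges.values() for d in ds}
    stack = [[s] for s in sorted(starts, reverse=True)]
    while stack:
        path = stack.pop()
        nxt = edges.get(path[-1], set()) - set(path)  # never revisit a host
        if not nxt:
            chains.append(path)
        stack.extend(path + [d] for d in sorted(nxt, reverse=True))
    return chains
```

The normal outlook.exe activity on ws-01 raises nothing, while the chain ws-01 → srv-app → srv-db only becomes visible once the per-endpoint alerts are correlated centrally.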
Defending networks from cyber attacks necessitates a comprehensive EDR system, which should meet the following criteria: a) Has comprehensive detection that (i) leverages on security analytics to identify threats, and (ii) automates threat detection across the Cyber Kill Chain.