EDR Systems
Overview
Leveraging EDR system logs to detect and respond to advanced threats, malicious activities, and anomalous behavior on endpoint devices.
Sample products
- CrowdStrike
- Carbon Black
- SentinelOne
- Microsoft Defender for Endpoint
- McAfee Endpoint Security
- Symantec Endpoint Protection
Use Case Categories
| Category | Description |
|---|---|
| Malware Detection | This use case involves the identification and neutralization of malicious software including viruses, worms, and trojans. EDR products leverage signature-based, heuristic, and behavior analysis techniques to detect and isolate threats on endpoints before they can execute or spread, ensuring the integrity of systems and data. |
| Anomalous Behavior and Threat Hunting | EDR solutions excel in detecting deviations from normal endpoint behavior, which may indicate a security breach or unauthorized activity. They provide tools for proactive threat hunting, enabling security teams to search for indicators of compromise (IOCs) and take preemptive actions against potential threats. |
| Configuration Compliance Monitoring | This use case focuses on ensuring that endpoint configurations adhere to established security policies and standards. EDR platforms continuously monitor endpoints for changes in configuration that could expose them to security risks, providing alerts and remediation capabilities to maintain compliance and enhance the organization's security posture. |
| Advanced Persistent Threats (APTs) Identification | EDR products are crucial in identifying APTs—sophisticated, long-term cyberattacks aimed at stealing information or espionage. They analyze patterns of behavior over time to uncover low-and-slow attacks, utilizing advanced machine learning and AI to differentiate between benign activities and potentially malicious operations, ensuring timely detection and response to these stealthy threats. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Signature-Based Malware Detection | Detects malware based on signatures of known malicious files. |
| Behavioral Heuristics for Malware | Identifies malware through abnormal behavior and heuristic analysis. |
| Ransomware Activity Detection | Detects activities typical of ransomware, such as rapid file encryption. |
| Malicious Document Identification | Identifies documents containing malicious macros or exploits. |
| Unusual Network Connections | Detects endpoints initiating unusual external network connections. |
| Suspicious File Creation Patterns | Detects patterns of file creation that are typical of malicious activity. |
| Persistence Mechanism Identification | Identifies techniques used by malware to maintain persistence on a system. |
| Unauthorized Configuration Changes | Detects changes to system configurations that violate security policies. |
| Non-Compliant Software Installation | Identifies installation of software that is not compliant with organizational policies. |
| Insecure Protocol Usage | Detects use of insecure protocols that may compromise data security. |
| External Command Execution | Detects execution of commands and scripts typically used by attackers. |
| Lateral Movement Detection | Detects behavior indicative of lateral movement within the network. |
| Data Exfiltration Attempts | Identifies attempts to exfiltrate data outside the organization. |
MITRE ATT&CK
T1063, T1059, T1486, T1204, T1043, T1105, T1547, T1222, T1128, T1132, T1021, T1041