Back in February, it was hard to miss news stories about the mysterious balloon floating across North America. While the public still doesn’t have definitive answers, it did raise a lot of questions. Who launched it? For what purpose? Was it detected soon enough? Once it was detected, were the right actions taken?
We can’t help but see the similarities with protecting businesses against cybersecurity attacks. Criminals regularly launch “trial balloons” to see if they can find a way to get past your security defenses. Once they find a vulnerability, they can return later with a well-prepared attack. Do you have the tools in place to detect these trial balloons? Do you have the policies and procedures to respond appropriately?
EDR: your cybersecurity NORAD
The North American Aerospace Defense Command (NORAD) protects the United States by monitoring air and sea traffic for threatening activity. NORAD can detect anomalous behavior, identify the threat, determine the appropriate response, and dispatch the necessary military resources.
Any business with computers connected to the internet needs its own electronic version of NORAD. Endpoint Detection and Response (EDR) tools, just like NORAD, monitor your network traffic and look for anomalies. Once detected, EDR can take action automatically and alert security experts who can then determine how to protect your business from the threat.
EDR monitors electronic events across the devices in your environment: PCs, phones, tablets, servers, and even cloud workloads. In addition to generating alerts, EDR also collects telemetry data that can be used to identify the source of an incident and to correlate events across the network. Although EDR was originally developed as a forensic tool to gather data for analysis after the fact, it has evolved to include anti-malware tools and is beginning to use artificial intelligence to respond to emerging threats in real time.
Why you need EDR
Regardless of the size of your business, you are constantly under threat of attack. Attacks range from simple phishing emails to sophisticated malware designed to exploit specific vulnerabilities and to hide from standard security software. Often these attacks can only be detected by analyzing activity over time and using machine learning to connect the dots.
EDR solutions collect this data and analyze it looking for patterns. There are several key elements to a successful EDR implementation:
- Broad visibility: the foundation for EDR is a large data set. An effective EDR implementation needs to monitor as many network devices as possible to detect anomalous behavior quickly.
- Machine learning: malware evolves too quickly for a database of known signatures to protect against the latest versions. Machine learning allows EDR to look for suspicious behavior rather than specific malware signatures, so it can detect new variants and zero-day exploits.
- Orchestrated response: once an attack is identified, your response must not only remediate the infected systems, but also inoculate other systems to prevent the malware from spreading.
With these elements in place, EDR can begin to proactively protect your business against attacks by:
- Automatically quarantining files containing malware
- Autonomously killing processes that are doing things they shouldn’t
- Patching vulnerable apps
- Proactively isolating network devices to prevent the spread of an attack
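The key elements above (behavior-based detection, correlation over time and across devices, and an orchestrated response) can be illustrated with a small detection loop run over constructed endpoint telemetry. This is an added example, not code from the original post or from any EDR product; the event schema, the two behavior rules, the host names and the destination addresses are all hypothetical.

```python
from collections import defaultdict

# Constructed sample telemetry (not from any real EDR agent). Each event is
# (time_s, host, kind, fields); the schema and the rules below are hypothetical.
SAMPLE_EVENTS = [
    (100, "pc-12", "process_start", {"pid": 41, "ppid": 7, "image": "winword.exe"}),
    (106, "pc-12", "process_start", {"pid": 42, "ppid": 41, "image": "powershell.exe"}),
    (109, "pc-12", "net_connect", {"pid": 42, "dst": "203.0.113.9"}),
    (300, "pc-13", "process_start", {"pid": 8, "ppid": 2, "image": "outlook.exe"}),
    (304, "pc-13", "process_start", {"pid": 9, "ppid": 8, "image": "cmd.exe"}),
    (311, "pc-13", "net_connect", {"pid": 9, "dst": "203.0.113.9"}),
    (400, "pc-14", "process_start", {"pid": 5, "ppid": 1, "image": "explorer.exe"}),
    (402, "pc-14", "process_start", {"pid": 6, "ppid": 5, "image": "cmd.exe"}),  # admin shell, benign
    (405, "pc-14", "net_connect", {"pid": 6, "dst": "198.51.100.7"}),
]

USER_APPS = {"winword.exe", "excel.exe", "outlook.exe"}  # document and mail apps
SHELLS = {"powershell.exe", "cmd.exe"}
WINDOW_S = 60  # correlate a child's network activity within 60 s of its start

def analyze(events):
    """Return (alerts, hosts_to_isolate) using behavior rules, not file signatures."""
    images = {}    # (host, pid) -> image name, so a child can be tied to its parent
    suspect = {}   # (host, pid) -> start time of a shell spawned by a user app
    alerts = []
    dst_hosts = defaultdict(set)  # destination -> hosts whose suspect shell reached it
    for t, host, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "process_start":
            images[(host, f["pid"])] = f["image"]
            parent = images.get((host, f["ppid"]), "")
            # Rule 1: a document or mail app launching a command shell is anomalous
            if f["image"] in SHELLS and parent in USER_APPS:
                suspect[(host, f["pid"])] = t
                alerts.append((host, "user app %s spawned %s" % (parent, f["image"])))
        elif kind == "net_connect":
            started = suspect.get((host, f["pid"]))
            # Rule 2: that shell reaching out within the window escalates the alert
            if started is not None and t - started <= WINDOW_S:
                dst_hosts[f["dst"]].add(host)
                alerts.append((host, "suspect shell connected to %s" % f["dst"]))
    # Rule 3: the same destination seen from several hosts means the activity is
    # spreading; the orchestrated response isolates every affected host at once
    isolate = set()
    for hosts in dst_hosts.values():
        if len(hosts) >= 2:
            isolate |= hosts
    return alerts, sorted(isolate)
```

Note that the benign administrator shell on pc-14 produces no alert because its parent is not a document or mail application, and no file hash is consulted anywhere: the detection is driven entirely by behavior and timing.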
EDR is even more important now
While protecting your business against security threats has always been important, there are three key reasons why it’s even more critical now than in the past. Hybrid work has dramatically expanded the attack surface of your network. Employees log in from homes, hotels, airports, coffee shops, and anywhere else. These remote users access applications including email, video conferencing, messaging, and file sharing that can easily be hijacked by cybercriminals. The intelligent monitoring capability of EDR is vital for enabling employees to continue to work how and where they need while also keeping the network safe.
The Internet of Things has increased the number of devices on your network. Each manufacturer has a different security standard and update process, making it even harder for your security team to stay on top of vulnerabilities and the latest configurations. The automation features of EDR are critical for allowing your business to embrace the Internet of Things while keeping an inventory of all the different devices and keeping them up to date and configured properly.
Cybersecurity insurers know the effectiveness of EDR. Companies with quality EDR implementations cost less to insure than companies without EDR. Insurance companies are beginning to refuse to issue a policy to a company that doesn’t have EDR in place.
How to get started
Implementing a robust EDR solution requires planning. Here are a few of the key steps you’ll need to take:
- Identify endpoints. Perform an inventory and determine which devices will require EDR software.
- Evaluate EDR solutions. There are many different providers, each with different approaches and features. Understand how each EDR solution will integrate with your network infrastructure.
- Plan and test. Once you’ve selected your devices and EDR solution, plan and test the solution in a lab environment.
- Configure and deploy. Create the specific policies for your environment and install the EDR software on production devices.
- Monitor and update. Review the alerts that are raised, adapt your security policies to respond to changing usage and threats, and ensure software stays up-to-date.
While not necessarily a simple process, deploying an EDR solution isn’t optional these days. If you don’t have EDR in place, you need to start the process immediately. If you do have EDR, now is a great time to review and update it to ensure it is keeping up with the latest security threats. Sadly, cybercriminals won’t wait until you’re ready, nor will insurance companies.