Endpoint Detection & Response
Are endpoints a security concern? Endpoints are often the weakest links in a network: they provide the attack surface through which attackers launch malware, steal data, take control of network resources or interrupt essential business processes.
Are we talking about Anti-Virus?
No. Endpoint security is the true successor to legacy antivirus for enterprise cybersecurity. First, it gives your IT security team a central management portal that keeps track of all endpoints and maintains visibility over them. It also lets the team monitor problem areas and suspicious data traffic. Through centralized management, you can also protect the endpoints of a remote workforce. Antivirus can’t provide that.
Second, endpoint security can restrict which devices may or may not connect to your endpoints. For example, you could block a USB device carrying a malware payload from installing via certain USB ports without permission. Antivirus doesn’t offer such capabilities.
How to best protect endpoints?
While today’s antivirus solutions can identify and block many new types of malware, attackers are constantly creating more, and many types are difficult to detect using standard methods. For example, fileless malware, a more recent development, runs in the computer’s memory and so evades signature-based malware scanners.
To bolster security, an IT department may implement a variety of endpoint security solutions, as well as other security applications, over time. However, multiple standalone security tools can complicate the threat detection and prevention process, especially if they overlap and produce similar security alerts. A better approach is an integrated endpoint security solution.
What is EDR and what are its primary functions?
Endpoint detection and response (EDR), also known as endpoint threat detection and response, is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated analysis and response capabilities. The term describes a security system that detects and investigates suspicious activity on hosts and endpoints, employing a high degree of automation so that security teams can quickly identify and respond to threats.
The primary functions of an EDR security system are to:
1. Monitor and collect activity data from endpoints that could indicate a threat
2. Analyze this data to identify threat patterns
3. Automatically respond to identified threats to remove or contain them, and notify security personnel
4. Provide forensics and analysis tools to research identified threats and search for suspicious activities
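The four functions above form a pipeline. As an added illustration (not Swisscom’s code or any product’s API), the following Python sketch runs all four stages over constructed process-creation telemetry: rule-based analysis of parent/child process relationships (the kind of behavioural signal that catches the in-memory execution mentioned earlier), a recorded containment playbook, and process-ancestry reconstruction for the analyst. Host names, PIDs, command lines and the detection rule itself are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed process-creation telemetry, as an EDR agent would forward it (hosts/PIDs invented).
EVENTS = [
    {"host": "ws-17", "pid": 410, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"host": "ws-17", "pid": 522, "ppid": 410, "image": "winword.exe", "cmd": "winword.exe report.docx"},
    {"host": "ws-17", "pid": 601, "ppid": 522, "image": "powershell.exe", "cmd": "powershell.exe -enc <omitted>"},
    {"host": "srv-02", "pid": 88, "ppid": 1, "image": "powershell.exe", "cmd": "powershell.exe Get-Service"},
]
# Behavioural rule (assumed for the example): an office application spawning a shell is an
# in-memory execution pattern that signature scanning misses but process telemetry exposes.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

@dataclass
class Alert:
    rule: str
    host: str
    pid: int
    actions: list = field(default_factory=list)   # set by respond()
    ancestry: list = field(default_factory=list)  # set by forensics()

def analyze(events):
    """Stage 2: correlate each event with its parent process on the same host and apply the rule."""
    by_key, alerts = {(e["host"], e["pid"]): e for e in events}, []
    for e in events:
        parent = by_key.get((e["host"], e["ppid"]))
        if parent and parent["image"] in OFFICE and e["image"] in SHELLS:
            alerts.append(Alert("office_spawns_shell", e["host"], e["pid"]))
    return alerts

def respond(alert):
    """Stage 3: automated containment. A real platform would call the agent; here the playbook steps are only recorded."""
    alert.actions = [f"kill_process:{alert.pid}", f"isolate_host:{alert.host}", "notify:soc"]
    return alert

def forensics(events, alert):
    """Stage 4: rebuild the process ancestry chain (root first) so an analyst can review the context."""
    by_key, chain = {(e["host"], e["pid"]): e for e in events}, []
    cur = by_key.get((alert.host, alert.pid))
    while cur and len(chain) < 32:  # depth guard against malformed ppid loops
        chain.append(cur["cmd"])
        cur = by_key.get((cur["host"], cur["ppid"]))
    alert.ancestry = chain[::-1]
    return alert

def run_pipeline(events):
    """Stage 1 is the collected telemetry itself; stages 2-4 run over it end to end."""
    return [forensics(events, respond(a)) for a in analyze(events)]
```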
EDR as a Managed Service
Introducing EDR is challenging for many companies. On the one hand, integration into a SOC, into a SIEM (Security Information and Event Management) solution and into SOAR (Security Orchestration, Automation and Response) processes is not trivial but very demanding. On the other hand, the necessary security expertise must be available to interpret EDR alerts and to keep the EDR and the security concept continuously up to date. Setting EDR up once is not enough; the solution’s configurations, detection rules, policies and procedures (playbooks) must be continuously updated to automate SOAR processes. The shortage of skilled workers is a problem in this respect: by 2026, Switzerland will be lacking 40,000 ICT professionals. Many companies do not have the security expertise needed to run EDR operations themselves, so it could be worthwhile for them to examine the Managed Services option for EDR.
Swisscom’s approach to EDR
Swisscom’s EDR provides end-to-end visibility across all endpoints, e.g. client, server and mobile devices, in order to detect advanced attacks. Automated investigation and remediation of security alerts take the pressure off the customer’s security and operations team. The Service comprises the following functions:
- Endpoint Detection & Response (EDR) is the service that detects advanced attacks
- The EDR cloud platform is the platform that receives security telemetry data from the endpoints and uses this to generate security alerts
- The EDR cloud dashboard provides an overview of detected security alerts
- Endpoint protection shields endpoints against malware, attacks and malicious activity
The Service is implemented together with the Customer within a project and in the following four phases:
- Creation of a standard solution design
- Implementation of best practice configuration
- Onboarding of the EDR service and the endpoints
- Brief introduction to the EDR dashboard
The Swisscom service management services included (Incidents, Service Requests, Maintenance and Monitoring) offer the Customer the following added value:
- Support and enquiries via the Swisscom Service Desk
- Execution of the service requests defined in the catalogue
- Continuous updating of the best practice rule sets and security policies
- Integration of new features on the EDR platform and dashboard
- Life cycle management (agent)
- Service and endpoint monitoring
The service can also be combined with Swisscom’s SOCaaS, CSIRTaaS and Microsoft 365 Management.