A solution to the arising unknown security threats is EDR (Endpoint Detection and Response)
As the name implies, EDR refers to a product that ‘detects’ and ‘response’ to security threats of ‘Endpoint’. Devices such as ‘PC’ or ‘Server’ and ‘Mobile’ and ‘IoT’ that we often use are endpoint products.
In other words, endpoints occupy a very important position when it comes to security as they are the last step in the devices we use. In particular, as cyber-attacks targeting endpoints such as ransomware and phishing increase in recent years, their importance is becoming more prominent. Of course, security products for endpoints already exist. These include “anti-virus” products that we commonly call “vaccines”, “anti-ransomware” specialized in “ransomware”, and “APT solutions” to defend against APT attacks. Nevertheless, why did EDR appear? And why can EDR be the choice between a variety of endpoint solutions?
Even though there are various endpoint solutions, the reason why EDR appeared is because of ‘Unknown’ or ‘Unknown Threat’. Vaccines, anti-ransomware, and APT solutions have a clear purpose. Its main purpose is to defend against viruses or malware attacking endpoints (vaccines), protect endpoints from ransomware attacks (anti-ransomware), or respond to APT attacks (APT solutions).
The problem is that the existing security solutions miss due to cyber attacks also evolving or zero-day vulnerabilities (unknown vulnerability. Because there is no way to solve it because it is not known, it is helpless if attacked, and even when and what kind of attack was performed), etc. Is that there is. In particular, there is no way to know with existing solutions if a virus or the like invades an endpoint using a zero-day vulnerability and does not move while waiting for an attack. In addition, just as security companies create security solutions based on advanced technologies such as AI or machine learning, attackers are also using these advanced technologies to attack. Based on “Adversarial Machine Learning,” he said, he is launching an attack that bypasses new defense techniques.
Attacks that use zero-day vulnerabilities, attacks that bypass defense techniques, or attacks that use “new” or “variant” malware that the solution to defend is not familiar with are difficult for existing solutions to defend. If you know that it is an attack, you will be able to defend it, because if you don’t know if this is an attack, you won’t defend itself. It means that you can defend or respond accordingly only by confirming that the other person is an enemy’. As a result, security companies check the existence of a “virus” or “vulnerability” used in an attack and learn this information into their security solutions through updates. That’s why the popular antivirus products for PCs update every time the PC is turned on.
Nevertheless, it is not easy to do a “proactive” response because endpoint security solutions are products intended to respond to “threats” that have already occurred or have already launched an attack. In particular, it is difficult to cope with “unknown” threats such as “zero-day” or new/variant malware described above.
EDR is a product designed to counter these unknown threats. In addition, it does not stop at simply finding a threat, but shows the found information as’visible’ to help users actively respond.
For this reason, EDR is not a B2C product such as a vaccine, but a B2B product used by companies or institutions. Unknown threats detected by EDR are notified to security personnel of enterprises or institutions so that they can respond. Hwang Sang-bok, head of East Security, said, “EDR is a solution that helps security personnel to find something that can be a problem, not to solve the problem on its own like a vaccine, and to respond. Accordingly, the current EDR can only be used by companies or organizations that have a security team that can create a security policy through minimal analysis.”