In the last article, we mentioned that Endpoint Detection and Response (EDR) is in line with implementing the concept of Zero Trust because EDR involves continuous monitoring which ensures Visibility. Now we’re going to take a closer look at EDR. To put it simply, by keeping an eye on what’s happening on your Endpoint, such as your PC, you will be aware of what’s going on with your computer and take actions immediately if any problem occurs.
As we can see from the above graph, EDR has more functions than Vaccine, including such capabilities as identification, protection, detection, response, etc., while Vaccine provides only a recovery function.
- Identification: When a program is running, we would know its maliciousness and reputation. Therefore, before implementing activities on the Endpoints, EDR would identify whether those activities are malicious or not by safely running them in a separate space first.
- Protection: This involves blocking programs that are determined malicious, or moving files to a safe place to be kept in quarantine. Beyond the cybersecurity field, quarantine seems to have become an ordinary term these days as we hear it so often in relation to COVID-19.
- Detection: Monitoring activities and behavior on Endpoints for detecting malware. Think about it like a CCTV. If someone commits illegal activities at an entrance, the security guard monitoring the activity on CCTV will not give access permission but instead will catch the specious guy. Malware detection is basically a similar concept.
- Response: Responding to detected behavior like blocking activity to prevent damages to specific areas of the system that would otherwise result in the failure of computer boot, and instantly backing up images, videos, documents, etc. that are about to be encrypted by ransomware into a protected area. The feeling of desperation when you lose data would be similar to that of when you lose your cherished anniversary pictures, a child’s birthday, and wedding photos. How devastated would you feel?
- Recovery: Recovering files that otherwise could not be opened due to encryption by malware by using the files backed up during the response stage. Imagine how happy you would feel when you get the files back that you thought were gone for good. It would be beyond what words could describe. I remember one time my computer suddenly went blank while I was editing my documents. I nervously turned the computer back on but uncertain what would happen to the work I was finishing. And as soon as I found out the document wasn’t lost (as it was backed up) after all, I couldn’t help thanking Microsoft! Sounds familiar?
Now that we know about the main functions of EDR, shall we go into more detail? This will be my main topic for the next blog post, and I look forward to your visit.