About the EDR solution that is emerging these days.

It has been a while since I wrote a security story. I have been busy (and still am), so the blog went quiet and visitors dropped off, so let me talk about a security system that has been hot lately. At this year's security conference in the United States, RSA 2018, and in the IT press, especially in the security field since last year, endpoint detection and response (EDR) solutions have been in the spotlight. EDR literally means detecting and responding to threats at the endpoint, so let's take a look at why it is getting this attention. Of course, this is put together from what I know, so some of it may be wrong.


What is an EDR solution?
The E in EDR stands for Endpoint, which sounds grand in English, but an endpoint is just the terminal we use (the client in a client-server relationship): a PC, smartphone, tablet, and so on. In that sense IoT products are endpoints too, but the typical scope of an EDR solution is PCs, smartphones, and tablets. I'll explain why.

Today the scope of EDR solutions is enterprise security (security for users of enterprise systems) rather than consumer security (security for general users). There is a good chance they will spread from enterprise security to consumer security in the future (it is just a matter of time), but for now EDR solutions are mostly discussed as enterprise security systems. Enterprise security systems come in many types: authentication, encryption, malware detection, APT attack detection, hacking prevention, and so on. EDR solutions are not about authentication or encryption; they are mainly about detection and response.

Is a vaccine or HIPS not an EDR?
As mentioned earlier, the role of an EDR solution is to detect and respond to security threats on the device you are using. One security solution immediately comes to mind: the antivirus solution, that is, the vaccine. A vaccine also detects malicious code and viruses by checking the applications installed and the data stored on the terminal, and removes or quarantines them. In that sense it is not wrong to say that a vaccine is part of an EDR solution. But EDR solution vendors say vaccines are not EDR. Why?

Vaccines still rely on signatures and pattern matching: they compare files against malware patterns or virus signatures and, if they match or are similar, remove or quarantine them as malware or viruses. Those signatures and patterns are analyzed and extracted from devices that have already been damaged. In other words, because it is an after-the-fact method, new malware or viruses that are not yet in the signature and pattern DB get through.

Of course, once a signature or pattern has been created and added to the DB, the vaccine can respond to that malware or virus. But proactive response to unknown attacks is difficult, and new malware and viruses are multiplying rapidly. In this situation the vaccine engine makers' signature and pattern updates are relatively slow, so the response to malware and viruses is slow as well. There are "active" vaccines that predict whether something is likely to be malware or a virus, but their error rate is too high, so they are rarely used.

Other security solutions in this space include the Host Intrusion Prevention System (HIPS) and the host firewall (HFW, provided by the Windows OS or by antivirus products). HIPS in particular is similar to a vaccine: where a vaccine scans files, HIPS checks and responds to the network traffic coming into the terminal. It compares the contents of the packets in that traffic with the threat signatures and patterns in its rule DB and blocks them if they match or are similar. While an IPS is usually installed in the server infrastructure to monitor and block traffic to and from servers, a HIPS only monitors and blocks traffic to and from a PC. HFW is similar. Since HIPS and HFW also rely on stored rules and policies, just like vaccines, they share the same problem: new attacks appear faster than rules and policies are updated, so it is hard to keep up.

Is it difficult to secure server infrastructure?
As mentioned earlier, enterprise security covers not only user terminals but also server and network infrastructure. HIPS and HFW are installed and run on the user's device, but on the infrastructure side a variety of systems are used: IPS, IDS (Intrusion Detection System), FW, Network Access Control (NAC), Data Loss Prevention (DLP), and DRM (digital rights management, i.e. document authorization management). NAC, DLP, DRM and the like are authentication-related solutions, so I will not cover them here. IPS, IDS and FW inspect traffic entering the server and detect and defend against violations of the specified policies and rules. Because they too are based on predetermined policies, rules, signatures and patterns, they have the same difficulty responding preemptively.

In other words, even though enterprises deploy enterprise security systems, they can only respond passively to a growing variety of threats, because updates to the policy, rule, signature and pattern DBs lag behind, and unknown threats keep threatening corporate systems. On top of that, the security of the clients connecting to the server is also a problem: the current vaccines, HIPS, HFW and so on are just as passive as the server infrastructure security systems. This is the situation in which EDR solutions came into the spotlight, so let's see what they are.

Principles and Methods of EDR Solutions

As mentioned earlier, the security of the servers that make up the corporate system is the most important thing for an enterprise, and many infrastructure security systems (IDS, FW, IPS, etc.) are installed and operated. But, I think, it was concluded that securing the traffic entering a server was not enough and that the security of the clients connecting to the server also mattered, so the need for a system to monitor, detect and respond on the endpoints, that is, the clients, was highlighted. As mentioned earlier, though, client security is not solved just because vaccines exist. All the reasons above come down to this: current client security is mainly focused on prevention based on pre-made patterns, signatures, policies and rules, and what is needed is proactive detection rather than detection against those. That is what evolved into today's EDR solutions.

The EDR solutions that are coming out are not entirely new. They use the security solutions already installed on the user's terminal mentioned above, vaccines, HIPS, HFW, but take various actions before those kick in. The hallmark of an EDR solution is that detection is not done one way. Of course, the solutions mentioned above also have two or three detection methods, but EDR solutions do not (only) look at traffic coming in from outside or files being stored. They observe activities and behaviors, including those of applications running in the background of the system, and determine whether the pattern of activity is a threat. To this end, big data techniques are included, and machine learning and artificial intelligence techniques as well.

Thinking of it this way makes it easier to understand. Assume, for example, that an enterprise uses PCs. An EDR solution installs an agent on each PC whose role is to read every action that takes place on that PC: the files and memory an application creates as it runs, the data it sends and receives over the network, all of which the agent monitors and organizes. It also monitors and organizes every action the user takes through the application. Based on that organized data, if the agent has a pattern DB of its own, it compares against the contents of that DB, and if there is a problem, it blocks, quarantines, or removes it.

If the pattern is not in the DB, it is sent to the collection and analysis server. That server gathers the data from every PC into a big data system, analyzes it, and runs machine learning on the analyzed content. On that basis, threats are determined by the AI built through machine learning, and the results are sent back to the agent on the PC, which blocks, quarantines, or removes them accordingly.

Alternatively, the agent may not detect anything itself and instead send everything to the collection and analysis server, which determines and takes the action. This is because an agent that carries its own detection DB becomes heavy, so the agent only observes and organizes, and sends the organized data to the server, where the threat is determined. The collection and analysis server can be installed in-house or used as a cloud service provided by the EDR vendor. These days, instead of installing a collection and analysis server inside the enterprise, the EDR cloud service provided by the vendor is often used, because the system is much larger, less of a burden for the enterprise, and data can be easily collected through various external channels.

But if every agent sends everything that is not in its own DB to the collection and analysis server or EDR cloud service, the load and traffic on the system will be enormous. Therefore the collection and analysis server or EDR cloud service builds a so-called whitelist of safe behaviors from the data sent by each PC, allowing the agents to skip those. Of course, this whitelist is constantly updated.

In addition, the collection and analysis server or EDR cloud service does not only look at the data coming from the agents. It also sends signatures, patterns, policies, rules and so on, obtained through various external channels, to the agents, and it improves its machine-learning AI by taking in incident response and forensic data. In this way, the principle of an EDR solution is that the collection and analysis server or EDR cloud service creates signatures, patterns, policies or rules based on the continuously incoming data, sends them to each agent, and keeps them updated to prevent zero-day attacks.

In other words, detection proceeds through machine learning and AI based on the data collected by the agents. Response to what is detected is based on the signatures, patterns, policies, rules and so on that are continuously updated on the collection and analysis server or EDR cloud service, and it is carried out through the vaccine, HIPS, HFW and so on that exist in the agent, which remove, quarantine, or block the threat. So EDR solutions are not something completely different from the vaccines, HIPS or HFW mentioned above; they actively use those solutions, and update their signatures, patterns, rules and policies through machine learning and AI or through various external channels. The point of an EDR solution is to respond preemptively to unknown malware, viruses or hacking techniques by updating based on the incoming data.
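To make the agent/server flow described above concrete, here is a small Python model, added here and not any vendor's code: the event fields, the local signature and whitelist sets, and the behaviour score that stands in for the server's big data/ML step are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    """Constructed telemetry record; the agent reduces it to a pattern."""
    process: str
    action: str   # assumed vocabulary: file_write, net_connect, proc_spawn, autorun_write
    target: str

class AnalysisServer:
    """Stand-in for the collection/analysis server (or EDR cloud service).
    A small behaviour score replaces the big data/ML step (assumption);
    the weights and the 'Office app spawns a process' rule are constructed."""
    WEIGHTS = {"net_connect": 1, "proc_spawn": 2, "autorun_write": 3}
    OFFICE = ("winword.exe", "excel.exe")

    def __init__(self):
        self.seen = {}  # pattern -> how many times agents reported it

    def analyze(self, pattern):
        self.seen[pattern] = self.seen.get(pattern, 0) + 1
        process, action, _target = pattern
        score = self.WEIGHTS.get(action, 0)
        if action == "proc_spawn" and process in self.OFFICE:
            score += 3  # a document viewer launching a child process
        return "malicious" if score >= 4 else "benign"

@dataclass
class Agent:
    """Per-PC agent: whitelist skip, then local signature DB, else forward."""
    signatures: set = field(default_factory=set)  # known-bad patterns
    whitelist: set = field(default_factory=set)   # known-safe patterns
    quarantined: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)

    def handle(self, event, server):
        pattern = (event.process, event.action, event.target)
        if pattern in self.whitelist:
            return "allowed"            # skipped entirely; keeps the agent light
        if pattern in self.signatures:
            self.quarantined.append(pattern)
            return "quarantined"        # handled locally, no server round trip
        self.forwarded.append(pattern)  # unknown: send to the server for analysis
        verdict = server.analyze(pattern)
        if verdict == "malicious":      # server pushes a new signature back
            self.signatures.add(pattern)
            self.quarantined.append(pattern)
        else:                           # server extends the whitelist instead
            self.whitelist.add(pattern)
        return verdict
```

The second time a pattern arrives, the agent resolves it locally from the signature or whitelist the server pushed back, which is the load reduction the whitelist paragraph describes.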

Existing vaccine companies are strong.
For this reason, the companies making EDR solutions are usually the ones that already build vaccines, such as AhnLab, Hauri, FireEye and SGA in Korea, and Symantec, Silence, Trend Micro and others overseas; in other words, companies that were already building HFW solutions. Of course, some companies take open-source antivirus (vaccine), HIPS (host intrusion prevention system) and HFW (host firewall) solutions and combine them with open-source big data and machine learning systems. But the companies that stand out are the ones that deployed the vaccines mentioned earlier, or that build firewalls, IDSs (intrusion detection systems) and IPSs (intrusion prevention systems). Perhaps it is because the know-how of detection and analysis can never be ignored, no matter how much artificial intelligence is built with machine learning on top of a big data system.

Is an EDR solution the AI version of the active vaccine?
We have covered the background and principle behind the birth of EDR solutions. But as I sorted through EDR solutions, I kept coming back to the view that they are not a new solution completely different from the existing vaccines and client security solutions. As I mentioned earlier, there is the active vaccine among vaccines. So far it has had so many false positives and errors that it has almost disappeared from the market.

An active vaccine works by modifying the existing patterns little by little to make new patterns, the reasoning being that new malicious code is usually made by modifying existing malware. It adds those generated patterns and detects against them, and because of this it had the disadvantage of many errors and false positives.

Of course, it is no exaggeration to say that the development of big data systems, machine learning and artificial intelligence led to the current EDR solutions. Running all of this as a cloud service reduces the system maintenance burden for the enterprise and lets the service provider collect a data pool from many channels, a win-win structure. I also think EDR solutions came into the spotlight because the perception has changed, not only among security companies but among businesses, that the real target of security is now the client side rather than the server side.
