Hello peers,
I am a System Administrator at a large tech vendor. I am currently researching EDR tools and wish to learn more about them.
What is your experience with EDR solutions? What is the best way to work with EDR security as a SOC consultant?
Thank you for your help.
Working with EDR security as a SOC consultant, you must aware for these:
1. Assessment and Planning:
Evaluate client's security needs, devise an EDR deployment plan, and set goals.
2. Vendor Evaluation:
Choose an EDR solution that fits scalability, integration, and compliance requirements.
3. Deployment and Configuration:
Install and configure EDR on endpoints, customize rules for optimal performance.
4. Data Collection:
Gather endpoint data while optimizing for visibility and resource efficiency.
5. Threat Detection:
Monitor for anomalies and threats using EDR's analytics and machine learning.
6. Incident Response:
Develop and follow an incident response plan, automate actions for faster resolution.
7. Threat Hunting:
Actively seek advanced threats using threat intelligence and historical data.
8. Collaboration and Reporting:
Work with client teams, share insights, and provide detailed incident reports.
9. Training:
Educate client's teams on EDR use, threat analysis, and incident response.
10. Continuous Improvement:
Stay vigilant, adapt detection rules, and keep up with emerging threats.
11. Compliance:
Ensure EDR implementation aligns with industry regulations.
By following these steps, you create a robust EDR strategy to enhance your client's cybersecurity posture and effectively manage endpoint threats.
Ok, When EDR first came out there were only a few vendors. Now the field is vast and almost every company has one. I've gone through most and here's what I found. You will also want an MDR to go with your EDR solution. You will want to work with the MDR to make sure they are not too aggressive. I had one remove a client's CSR app on 150 machines and have crazy issues with Adobe and Adobe knock offs. The MDR is so you can sleep. Most attacks happen either immediately or very early in the morning. If the EDR has tripped the machine the machine stays locked but has the ability to be compromised until you get the alert and respond. An MDR will take care of it when it happens. It's expensive but you're starting from scratch so it's worth it. I use one on some sites and not on others.
You will want to test the service for 2 months with your worst user and more productive user. They do not catch browser takeover "viruses". The ones that scream you watch porn the cops are coming call this number to remove it. They do not stop phishing. They do a great job on hackers and apps that phone home or try to sideways access computers as well as normal viruses or ransomware. Choosing the EDR you will want to test it and you need to understand how to tune it and call support during the testing. Use those support calls to evaluate how they respond. If they stink when there no issues they will really stink when an outbreak occurs. Remember everyone has their own opinion. I've used CrowdStrike, Sentinal One, Black Ice, Bit Defender Gravity Zone, Norton total security, and I'm currently using Malware bytes OneView. I like its reporting and it seems to report catches that the other didn't. I had one situation where a machine with Norton got hacked and it destroyed the machine but not the network. They all work great and have different price points and features. Don't get caught up in any feature that can't be proven out. If it says it protects you from bad websites and you go on one. Then it didn't work. At the same time if you whitelist a website and it won't let you access it then it again doesn't work. In most cases, I moved on for various reasons. It's best to get one that works with your RMM. If you don't have an RMM you will want one. Besides remote access, they also keep your machines up to date. The integration will help with deployment. You will also want to look at DNS and Web filtering and phishing filters. There's more but your probably asleep by now. I hope this helps.
@Marc Vazquez Great guidance on what to get.
Hi, EDR is the emerging technology that will help you to do RCA of any environment, and EDR does have the capabilities to detect unknown, script base or fileless attacks, even some of the EDR vendors have the capabilities to prevent the ongoing attack. It totally works on behaviour base analysis and the EDR agent will monitor everything individual process which are running in your endpoints. I do feel that every organisation should put the EDR to their environment because attacks are very sophisticated nowadays. It has the capability to do Incident Response as well which typically allows users to take remote access to endpoints and run some commands in order to do remote remediation.
Working with Endpoint Detection and Response (EDR) security as a Security Operations Center (SOC) consultant involves a strategic and hands-on approach to effectively manage and respond to potential security threats and incidents. To effectively work with EDR security:
Configure Tools: Set up EDR tools to monitor endpoints efficiently.
Customize Rules: Tailor detection rules for specific threats.
Monitor Continuously: Keep a watchful eye on endpoint activities in real time.
Proactively Hunt: Actively seek hidden threats beyond automated alerts.
Use Threat Intel: Integrate threat intelligence to enhance detection.
Respond Swiftly: Quickly assess, contain, and mitigate incidents.
Automate Tasks: Use automation for faster responses.
Collaborate: Communicate and work with other teams.
Analyze Post-Incident: Review incidents to learn and improve.
Stay Updated: Regularly train and adapt to new threats.
Iterate: Continuously refine strategies for better protection.