Educause Security Discussion mailing list archives
Re: EDR Solutions
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Thu, 21 Jan 2021 20:52:47 +0000
It’s probably worth mentioning that if you have the A5/E5 license level for Microsoft 365, you have access to “Defender for Endpoint”, the umbrella name for a suite of features including EDR. It looks to me as though Defender for Endpoint is a rebranding of Defender ATP.

Steve

Steven Lovaas
Chief Information Security Officer
Colorado State University
Steven.Lovaas () ColoState edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Alexander <steven.alexander () KCCD EDU>
Date: Thursday, January 21, 2021 at 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] EDR Solutions

It's not just a buzzword. EDR solutions, e.g. CrowdStrike, SentinelOne, block primarily based on behavior rather than signatures (although they use some block lists/static scanning depending on the product). They can also provide details about what a program/script did or tried to do: network activity, DNS lookups, registry changes, files opened, etc. They can also show you the full process tree, e.g. totallynotatrojan.exe created ASDFD234234SEDRF.ps1 and tried to execute it.

With traditional AV, I was often left asking: what is this, where did it come from, what did it do? With EDR (we use CrowdStrike), I can answer those questions. It can take a little while to get up to speed on your chosen platform and learn how to get the information you want, but there is far more available than with traditional AV.

The ability of EDR tools to detect/block suspicious behaviors (e.g. process tampering) makes them better suited to stopping hands-on-keyboard attacks, fileless malware, custom tools, etc. E.g. we've had a few instances where CrowdStrike blocked obfuscated PowerShell scripts that were dropped via a browser exploit or as a payload from something a user downloaded. In each of those instances, we had a pretty good picture of what happened just from the CrowdStrike interface. We also had a similar incident several years ago when we were using traditional AV; the AV did not block it and the user's machine was infected with ransomware. We were only able to figure out what happened in that case by doing a forensic analysis of the machine after the fact. That's just an anecdote, of course, but the difference in capabilities is why we wanted to switch to EDR.

When we did our assessment, we looked at CrowdStrike, SentinelOne, and EndGame. We liked all three but thought CrowdStrike was the more mature product. We run it on our servers and workstations. I would not switch back to traditional AV.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mattehew Prescott <matt.prescott () ACU EDU>
Sent: Thursday, January 21, 2021 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] EDR Solutions

I know this thread has been done a few times. But I have a few questions. What really is EDR? What value does it bring to an AV solution? Is it just a buzzword?

Currently, we have Sophos InterceptX w/o EDR. We are looking for an AV solution for both endpoints and servers (not resource heavy). What would you suggest?

Thanks,

Matt Prescott, Security Analyst
Information Technology
(o) 325-674-2882
Abilene Christian University

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
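Steven Alexander's reply above describes the two things an EDR gives a responder that signature AV does not: the full process tree (parent, child, what each wrote) and a behavioral rule that fires on a chain such as a program writing a .ps1 file and then launching PowerShell on it. The following is an added illustration, not code from the thread or from any EDR product: it reconstructs a process tree from a handful of constructed telemetry records (the pids, paths and command lines are invented) and runs one such behavioral rule over it. The event format, the field names and the `SCRIPT_EXTENSIONS` list are assumptions for the example, not any vendor's schema.

```python
"""Reconstruct an EDR-style process tree from constructed telemetry and flag a
"drop a script, then execute it" chain. Added example; the event schema below is
hypothetical, not the output format of CrowdStrike or any other product."""
from dataclasses import dataclass, field
from typing import Dict, List

# Script types a behavioral rule would treat as "dropped and executed" (assumed list).
SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta")


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str
    files_created: List[str] = field(default_factory=list)
    children: List[int] = field(default_factory=list)


# Constructed sample telemetry: process-creation and file-creation records as a
# sensor might report them. Pids, users and paths are invented for the example.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "totallynotatrojan.exe",
     "cmdline": "totallynotatrojan.exe"},
    {"type": "file_create", "pid": 300,
     "path": r"C:\Users\u\AppData\Local\Temp\ASDFD234234SEDRF.ps1"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\ASDFD234234SEDRF.ps1"},
    # Benign sibling activity so the rule has something it must NOT flag.
    {"type": "process", "pid": 500, "ppid": 100, "image": "winword.exe", "cmdline": "winword.exe report.docx"},
    {"type": "file_create", "pid": 500, "path": r"C:\Users\u\Documents\~$report.docx"},
]


def build_tree(events) -> Dict[int, Process]:
    """Index processes by pid, link children to parents, attach file writes."""
    procs: Dict[int, Process] = {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = Process(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
    for ev in events:
        if ev["type"] == "process":
            parent = procs.get(ev["ppid"])  # root processes have no recorded parent
            if parent is not None:
                parent.children.append(ev["pid"])
        elif ev["type"] == "file_create" and ev["pid"] in procs:
            procs[ev["pid"]].files_created.append(ev["path"])
    return procs


def ancestry(procs: Dict[int, Process], pid: int) -> List[str]:
    """Image names from the outermost known ancestor down to `pid`."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:  # guard against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return list(reversed(chain))


def detect_dropped_script_execution(procs: Dict[int, Process]) -> List[dict]:
    """Behavioral rule: a process writes a script file, then a direct child is
    launched with that same path on its command line."""
    findings = []
    for proc in procs.values():
        for path in proc.files_created:
            if not path.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            for child_pid in proc.children:
                child = procs[child_pid]
                if path.lower() in child.cmdline.lower():
                    findings.append({
                        "dropper": proc.image,
                        "script": path,
                        "executor": child.image,
                        "chain": ancestry(procs, child.pid),
                    })
    return findings


def render_tree(procs: Dict[int, Process], pid: int, depth: int = 0) -> str:
    """Indented process tree with file writes, the view an analyst pivots from."""
    p = procs[pid]
    lines = ["  " * depth + f"{p.image} (pid {p.pid})"]
    lines += ["  " * (depth + 1) + f"[wrote] {f}" for f in p.files_created]
    lines += [render_tree(procs, c, depth + 1) for c in p.children]
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for root in [p.pid for p in tree.values() if p.ppid not in tree]:
        print(render_tree(tree, root))
    for f in detect_dropped_script_execution(tree):
        print("ALERT:", " -> ".join(f["chain"]), "|", f["script"])
```

Run as a script it prints the tree rooted at explorer.exe and a single alert for the chrome.exe -> totallynotatrojan.exe -> powershell.exe chain; the Word document write is not flagged because the rule keys on the combination of script extension and a child that executes that exact file, not on file writes alone. A real sensor would add many more signals (signer, network, registry) to the same tree, which is the context the reply says traditional AV leaves you without.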
Current thread:
- EDR Solutions Mattehew Prescott (Jan 21)
- Re: EDR Solutions Steven Alexander (Jan 21)
- Re: EDR Solutions Lovaas,Steven (Jan 21)
- Re: EDR Solutions Beth Albertson (Jan 22)
- Re: EDR Solutions Lovaas,Steven (Jan 21)
- Re: EDR Solutions Steven Alexander (Jan 21)