Educause Security Discussion mailing list archives

Re: EDR Solutions


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Thu, 21 Jan 2021 20:52:47 +0000

It’s probably worth mentioning that if you have the A5/E5 license level for Microsoft 365, you have access to “Defender 
for Endpoint”, the umbrella name for a suite of features including EDR. It looks to me as though Defender for Endpoint 
is a rebranding of Defender ATP.

Steve

Steven Lovaas
Chief Information Security Officer
Colorado State University
Steven.Lovaas () ColoState edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Steven Alexander 
<steven.alexander () KCCD EDU>
Date: Thursday, January 21, 2021 at 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] EDR Solutions

It's not just a buzzword. EDR solutions, e.g. CrowdStrike, SentinelOne, block primarily based on behavior rather than 
signatures (although they use some block lists/static scanning depending on the product). They can also provide details 
about what a program/script did or tried to do: network activity, DNS lookups, registry changes, files opened, etc. 
They can also show you the full process tree, e.g. totallynotatrojan.exe created ASDFD234234SEDRF.ps1 and tried to 
execute it. With traditional AV, I was often left asking: what is this, where did it come from, what did it do? With 
EDR (we use CrowdStrike), I can answer those questions.  It can take a little while to get up to speed on your chosen 
platform and learn how to get the information you want, but there is far more available than with traditional AV.

The ability of EDR tools to detect/block suspicious behaviors (e.g. process tampering) makes them better suited to 
stopping hands-on-keyboard attacks, fileless malware, custom tools, etc. For example, we've had a few instances where 
CrowdStrike blocked obfuscated PowerShell scripts that were dropped via a browser exploit or as a payload from 
something a user downloaded. In each of those instances, we had a pretty good picture of what happened just from the 
CrowdStrike interface. We also had a similar incident several years ago when we were using traditional AV; the AV did 
not block it and the user's machine was infected with ransomware. We were only able to figure out what happened in that 
case by doing a forensic analysis of the machine after the fact. That's just an anecdote, of course, but the difference 
in capabilities is why we wanted to switch to EDR.

When we did our assessment, we looked at CrowdStrike, SentinelOne, and EndGame. We liked all three but thought 
CrowdStrike was the more mature product. We run it on our servers and workstations.

I would not switch back to traditional AV.

Steven Alexander
Director of IT Security
Kern Community College District
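As an added illustration of the process-tree and behavior-based detection Steven describes (this is example code, not CrowdStrike's or any vendor's logic), the following reconstructs parent/child ancestry from constructed EDR-style telemetry and flags the "executable drops a .ps1 and then launches PowerShell to run it" chain; the event field names and sample records are assumed.

```python
"""Rebuild a process tree from EDR-style telemetry and flag a script
drop-and-execute chain. Added example; the event records and the field
names (type, pid, ppid, image, cmd, path) are constructed assumptions."""
from collections import defaultdict

# Constructed sample telemetry in time order: process-creation ("proc") and
# file-write ("file") events as an endpoint sensor might report them.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "chrome.exe", "cmd": "chrome.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": "totallynotatrojan.exe",
     "cmd": "totallynotatrojan.exe"},
    {"type": "file", "pid": 300, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\ASDFD234234SEDRF.ps1"},
    {"type": "proc", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\ASDFD234234SEDRF.ps1"},
    {"type": "proc", "pid": 500, "ppid": 100, "image": "winword.exe", "cmd": "winword.exe report.docx"},
]

def build_process_map(events):
    """Index process-creation events by pid so ppid links can be followed."""
    return {e["pid"]: e for e in events if e["type"] == "proc"}

def ancestry(procs, pid):
    """Walk ppid links back to the root; returns image names root-first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against cycles from pid reuse
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))

def find_script_drop_and_execute(events):
    """Flag a process that writes a .ps1 and whose child PowerShell runs it."""
    procs = build_process_map(events)
    written = defaultdict(set)  # writer pid -> lowercase .ps1 paths it created
    findings = []
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".ps1"):
            written[e["pid"]].add(e["path"].lower())
        elif e["type"] == "proc" and e["image"].lower() == "powershell.exe":
            for path in written.get(e["ppid"], ()):
                if path in e["cmd"].lower():
                    findings.append({
                        "dropper": procs.get(e["ppid"], {}).get("image", "?"),
                        "script": path,
                        "tree": " > ".join(ancestry(procs, e["pid"])),
                    })
    return findings
```

The returned "tree" string is the same full lineage an analyst would read in an EDR console, which is what answers the "where did it come from" question that signature-only AV leaves open.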
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Matthew Prescott 
<matt.prescott () ACU EDU>
Sent: Thursday, January 21, 2021 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] EDR Solutions

I know this thread has been done a few times. But I have a few questions.
What really is EDR? What value does it bring to an AV solution? Is it just a buzzword?
Currently, we have Sophos InterceptX w/o EDR. We are looking for an AV solution for both endpoints and servers (not 
resource heavy). What would you suggest?

Thanks,
Matt Prescott, Security Analyst
Information Technology
(o) 325-674-2882
Abilene Christian University


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
