EDR – Kaspersky official blog
https://www.kaspersky.com/blog

Measures to improve cyber-resilience of an organization | Kaspersky official blog
https://www.kaspersky.com/blog/first-steps-to-cyber-resilience/48660/
Thu, 20 Jul 2023 17:48:42 +0000

Major cyber-incidents are a good reason to improve things not only in information security, but also in IT. Management is willing to commit resources and genuinely wants positive change, but you need to be realistic about scope and budget. What measures will make the greatest contribution to preventing and minimizing the impact of new incidents?

Being prepared for future cyberattacks is called cyber-resilience. And it’s not just about beefing up defenses. For a company, cyber-resilience is the ability to operate in the face of a cyberattack or other cyber-incident. It means having the technical and organizational measures in place to detect, respond to and recover from incidents, then adapt and learn from them. The concept is set forth in the ISO/IEC 27001 standard.

Or, as organizations often say themselves: how can a company stop ransomware from getting in, and if it does get in, prevent it from doing harm? That’s the question we’ll try to answer.

Where to start?

The list of attack prevention and mitigation technologies is almost endless. You should prioritize by assessing the risks and damage from various cybersecurity incidents, preventing the most likely attacks from the ATT&CK framework, and applying one of the many playbooks to mitigate specific risks (example 1, example 2). But there are some important first steps. The first is not to spread your efforts too thin: we recommend focusing on a handful of core solutions whose effect is so impactful that all other projects are best postponed until these fundamentals are implemented. All of the solutions on the list significantly reduce the risk of the most common attacks, simplify incident response and reduce damage if an intrusion does occur. So, if your company lacks something from this list, implement it today.

We cannot overstress the importance of implementing these technologies on ALL computers in your company. That means all endpoints (including all corporate and personal laptops and smartphones), all servers and all virtual and containerized workloads. There’s a major pitfall here: shadow IT. Despite your best efforts, you may not be aware of the existence of some computers and servers. So, start with an inventory of all IT assets to ensure that security policies cover the entire corporate infrastructure.

Endpoint Detection and Response

All computers, including servers and virtual machines, must have an EDR agent installed, with threat-blocking features enabled. EDR is a core protection technology that combines malware protection with the monitoring and response capabilities needed by more complex information security systems.

Make sure you can receive telemetry from all computers, since any internal or external security expert will need it to quickly analyze potential incidents. Leading vendors, such as Kaspersky, automatically block the vast majority of common cyberthreats, so make sure that all features for blocking known malicious activity are enabled on all computers under a unified policy.

Multifactor Authentication

By various estimates, 60–80% of cyberattacks begin with account theft. That’s why it’s considered unacceptable to protect access to computer systems with a password alone: it’s too easy to guess, steal or brute-force. User login must be performed with MFA. The most common form employs two factors (password and one-time code), hence it’s known as two-factor authentication, or 2FA. The most cost-effective solutions use an authenticator app, but, depending on the specifics of the organization and the position of the employee, it can be any combination of an app, USB token, biometrics, etc. In general, MFA is recommended for all company systems, but its deployment should be prioritized for services that are accessible externally, such as email and VPN.

Protected backups

Backups have long protected companies against more than just fires and hardware failure. They also guard against a number of cyberattacks. Ransomware operators are well aware of this, so just about every ransomware attack involves the targeted deletion of backup copies of information. For this reason, a backup strategy must account for all scenarios: rapid recovery from an easily accessible copy in case of hardware failure or another IT incident, as well as guaranteed recovery in the event of a ransomware attack. It’s very likely that two separate backups will be required. Ransomware-resistant backups are ones stored on media that are physically disconnected from the network (not very convenient, but reliable), as well as in “immutable” cloud storage, where data can be added but not replaced or deleted (convenient, reliable and potentially expensive). Having created your immutable backup, conduct a data-recovery exercise to (a) make sure it can be done, and (b) estimate the time required (this will also speed up your team’s response in the event of a real attack).

Application and patch management

All computers in the company, be it a desktop, a virtual server or the laptop of an employee on a business trip, must have tools installed that allow administrators to manage the machine remotely. Critical actions include computer diagnostics (checking for availability of necessary apps, checking network status, VPN health, EDR updates, etc.), installing applications and updates, testing for vulnerabilities, and so on.

Such capabilities are vital, both for everyday work and during incident response. In day-to-day operations, they ensure cyber-hygiene, such as the prompt installation of important security updates on all computers. During incidents, it may be necessary to run, say, a specialized utility or install a certificate — and only administration systems should be allowed to perform this within a reasonable timeframe, including for remote employees.

Best suited for this task are UEM systems that allow you to manage a variety of devices, including work and personal computers and smartphones, and apply company policies to them. You also have the option to arm yourself with highly specialized solutions, such as patch management, VNC/RDP and other systems.

Unique passwords

Privileged access management and identity security is a very broad topic. Well-built identity security both increases the company’s level of protection and simplifies the lives of employees. But full implementation can be a lengthy project, so the initial focus should be on the essentials, the first being to ensure that each computer in the company is protected by a unique local administrator password. Use the free LAPS tool to implement this measure. This simple precaution will prevent attackers from moving quickly through the network, compromising computers one by one using the same password.

Minimizing vulnerable services

Regularly scan your company’s IP addresses from the internet to make sure that servers and services that should only be available on the local network are not globally exposed. If such a service ever pops up on the internet, take prompt action to block outside access to it. If for some reason it needs to be accessible from the internet, apply regular security updates and protect it with MFA. These measures are especially important for favorite hacker targets such as web management consoles, RDP, Telnet/SSH, SMB, SNMP and FTP. It’s best to assume that all services are visible from the internet, and scan them for vulnerabilities, weak passwords and other defects regularly.

Kaspersky EDR optimum updated | Kaspersky official blog
https://www.kaspersky.com/blog/introducing-kedr-optimum/45549/
Tue, 20 Sep 2022 11:00:23 +0000

Naming products and services – and also their many different functions and features – in the infosec domain is, in a word, tricky. Why? Complexity…

Cybersecurity: it’s not a one-dimensional object like, say, a boat. There are different sized boats, but besides things like that, a boat is mostly always a boat. But in infosec, a modern system of enterprise cybersecurity does a great many technically complex things, and the question arises: how can it all be labeled simply and catchily (if that’s at all possible) so as to be reasonably easy to understand? And how can you differentiate one security system from another? Often it’s difficult explaining such differences in a long paragraph – while in the name of a product or service? Like I say: tricky.

Maybe that’s why Kaspersky is still associated by some with “antivirus software”. But actually, detecting and neutralizing malware based on an antivirus database is today just one of our security technologies: over a quarter century we’ve added to it a great many others. The word antivirus today is more of a metaphor: it’s known, understood, and thus is a handy (if not too accurate or up-to-date) label.

But what are we supposed to do if we need to tell folks about complex, multifunctional protection for enterprise IT infrastructure? This is when strange sets of words appear. Then there are all the abbreviations that come with them, whose original idea was simplification (of those strange sets of words) but which often just add to the confusion! And with every year the number of terms and abbreviations grows, and memorizing them all becomes increasingly… also tricky. So let me attempt here to take you on a brief excursion through all this gobbledygook: these complex but necessary names, terms, descriptions and abbreviations. Hopefully it will do what the abbreviations struggle with: bring clarity.

From EPP to XDR

Ok. Back to the boat; rather – antivirus.

The more accurate name of this class of products today is Endpoint Protection or Endpoint Security. After all, as stated above, it’s not only antivirus that’s protecting endpoints these days, but a collection of security measures. And sometimes the varied endpoint technologies are given an updated name – including the word “platform”. Somehow that sounds more appropriate, and more accurately descriptive – it also seems fashionable, as is its abbreviation: EPP (Endpoint Protection Platform).

Endpoint Protection Platform is, in essence, a concept that dates back to the 1990s. It’s still needed, but for quality protection of distributed infrastructure other methods are required. Data needs to be collected and analyzed from the whole network to detect not only singular incidents, but also whole chains of attacks, which aren’t limited to a single endpoint. Threats need to be reacted to across the whole network – not just one computer.

Fast-forward a decade or so, and in the early 2000s there appears a class of products called SIEM – security information and event management. That is, a tool for the collection and analysis of all infosec telemetry from various devices and applications. And not only for today: a good SIEM can pull off retrospective analysis – comparing events from the past and uncovering attacks lasting many months or even years.

So, by this stage (the early 2000s for those at the back not paying attention!) we’re already working with the whole network. But there’s no “P” for “Protection” in SIEM. So the protection was provided by the EPP (Endpoint Protection Platform; you at the back – detention after school!). However, EPP doesn’t see network events; for example, it could easily miss an APT (advanced persistent threat).

Therefore, in the early 2010s, along comes another abbreviation to fill the gap and cover both security functions: EDR (Endpoint Detection and Response). On the one hand, it provides centralized monitoring of the whole IT infrastructure, allowing, for example, traces of an attack to be compiled from all the hosts. On the other, an EDR-type product uses for detection not only EPP methods, but also more advanced technologies: correlation analysis of events, picking out anomalies on the basis of machine learning, dynamic analysis of suspicious objects in a sandbox, plus assorted other threat hunting tools to assist investigation and response.

And when we do EDR ourselves here at K, of course we need to put our stamp on it, to give us KEDR.

So far, so good. Great, even. But… there’s no limit to perfection!

Fast-forwarding again, this time to the early 2020s, and a new abbreviation is introduced and quickly becomes all the rage in the cybersecurity industry: XDR (eXtended detection and response). This, to put it crudely, is EDR on steroids. Such a system analyses data not only from endpoints (workstations), but also from other sources – for example the mail gateways and cloud resources. Which totally makes sense, since attacks on infrastructure can come from any and all kinds of entry points.

XDR can be even further enriched in terms of its expertise by further data from:

Such data can also come in via similar services provided by third parties.

XDR’s response capabilities are also advanced. More and more protective actions are becoming automated, whereas before they were all done manually. Now the security system can itself respond to events based on cunning rules and scenarios input by experts.

Kaspersky Anti-Targeted Attack Platform with XDR capabilities.

Complicate or simplify?

I hope it’s clear by now that any EDR or XDR system represents a large, complex collection of technologies. However, the functionality of different providers’ EDRs or XDR can differ greatly. For example, each provider determines what and how much their experts input into an EDR/XDR to better reflect and thus repel modern-day attacks. So, though they’re all called EDR/XDR, they’re by far not all the same.

For example, on the Kaspersky XDR platform, besides the XDR capabilities listed above, there’s also a module providing interactive training for raising client companies’ employee cyber-literacy. And no other XDR does such a thing! Surely that’s a good reason to cheer, if not boast?…

Actually, sceptics may not be happy. They might say that if we add simply everything we’ve got to enterprise protection – kitchen sink and all – won’t this simply be too much? A morass that becomes too complex, cumbersome, and hard-to-understand and master. “Whatever next?” they think: marketing types coming up with YDR next year, then ZDR the year after?!

Ok, we get it. And we listened to our customers too. And over the years we’ve come to realize that in enterprise cybersecurity, by far not all companies need everything plus the kitchen sink. Often, we’ve found, what suits them better is a basic set of EDR tools plus clear and convenient instructions on how to use them. This is especially the case for small and medium-sized businesses with small teams of infosec specialists.

So what have we done to meet these more essential needs? We’ve come up with our new and improved KEDR Optimum: “advanced detection, simple investigation and automated response in an easy-to-use package to protect business against the latest threats”. For example, in its new alert cards, besides detailed descriptions of suspicious events and threats, there’s also now a Guided Response section. This gives step-by-step recommendations for investigation and response regarding discovered threats.

Kaspersky Endpoint Detection and Response Optimum recommendations.

Recommendations like this have been prepared based on the decades of dedicated work of our leading experts, and come in the form of links to detailed descriptions of protective procedures. This not only raises reaction speeds, it also allows infosec specialist trainees to boost their skills, for example – with interactive pop-ups:

Kaspersky Endpoint Detection and Response Optimum interactive pop-up.

Another thing KEDR Optimum can now do is to keep an eye on infosec specialists possibly inadvertently blocking this or that critical system object. After all, malware can sometimes launch using legitimate operating system files – and blocking such files can hinder the operation of the whole IT infrastructure. With KEDR Optimum – you’re covered.

And finally, I must mention just one other thing about KEDR Optimum. All the above was written by me – Mr. K. Prefer something more impartial? Be my guest! Head on over to independent testing laboratories to see what they think. For example: IDC, Radicati and SE Labs. There. 100% transparent and fair.

Kaspersky EDR comes first in SE Labs tests
https://www.kaspersky.com/blog/kedr-selabs-test-2022/45160/
Thu, 18 Aug 2022 11:00:03 +0000

The best way to prove the effectiveness of a security solution is to test it in conditions that are as real-world as possible, using typical tactics and techniques of targeted attacks. Kaspersky regularly participates in such tests and sits pretty at the top of the ratings.

The results of a recent test — Enterprise Advanced Security (EDR): Enterprise 2022 Q2 – DETECTION — were revealed in an SE Labs report. The British company has been putting the security solutions of major vendors through their paces for several years now. In this latest test, our business product Kaspersky Endpoint Detection and Response Expert achieved an absolute 100% score in targeted attack detection and was awarded the highest possible rating – AAA.

This is not SE Labs’ first analysis of our products for protecting corporate infrastructure against sophisticated threats. The company previously ran its Breach Response Test (in which we took part in 2019). In 2021, our product was tested in their Advanced Security Test (EDR). Since then, the testing methodology has been tweaked, and the test itself has been divided into two parts: Detection and Protection. This time, SE Labs studied how effective security solutions are at detecting malicious activity. Besides Kaspersky EDR Expert, four other products took part in the test: Broadcom Symantec, CrowdStrike, BlackBerry, and another, anonymous, solution.

Grading system

The testing was made up of several checks, but to get a feel for the results, it will suffice to look at the Total Accuracy Ratings. This basically shows how well each solution detected attacks at different stages, and whether it pestered the user with false positives. For even greater visual clarity, the participating solutions were assigned an award: from AAA (for products with a high Total Accuracy Rating) to D (for the least effective solutions). As mentioned, our solution got a 100% result and an AAA rating.

The Total Accuracy Ratings consist of scores in two categories:

  • Detection Accuracy: this takes into account the success of detecting each significant stage of an attack.
  • Legitimate Software Rating: the fewer the false positives generated by the product, the higher the score.

There’s one other key indicator: Attacks Detected. This is the percentage of attacks detected by the solution during at least one of the stages, giving the infosec team a chance to respond to the incident.

How we were tested

Ideally, testing should reveal how the solution would behave during a real attack. With that in mind, SE Labs tried to make the test environment as life-like as possible. First, it wasn’t the developers who configured the security solutions for the test, but SE Labs’ own testers, who received instructions from the vendor – as clients’ infosec teams usually do. Second, the tests were carried out across the entire attack chain – from first contact to data theft or some other outcome. Third, the tests were based on the attack methods of four real and active APT groups:

  • Wizard Spider, which targets corporations, banks and even hospitals. Among its tools is the banking Trojan Trickbot.
  • Sandworm, which primarily targets government agencies and is infamous for its NotPetya malware, which masqueraded as ransomware, but in fact destroyed victims’ data beyond recovery.
  • Lazarus, which became widely known after the large-scale attack on Sony Pictures in November 2014. Having previously focused on the banking sector, the group has recently set its sights on crypto-exchanges.
  • Operation Wocao, which targets government agencies, service providers, energy and tech companies, and the healthcare sector.

Threat detection tests

In the Detection Accuracy test, SE Labs studied how effectively security solutions detect threats. This involved carrying out 17 complex attacks based on four real-world attacks by the Wizard Spider, Sandworm, Lazarus Group and Operation Wocao actors, in which four significant stages were highlighted (described below), each consisting of one or more interconnected steps.

The test logic does not require the solution to detect all events at any particular stage of the attack; it is enough to identify at least one of them. For example, if the product failed to notice how the payload got onto the device, but detected an attempt to run it, it successfully passed the first stage.

Delivery/Execution. This stage tested the solution’s capacity to detect an attack in its infancy: at the time of delivery — for example, of a phishing e-mail or malicious link — and execution of the dangerous code. In real conditions, the attack is usually stopped there, since the security solution simply doesn’t allow the malware to go any further. But for the purposes of the test, the attack chain was continued to see how the solution would cope with the next stages.

Action. Here, the researchers studied the solution’s behavior when attackers have already gained access to the endpoint. It was required to detect an illegitimate action by the software.

Privilege Escalation/Action. In a successful attack, the intruder attempts to gain more privileges in the system and cause even more damage. If the security solution monitors such events or the privilege escalation process itself, it’s awarded extra points.

Lateral Movement/Action. Having penetrated the endpoint, the attacker can try to infect other devices on the corporate network. This is known as lateral movement. The testers checked whether the security solutions detected attempts at such movement or any actions made possible as a consequence of it.

Kaspersky EDR Expert scored 100% in this segment; that is, not a single stage of any attack went unnoticed.

Legitimate Software Ratings

Good protection has to not only reliably repel threats, but also not prevent the user from using safe services. For this, the researchers introduced a separate score: the higher it was, the less often the solution mistakenly flagged legitimate websites or programs – especially popular ones – as dangerous.

Once again, Kaspersky EDR Expert got 100%.

Test results

Based on all the test results, Kaspersky Endpoint Detection and Response Expert was awarded the highest available rating: AAA. Three other products earned the same rating: Broadcom Symantec Endpoint Security and Cloud Workload Protection, CrowdStrike Falcon, and the anonymous solution. However, only we and Broadcom Symantec achieved a 100% score in the Total Accuracy Ratings.

How to choose an XDR vendor | Kaspersky official blog
https://www.kaspersky.com/blog/choosing-xdr-vendor/44063/
Wed, 06 Apr 2022 20:03:24 +0000

XDR (Extended Detection and Response) technology has already become one of the most conspicuous in the cybersecurity market. Its main advantage is its comprehensive approach to countering sophisticated cyberattacks. This is achieved by maximizing control over potential entry points and through the use of top-of-the-line tools for incident detection, threat hunting, investigation and response within a single incident-handling process.

Leading information technology research and advisory agencies are paying special attention to the technology – describing it as the most promising for the coming years. It therefore comes as no surprise to see the list of XDR vendors growing rapidly as many new companies enter the market. Some vendors already offer full-fledged solutions, while others continue to build convergence among their IT-security products and upscale XDR functionality.

Since the XDR concept is still in the making, let’s figure out what to consider when choosing an XDR vendor. In our view, a reliable XDR supplier needs to be able to provide the following:

1. EPP and EDR synergy

An EDR (Endpoint Detection and Response) solution for advanced detection and response to sophisticated cyberthreats at the endpoint level is a key element of XDR. For its part, EDR cannot do its job properly without a robust EPP (Endpoint Protection Platform) solution – a fundamental endpoint protection technology that automatically sifts out a huge number of mass threats – on top of which EDR comes into play. So, when choosing an XDR vendor, you need to look carefully at the endpoint protection features to make sure there’s support for various types of endpoints: PCs, laptops, virtual machines, mobile devices, and various operating systems (OS). The quality of an XDR solution depends directly on the synergy between EPP and EDR on the vendor’s side.

2. Comprehensive threat intelligence

It goes without saying that reliable and up-to-date threat intelligence is vital in effectively countering modern cyberthreats. Effective response is impossible without a full overview of cybercriminal tactics and techniques. Therefore, IT-security experts who use an XDR solution must have access to comprehensive, up-to-date threat intelligence; this additional context improves the process of incident investigation and response by speeding it up.

3. Interoperability with third-party solutions

Although XDR solutions are usually a single-vendor affair from the start, when comparing XDR solutions it’s important to consider how well they integrate and interoperate with third-party solutions. Opting for an XDR solution with a strong ability in this regard would both help sustain IT-security investments and serve the main purpose of XDR: to collect and correlate data and alerts from multiple IT-security components, and to provide on top of them additional cross-product scenarios that increase the efficiency of complex incident response. The more sources of data the solution collects, the more complete the picture of what is happening in your infrastructure will be.

4. Technologies verified by independent experts and in practice

It is often difficult for organizations to independently evaluate the performance of intrinsically new solutions. In the case of XDR, it’s important to understand that the idea behind it is the consolidation of various IT-security tools into a single concept. Hence, the different components that make up this novel technology need to have been:

  • successfully implemented worldwide;
  • tested extensively by independent organizations – such as MITRE, SE Labs, or AV-Test;
  • recognized by international analytical agencies – such as Gartner, Forrester, or IDC.

5. Clear development plans

Since XDR is still a nascent infosec trend, potential buyers need to study (i) vendors’ plans for development of their solutions’ components, and (ii) vendors’ roadmaps for system refinement. The more purposeful and clear such intentions are – and the more willingly they are shared – the more trustworthy the vendor.


Our enterprise-level security solutions working in conjunction provide XDR capabilities to your company’s cybersecurity experts. Thanks to seamless interoperability our products allow your organization to control all key entry points to your infrastructure, increase visibility and provide centralized defense. If you want to learn more please visit Kaspersky Expert Security web page.

Do we need XDR? | Kaspersky official blog
https://www.kaspersky.com/blog/do-you-need-xdr/43993/
Thu, 24 Mar 2022 18:16:22 +0000

Lately, it has become more commonplace to advise large organizations to choose XDR solutions to protect their infrastructure. However, a lot of people don’t completely understand what XDR is and what it really does. In this post, I will answer some basic questions about XDR to help you to figure out if your organization would benefit from implementing it.

What’s wrong with the traditional protection?

Traditionally, it was the endpoints — servers and workstations — that were protected first from cyberthreats, and ultimately this became a fundamental step when it came to combating complex cyberattacks. Organizations also used basic network protection or installed advanced protection tools to close just one potential attack vector — for example, on just the endpoints (EDR solution) or the network (NTA solution), etc. But today’s cybercriminals are increasingly taking a multivector approach to staging their attacks, using multiple entry points to the infrastructure, lateral movement through the network, a variety of attack tactics and techniques, and social engineering. All these factors broaden the attack surface and make it harder to investigate and respond. To combat these kinds of cyberattacks, organizations need a new tool with a comprehensive approach to building defense.

What is XDR?

XDR stands for “Extended Detection and Response.” “Extended” means that threats are detected and remediated not just at the endpoint level (PCs, laptops and servers), but also beyond. In other words, an Endpoint Detection and Response (EDR) solution that is responsible for detecting and countering threats at the endpoints level — the core element of XDR technology — is supplemented with different information security tools from the same vendor. In addition, these tools are closely integrated with one another and add additional scenarios that strengthen the process of combating complex cyberthreats.

What does XDR include?

The type and quantity of tools that are connected to an XDR solution depend directly on how many tools a given vendor’s portfolio contains and how integrated they are with one another. These could be, for example, products designed to protect mail, web, the network, cloud infrastructure, identity and so on. XDR may also be integrated with threat intelligence tools — for example, threat data feeds and the platform that manages this data (Threat Intelligence Platform). XDR may also include a portal for searching cyberthreat details and looking up their dependencies. This gives the IT-security expert additional context, which is important to have when investigating cyberincidents. In general, today the XDR concept is the embodiment of the modern economic trend in information security — ecosystems.

Does implementing XDR mean all our previous security efforts were in vain?

Not necessarily. There are two types of XDR solutions on the market: native and hybrid. Native solutions are a good choice if you are creating your protection from scratch or continuing to scale up products that come from a single vendor. Hybrid solutions allow for integration with information security solutions from third-party providers, so whatever money you spent before won’t go out the window.

Isn’t XDR just yet another marketing trick invented by analysts?

No — it’s just the opposite: leading analyst research companies recognized the concept and name “XDR” after this category of solutions had been created on the market. The concept appeared as information security products and market needs evolved. These days, customers need more than a unified set of infosec tools by the same vendor. They also expect other benefits from this unification — for example, in the form of cross-product scenarios, process automation, resource saving and liabilities reduction. An XDR solution encompasses all these features.

What is the value of XDR for businesses?

First, amid a global shortage of information security experts, XDR provides holistic protection for an expanding, changing IT infrastructure against a rapidly evolving cyberthreat landscape.

Second, XDR simplifies the jobs of valuable, scarce resources such as IT-security specialists and engages them in the process of working with incidents.

Third, XDR helps minimize the mean time to detect and mean time to respond (MTTD and MTTR). This is crucial for combating complex threats and targeted attacks, where quick actions taken by the IT-security experts reduce the attackers’ chances of achieving their goal and inflicting financial or reputational damage on an organization. So even if you have limited expert resources, you can protect your organization from complex cyberattacks because XDR offers:

  • Increased automation;
  • The use of a single console;
  • A single data lake environment;
  • Close interaction between the IT-security tools that are part of XDR, and joint scenarios;
  • A coherent picture of what is happening in the infrastructure;
  • Built-in enrichment with trustworthy, relevant threat intelligence data;
  • Superior prioritization of incidents;
  • Fewer false positive alerts.

Do you have an XDR solution?

Our enterprise-level security solutions working in conjunction provide XDR capabilities to your company’s cybersecurity experts. Thanks to seamless interoperability, our products allow your organization to control all key entry points to your infrastructure, increase visibility and provide centralized defense. If you want to learn more, please visit the Kaspersky Expert Security web page.

EPP and EDR integration | Kaspersky official blog https://www.kaspersky.com/blog/integrated-security-solution/36075/ Tue, 30 Jun 2020 12:30:58 +0000 https://www.kaspersky.com/blog/?p=36075

As logic suggests, an attack on a company makes sense only if the potential profit outweighs the organizational cost. Until fairly recently, cybercriminals guarded their know-how from each other like trade secrets. Tools for advanced attacks, if sold on the darknet at all, were not generally available — and then only at exorbitant prices. Truly sophisticated attacks were aimed only at major enterprises or government agencies. Therefore, for SMBs, protection against mass threats was enough.

Trends have changed. Tools for complex attacks now periodically pop up — if not in the public domain, then on the open market; malware authors are increasingly renting out their creations under the malware-as-a-service model, and cybercriminal groups have united in cartels of a sort. The net result is that the cost of organizing an attack is plummeting. Consequently, the break-even point is falling, and cybercriminals can afford to attack even SMBs with fairly sophisticated tools.

As long as threats to the company are limited to employee carelessness and spam e-mails with malware attached, traditional endpoint protection solutions may suffice. But now that it’s obvious your business could become the target of a more serious attack, a new approach is required. These days, even with a small company as their target, attackers can carry out supply-chain attacks, hide unnoticed in the victim’s infrastructure for years, spy on it, and exploit zero-day vulnerabilities and malicious tools operating through legitimate software.

Enterprise-level companies use fundamentally different defensive tools against such threats, primarily Endpoint Detection and Response (EDR) solutions. But such platforms generally require if not their own full-fledged security operations center, then at least a proper team of infosec specialists. Not every company can afford to employ this amount of IT security.

But that doesn’t mean that corporate infrastructure has to be left unguarded. We have developed another approach to endpoint protection, featuring integrated EPP and EDR platforms with additional tools. Thus, we have created an automated solution that can counter both mass and advanced threats.

The main novelty here is the Kaspersky Endpoint Detection and Response Optimum component. In our product line, it occupies a niche between fully automated Kaspersky Endpoint Security for Business and our powerful, enterprise-class solution for targeted and APT attacks — Kaspersky EDR. Kaspersky EDR Optimum enables you to implement the basic EDR scenarios required for a wide range of companies, and it provides infrastructure visibility as well as incident investigation and response capabilities.

The above enables the solution to quickly pinpoint the root of the problem, evaluate the true scale and source of the attack, and deliver an automatic response across all workstations. That in turn minimizes any damage and ensures the continuity of business processes.

Probably the most noteworthy feature of our new product is its ease of use. It does not require a high level of user expertise, and because of its high level of automation, it requires much less attention and routine maintenance than you might expect from an EDR-class security solution. Those key elements allow small companies to begin building their defenses against complex threats without spending significant resources or completely restructuring their processes.

Depending on the functionality your company requires, our integrated solution can include additional tools for protecting mail servers and Internet gateways, as well as Kaspersky Sandbox, an advanced tool for examining suspicious objects in an isolated environment. This lets you automatically block advanced, unknown, and complex threats without involving additional resources, thus reducing the burden on IT.

If you are already using our time-tested Kaspersky Endpoint Security for Business, you can easily upgrade it with Kaspersky EDR Optimum capabilities by activating an additional license key. Learn more about our integrated approach and the functionality of our security solutions on the offer page, where you can also request a trial version.

Turnkey protection as a service | Kaspersky official blog https://www.kaspersky.com/blog/security-as-a-service-cto/35625/ Thu, 21 May 2020 15:26:41 +0000 https://www.kaspersky.com/blog/?p=35625

Having worked with Software-as-a-Service (SaaS) models for some time, we are now becoming increasingly engaged with similar schemes for providing entire infrastructures (IaaS) and platforms (PaaS). And we think that’s a good direction for organizations around the world; using a turnkey solution helps businesses focus on their core tasks. But is it possible to provide enterprise-grade companies fully integrated protection within a Security-as-a-Service model?

Our understanding of turnkey protection

To answer that question, we must first define what we mean by fully integrated protection. If we’re talking about enterprises, then it means protection of the infrastructure at all stages of threat response:

  • At the incident prevention stage, using endpoint solutions on endpoints;
  • At the threat detection stage, by monitoring and analyzing data, which flows from client-side security solutions to the security operations center (SOC);
  • At the threat-hunting stage, which involves testing hypotheses about new threats and performing retrospective scans of the historical data for new indicators of compromise and indicators of attack (IoCs/IoAs);
  • At the threat-validation stage, during which the SOC team determines whether a particular suspicious event is a real threat or a legitimate action (false alarm);
  • At the incident response stage, when we recreate the chain of attack and provide recommendations for remediation.
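The threat-hunting stage above, retrospective scanning of already-collected telemetry for indicators that were not known when the events were recorded, as an added Python example (this is not Kaspersky’s code). It assumes the SOC keeps endpoint events as a list of flat records; the hosts, domain name, hash values and the `office_spawns_interpreter` IoA rule are all constructed for illustration.

```python
"""Retrospective IoC and IoA scan over stored endpoint telemetry.

Added example for this post, not Kaspersky code. It assumes the SOC already
holds endpoint events collected earlier (a list of dicts here); the events,
hostnames, domain and hash values are constructed placeholders.
"""
from typing import Callable, Optional

# Constructed telemetry as an EDR agent might have streamed it days before
# the indicators below became known. Hashes are shortened placeholders.
TELEMETRY = [
    {"ts": "2020-05-01T08:02:11Z", "host": "ws-014", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "sha256:placeholder-ps"},
    {"ts": "2020-05-01T08:02:13Z", "host": "ws-014", "type": "dns",
     "query": "cdn-update.example.invalid"},
    {"ts": "2020-05-01T08:02:20Z", "host": "ws-014", "type": "process",
     "parent": "powershell.exe", "image": "update.exe",
     "sha256": "sha256:placeholder-a1"},
    {"ts": "2020-05-01T09:15:02Z", "host": "srv-db-02", "type": "dns",
     "query": "cdn-update.example.invalid"},
    {"ts": "2020-05-02T10:00:00Z", "host": "ws-021", "type": "process",
     "parent": "explorer.exe", "image": "chrome.exe",
     "sha256": "sha256:placeholder-c3"},
]

# Indicators that arrived later, e.g. from a threat data feed (constructed).
NEW_IOCS = {
    "sha256": {"sha256:placeholder-a1"},
    "domain": {"cdn-update.example.invalid"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_interpreter(ev) -> Optional[str]:
    """Hypothetical IoA rule: a document application starting a script
    interpreter is behaviour worth validating even when no hash is known."""
    if (ev["type"] == "process"
            and ev.get("parent", "").lower() in OFFICE_APPS
            and ev["image"].lower() in INTERPRETERS):
        return f"{ev['parent']} spawned {ev['image']}"
    return None


def scan_iocs(events, iocs):
    """Match stored events against newly received atomic indicators."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and ev.get("sha256") in iocs["sha256"]:
            hits.append({"host": ev["host"], "ts": ev["ts"],
                         "kind": "sha256", "indicator": ev["sha256"]})
        elif ev["type"] == "dns" and ev.get("query") in iocs["domain"]:
            hits.append({"host": ev["host"], "ts": ev["ts"],
                         "kind": "domain", "indicator": ev["query"]})
    return hits


def scan_ioas(events, rules: list[Callable]):
    """Run behavioural hypotheses (IoA rules) over the same history."""
    hits = []
    for ev in events:
        for rule in rules:
            desc = rule(ev)
            if desc:
                hits.append({"host": ev["host"], "ts": ev["ts"],
                             "kind": "ioa", "indicator": desc})
    return hits


def affected_hosts(hits):
    return sorted({h["host"] for h in hits})


def first_seen(hits):
    """Earliest hit per host: how long each endpoint has shown signs of
    compromise, which bounds the scope of the investigation."""
    out = {}
    for h in hits:
        if h["host"] not in out or h["ts"] < out[h["host"]]:
            out[h["host"]] = h["ts"]
    return out


def retrospective_scan(events=TELEMETRY, iocs=NEW_IOCS,
                       rules=(office_spawns_interpreter,)):
    hits = scan_iocs(events, iocs) + scan_ioas(events, list(rules))
    return {"hits": hits, "hosts": affected_hosts(hits),
            "first_seen": first_seen(hits)}


if __name__ == "__main__":
    result = retrospective_scan()
    for hit in result["hits"]:
        print(hit)
    print("affected hosts:", result["hosts"])
    print("first seen:", result["first_seen"])
```

The point of keeping the IoA rule separate from the IoC sets is that a feed can only name artifacts the attackers already used, whereas a behavioural hypothesis catches the same technique with a fresh binary; both are run over the same history, and the per-host first-seen time is what the validation and response stages start from.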

Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) class solutions handle the first stage automatically. At all subsequent stages, the involvement of SOC experts is critical. However, not every business can afford an in-house SOC.

What about companies without an SOC?

Having an in-house SOC is not a necessary condition for comprehensive protection. In fact, a majority of large companies do not have one: only about 20% do, judging by a comparison of the total number of reviews for Endpoint Protection–type platforms with the number of reviews for EDR-class solutions (which assume the availability of a SOC) on the Gartner Peer Insights platform.

How do the remaining 80% get by? A sensible option for most is to delegate security functions. Expert work to seek out threats, assess and confirm them, and respond to incidents can be carried out by a managed security service provider (MSSP) or a security solution vendor that essentially takes over part of the MSSP functions (our case).

Kaspersky MDR: Security as a Service based on a public PaaS.

Under this approach, clients receive a set of solutions with a much wider functionality than ordinary EDR. It includes both threat detection by analyzing network traffic anomalies (Network Detection and Response, NDR) and the option to have incident information interpreted by experts (Managed Detection and Response, MDR). Our SOC is unique in that its experts have quick access to information about incidents and new threats worldwide, on which basis they can take steps in the interests of the client. And although threat detection and response processes (EDR + NDR = XDR) are already fairly well automated, we are constantly improving this area and plan to strengthen it in the future.

ATT&CK Evaluation methodology has already verified the effectiveness of our approach. Because of the specific nature of the approach, MITRE ATT&CK Evaluation Round 2 focused exclusively on the detection capabilities of our solutions. Therefore, incident response, prevention, and threat hunting — in which our SOC experts are uniquely skilled — were intentionally excluded from consideration.

Our EDR solutions have also proven themselves reliable and suitable for both in-house and outsourced SOCs. According to the above-mentioned Gartner Peer Insights portal, our Kaspersky Anti Targeted Attack solution has entered the Top 3 and been recognized as a Customers’ Choice for Endpoint Detection and Response. A huge thank-you to all our clients who took the time to leave a review.

Overall ranking of EDR solutions according to Gartner Peer Insights. Source: Gartner

To sum up, I believe that the future of information security undoubtedly belongs to Security-as-a-Service, but with the option for the client to select the degree of automation of their chosen toolkit and to upgrade their turnkey solution with additional features.

EDR technology for protection from advanced threats | Kaspersky official blog https://www.kaspersky.com/blog/epp-edr-importance/22366/ Wed, 16 May 2018 16:17:07 +0000 https://www.kaspersky.com/blog/?p=22366

Complex attacks. Nonmalware attacks. Fileless attacks and malware plants by physical access. Zero-day exploits leveraging new tools and increasingly agile cybercrime techniques. In today’s volatile threat landscape, preventive technologies alone can’t protect businesses against advanced threats. Add to this the fact that cybercriminals can mount an effective targeted attack at minimal cost, and it’s no surprise that the number of successful attacks continues to rise globally.

According to the findings of analytical agency B2B International, commissioned by Kaspersky Lab and published in Kaspersky Lab’s New Threats, New Mindset: Being Risk Ready in a World of Complex Attacks report, targeted attacks became one of the fastest growing threats in 2017, increasing in overall prevalence over 2016 by 6% for SMBs and by 11% for enterprises.

More than a quarter of businesses (27%) admitted that they had experienced targeted attacks on their infrastructure, up from 21% the same time the previous year, and 33% of businesses felt that they were being specifically targeted by cybercriminals. Of the companies surveyed, 57% said they expected that a security breach would happen to them at some point, and 42% were still unsure about the most effective strategy to respond to these threats.

A traditional approach is no longer good enough

Endpoint protection platforms (EPPs), which typically exist in an organization’s infrastructure, control known threats such as traditional malware. They can also handle unknown viruses, which might use, for example, a new form of known malware directed at endpoints. These systems are excellent at protecting against known, and some unknown, threats. However, cybercrime techniques have evolved significantly in recent years, and cybercriminals have become more aggressive in their attack processes. The combination of common threats, unique malicious patterns, and activities based on complex infiltration techniques from cybercriminals makes advanced threats and targeted attacks extremely dangerous for any organization relying solely on a conventional approach to cybersecurity.

Businesses are at risk of theft or attack from every angle — to data and finances, intellectual property, sensitive commercial data, and specific personal or other sensitive data, against business processes and competitive advantage, and so on.

Incidents related to advanced threats have a significant impact on business: the cost of responding and process recovery, having to invest in new systems or processes, the effect on availability, damage to reputation and brand, financial loss, and so forth. Organizations need to consider not only the growing number of widespread malicious programs, but also the increase in complex advanced threats and targeted attacks.

That means they need to extend their protection beyond network, mail, and Web traffic to endpoints, including workstations, laptops, servers, and smartphones. These endpoints are commonly used entry points into an organization’s infrastructure during targeted attacks, making endpoint visibility critical in today’s threat landscape.

According to the SANS 2017 Threat Landscape Survey, 74% of respondents said that clicking a link or opening an e-mail attachment was the top way for threats to enter the organization, and 48% named Web drive-by or download. A full 81% of companies surveyed considered endpoint security tools the most helpful means of threat detection.

The need for specialized tools for endpoint detection and response

Clearly, just blocking the easy threats on endpoints is not sufficient; today, companies need tools that help them to detect and respond to the latest, most complex threats.

Why?

First, because of the specifics of the targeted attacks that cybercriminals use:

  • Security systems bypass — attackers conduct a thorough investigation into existing infrastructure, including the endpoint security system being used;
  • Zero-day vulnerabilities, compromised accounts;
  • Malicious software or specially created, unique software;
  • Compromised objects that appear normal and therefore remain trusted;
  • A multivector approach focusing on penetrating as many endpoints as possible: desktop computers, laptops, servers, etc.;
  • Social engineering and data obtained from insiders.

Second, because of the technological limitations of traditional endpoint protection products, which:

  • Aim to detect and block common (uncomplicated) threats, already known vulnerabilities or unknown threats typically built on previously known methods;
  • Focus on the visibility of each single endpoint and aren’t designed to visualize and monitor in real time all endpoints simultaneously from a single centralized interface;
  • Do not provide IT administrators with the necessary threat information to provide insight into the threat context, and lack full visibility into individual endpoint activity, into processes, timelines, and potential relationships with every endpoint in the company;
  • Offer no built-in mapping or correlation of several verdicts from different detection mechanisms into a single, unified incident;
  • Do not support functionality for detecting abnormal activity, deviations in normal activities, and so on, or analyze the work of legitimate programs;
  • Cannot retrospectively analyze lateral malware movement;
  • Have limited capabilities for detection of fileless attacks, memory injections, or malwareless threats.

As we can see from the above, endpoint protection technologies work well with simple threats, which account for more than 90% of all threats. The cost of incidents associated with these threats (about $10,000) is negligible compared with the cost of incidents associated with an advanced persistent threat (APT) attack ($926,000). The earlier a targeted, multi-stage attack is detected, the smaller the financial loss. In the face of complex threats, the quality and effectiveness of detection and response are of paramount importance. To protect against targeted attacks and APTs, organizations need to think about the use of specialized solutions to counteract targeted attacks and APT-level threats on endpoints.
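To make the correlation gap in the list above concrete (several verdicts from different detection mechanisms merged into one unified incident, viewed across all endpoints, with lateral movement reconstructed retrospectively), here is an added Python example; it is not Kaspersky’s code. It assumes each detection engine raises a flat alert record on a shared console; the alerts, hosts, domain and hash are constructed placeholders, and the `target`/`source` fields stand in for a network sensor’s view of a remote session between two hosts.

```python
"""Correlate per-engine endpoint verdicts into unified, cross-host incidents.

Added example for this post, not Kaspersky code. It assumes every detection
mechanism (behaviour analysis, reputation lookup, IoC matching, network
sensor) emits a flat alert record; the alerts below are constructed, and the
host names, domain and hash are placeholder values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts as separate engines would raise them on one console.
# "target"/"source" mark a remote session between two hosts seen by a sensor.
ALERTS = [
    {"ts": "2018-05-14T08:02:11Z", "host": "ws-014", "engine": "behavior",
     "severity": 3, "detail": "office application spawned a script interpreter"},
    {"ts": "2018-05-14T08:02:13Z", "host": "ws-014", "engine": "dns-reputation",
     "severity": 2, "detail": "query to known C2 domain",
     "indicator": "cdn-update.example.invalid"},
    {"ts": "2018-05-14T08:02:20Z", "host": "ws-014", "engine": "ioc-hash",
     "severity": 4, "detail": "dropped file matches IoC",
     "indicator": "sha256:placeholder-a1"},
    {"ts": "2018-05-14T08:40:00Z", "host": "ws-014", "engine": "network",
     "severity": 2, "detail": "SMB session to server", "target": "srv-db-02"},
    {"ts": "2018-05-14T08:40:05Z", "host": "srv-db-02", "engine": "behavior",
     "severity": 3, "detail": "service created by remote workstation",
     "source": "ws-014"},
    {"ts": "2018-05-14T09:15:02Z", "host": "srv-db-02", "engine": "dns-reputation",
     "severity": 2, "detail": "query to known C2 domain",
     "indicator": "cdn-update.example.invalid"},
    {"ts": "2018-05-14T14:00:00Z", "host": "ws-021", "engine": "av",
     "severity": 1, "detail": "adware removed automatically"},
]


def _ts(alert):
    return datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")


def cluster_by_host(alerts, window=timedelta(hours=2)):
    """Split each host's alerts into sessions; a gap longer than `window`
    starts a new session, so unrelated activity days apart is not merged."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=_ts):
        by_host[a["host"]].append(a)
    clusters = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if _ts(a) - _ts(current[-1]) <= window:
                current.append(a)
            else:
                clusters.append(current)
                current = [a]
        clusters.append(current)
    return clusters


def _near(cluster, alert, window):
    return any(abs(_ts(a) - _ts(alert)) <= window for a in cluster)


def summarize(alerts):
    """Reduce one correlated group of alerts to a single incident record."""
    alerts = sorted(alerts, key=_ts)
    engines = sorted({a["engine"] for a in alerts})
    chain = {(a["host"], a["target"]) for a in alerts if "target" in a}
    chain |= {(a["source"], a["host"]) for a in alerts if "source" in a}
    return {
        "hosts": sorted({a["host"] for a in alerts}),
        "engines": engines,
        "lateral_movement": sorted(chain),
        "first_seen": alerts[0]["ts"],
        "last_seen": alerts[-1]["ts"],
        "alerts": len(alerts),
        # Independent engines agreeing on the same activity raises confidence,
        # so priority rewards engine diversity, not just the worst severity.
        "priority": max(a["severity"] for a in alerts) + len(engines),
        # Verdicts the EDR can hand back to the EPP for automatic blocking.
        "block_indicators": sorted({a["indicator"] for a in alerts
                                    if "indicator" in a}),
    }


def correlate(alerts, window=timedelta(hours=2)):
    """Build cross-host incidents: per-host sessions are joined when a
    remote-session alert links one host to another within the window."""
    clusters = cluster_by_host(alerts, window)
    parent = list(range(len(clusters)))          # union-find over clusters

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, cluster in enumerate(clusters):
        for a in cluster:
            peer = a.get("target") or a.get("source")
            if peer is None:
                continue
            for j, other in enumerate(clusters):
                if other[0]["host"] == peer and _near(other, a, window):
                    parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, cluster in enumerate(clusters):
        groups[find(i)].extend(cluster)
    incidents = [summarize(g) for g in groups.values()]
    return sorted(incidents, key=lambda inc: inc["priority"], reverse=True)


if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident)
```

Run on the constructed alerts, six low- and medium-severity verdicts from four engines on two hosts collapse into one top-priority incident with a reconstructed hop from the workstation to the database server, while the single adware cleanup on a third host stays a separate low-priority item that the EPP already handled. The `block_indicators` list is the verdict the EDR side passes back to the endpoint protection platform, the cooperation loop described later in this post.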

The average cost of incidents, and the functionality gaps in traditional EPP solutions not designed to counter complex threats, clearly demonstrate the need for additional investment in specialized products for advanced threat detection and response. EPP products need greater flexibility and must include endpoint detection and response (EDR) functionalities or have the ability to integrate with standalone full-function EDR solutions, depending on a company’s size and requirements.

True end-to-end visibility and proactive detection

EDR is a cybersecurity technology that addresses the need for real-time monitoring, focusing heavily on security analytics and incident response on corporate endpoints. It delivers true end-to-end visibility into the activity of every endpoint in the corporate infrastructure, managed from a single console, together with valuable security intelligence for use by an IT security expert in further investigation and response.

Most endpoint protection platforms rely on stored patterns and signature files to stop known threats. More recent next-generation endpoint protection platforms, which use machine learning and deep-level detection mechanisms for threat hunting and discovery, also focus on delivering antimalware protection.

The main aim of EDR is the proactive detection of new or unknown threats, previously unidentified infections penetrating the organization directly through endpoints and servers. This is achieved by analyzing events in the gray zone, home of those objects or processes included in neither the “trusted” nor the “definitely malicious” zone.

Without EDR functionality, classical EPP doesn’t technically support deep endpoint visibility, retrospective and multiendpoint attack analysis and event correlation, or the ability to select from multiple event detections relevant to complex attacks to determine the appropriate response. Not all EPP solutions on the market support access to the threat intelligence required to understand a threat’s main tactics, techniques, and procedures.

All of these functions are necessary to defend against modern threats and targeted attacks. Companies have to understand that endpoint security can no longer be covered by a single EPP solution. EDR has a far better chance of detecting unknown malware strains in zero-day and APT-level attacks because it uses advanced detection technologies such as YARA rules, sandboxing, scanning of IoCs (indicators of compromise), suspicious activity discovery and validation, retrospective analysis with event correlation based on dynamic machine learning, incident investigation and containment, response automation, remediation capabilities, and more.

For reliable, effective protection from advanced threats, the EPP and EDR collaborate — the EPP handling known threats and EDR dealing with more complex unknown threats. Powerful EDR platforms can help analysts to investigate and improve their defenses, rather than just reacting to damage already caused by an advanced threat that traditional endpoint protection solutions would miss.

Additionally, an EPP provides not just protection, but also application, device, and Web controls; vulnerability assessment and patch management; URL filtering; data encryption; firewall; and more.

An integrated approach to counteracting advanced threats

Each of the systems described above complements something missing (or only partially present) in another system, which means the solutions need to integrate and interact with each other. EPP and EDR have the common goal of countering threats, but they also have significant differences. They take different approaches to protection against different types of threats and use different tools.

According to Gartner’s “Strategic Planning Assumption 2017 for Endpoint Detection and Response Solutions” report, by 2021, 80% of large enterprises, 25% of midsize organizations and 10% of small businesses will have invested in EDR capabilities.

The presence of preventive technologies such as EPP for the detection and automatic blocking of widespread threats and obviously malicious objects helps eliminate the need to analyze the large number of minor incidents that are irrelevant to complex attacks, increasing the efficiency of specialized EDR platforms aimed at detecting threats at an APT level. EDR, in turn, after detecting complex threats, can send verdicts to the endpoint protection platform. In this way, the two cooperate and provide a truly integrated approach to counteracting advanced threats.

Extracting maximum value from EDR

There’s something else we need to consider. Most organizations already need EDR functionality, but we also have to face the fact that a large percentage of these organizations don’t have the skills and resources for a full-blown EDR deployment or its proper use.

This is about the transition from simple EPP tracking by the IT department to the need to involve appropriate IT security team resources when using EDR. As we’ve seen, EDR technology offers much more than just standard protection. To maximize EDR’s benefits, businesses need security engineers and threat analysts with sufficient knowledge and experience. These professionals need to understand how to extract value from the EDR platform and organize an efficient process of incident response.

Depending on each organization’s maturity and experience in the field of security, and the availability of necessary resources, some businesses will find it most effective to use their own expertise for endpoint security but to call on outsourced resources for more complex aspects. Meanwhile, they can build up in-house expertise with skills training, through access to a threat intelligence portal and APT intelligence reporting, and using threat data feeds. Or — particularly attractive for overwhelmed or understaffed security departments — they can adopt third-party professional services from the outset, including:

  • Security assessment services,
  • Threat hunting,
  • Incident response,
  • Digital forensics,
  • Malware analysis and reverse-engineering,
  • 24/7 premium support.

The proposed solution from Kaspersky Lab

Kaspersky Lab’s approach to endpoint protection includes the following components: Kaspersky Endpoint Security, Kaspersky Endpoint Detection and Response, and Kaspersky Cybersecurity Services. For organizations unable, for reasons of regulatory compliance, to release or transfer any corporate data outside their environment, or that require complete infrastructure isolation, Kaspersky Private Security Network provides most of the benefits of global cloud-based threat intelligence as provided by Kaspersky Security Network (KSN) without any data ever leaving the controlled perimeter.

These components adapt to the specific nature of each organization and its ongoing processes, delivering:

  • A unique combination of renowned, leading preventive technologies to block the most common attacks;
  • A range of advanced mechanisms and techniques to detect and rapidly respond to unique new and advanced threats;
  • The ability to predict future threats and build proactive protection against them by using professional services;
  • The ability to benefit from using global cloud-based threat intelligence without releasing any data from their controlled perimeter.

Kaspersky Endpoint Security is a multilayered endpoint protection platform based on next-gen cybersecurity technologies powered by HuMachine Intelligence, delivering flexible, automated defenses against a wide range of threats including ransomware, malware, botnets, and other advanced known and partly unknown threats.

Kaspersky Endpoint Detection and Response uses the same agent as Kaspersky Endpoint Security, providing a multifaceted approach to revealing and recognizing complex threats by using advanced technologies (including machine learning, sandboxing, IoC scanning, and threat intelligence). It responds to prevent future malicious actions through the timely discovery of advanced threats, sending the verdicts to Kaspersky Endpoint Security for follow-up blocking.

Kaspersky Cybersecurity Services offers prompt and professional assistance during an ongoing incident — and afterwards — helping reduce the risk of compromised data and minimize financial and reputational damage. The Kaspersky Cybersecurity Services portfolio includes our broad security training curriculum, up-to-the-minute threat intelligence, rapid incident response, proactive security assessments, fully outsourced threat hunting services, and 24/7 premium support.

Dealing with advanced threats requires advanced tools

To withstand advanced threats and targeted attacks, businesses need automated tools and services designed to complement each other and help security teams and existing corporate security operations centers (SOCs) prevent most attacks, detect unique new threats rapidly, handle live attacks, respond to attacks in a timely manner, and predict future threats.

With the right combination of technologies and services in place, organizations can establish and follow a comprehensive adaptive security strategy and be ready to deal with the ever-changing nature of cyberthreats, improving their protection and mitigating the risk of future attacks.

Be prepared: Threat Management and Defense | Kaspersky official blog https://www.kaspersky.com/blog/threat-management-and-defense/21067/ Thu, 08 Feb 2018 11:00:16 +0000 https://www.kaspersky.com/blog/?p=21067

When cyberthreats threatened only select departments inside a company, preventive measures and common sense could serve as reliable protection. But now the notorious digital transformation has radically changed business processes, introducing information technologies almost everywhere. As a result, more and more systems get connected to information networks; more and more people use them; and new services, technologies, and digital tools are introduced into them. All of those require new approaches to ensuring information security.

A purely protective solution is simply not enough anymore. Of course, that does not mean protective mechanisms are useless; they’re still perfectly able to handle the overwhelming majority of mass threats. However, the larger your business is, the more interesting it looks to intruders who have the resources to prepare a complex, advanced attack. And against such attacks standard techniques are not always effective.

Where is the targeted attack’s complexity?

The key difference between targeted attacks and mass attacks lies in the thoroughness of the approach. Before making their move, attackers may invest a tremendous amount of work in collecting information and analyzing your infrastructure. They are patient. It may take several months to get ready to try to implant something in your network — and that something may not always be uniquely identified as a threat; it is not necessarily malware. It may be a kind of concealed communication module using common protocols, in which case the monitoring system will be unable to distinguish it from a legitimate user application.

Such modules become active at the last moment, when threat actors need to access the network, commit a malicious transaction, or sabotage a process. If you have a reliable protective solution, then it is likely to respond to the anomaly and prevent the incident. But even in that case, you will see only the tip of the iceberg. The main work of intruders will remain invisible (especially if they have thought out in advance how they will sweep the trails). And that is fundamentally wrong.

Why do you need to know how malefactors acted

One might wonder, what is the practical benefit of knowing how intruders infiltrated your infrastructure — especially if the incident was prevented? But there is a benefit, and every incident must be thoroughly investigated.

First, knowing the root of the problem will allow you to avoid falling into the same trap twice. If you leave everything as it is, relying only on protective measures, hackers will inevitably repeat the attack scenario, having improved their methods, perhaps greatly.

Second, knowing how intruders got in will allow you to respond thoughtfully and, most important, promptly. The breach may not be due to software or hardware vulnerabilities. Attackers can gain access to your infrastructure through an employee, knowingly or not. Or the threat can come through the networks of subcontractors or service providers that have access to your systems for business reasons.

Not to mention that the attackers could have other implants in your network, and the incident could be only one part of their plan, or a distracting maneuver.

What can be done?

To protect your infrastructure from targeted and advanced attacks, it is necessary to strengthen your security mechanisms with a system that will enable you to peer into the past. Attackers can delete information and mask their tracks as much as they like, but if you have an endpoint detection and response (EDR) system, then investigators can easily get to the root of an incident. And they can do so without further disrupting the continuity of business processes.

As a solution, we offer the Threat Management and Defense platform, a combined version of our time-proved Kaspersky Anti Targeted Attack and a brand new Kaspersky Endpoint Detection and Response solution with expert services. It lets you implement a strategic approach to managing cyberthreats.

Kaspersky Anti Targeted Attack, using proven effective technologies based on machine learning, allows you to find anomalies in network traffic, isolate suspicious processes, and look for correlations between events. Kaspersky Endpoint Detection and Response serves to aggregate and visualize the collected data, which is critical in the investigation of incidents. And, thanks to the services, you can receive aid at any time in case of particularly difficult incidents, train your monitoring center staff, or raise the awareness of the company’s employees overall.

To learn more about our Threat Management and Defense platform, please visit its dedicated Web page.

What is the most effective response strategy? | Kaspersky official blog https://www.kaspersky.com/blog/incident-response-strategy/19967/ Thu, 02 Nov 2017 11:00:52 +0000 https://www.kaspersky.com/blog/?p=19967

How can you know the most effective way to respond to a targeted attack before it occurs? Tough question, isn’t it? According to our survey, 42% of organizations do not have a clear answer to that question. Furthermore, a majority of the information security specialists who responded to the survey (63%, to be precise) could not give a clear answer either. But the answer to this question must be thought out in advance.

Wait-and-see approach

Classical information security strategy consists, for the most part, of preventive technologies and policies whose main purpose is to keep outsiders from penetrating the information infrastructure. It works well against widespread threats. However, complex targeted attacks are tailored to bypass exactly that strategy. And when a cyberincident does happen, everyone, including the information security department, scrambles to figure out how to respond.

In many cases, a business concludes that doing nothing is the best strategy. Some bonuses may be lost, orders will be issued to do whatever is necessary to prevent a recurrence (in other words, to improve preventive measures), and business goes on as before. The reason for this decision is that management is afraid of additional losses: investigating a cyberincident may require stopping systems that are critical to the continuity of key business processes.

Meanwhile, in the aftermath of an attack, it is extremely important to analyze what happened, what information the attackers got, how long they stayed in your systems, and how they got there. Did they get financial credentials? Or your clients’ credit card data? Here you need to take urgent measures; otherwise, the incident will result in even greater losses.

Unified incident response process

To minimize the number of unpleasant surprises in case of a cyberincident, you need to develop a process for responding to complex and targeted attacks in advance. One of the newer tools that can reinforce any viable strategy is an endpoint detection and response (EDR) class system. It supplements a security operations center with methods such as threat hunting.

Such a system allows information security specialists to collect the data needed for detailed analysis from every workstation. They can remotely study an anomaly, surgically remove or block the threat, and launch recovery procedures. And they can do it largely unnoticed by users, without physical access to their workplaces and without disrupting the continuity of the company's business processes.

In many cases, EDR lets you identify an incident at an early stage, when attackers have already penetrated your network but have not yet caused significant damage or transmitted information out of your infrastructure.
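What "looking back at what happened" and "collecting data from every workstation" mean in practice, as an added illustration that is not code from Kaspersky or from this article: process-start and network events that the endpoint sensor has already shipped to a central store let an analyst rebuild the process chain behind a suspicious outbound connection, and that record survives even when the attacker's last step is to clear the local event log. The event schema, host names, addresses and sample events below are constructed for this example; a real EDR product exposes the same information through its own query interface.

```python
"""Reconstruct process ancestry from centrally stored endpoint telemetry.

The event format is a hypothetical, simplified one; real EDR schemas differ.
Processes are keyed by (host, pid) so that pid reuse across hosts does not collide.
"""

# Constructed telemetry: two hosts, one of them compromised via a macro document.
EVENTS = [
    {"host": "ws-17", "ts": 1, "type": "process_start", "pid": 400, "ppid": 1,
     "image": "explorer.exe"},
    {"host": "ws-17", "ts": 2, "type": "process_start", "pid": 512, "ppid": 400,
     "image": "winword.exe", "cmdline": "winword.exe invoice.docm"},
    {"host": "ws-17", "ts": 3, "type": "process_start", "pid": 640, "ppid": 512,
     "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
    {"host": "ws-17", "ts": 4, "type": "net_connect", "pid": 640,
     "dst": "203.0.113.7:443"},
    # Attacker clears the local Security log; the central copy of events 1-4 is unaffected.
    {"host": "ws-17", "ts": 5, "type": "process_start", "pid": 700, "ppid": 640,
     "image": "wevtutil.exe", "cmdline": "wevtutil cl Security"},
    # Benign host: same pid number as the compromised Word process, unrelated parent.
    {"host": "ws-22", "ts": 2, "type": "process_start", "pid": 512, "ppid": 380,
     "image": "chrome.exe"},
    {"host": "ws-22", "ts": 3, "type": "net_connect", "pid": 512,
     "dst": "198.51.100.9:443"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def build_process_index(events):
    """Map (host, pid) -> the process_start event that created it."""
    return {(ev["host"], ev["pid"]): ev
            for ev in events if ev["type"] == "process_start"}


def ancestry(index, host, pid):
    """Return [(pid, image), ...] from the root-most known ancestor down to `pid`.

    Stops when the parent was never seen (e.g. started before the sensor) and
    guards against ppid cycles in malformed telemetry.
    """
    chain, seen, key = [], set(), (host, pid)
    while key in index and key not in seen:
        seen.add(key)
        ev = index[key]
        chain.append((ev["pid"], ev["image"]))
        key = (host, ev["ppid"])
    chain.reverse()
    return chain


def find_office_to_shell_beacons(events):
    """Flag outbound connections made by a shell descended from an Office app.

    Returns [(host, pid, dst, chain)] in telemetry order.
    """
    index = build_process_index(events)
    findings = []
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        if ev["type"] != "net_connect":
            continue
        chain = ancestry(index, ev["host"], ev["pid"])
        images = [img for _, img in chain]
        if images and images[-1] in SHELLS and any(i in OFFICE_APPS for i in images):
            findings.append((ev["host"], ev["pid"], ev["dst"], chain))
    return findings


def log_clearing_by_descendants(events, host, pid):
    """Event-log clearing (wevtutil cl ...) run by `pid` or any of its descendants."""
    index = build_process_index(events)
    hits = []
    for ev in events:
        if (ev["type"] == "process_start" and ev["host"] == host
                and ev["image"].lower() == "wevtutil.exe"
                and " cl " in ev.get("cmdline", "")
                and pid in [p for p, _ in ancestry(index, host, ev["pid"])]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for host, pid, dst, chain in find_office_to_shell_beacons(EVENTS):
        print(f"{host}: pid {pid} -> {dst} via " + " > ".join(i for _, i in chain))
        for ev in log_clearing_by_descendants(EVENTS, host, pid):
            print(f"  local log cleared by pid {ev['pid']}: {ev['cmdline']}")
```

The point of the example is the data flow, not the specific rule: because the parent-child relationships were recorded as they happened and stored off the endpoint, the chain explorer.exe > winword.exe > powershell.exe is still recoverable after `wevtutil cl Security` has wiped the host's own record, which is exactly the investigative capability the paragraphs above describe.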

However, there are a lot of EDR systems. Not all of them will suit the needs of every cybersecurity department. The right EDR solution can augment your security strategy; the wrong one can be destructive to your security processes and may even affect your system’s compliance with regulations. That is why we have prepared “A Buyer’s Guide to Investing in Endpoint Detection & Response for Enterprises 2017-2018,” a document that can help you with the choice.

More information on how to properly respond to cyberincidents can be found in our study “New Threats — New Approaches: Risk Preparedness for Protecting Against Complex Attacks.”

Details on our EDR solution, which is now in the pilot stage, are available at the Kaspersky Endpoint Detection and Response website.
