Endpoint Detection and Response (EDR) solutions, already an essential security control on enterprise IT endpoints (servers, laptops, desktops), are now also becoming a critical need for securing endpoints within critical infrastructure Operational Technology (OT) / Industrial Control Systems (ICS) environments. They provide adequate protection against growing and sophisticated cyberthreats such as ransomware and other forms of malware or malware-less attacks on IT, OT/ICS, factory, automation or production control networks (all of these terms are in use).
However, implementing such an EDR solution requires careful planning and execution to avoid downtime or disruption to both the enterprise application environment (in IT) and production operations (in OT/ICS).
Note: EDR solutions are not the same as endpoint protection solutions, which use antivirus features, inspect files for corruption or analyze them for suspicious behaviour against a database of known signatures, and mostly detect and prevent known attacks. EDR solutions use (typically cloud-based) machine learning (ML), artificial intelligence (AI), behaviour analytics and threat intelligence (TI) to detect threats, and take the additional step of acting to eradicate threats and neutralize ongoing attacks by actively blocking and/or isolating endpoints.
Threat Landscape and Business Needs
Ransomware attacks have surged over the last few years, and 2023 is no exception; rather, it has seen a further rise in such attacks. We have all seen significant supply chain disruptions due to global ransomware attacks on small to large enterprise organizations. One (of the many) very recent examples is highlighted below:
Businesses want to minimize the number of endpoint security control solutions deployed, for ease of management and to minimize the impact on performance (especially the number of agents running on any given endpoint) and ultimately on the production environment. The typical control requirements for such solutions are (but are not limited to):
Note: cloud-native/container and other special-purpose endpoint detection and response controls may exist (or need to exist) as well; they are not covered here.
A Critical Telemetry Source
EDR solutions are at the heart of any broader XDR/MDR cybersecurity monitoring strategy and are one of its main (and critical) telemetry/log sources.
EDR Solution Selection
Feature comparison
- Mapping your business requirements, both in IT and OT, to confirm that the required telemetry is provided by your selected EDR tool is a required activity. This can be achieved through feature comparison and requirements analysis and/or by running a Proof of Concept exercise. Industry analyst reports can be another source for understanding product capabilities, strengths/weaknesses and company direction.
IT/OT EDR Project Execution Strategy
For details on executing such complex deployment or implementation projects, both in IT and OT/ICS environments, please refer to the #SecuringThings whitepaper by M. Yousuf Faisal here.
Documentation
Documentation of such an implementation is critical, both as guidance for IT users and plant users and as guidance for the implementation, back-end operations and maintenance teams (e.g. the plant project engineering team).
Relying on EDRs only
EDR solutions are one part of a defense-in-depth layered model for IT and OT/ICS environments, not an all-in-one protection/detection solution for every cybersecurity need. Relying solely on EDRs exposes your IT and OT environments to potential bypass/tampering and related attacks against the EDR solutions themselves. A few reference examples are below:
- A good write-up of a story about tampering with EDRs by Daniel Feichter from RedOps: A story about tampering EDRs - RedOps - English
- 'AuKill' Malware Hunts & Kills EDR Processes (darkreading.com)
- Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware (darkreading.com)
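The articles above describe attackers stopping EDR processes or loading malicious drivers to blind the agent, and the telemetry section above notes that the EDR is a critical log source. Both points lead to the same defensive conclusion: tampering with the agent must be visible from telemetry the agent does not produce. The following is an added example, not code from the original article or from any EDR vendor: a minimal SIEM-style correlation over Windows System log and Sysmon events (one JSON event per line, as a log forwarder would emit) plus a check-in gap test for hosts whose agent has gone quiet. The service name "ExampleEDRSensor", the host names and every log line are constructed for illustration.

```python
"""
Added example (not from the original article): detect EDR-tampering indicators
from telemetry that does NOT come from the EDR agent itself, and flag hosts
whose agent has stopped checking in. All names and log lines are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed display name of the EDR agent's Windows service (placeholder).
EDR_SERVICE_NAMES = {"ExampleEDRSensor"}


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def check_event(ev: dict):
    """Return an Alert for one parsed event if it matches a tamper indicator."""
    channel, eid = ev.get("Channel"), ev.get("EventID")
    host = ev.get("Computer", "unknown")
    d = ev.get("EventData", {})
    # System 7036: "<service> entered the <state> state" (param1=name, param2=state).
    if channel == "System" and eid == 7036:
        if d.get("param1") in EDR_SERVICE_NAMES and d.get("param2") == "stopped":
            return Alert(host, "edr_service_stopped", f"{d['param1']} stopped")
    # System 7045: a service was installed; a new kernel-mode driver is notable.
    if channel == "System" and eid == 7045 and d.get("ServiceType") == "kernel mode driver":
        return Alert(host, "new_kernel_driver", f"{d.get('ServiceName')} -> {d.get('ImagePath')}")
    # Sysmon 6: driver loaded; flag anything whose signature did not validate.
    if channel == "Microsoft-Windows-Sysmon/Operational" and eid == 6:
        if d.get("SignatureStatus") != "Valid":
            return Alert(host, "unsigned_driver_loaded",
                         f"{d.get('ImageLoaded')} ({d.get('SignatureStatus')})")
    return None


def analyze(lines):
    """Parse one JSON event per line and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad line stop the pipeline
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def silent_hosts(last_seen: dict, now: datetime, max_gap: timedelta):
    """Hosts whose EDR agent has not checked in within max_gap (lost telemetry)."""
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


# Constructed sample telemetry: one JSON event per line, plus one malformed line.
SAMPLE_LOG = r"""
{"Channel":"System","EventID":7036,"Computer":"HMI-01","EventData":{"param1":"ExampleEDRSensor","param2":"running"}}
{"Channel":"System","EventID":7036,"Computer":"HMI-01","EventData":{"param1":"ExampleEDRSensor","param2":"stopped"}}
{"Channel":"System","EventID":7036,"Computer":"HMI-01","EventData":{"param1":"Print Spooler","param2":"stopped"}}
{"Channel":"System","EventID":7045,"Computer":"ENG-WS-02","EventData":{"ServiceName":"BackupAgent","ImagePath":"C:\\Program Files\\Backup\\agent.exe","ServiceType":"user mode service"}}
{"Channel":"System","EventID":7045,"Computer":"ENG-WS-02","EventData":{"ServiceName":"tmpdrv","ImagePath":"C:\\Windows\\Temp\\tmpdrv.sys","ServiceType":"kernel mode driver"}}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":6,"Computer":"ENG-WS-02","EventData":{"ImageLoaded":"C:\\Windows\\System32\\drivers\\ndis.sys","SignatureStatus":"Valid"}}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":6,"Computer":"ENG-WS-02","EventData":{"ImageLoaded":"C:\\Windows\\Temp\\tmpdrv.sys","SignatureStatus":"Unavailable"}}
this line is not JSON and must be skipped
"""


def demo():
    """Run the rules over the sample log and the check-in test over constructed timestamps."""
    alerts = analyze(SAMPLE_LOG.splitlines())
    now = datetime(2023, 10, 1, 12, 0)
    last_seen = {"HMI-01": now - timedelta(hours=3),      # agent silent for 3h
                 "ENG-WS-02": now - timedelta(minutes=5)}  # checked in recently
    return alerts, silent_hosts(last_seen, now, timedelta(hours=1))


if __name__ == "__main__":
    found, silent = demo()
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("no EDR check-in within 1h:", silent)
```

Each rule here corresponds to one of the tampering patterns the referenced articles describe (agent service stopped, a new kernel driver registered, a driver loaded without a valid signature), and the check-in test catches the case where the agent is killed so cleanly that no stop event ever reaches the SIEM. In an OT environment the same rules belong on the plant historian/engineering workstations as much as on IT servers, with the check-in threshold tuned to how often those hosts are actually online.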
Lessons Learned (an actual implementation)
Below are a few key examples of potential outcomes/benefits and pitfalls/don'ts from an actual global IT/OT EDR implementation.
Feel free to reach out or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and/or simply information sharing.
Follow or connect with me for future posts, shared interests or simply discussions:
- M. Yousuf Faisal Subscribe to SecuringThings Newsletter
- @SecuringThings