Protection of computers and servers

Endpoint Detection and Response (EDR) solutions provide advanced protection for computers, servers and other endpoints against cyber attacks and cyber threats. Their effectiveness comes from a combination of monitoring mechanisms, threat analysis, event correlation, integration with other security tools, real-time response and incident response automation.

Key EDR features:

1. Real-time activity monitoring and analysis

EDR solutions continuously monitor and record activity on endpoints, allowing for rapid detection of threats.

How does it work?
Continuous telemetry: EDR collects data on system activity (processes, network connections, user activities) on computers and servers.

Example: EDR system logs user activity on the company laptop, including running processes and network connections. It detects that a Word application is attempting to connect to a suspicious server in Russia - an activity that is unusual for this programme.
Contextual behavioural analysis: the use of AI and machine learning mechanisms to identify unusual behaviour that may indicate malware activity, such as ransomware, spyware or keyloggers.

Example: The AI mechanism used within EDR detects that a process running in the background of the computer starts scanning files en masse and sending data to an external server. The mechanism classifies this as suspicious behaviour typical of spyware and immediately blocks the process.

2. Detection of advanced threats

EDRs go beyond traditional signature scanning, using behavioural analysis techniques, heuristics and event correlation.

How does it work?
Zero-day threat detection: through behavioural analysis, EDR solutions can identify attacks that are not yet known to traditional signature-based systems.

Example: The attacker is exploiting a newly discovered vulnerability in Windows that has not yet been patched. The EDR detects that an unusual in-memory process is attempting to run PowerShell scripts, blocking the threat even before it escalates.
Correlation of events: EDR detects threats directly on endpoints, but it also analyses and correlates separate events observed on them, so that a multi-stage attack can be recognised even when each individual step looks harmless.

Example: The EDR detects that on one of the endpoints, the user has opened a Word document, which runs a PowerShell script that attempts to download an executable file from an external server. The EDR then notices that the downloaded file attempts to install a background service and modifies the registry settings. By correlating these events, the system identifies that this activity is part of an APT attack and blocks further malware activity.
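The chain in the example above (Office document, PowerShell, download, service installation, registry change) can be expressed as ordered stages tied together by process lineage. The following is an added illustration of that correlation logic, not code from any EDR product or from this page's vendor; the Event schema, the process names, the 10-minute window and the sample telemetry are all assumptions constructed for the example.

```python
"""Correlating endpoint telemetry into the attack chain described above.

Added illustration, not code from any EDR product or from this page's
vendor. The Event schema, process names, window and the constructed sample
telemetry are all assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    ts: datetime      # time the sensor observed the event
    host: str         # endpoint that reported it
    kind: str         # process_start | network_connect | service_install | registry_set
    pid: int          # process performing the action (the new process for process_start)
    ppid: int         # parent pid (process_start only; 0 otherwise)
    image: str        # executable name of the acting/new process
    detail: str = ""  # remote address, service name, registry key, ...


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# The chain from the text as ordered predicates: an Office app starts,
# spawns PowerShell, which reaches out to the network, after which a
# process in the same lineage installs a service and writes the registry.
CHAIN: List[Tuple[str, Callable[[Event], bool]]] = [
    ("office", lambda e: e.kind == "process_start" and e.image.lower() in OFFICE_APPS),
    ("powershell", lambda e: e.kind == "process_start" and e.image.lower() == "powershell.exe"),
    ("download", lambda e: e.kind == "network_connect"),
    ("service_install", lambda e: e.kind == "service_install"),
    ("registry_change", lambda e: e.kind == "registry_set"),
]
WINDOW = timedelta(minutes=10)  # assumed: all stages must land within 10 minutes


def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Per host, return the chain stages matched in order.

    A stage counts only if the acting process descends from the Office
    process that opened the chain; unrelated activity on the same host is
    ignored, and a chain that goes stale (outside WINDOW) is discarded.
    """
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    result: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        stage, lineage, start, found = 0, set(), None, []
        for e in evs:
            if stage > 0 and e.ts - start > WINDOW:
                stage, lineage, found = 0, set(), []      # chain timed out
            if stage == 0:
                if CHAIN[0][1](e):
                    stage, lineage, start, found = 1, {e.pid}, e.ts, ["office"]
                continue
            if e.kind == "process_start" and e.ppid in lineage:
                lineage.add(e.pid)                        # child joins the lineage
            if e.pid not in lineage:
                continue                                  # unrelated process
            name, pred = CHAIN[stage]
            if pred(e):
                found.append(name)
                stage += 1
                if stage == len(CHAIN):
                    break
        result[host] = found
    return result


def flagged_hosts(events: List[Event]) -> List[str]:
    """Hosts on which every stage of the chain was observed."""
    return [h for h, s in correlate(events).items() if len(s) == len(CHAIN)]


# Constructed sample telemetry (not real logs). 203.0.113.10 is a
# documentation address standing in for the external server.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE = [
    Event(T0, "LAPTOP-01", "process_start", 100, 1, "WINWORD.EXE", "invoice.docm"),
    Event(T0 + timedelta(seconds=20), "LAPTOP-01", "process_start", 200, 100, "powershell.exe"),
    Event(T0 + timedelta(seconds=25), "LAPTOP-01", "network_connect", 200, 0, "powershell.exe", "203.0.113.10:443"),
    Event(T0 + timedelta(seconds=40), "LAPTOP-01", "process_start", 300, 200, "update.exe", "C:\\Users\\Public\\update.exe"),
    Event(T0 + timedelta(seconds=41), "LAPTOP-01", "process_start", 301, 1, "notepad.exe"),
    Event(T0 + timedelta(seconds=50), "LAPTOP-01", "service_install", 300, 0, "update.exe", "UpdaterSvc"),
    Event(T0 + timedelta(seconds=55), "LAPTOP-01", "registry_set", 300, 0, "update.exe",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    # Benign host: Word itself talks to the network (e.g. cloud storage) and nothing else happens.
    Event(T0, "LAPTOP-02", "process_start", 100, 1, "WINWORD.EXE", "report.docx"),
    Event(T0 + timedelta(seconds=5), "LAPTOP-02", "network_connect", 100, 0, "WINWORD.EXE", "storage.example:443"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(host, "->", " > ".join(stages) or "(nothing)")
    print("flagged:", flagged_hosts(SAMPLE))
```

The lineage check is what keeps the rule from firing on ordinary Office network traffic: LAPTOP-02 matches only the first stage, because no PowerShell child of Word ever appears, while the unrelated Notepad launch on LAPTOP-01 is ignored entirely.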

3. Automatic response to threats

One of the key features of EDR is the ability to automatically take action to stop or limit an attack.

How does it work?
Endpoint isolation: if a threat is detected, the device can be automatically disconnected from the network to prevent further spread of the attack.

Example: An employee's laptop becomes infected with ransomware. The EDR system automatically disconnects the device from the company network, preventing the attack from spreading to other computers.
Stopping processes: the system automatically blocks malicious processes and deletes files that may pose a threat.

Example: EDR detects that a process named "notepad.exe" unexpectedly tries to change system files - something that standard Notepad does not do. The process is immediately stopped.
Automatic elimination of threats: built-in mechanisms can automatically delete malicious files, block suspicious network connections or undo changes made by malware.

Example: The system detects and removes the malicious file "malware.exe" downloaded from a suspicious website and blocks the connection to the server from which the file was downloaded.

4. Post-breach analysis and reporting

EDRs provide detailed incident data to enable in-depth analysis and to prevent similar attacks in the future.

How does it work?
Incident recording and visualisation: EDR systems record details about each potential threat, such as the source of the attack, changed files or IP addresses involved in the incident.

Example: When a phishing attack is detected, the EDR generates a report showing that the user clicked a link in the email, which triggered a malicious PowerShell script and an attempt to steal login details.
Attack path (attack chain): EDRs present graphical maps showing how the attack took place, allowing the source and extent of the attack to be quickly determined.

Example: A graphical map in the EDR system shows that the attacker entered the network via an unpatched web server, then migrated to the database server and attempted to steal customer data.
Compliance reports and audits: the automatic generation of reports makes it possible to meet regulatory requirements and demonstrate compliance with security standards.

Example: A healthcare company receives an automated report indicating that all endpoints are compliant with HIPAA regulatory requirements.

5. Preventing the spread of attacks

EDRs block lateral movement attempts within the IT infrastructure.

How does it work?
Network traffic detection: EDRs analyse and block suspicious connections between computers on the network, which may indicate an attacker moving laterally to seize further resources.

Example: The attacker attempts to use the infected server as a pivot point to reach other computers on the network. EDR blocks network connections that indicate lateral movement (e.g. port scanning).
Network segmentation: endpoint isolation prevents the propagation of ransomware attacks throughout the organisation.

Example: An infected computer in the sales department is isolated from the resources of the finance department, preventing attackers from accessing critical data.

6. Integration with other security tools

EDRs integrate with network, server, application and email security systems to provide comprehensive protection.

How does it work?
Combining data from different sources: EDRs aggregate data from SIEM, firewall, anti-virus systems and other tools to provide a complete picture of threats.

Example: XDR analyses data from the SIEM, anti-virus system and firewall to detect a complex APT (Advanced Persistent Threat) attack involving different layers of the infrastructure.
Interaction with SOAR (Security Orchestration, Automation, and Response) systems: EDRs allow for the automatic implementation of remediation scripts and incident response procedures.

Example: Upon detecting an attack, the EDR runs a SOAR script that cuts off the endpoint from the network, deletes suspicious files and sends an alert to the SOC team with full details of the incident.

7. Strengthening protection against ransomware and APT attacks

EDRs are designed to effectively prevent and respond to ransomware attacks and long-term threats.

How does it work?
Recognition of ransomware patterns: EDRs identify rapid file encryption, which may be indicative of a ransomware attack, and immediately stop such activity.

Example: The EDR system detects that the process "encryptor.exe" starts to rapidly change many files in the company directory. The process is immediately stopped before most of the data is encrypted.
Detection of data exfiltration attempts: EDR monitors network traffic and blocks attempts to send sensitive data to external servers.

Example: The attacker attempts to send a copy of the customer database to an external server. The EDR identifies abnormal outbound traffic and blocks the transfer.
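Two of the sections above rely on the same mechanism: the ransomware-pattern detection in this section (rapid mass file modification by one process) and the automatic response in section 3 (stopping the process, isolating the endpoint). The following added example shows both together; it is not code from any EDR product or from this page's vendor. The event schema, the thresholds (30 files or 10 extension changes in 5 seconds), the allow-list of backup tools and the sample event stream are all constructed assumptions.

```python
"""Ransomware-pattern detection with an automated containment plan.

Added example, not code from any EDR product. The event schema, thresholds,
allow-list and the sample event stream are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class FileEvent:
    ts: float                       # seconds on a constructed clock
    host: str
    pid: int
    image: str                      # executable name of the writing process
    path: str                       # file being written
    new_ext: Optional[str] = None   # set when the write renamed the file's extension


# Backup or sync agents legitimately rewrite many files; an EDR carries an
# allow-list so the detector downgrades to alert-only instead of killing them.
# The names here are assumptions.
ALLOWLISTED_IMAGES = {"backupagent.exe", "onedrive.exe"}


class RansomwareDetector:
    """Sliding-window counter per (host, pid): distinct files touched and
    extension changes seen in the last `window_s` seconds."""

    def __init__(self, window_s: float = 5.0, max_files: int = 30, max_ext_changes: int = 10):
        self.window_s, self.max_files, self.max_ext_changes = window_s, max_files, max_ext_changes
        self.recent: Dict[Tuple[str, int], Deque[Tuple[float, str, bool]]] = defaultdict(deque)
        self.alerted: Set[Tuple[str, int]] = set()   # keys already alerted on (process presumed contained)

    def observe(self, e: FileEvent) -> Optional[dict]:
        key = (e.host, e.pid)
        if key in self.alerted:
            return None
        q = self.recent[key]
        q.append((e.ts, e.path, e.new_ext is not None))
        while q and e.ts - q[0][0] > self.window_s:
            q.popleft()                                  # drop events outside the window
        files = {p for _, p, _ in q}
        ext_changes = sum(1 for _, _, changed in q if changed)
        if len(files) >= self.max_files or ext_changes >= self.max_ext_changes:
            self.alerted.add(key)
            return {"host": e.host, "pid": e.pid, "image": e.image,
                    "files": len(files), "ext_changes": ext_changes, "window_s": self.window_s}
        return None


def response_plan(alert: dict) -> List[str]:
    """Containment actions an automated playbook would issue for the alert.

    Returned as strings so the decision logic can be tested without touching
    a real endpoint; a product would map these to its own agent commands.
    """
    host, pid, image = alert["host"], alert["pid"], alert["image"]
    if image.lower() in ALLOWLISTED_IMAGES:
        return [f"alert-only: {image} (pid {pid}) on {host} is allow-listed, notify SOC"]
    actions = [f"terminate pid {pid} ({image}) on {host}",
               f"quarantine executable of pid {pid} on {host}"]
    if alert["ext_changes"] > 0:
        # Extension rewriting is the strongest encryption signal: isolate the
        # host so the process cannot reach file shares, then collect evidence.
        actions.append(f"isolate {host} from the network")
    actions.append(f"collect triage package from {host} for post-incident analysis")
    return actions


def run_stream(events: List[FileEvent]) -> List[dict]:
    """Feed a time-ordered stream through the detector; return the alerts raised."""
    det = RansomwareDetector()
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        a = det.observe(e)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample stream: one process renaming documents to ".locked" at
# 20 files per second, alongside a user saving a few files in Word.
SAMPLE = (
    [FileEvent(1000.0 + i * 0.05, "WS-07", 4242, "encryptor.exe", f"C:\\Share\\doc{i}.docx", "locked")
     for i in range(40)]
    + [FileEvent(1000.0 + i, "WS-07", 777, "winword.exe", f"C:\\Users\\a\\report{i}.docx")
       for i in range(3)]
)

if __name__ == "__main__":
    for alert in run_stream(SAMPLE):
        print("ALERT", alert)
        for action in response_plan(alert):
            print("  ->", action)
```

The detector fires on the tenth renamed file, about half a second into the burst, which is the point the section makes: the process is stopped before most of the data is encrypted. The allow-list is the caveat a practitioner would insist on, since backup and sync agents produce the same write pattern and an automated kill of them would be its own outage.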

8. Securing servers and cloud environments

EDRs can also run on servers, cloud applications and virtual endpoints.

How does it work?
Server security: monitoring processes running on servers in real time and protecting data from brute-force attacks or exploitation of software vulnerabilities.

Example: EDR monitors the company's mail server and detects a brute-force login attempt by an attacker, automatically blocking the attacker's IP address.
Cloud protection: integration with cloud services (AWS, Azure, Google Cloud) to detect and respond to threats in hybrid environments.

Example: XDR integrates with AWS and detects an unusual user logging into the administration console from an unfamiliar location. The login is blocked and the IT team receives an alert.

9. Facilitating the work of SOC (Security Operations Centre) teams

EDR solutions support SOC teams in incident management.

How does it work?
Prioritisation of risks: the system classifies threats according to risk level, allowing teams to focus on the most serious incidents.

Example: The system classifies detected incidents as low, medium or high priority, allowing the SOC team to focus on the most dangerous attacks, such as ransomware.
Automated response: thanks to automated processes, the SOC can respond more quickly and effectively to threats.

Example: The EDR automatically implements firewall rules to block suspicious IP addresses detected during a phishing attack.
Threat analysis (Threat Intelligence): integration with threat knowledge bases facilitates the identification and evaluation of new attacks.

Example: EDR uses global threat databases to quickly identify new malware variants used by hacking groups.
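The prioritisation and threat-intelligence points above come together in triage logic that scores each alert and orders the SOC work queue. The following added example shows one such scheme; it is not code from any EDR product or from this page's vendor. The category weights, asset tiers, the contained-incident discount, the thresholds for low/medium/high and the threat-intelligence feed are constructed assumptions, and the hashes in the feed are placeholders rather than real indicators.

```python
"""Alert prioritisation with threat-intelligence enrichment.

Added example, not code from any EDR product. Category weights, asset tiers,
thresholds and the threat-intelligence feed are constructed assumptions; the
hashes are placeholders, not real indicators.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence feed: SHA-256 -> description. Placeholders only.
THREAT_INTEL: Dict[str, str] = {
    "PLACEHOLDER_SHA256_A": "known ransomware loader (placeholder entry)",
    "PLACEHOLDER_SHA256_B": "credential-dumping tool (placeholder entry)",
}

CATEGORY_BASE = {            # how serious the detection type is on its own (assumed weights)
    "ransomware": 70,
    "credential_theft": 60,
    "lateral_movement": 55,
    "phishing_click": 30,
    "policy_violation": 10,
}
ASSET_TIER_BONUS = {"domain_controller": 25, "server": 15, "workstation": 0}
TI_MATCH_BONUS = 20          # the file matched the threat-intelligence feed
CONTAINED_DISCOUNT = 25      # EDR already blocked or isolated it: review, not emergency


@dataclass
class Alert:
    id: str
    category: str
    host: str
    asset_tier: str
    file_sha256: Optional[str] = None
    contained: bool = False   # did automated response already act?


def enrich(alert: Alert) -> Optional[str]:
    """Return the threat-intel description for the alert's file hash, if any."""
    return THREAT_INTEL.get(alert.file_sha256) if alert.file_sha256 else None


def score(alert: Alert) -> int:
    """0..100 risk score combining detection type, asset value, TI match and containment state."""
    s = CATEGORY_BASE.get(alert.category, 20)
    s += ASSET_TIER_BONUS.get(alert.asset_tier, 0)
    if enrich(alert):
        s += TI_MATCH_BONUS
    if alert.contained:
        s -= CONTAINED_DISCOUNT
    return max(0, min(100, s))


def priority(s: int) -> str:
    """Map a score onto the low/medium/high buckets the SOC works from."""
    return "high" if s >= 70 else "medium" if s >= 40 else "low"


def triage(alerts: List[Alert]) -> List[Tuple[str, str, int]]:
    """Work queue for the SOC: (alert id, priority, score), highest risk first."""
    scored = [(a.id, priority(score(a)), score(a)) for a in alerts]
    return sorted(scored, key=lambda t: (-t[2], t[0]))


# Constructed sample alerts.
SAMPLE = [
    Alert("A1", "ransomware", "WS-07", "workstation", "PLACEHOLDER_SHA256_A", contained=True),
    Alert("A2", "credential_theft", "DC-01", "domain_controller", "PLACEHOLDER_SHA256_B"),
    Alert("A3", "phishing_click", "WS-12", "workstation"),
    Alert("A4", "lateral_movement", "SRV-DB-02", "server"),
]

if __name__ == "__main__":
    for alert_id, prio, s in triage(SAMPLE):
        print(f"{alert_id}: {prio:6} ({s})")
```

Note the effect of the containment discount: the ransomware alert that the EDR already stopped drops below the uncontained credential theft on a domain controller, which is the ordering an analyst would want even though ransomware carries the highest base weight.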

Explore the computer and server protection solutions we offer
