Endpoint Detection & Response

Endpoint detection and response (EDR) is a form of security solution that offers real-time visibility into anomalous endpoint behavior by continuously recording, storing and monitoring endpoint information. 

EDR software solutions automatically initiate alerts for more detailed investigation when it identifies suspicious behavior. Using this information, security teams can also manually isolate, investigate and react to a variety of advanced cybersecurity threats that single out network endpoints.

However, a weak point in EDR is that if malicious software is already present on the endpoint, it can start doing damage and infecting other endpoints before security teams respond.

This is where sandboxing comes in – a sandbox creates a safe, isolated environment on the endpoint, where suspicious files can be held until they are investigated.

What Is Sandboxing and Why Is It Important?

A sandbox is a separate testing environment where users can execute files and run programs without compromising the system, platform, or application they are using. Software specialists use sandboxes to study suspicious code without endangering the network or device. 

Sandboxes are an automated solution for studying malicious files. They are a common method that security specialists use to detect threats and breaches, by testing software, URLs, and malware. 

Identifying malware in a sandbox creates an additional layer of defense, protecting against security risks such as covert exploits and attacks that exploit zero-day vulnerabilities. Endpoint and detection response (EDR) systems incorporate many of the most popular sandboxes used today. 

Sandboxing provides the following capabilities:

  • Helps you isolate the most dangerous and recent threats, minimize risk, and increase collaboration. As it operates in an isolated system, the sandbox protects the crucial infrastructure of an organization from harmful code.
  • Lets SOC analysts examine dangerous code within a controlled environment to understand how it functions in a system and to identify similar malware threats more readily. 
  • Provides an additional way of identifying malware, instead of relying solely on behavioral monitoring. As malware becomes more sophisticated, detecting it by monitoring  suspicious behavior becomes more challenging.
  • Enables analysts to understand how malware functions. The most complex antivirus and monitoring software can not always anticipate what malicious code will do once it is executed. Antivirus software can scan programs as they are downloaded, stored, and transported. 

EDR Solutions with Sandboxing

Here are some of the leading EDR solutions that offer sandboxing capabilities.

  • Kaspersky Sandbox
  • Cynet 360
  • Symantec Endpoint Detection and Response
  • Trend Micro Apex One
  • CrowdStrike Falcon Insight
  • FireEye Endpoint Security
  • Cisco Secure Endpoint

Kaspersky Sandbox

Kaspersky Sandbox is a component of Kaspersky Optimum Security, and is developed using best practices to fight APT-level attacks and sophisticated threats. Together with EDR and EPP solutions, Kaspersky Sandbox offers automated advanced detection by examining threats in an environment that is isolated:

  • Detection—suspicious objects are placed in a separate environment, where a detailed examination is carried out to rapidly isolate and block novel, evasive and unknown cyberthreats automatically.
  • Manageability—this sandbox is easy to operate and install and integrates with an organization’s infrastructure even without highly qualified IT security professionals.
  • Scalability—the fundamental configuration supports as many as one thousand protected endpoints. The solution easily scales and provides ongoing safety for large infrastructures.
  • Integration—the advanced detection abilities of Kaspersky Sandbox integrate with Kaspersky Endpoint Security for Business and Kaspersky EDR Optimum to offer a multi-layered endpoint security response. 

Cynet 360

The Cynet 360 threat identification and response platform streamlines organizational security by offering a holistic approach to an organization’s prevention and security requirements. Cynet 360 minimizes security spend by offering various capabilities in one solution, without demanding too much from an organization’s budget, manpower, and resources. 

The 360 platform offers the greatest level of organizational security by correlating indicators over systems, thereby ensuring accuracy and visibility of detection, without needing several cyber security approaches.    

The Cynet 360 offers a range of enterprise security capabilities, tailored to organizations that need the best level of prevention and protection over thousands of endpoints:

  • Endpoint identification and response—the Cynet 360 platform detects and deploys threats over thousands of endpoints in less than two hours. Cynet 360’s comprehensive solutions correlate indicators and offer complete visibility over the whole enterprise.
  • Entity and user behavior analytics—the platform’s UEBA abilities help cybersecurity teams isolate compromised accounts, targeted attacks, and rogue insiders before they can harm the enterprise.
  • Incident response—the platform helps organizations that are under attack with 24/7 global incident response, run by a team of security experts.
  • Threat intelligence—the platform uses 20 internal and external databases featuring the most up-to-date information in threat intelligence, and integrates input from IOCs. Thus, organizations have an additional layer of protection against malicious and suspicious activities.
  • Sandbox—the platform offers a sandbox for the dynamic analysis of processes and the static analysis of files for the safe inspection of items that are deemed suspicious.   

Symantec Endpoint Detection and Response

EDR

Symantec EDR employs behavioral analytics and machine learning to expose and detect suspicious network behavior. Symantec EDR tells you of possible dangerous activity, prioritizes events for speedy triage, and permits you to navigate endpoint activity records throughout your forensic analysis of possible attacks.  

Symantec EDR lets you isolate endpoints that could be compromised, contain suspicious incidents, and remove malicious files and connected artifacts.  

Symantec EDR can move files to a sandboxing service to release possible malware in a virtual environment to study its behavior. The default sandboxing setting is Symantec’s cloud-based malware system—Cynic. You can also configure Symantec EDR to move unknown or suspicious files to an on-site sandbox appliance.  

Trend Micro Apex One

Trend Micro Apex One protection provides automated threat response and detection for an increasing number of threats, such as ransomware and fileless. Their cross-generational use of up-to-date techniques offers a high level of endpoint protection, which optimizes effectiveness and performance. 

Achieve actionable insights, greater investigative abilities, and centralized visibility by utilizing an EDR toolset, an open API set, and sturdy SIEM integration. You have the choice to carry out extended, correlated threat investigations that are more advanced than the endpoint and increase your security teams via a managed identification and response service.  

Apex One uses a variety of cross-generational threat techniques to offer the widest protections against all threat types, including: 

  • Efficient protections against injection, scripts, ransomware, browser, and memory attacks via new behavior analysis.
  • Cloud sandbox for analyzing URLs, multistage downloads and the like in a secure setting.

CrowdStrike Falcon Insight

EDR

Falcon Insight is an EDR unit as a component of the Falcon Endpoint Protection Enterprise model, which also features threat intelligence, NGAV, threat hunting, and USB device protection. 

The Falcon sandbox carries out in-depth analysis of unknown and evasive threats, broadens the results with threat intelligence and provides actionable indicators of compromise (IOCs), providing your security team with greater insight into complex malware attacks and improving their defenses

FireEye Endpoint Security

This endpoint solution features NGAV capabilities, an agent with four detection engines, and EDR. It offers a secure environment to classify, test, and document sophisticated malicious files. Malware analysis reveals the lifecycle of the cyber attack, from the first exploit and malware execution path through to callback destinations and attempts at binary download. 

Cisco Secure Endpoint

EDR

Cisco Secure Endpoint integrates detection, prevention, threat hunting and threat response ability in one solution, using cloud-based analytics. Secure Endpoint features a built-in, secure sandbox environment, run by CISco Threat Grid, to study the activity of suspicious files. 

Dynamic file analysis provides in-depth details on files, such as the original file name, the severity of behaviors, sample packet captures, and screenshots of malware running. This will give you greater insight into what is needed to contain the attack and prevent future attacks.

Conclusion

In this article I explained the basics of security sandboxing, and covered seven leading EDR solutions and the sandbox features they provide:

  1. Kaspersky Sandbox
  2. Cynet 360
  3. Symantec Endpoint Detection and Response
  4. Trend Micro Apex One
  5. CrowdStrike Falcon Insight
  6. FireEye Endpoint Security
  7. Cisco Secure Endpoint

I hope this will be of help as you evaluate endpoint protection solutions for your organization.

Leave a Reply