Endpoint Detection & Response (EDR) Solutions for IT & OT/ICS

Table of Contents

• Endpoint Detection & Response (EDR) Solutions for …

  • Introduction

  • Threat Landscape & Business Needs

    • A Critical Telemetry source

  • EDR Solution Selection:

    • Feature comparison

  • IT/OT EDR Project Execution Strategy

    • Documentation

  • Relying on EDRs only

  • Lessons Learned (an actual implementation)

Introduction

Endpoint Detection and Response (EDR) solution, in addition to an essential security controls within an enterprise/IT on endpoints (servers, laptops, desktops), are now becoming also a critical need for securing endpoints within the critical infrastructure Operational Technology (OT) / industrial Control systems ICS environments, to provide adequate protection against growing and sophisticated cyber threats like Ransomware and other forms of malware or malware-less attacks on the IT, OT/ICS or factory or automation or production control networks (all these terms are used).

However, implementing such EDR solution requires careful planning and execution to avoid any downtime or disruptions both to enterprise applications environment (in IT) and to production operations (in OT/ICS).

Caution: Such projects are heavy in terms of time and resource requirements, lots of planning, coordination, discovery, getting multiple approvals, as well as Pre & Post deployment related administrative and technical activities. 

Note: EDR solutions are not like Endpoint protection solutions which uses antivirus features, inspection of files for corruption, or analyse for suspicious behaviour, against known signatures database, detect, and prevent mostly known attacks. EDR solutions uses (typically cloud based) Machine Learning (ML), Artificial intelligence (AI), behaviour analytics and threat intelligence (TI) to detect threats and take the additional step of acting to eradicate threats and neutralize existing attacks by actively blocking and or isolating endpoints.   

Threat Landscape & Business Needs

Ransomware attacks have surged since last few years and 2023 is no exceptions, rather seen a rise in such attacks. We've all seen some significant supply chain disruptions due to global ransomware attacks on small to large enterprise organizations. One (of the many) very recent example is highlighted below:

Businesses wants to minimize the number of endpoint security control solutions deployed for ease of management and for minimizing the impact on performance (especially the number of agents running on any given endpoint) and ultimately the production environment. The typical control requirements from such solutions are (but not limited to):

Note: cloud native/containers and other special purpose endpoint detection and response controls may exists (/need to have) as well - (not included here).

A Critical Telemetry source

EDR solutions are at the heart of, and one of the main, telemetry / log source (critical) as part of any broader XDR/MDR cyber-security monitoring strategy.

EDR Solution Selection:

Feature comparison

• Mapping your business requirements both in IT and OT ensures that required telemetry is provided by your selected EDR tool is a required activity. This can be achieved using feature comparison and requirements analysis and or running a Proof of Concept exercise. Industry analyst reports could be another source for understanding products capabilities, strengths/weaknesses and company direction.

• Another useful/interesting GitHub project by @kostastsale @ateixei to keep tabs on for reference is:

IT/OT EDR Project Execution Strategy

For details on executing such complex deployment or implementation projects, both in IT & OT/ICS environments please refer to #SecuringThings whitepaper by M. Yousuf Faisal here:

Documentation

Documentation of such implementation is critical, both in terms of guidance for IT users and Plant Users as well as guidance for implementation, back-end operations and maintenance teams (e.g., or plant project engineering team).

Relying on EDRs only

EDR solutions are one part of an IT & OT/ICS environments defense-in-depth layered model and not an all protection/detection solutions for all your cybersecurity needs. Solely relying on EDRs will expose your IT & OT environments for potential bypass/tampers and related attacks of such EDR solutions. Few reference examples below:

• A good write-up for a story about tempering EDRs here by Daniel Feichter from redops--> A story about tampering EDRs - RedOps - English

• 'AuKill' Malware Hunts & Kills EDR Processes (darkreading.com)

• Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware (darkreading.com)

Lessons Learned (an actual implementation)

Below outlines few key examples of potential outcomes/benefits and Pitfalls/Don'ts from an actual global IT/OT EDR implementation.

Feel free to reach out or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and or simply information sharing.

Follow or connect with me for future posts, interest, simply discussions:

• M. Yousuf Faisal Subscribe to SecuringThings Newsletter

• @SecuringThings.

It’s a great day to start “Securing:Things”. 

#securingthings #endpointsecurity #endpointdetection #endpointresponse #itcybersecurity #ot #IT #digitaltransformation #otcybersecurity #otsecurity #icssecurity #criticalinfrastructures #itsecurity #cybersecurity #securityawareness  #assetowners #ciso #cio #cso #plantsecurity #plantmanagers #assetoperators #criticalinfrastructureprotection #manufacturing #power #utility #transporation #chemicals #healthcare #retail #criticalmanufacturing