Endpoint Detection and Response. Basically a new term for antivirus/antimalware but that reports back to defenders and helps them respond to malicious software that may be on the device.
Never worked in an environment with hard security requirements?
Tell me, if your responsibility was to prevent, identify, and respond to breaches, what policies and technologies would you utilise to achieve this goal?
The comments on this site are really something after having worked for an engineering corp that was actively targeted for industrial espionage. You guys really don't wanna monitor what processes on your boxes are doing? Hopefully your servers don't do anything of consequence lol.
We've got one of those at work, and the most visible effect is it makes me feel like driving around with the handbrake on.
Then, every so often, it'll flag the code I'm working on as "malicious". It's pretty basic glue stuff, and launching the executable in their sandbox usually turns up nothing. Sure, I can add an exception for what I'm working on and my tools so it doesn't scan rustc every time it runs. But exceptions can only be paths. Aren't we lucky that bad guys would never ever overwrite the files I've excluded.
When we first started deploying it, I wrote a quick and dirty cryptolocker. Reading files and rewriting their content encrypted in AES. Didn't take any evasive action, just traverse directories and fetch all the files. I even went out of my way to do it multi-threaded, so I wouldn't have to wait too long while testing. Sure enough, it flagged my test-crypto.exe as suspicious. But I guess I'm not enough of a threat, since I tried renaming it to meh.exe and, wouldn't you know it, I could happily encrypt my own home folder without any bother.
So I'm still not fully convinced these aren't just like the antivirus of old, only with a different name.
Oh, I fully understand why it's needed, and I have experience working with EDR software - which is why I stand by my statement that I'd rather deal with ED than EDR because at least there's a remedy for the former :P
The company I work for recently had the beautiful experience of having Windows Defender delete our program from many of our customers' computers during the weekend, with the consequent support calls the next day about "your program does not run and I'm losing money!" and the headache of having to find out why the exe is magically gone, since the antivirus going crazy is the last thing you think of.
"Thankfully" it seems they did a progressive rollout of whatever version of Defender that detects our software so we didn't get every customer angry at once, which would come pretty close to a business ending event.
So yeah, malware seems an adequate word to me. Especially since there's no way to find out what heuristic we're tripping and no one to ask for help, so there's no guarantee that this won't happen again in a few weeks.
The malicious mindset is right in the name. It redefines my computer to exist only in context of another thing. My hardware is now an """endpoint""" and not a standalone system.
It's not something that you're going to install on personal machines. It's something that the CISO wants installed on company machines for compliance reasons. And before you claim that you don't want your activity monitored on the company laptop, the laptop belongs to the company. There's no expectation of privacy.
In a corporate setting (where this kind of software is often used), "your" computer is not really yours and does in fact only exist in context of another thing (the corporation).
XDR is a marketing term for a service that bundles or aggregates EDR with other types of enterprise level security monitoring. The endpoint part is still called EDR.