What Is Active EDR? 

SolarWinds^® Endpoint Detection and Response (EDR), powered by SentinelOne, offers multiple features to help enhance your customers’ security at the endpoint level and give you unprecedented control in the fight against cybercrime. Today, we wanted to spotlight one specific feature—ActiveEDR. ActiveEDR tracks and contextualizes everything on a device, helps identify malicious acts in real time, and lets you automate the required responses. Read on to discover why the feature was developed and how it represents a leap forward in endpoint-based detection.

Background

In the short history of cybersecurity, we’ve seen how technologies become outdated pretty quickly as the threat landscape continuously changes. When threats began to emerge in the 90s, many businesses moved to install antivirus protection. These new products were able to fight against a relatively small amount of known viruses, although they couldn’t combat novel attacks.

Malware authors adapted quickly with trojan horses and worms running after the new gold.

Added to this was the explosion of the Dark Web and the ability of cybercriminals to share and sell tools and tactics without being traced. Trade in ransomware tools alone created a microeconomy among online criminals. When cryptocurrency was born, it solved a huge problem for these malicious groups, as they could now exploit individuals and businesses by siphoning processing power from their machines to generate new cryptocurrency without leaving a financial trace. Ransomware remains a problem, especially as cryptocurrency prices have decreased. 

Making AI accessible to everyone

To meet these challenges, enterprises needed better solutions. When AI technology became available, it didn’t take long for new innovative products to replace the legacy tools based on signature detection.

These new endpoint protection platform (EPP) tools trained an AI model on a large number of samples, then used an agent on the endpoint to tackle file-based malware. As much file-based malware reuses existing malware, the AI could detect similarities in file behavior without needing a local agent with constantly updated signature hashes. In other words, they could look at file behavior to supplement signature-based protection. 

These new tools provided some relief to the enterprise, but malware groups quickly discovered that EPP products were utterly blind to memory-based malware, lateral movement, and fileless malware attacks. To make things worse, sophisticated hacking tools made their way to a wider audience. Through leaks, nation-state malware tools and techniques became available to cybercriminals. The enterprise needed a new solution.

To fill this gap, a new line of products called endpoint detection and response (EDR) tools was born. EDR answered the need of the enterprise to be able to at least see what was happening on the corporate network. Visibility was the solution, and its new home was the cloud.

But these EDR solutions created a new set of problems. Many EDR solutions, as they stand today, provide visibility, but require skilled personnel who can take the vast amounts of data the solutions generate, contextualize it, and then use it to mitigate cyberthreats. Greater demand for talented cyberanalysts has created a massive labor shortage in the security industry. At the same time, cloud-based solutions suffer the problem of increased dwell time—the delay between infection and detection. Solving these problems is where ActiveEDR comes into play.

With so many activities happening on every device, sending all this information to the cloud for analysis might offer visibility, but it’s still far from solving the main problem—the flood of alerts facing understaffed security teams. What if you could put the equivalent of a skilled SOC analyst on each of your devices? An agent who can contextualize all the device’s activities and identify and mitigate threat attempts in real time?

SolarWinds Endpoint Detection and Response has some similarities to other EDR solutions, but unlike those, it doesn’t rely on cloud connectivity to detect a threat. This effectively helps reduce dwell time to run time. The agent uses AI to make a decision without depending on cloud connectivity. The ActiveEDR feature constantly draws stories of what is happening on the endpoint. Once it detects harm, it’s capable of mitigating not only malicious files and operations, but the entire “storyline.”

Consider this typical scenario—a user opens a tab in Google Chrome and downloads a file they believe is safe. They execute the file without realizing it’s malicious. The program initiates PowerShell to delete the local backups and then encrypts all data on the disk. ActiveEDR knows the full story, so it will mitigate this at run time, before encryption begins. When the attack is mitigated, all the elements in that story will be taken care of, all the way to the Chrome tab the user opened in the browser. It works by giving each of the elements in the story the same ID, then sending these stories to the management console, allowing visibility and clarity for security analysts and IT administrators.

A new experience for security analysts and IT technicians

The work of a security analyst or MSP technician using passive EDR can be hard.

Swamped with alerts, the analyst needs to assemble the data into a meaningful story. With ActiveEDR, this work is done instead by the agent on the endpoint. The solution has already assembled the stories so the security analyst can save time and focus on what matters. Instead of assembling stories, the analyst can review full, contextualized stories, based on a single indicator-of-compromise search. This allows security teams to understand the story and root cause behind a threat quickly. The technology can autonomously attribute each event on the endpoint to its root cause without relying on cloud resources.

Conclusion

Most current antivirus, EPP, and EDR solutions don’t solve the cybersecurity problem for the enterprise. To compensate, some rely on additional cloud services to close the gap. But relying on the cloud increases dwell time. Depending on connectivity, you could be way too late in the game to deal with the threat, as it takes only seconds for malicious activity to infect an endpoint, do harm, and remove traces of itself. This reliance on connectivity to the cloud makes many of today’s EDR tools passive as they rely on operators and services to respond after it’s already too late. SolarWinds EDR transforms the EDR to be active, allowing it to respond in real time, turning dwell time into no time.

ActiveEDR empowers security teams and IT admins to focus on the alerts that matter, helping reduce the time and cost of bringing context to the complicated and overwhelming amount of data needed with other, passive EDR solutions.

The introduction of ActiveEDR is like other technologies that helped humans become more efficient and save time and money. Like how the car replaced the horse and the autonomous vehicle will replace vehicles as we know them today, ActiveEDR is transforming the way enterprises understand endpoint security. Discover how to take a more active approach toward endpoint security by learning more about SolarWinds EDR today.