
Anti-virus is not enough. Recent 3CX hack shows why.

A recent supply chain security breach showed how a legitimate application, 3CX, a popular voice/video conferencing product, can be turned malicious by attackers. This incident highlights the importance of having behaviour-based Endpoint Detection and Response (EDR) platforms.

EDR solutions use behaviour-based detection rather than specific virus signatures to identify anomalous activity that may indicate a threat. EDR platform vendors had been monitoring the 3CX application and automatically quarantined it on March 22, 2023, due to a spike in behavioural detections. Meanwhile, most traditional antivirus platforms were only able to detect this breach on March 30, 2023, emphasising the critical time difference between the two kinds of detection.

Felix Nduaguba – Key Account Manager

Time to detection is a critical metric when dealing with security incidents because the faster an incident is detected, the faster it can be contained, mitigated, and remediated. The longer it takes to detect, the more time the attacker has to move laterally within the network, steal sensitive data, or cause damage to the system.

As a result, CodeBlue’s security team strongly recommends that all New Zealand SMBs consider upgrading their endpoint protection to an EDR platform where feasible.

What is Endpoint Detection and Response (EDR)?

Endpoint Detection and Response (EDR) is a modern replacement for traditional antivirus solutions, which primarily detect and protect endpoints against known viruses whose signatures are in their database. Unlike traditional antivirus solutions, EDR leverages artificial intelligence and behaviour analysis to protect endpoints. It collects data from endpoints and examines it in real time for malicious or anomalous patterns.

An EDR system detects infection and initiates a response – providing security teams with an extra layer of security and visibility against unknown (zero-day) vulnerabilities.

CodeBlue’s Managed Endpoint Detection and Response (MDR)

CodeBlue’s Managed Endpoint Detection and Response (MDR) utilises a next-generation endpoint agent powered by SentinelOne. It incorporates Machine Learning (ML) and Artificial Intelligence (AI) to stream relevant data back to our Security Operations Centre (SOC). Our SOC enriches the data with threat intelligence, to correlate trends and pinpoint artifacts of interest. Our SOC analysts then investigate these artifacts. If an actionable alert is identified, it’s relayed to our client via an easy-to-understand response plan, along with supporting information.

Agents are deployed on client workstations and servers across traditional or cloud workloads. These agents record system activity and compare it against an internal knowledge base of rulesets and work patterns.

The results of this analysis, along with the necessary metadata, are sent to CodeBlue’s SOC for enrichment against our threat database and global AI analysis engine. Furthermore, since EDR agents ingest logs from the endpoints, our SOC can obtain and query valuable information which is not available in traditional antivirus products, in scenarios such as supply chain attacks.
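The difference between a signature verdict and a behavioural verdict described above, as an added illustration that is not CodeBlue's or SentinelOne's code: a baselined, trusted application is flagged the first time it steps outside its baseline, whereas a hash-based check cannot fire until the vendor has shipped that hash. Process names, hostnames, the hash and the timestamps are all constructed (the dates are chosen to mirror the timeline in the text).

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Event:
    day: date
    process: str   # image name of the acting process
    sha256: str    # hash of that process's binary (constructed value)
    action: str    # "connect" | "spawn" | "write"
    target: str    # remote host, child process or file path

# Per-application baseline: what a trusted app is expected to do on this fleet.
BASELINE = {"conf-app.exe": {"connect": {"updates.example-conf.test"}}}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
STARTUP_MARKERS = ("\\startup\\", "\\currentversion\\run")

def signature_detect(events, blocklist, signature_day):
    """Classic AV: the binary can only be flagged once its hash is in the
    database, so the verdict lands on max(first seen, signature published)."""
    seen = [e.day for e in events if e.sha256 in blocklist]
    return max(min(seen), signature_day) if seen else None

def behaviour_detect(events):
    """EDR-style rule: a baselined (trusted) app stepping outside its baseline
    is flagged on the first anomalous event; no hash knowledge is required."""
    for e in sorted(events, key=lambda ev: ev.day):
        allowed = BASELINE.get(e.process)
        if allowed is None:
            continue  # un-baselined processes are scored elsewhere
        if e.action == "connect" and e.target not in allowed.get("connect", set()):
            return e.day, f"{e.process} contacted unexpected host {e.target}"
        if e.action == "spawn" and e.target in SCRIPT_HOSTS:
            return e.day, f"{e.process} launched scripting host {e.target}"
        if e.action == "write" and any(m in e.target.lower() for m in STARTUP_MARKERS):
            return e.day, f"{e.process} wrote to startup location {e.target}"
    return None

# Constructed telemetry for one suspect build of the conferencing app.
H = "00" * 31 + "01"  # placeholder hash, not a real indicator
EVENTS = [
    Event(date(2023, 3, 20), "conf-app.exe", H, "connect", "updates.example-conf.test"),
    Event(date(2023, 3, 22), "conf-app.exe", H, "connect", "cdn.unrelated-host.test"),
    Event(date(2023, 3, 23), "conf-app.exe", H, "spawn", "powershell.exe"),
]
SIGNATURE_PUBLISHED = date(2023, 3, 30)  # day the AV vendor shipped the hash

def detection_gap_days():
    """Days by which the behavioural verdict beats the signature verdict."""
    sig_day = signature_detect(EVENTS, {H}, SIGNATURE_PUBLISHED)
    beh_day, reason = behaviour_detect(EVENTS)
    return (sig_day - beh_day).days, reason

if __name__ == "__main__":
    print(detection_gap_days())  # (8, 'conf-app.exe contacted unexpected host cdn.unrelated-host.test')
```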

We hope this information explains the importance of upgrading your endpoint protection beyond traditional antivirus. CodeBlue recommends a Managed Endpoint Detection and Response platform.

If you have any concerns on your current security set-up, reach out via