Profile Applicability:
 • Level 2

Description:

Endpoint Detection and Response (EDR) tools are essential for monitoring and securing endpoint devices within an organization’s network. EDR solutions continuously monitor endpoint activity to detect suspicious behavior, vulnerabilities, or potential security incidents. Ensuring that the EDR tool is properly working involves verifying that the endpoint agents are active, data is being collected properly, and the EDR system is detecting and responding to threats effectively.

Rationale:

EDR tools help protect endpoints by providing real-time monitoring, detection, and response capabilities for any malicious or suspicious activity. Ensuring the functionality of EDR allows organizations to promptly identify, investigate, and mitigate threats, minimizing the risk of data breaches or system compromises. Regular checks on the EDR system ensure that security events are properly logged, analyzed, and remediated, supporting a proactive security posture.

Impact:

Pros:

  • Provides real-time monitoring and alerting of suspicious activity on endpoints

  • Enhances the ability to detect advanced threats, such as malware and ransomware, that traditional antivirus solutions may miss

  • Enables automated response and remediation to contain threats before they escalate

  • Integrates with other security tools (e.g., SIEM, SOC) to provide a comprehensive threat detection and response strategy

Cons:

  • Requires regular monitoring to ensure the EDR system is functioning correctly and detecting all relevant threats

  • Potential performance impact on endpoints due to constant monitoring and data collection

  • False positives may occur, requiring manual intervention to verify and analyze alerts

  • Configuration and fine-tuning of EDR policies can be complex, requiring skilled personnel

Default Value:

EDR tools may not be enabled by default on all endpoints. They require manual installation, configuration, and activation to ensure that endpoint devices are actively monitored and protected.

Pre-requisites:

  • IAM permissions to manage and configure EDR tools and endpoint security agents

  • EDR software deployed on all critical endpoints (e.g., workstations, servers, and mobile devices)

  • Access to the EDR dashboard for real-time monitoring and alerting

  • Defined policies for what constitutes suspicious or malicious behavior on endpoints

  • Integration with SIEM or other security monitoring tools for alerting and reporting

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to Amazon GuardDuty or any integrated EDR tool

  3. Verify that the EDR service is enabled and collecting data from endpoints

  4. Check for any active findings or alerts indicating suspicious or malicious activity

  5. Review the configuration to ensure that the EDR tool is monitoring all endpoints in the environment, including EC2 instances, workstations, and servers

  6. Ensure that the EDR service is integrated with other tools (e.g., AWS CloudWatch, AWS Security Hub) to provide consolidated alerts

  7. Test the system by simulating a benign security incident (e.g., an unsuccessful login attempt or file modification) and ensure it is detected and logged

Using AWS CLI:

List all findings from Amazon GuardDuty (if used for endpoint monitoring):

aws guardduty list-findings --detector-id <detector-id>

Describe a specific finding to review the detection details:

aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id>

Verify the status of endpoint agents (if using AWS Systems Manager for agent management):

aws ssm describe-instance-information

Confirm that the CloudWatch Logs group receiving EDR-related alerts exists (describe-log-groups filters by name prefix, not by exact name):

aws logs describe-log-groups --log-group-name-prefix <log-group-name>
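The CLI output from the test plan above still has to be evaluated against the expected state. The following added example (not part of the original benchmark text) does that evaluation offline: it takes the JSON that `aws guardduty get-detector` and `aws ssm describe-instance-information` would return, checks that the detector is ENABLED, and flags every expected instance whose agent is missing, not Online, or stale. The instance IDs, timestamps and the one-day staleness threshold are constructed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws guardduty get-detector --detector-id <detector-id>` output.
DETECTOR_JSON = '{"Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"}'

# Constructed sample of `aws ssm describe-instance-information` output.
SSM_JSON = """{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111", "PingStatus": "Online",
   "LastPingDateTime": "2024-05-01T10:00:00+00:00", "AgentVersion": "3.2.0.0"},
  {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost",
   "LastPingDateTime": "2024-04-20T08:00:00+00:00", "AgentVersion": "3.1.0.0"}
]}"""

# Constructed inventory of instances that must be covered (in practice taken
# from `aws ec2 describe-instances`); i-0ccc333 has no agent registered at all.
EXPECTED_INSTANCES = ["i-0aaa111", "i-0bbb222", "i-0ccc333"]

# Fixed "current time" so the staleness check is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def audit_edr_coverage(detector_json, ssm_json, expected_instances, now,
                       max_age=timedelta(days=1)):
    """Evaluate detector status and per-instance agent health.

    Returns {"compliant": bool, "issues": [str, ...]}; an empty issue list
    means the detector is enabled and every expected instance has an Online
    agent that has checked in within max_age.
    """
    issues = []
    detector = json.loads(detector_json)
    if detector.get("Status") != "ENABLED":
        issues.append("GuardDuty detector status is %s, expected ENABLED"
                      % detector.get("Status"))

    agents = {i["InstanceId"]: i
              for i in json.loads(ssm_json)["InstanceInformationList"]}
    for iid in expected_instances:
        info = agents.get(iid)
        if info is None:
            issues.append("%s: no SSM agent registered" % iid)
            continue
        last_ping = datetime.fromisoformat(info["LastPingDateTime"])
        if info["PingStatus"] != "Online" or now - last_ping > max_age:
            issues.append("%s: agent %s, last ping %s"
                          % (iid, info["PingStatus"], info["LastPingDateTime"]))
    return {"compliant": not issues, "issues": issues}
```

Run the audit as a scheduled job and route a non-empty issue list to the same alerting channel as the EDR findings, so a silently stopped agent is noticed as quickly as a detection would be.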

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to Amazon GuardDuty or your integrated EDR tool

  3. Enable the service by selecting Get Started or Enable GuardDuty

  4. Configure the service to monitor the necessary VPCs, EC2 instances, or on-premises endpoints

  5. Ensure that all endpoints, including EC2 instances and workstations, are covered by the EDR tool

  6. Integrate GuardDuty with AWS CloudWatch, Security Hub, or any other SIEM solution to centralize alerts and incident reporting

  7. Set up alerts for suspicious or malicious behavior and configure automated responses for detected incidents

  8. Perform a test detection (e.g., simulate an attempted attack or unauthorized access) to ensure the system functions as expected

  9. Review alert configurations and modify them based on your organization's risk profile to minimize false positives and maximize relevant threat detection

Using AWS CLI:

Enable Amazon GuardDuty (if using as an EDR solution):

aws guardduty create-detector --enable

Update the detector configuration, for example the frequency at which findings are published to CloudWatch Events and Security Hub:

aws guardduty update-detector --detector-id <detector-id> --finding-publishing-frequency <frequency>

Check the status of GuardDuty and its findings:

aws guardduty list-findings --detector-id <detector-id>

Configure integration with AWS Security Hub for centralized incident management:

aws securityhub enable-security-hub

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to Amazon GuardDuty or your integrated EDR tool

  3. Disable the EDR service by selecting Disable GuardDuty or Disable service

  4. Revert any changes made to the VPC or EC2 instances, such as removing agent installations or restoring previous configurations

  5. Test the system by re-enabling GuardDuty or the EDR solution and verifying that it resumes monitoring and detection

Using AWS CLI:

Disable Amazon GuardDuty:

aws guardduty update-detector --detector-id <detector-id> --no-enable

Revert any agent configurations or manual monitoring settings:

aws ssm deregister-managed-instance --instance-id <instance-id>

References: