
Why does ANSSI recommend the use of an EDR?

EDR & ANSSI: recommendations

Why does ANSSI recommend the use of Endpoint Detection & Response (EDR) protection to neutralize advanced cyberthreats?

The cyber threat level has never been so high. ANSSI (Agence nationale de la sécurité des systèmes d'information), in its latest available activity report (dated 2021), reveals that reports linked to ransomware (rançongiciels in French) have multiplied by 4 compared to 2019. And no sector has been spared: business, industry, local authorities, healthcare establishments...

The cyberthreat is polymorphous, ranging from attacks that target human vulnerabilities (phishing in particular) to those that exploit exposed network ports. A software flaw can compromise the IS through the injection of malicious code (a wiper, for example). In the face of these advanced threats, which can target any link in the chain and any terminal connected to the IS, traditional defense tools such as antivirus software are showing their limitations, because they only detect malware previously identified in their database. They then act by deleting or quarantining files bearing the signature of known malware. As a result, it is estimated that less than half of all cyber-attacks are detected by traditional antivirus software.

An EDR solution is therefore recommended to raise alerts and to trigger automatic actions that mitigate or even neutralize an attack. Once the preserve of the largest companies, EDR protection is now becoming more widely available. We explain what it's all about, and why Scalair has chosen the French solution HarfangLab (ANSSI certified) for its managed EDR offering.

Facing up to protean and sophisticated threats: the need for multi-level, multi-technology security

To detect the presence of a malicious program on a computer, an antivirus (also known as an EPP: Endpoint Protection Platform) relies on a database of signatures, regularly updated by the publisher. This is the first level of protection, necessary to curb the most banal threats, those aimed at the masses.

However, while cybercriminals continue to exploit known malware or easily detectable variants, over the last few years we have seen the development of more sophisticated attacks, designed precisely to go undetected and causing ever greater damage. Such is the case of the Advanced Persistent Threat (APT), a type of high-level, stealthy intrusion capable of remaining in the IS for a long period of time and acting undetected.

What's more, an EPP cannot trace a hacker's actions, nor provide global visibility across an entire estate. This makes it impossible to identify the path of infection and/or the perimeter targeted, and the data compromised.

EDR protection combines several engines, some based on signature databases, others on artificial intelligence, to perform real-time behavioral analysis.

In other words, EDR protection can detect abnormal behavior and attacker movements on a workstation or server, with the aim of blocking the attack before it reaches its objective (exfiltration, modification, destruction, data encryption...). If necessary, EDR protection alerts you and reacts according to defined policies, for example by isolating the machine and stopping processes. If we refer to the intrusion kill chain model, which details the various phases of a cyber attack, the aim is to detect the attack as early as the reconnaissance phase, to prevent the attacker from going any further: intrusion, weaponization via a virus or worm, setting up a back door, exploitation...

ANSSI recommendation: Remedy and improve

Unlike a traditional antivirus, which scans the system at regular intervals and isolates or deletes corrupted files without detailing the damage already done by malicious programs before they were detected, an EDR provides precise information on the attack scenario, the movements of the malicious program and their consequences.

This makes it possible to trace the vector of infection, the program or programs affected, and the processes used to pivot to another machine and compromise it. This is invaluable information for taking the right remediation measures (triggered automatically and/or via human intervention), containing the attack, returning to the initial state as quickly as possible and drawing useful lessons for improving IS security: network segmentation, management of privileged access, etc.

How does EDR protection work? What impact on performance?

In practical terms, an agent is installed on each machine, workstation and server. These agents embed the detection engines and enable attacks to be identified and blocked by acting as close as possible to the threat, within the terminal itself. The engines identify known attack scenarios and, thanks to artificial intelligence, are also capable of proactively detecting new forms of attack, using predictive models.

This advanced protection is not resource-hungry: deployed in 10 seconds, an agent generally consumes less than 1% of the CPU and less than 100 MB of RAM.

The EDR reports security events to a centralized console, where an analyst can qualify incidents by indicating whether they are the result of legitimate or malicious action. This console enables the fleet to be monitored in real time, and alert and remediation policies to be defined.

In principle, it's quite simple. The added value of SOC analysts lies in the analysis and interpretation of the alerts and information brought back by the EDR: the AI learns which behaviors are to be considered normal given your organization's practices and the authorizations of the users concerned, which over time reduces false positives and improves the effectiveness of protection. For example, it may be considered legitimate for a user to use PowerShell scripts, whereas in other contexts this same action could be considered suspicious behavior. The teams who will have to deal with security events go through a learning process of their own.
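As an added illustration that is not part of the original article and is not HarfangLab's or Scalair's code, here is a toy model of the triage loop just described: agents report process events to a console, a policy states which user groups are expected to use which tools, and analyst verdicts are learned so that behaviour already qualified as legitimate stops raising alerts. All users, groups, hosts and events are constructed.

```python
from dataclasses import dataclass, field

# Constructed policy: tools each user group is expected to use (assumption).
POLICY = {
    "sysadmin": {"powershell.exe", "cmd.exe", "psexec.exe"},
    "accounting": {"excel.exe", "outlook.exe"},
}
USER_GROUP = {"alice": "sysadmin", "bob": "accounting"}  # constructed users
HIGH_RISK_TOOLS = {"powershell.exe", "psexec.exe"}  # high severity outside their group


@dataclass
class Console:
    """Central console: holds analyst verdicts and applies the alert policy."""
    learned_legitimate: set = field(default_factory=set)  # (user, process) pairs

    def qualify(self, user, process, verdict):
        """Analyst verdict; only 'legitimate' suppresses future alerts."""
        if verdict == "legitimate":
            self.learned_legitimate.add((user, process))
        else:
            self.learned_legitimate.discard((user, process))

    def triage(self, event):
        """Return None for expected behaviour, else an alert with its action."""
        user, proc = event["user"], event["process"].lower()
        group = USER_GROUP.get(user, "unknown")
        if proc in POLICY.get(group, set()) or (user, proc) in self.learned_legitimate:
            return None
        severity = "high" if proc in HIGH_RISK_TOOLS else "medium"
        # Remediation policy: contain high-severity cases automatically,
        # leave medium ones for the SOC analyst to qualify.
        action = "isolate_host+kill_process" if severity == "high" else "analyst_review"
        return {"host": event["host"], "user": user, "process": proc,
                "severity": severity, "action": action}


# Constructed process-start events as agents would report them.
EVENTS = [
    {"host": "ws-01", "user": "alice", "process": "powershell.exe"},
    {"host": "ws-07", "user": "bob", "process": "powershell.exe"},
    {"host": "ws-07", "user": "bob", "process": "notepad.exe"},
]


def run_demo():
    """First pass alerts on bob's PowerShell; after the analyst qualifies it, it no longer does."""
    console = Console()
    first = [console.triage(e) for e in EVENTS]
    console.qualify("bob", "powershell.exe", "legitimate")
    second = [console.triage(e) for e in EVENTS]
    return first, second
```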

Managed EDR: delegate the analysis of your security alerts to experts

The challenge, especially in small companies, is that IS administrators can't be both focused on the business and trained in cybersecurity, which requires daily involvement. This is why Scalair offers a managed EDR, based on the French EDR software HarfangLab (see box below). In other words, Scalair's SOC team monitors all your security events and provides you with the initial remediation elements. In this way, you avoid having to mobilize in-house resources, and benefit from the know-how of experts trained in threat detection.

On request, Scalair's SOC team can also carry out more in-depth investigations, known as forensic analysis. This analysis enables us to understand in detail the mechanics of an attack, to better protect ourselves, but also to reassure ourselves and possibly our customers and partners after an attack. If personal data has been stolen, the incident must be reported to the CNIL.

Harfang, a tool made in France recommended by ANSSI

HarfangLab is a tool developed by a French team, based in Paris. It is the 1st (and only) EDR certified by ANSSI, which praises its robustness and efficiency. In addition to the pride of working with a French player internationally recognized in its field of expertise, it also follows an ANSSI recommendation to adopt a strategy of diversifying cybersecurity solutions. It is not advisable to "put all your eggs in one basket". By adopting "bundled" solutions, we run the risk that a compromise by the vendor in question will bring down all the security barriers protecting us.

HarfangLab, which is now compatible with Windows and Linux, claims to protect over 500,000 endpoints by 2022. Last but not least, the tool obviously complies with French and European data protection regulations. Customers retain ownership of their data, and can adjust their architecture to the levels of confidentiality required by their business.

HarfangLab integrates easily with other cybersecurity solutions you may have, and is a member of the OpenXDR consortium (see below).

https://www.youtube.com/watch?v=QsO1QpJ6Uwo

HarfangLab EDR managed by Scalair: what services does it provide?

Today, Scalair is one of the few HarfangLab MSSPs in France, authorized to resell this solution in SaaS mode (hosted in the Cloud) and to manage it on behalf of its customers. This is known as Managed Detection & Response (MDR).

Invoicing is based on the number of machines to be protected. It includes the license for the tool and the time of our SOC team of ten cybersecurity specialists. You therefore benefit from proactive protection against advanced cyberthreats, based on both the artificial intelligence of the HarfangLab tool and the expertise of our cybersecurity engineers. There's no time commitment. Give it a try!

XDR: the future of cybersecurity lies in cooperation

While the combination of an EPP and an EDR constitutes an effective barrier against a large number of cyberattacks, complementary tools can be deployed to deal with more specific threats, such as those targeting smartphones (with a solution such as Pradeo) or email (Vade, which is the leader in Office 365 protection).

These different building blocks can be combined to adapt the level of security to the criticality of your activities and the budget you have available. Finally, they can be interconnected and orchestrated by SIEM and SOAR-type tools (such as sekoia.io). These tools are useful for avoiding the multiplication of silos and management interfaces, and for improving security supervision.

The French publishers cited as examples have joined forces in the European Open XDR Platform project to improve cooperation.

SIEM: Security Information and Event Management

SOAR: Security Orchestration, Automation and Response
