AVLab - EDR-XDR solutions overview - visibility of attacks in telemetry based on offe
#1
Bug 
Quote: EDR-XDR solutions overview - visibility of attacks in telemetry based on offensive fileless attacks

We have published a report on checking products with EDR-XDR functionalities based on simulated fileless attacks. The matter is simple in the case of rather well-known attacks. However, more complex attacks may not be noticed by the product. It's not a big deal if there are some minimal traces of the attack, some telemetry - that was the purpose of this test.

Based on the data collected, we believe that the most important thing is that the product records traces of attacks in the administrator console. It does not matter if these events are processed automatically or manually by a team of qualified employees. The product must provide visibility into system events along with telemetry that allows one to understand the context of the attack and capture the necessary technical details.

Testing solutions for business

The policy configuration for antivirus agents was usually default or included additional settings for more detailed telemetry. Importantly, we did not disable antivirus protection or any other features. Solutions that had to be assigned a predefined agent configuration after installation were configured with the most hardened settings possible to achieve detailed visibility into the attack chain and telemetry, which was the goal of this test. At the request of the developers, we assigned the proposed settings.
  1. Emsisoft Enterprise Security + EDR: default settings.
  2. Eset Protect Elite + XDR: default settings + all rules for EDR enabled.
  3. Microsoft Defender for Business + EDR: default settings.
  4. Metras: default settings.
  5. Xcitium Advanced + EDR: predefined policy 8.1.
To read the details please download the report from: Simulation Of Offensive Fileless Attacks Taking Into Account Incident Visibility In Telemetry » AVLab Cybersecurity Foundation