Endpoint Detection and Response
  • 21 Mar 2025
WHAT IS ENDPOINT DETECTION AND RESPONSE AND WHY IS IT IMPORTANT?

Endpoint Detection and Response (EDR) refers to security software installed on devices, such as servers and end-user devices like laptops and desktops, to safeguard them from potential threats, including malicious software.

DataBee compares information compiled for Asset Management against the list of devices that have EDR installed, and which are reporting back to the EDR console. Your EDR tool reports where it is running, but it does not report on other devices in your network where you intend for it to be installed but it is missing. By checking the list of assets where EDR is installed and reporting to its console against the inventory of assets that DataBee has compiled, DataBee can report on assets where you expect EDR to be running, but it isn’t.

Endpoint Detection and Response helps to prevent or control the installation, spread, and execution of malicious code, and to support the response once such code is found.

CONTROLS THIS DASHBOARD REPORTS ON

The Endpoint Detection and Response dashboard reports on your organization’s level of compliance with these controls:

NIST CSF v2.0: Subcategory DE.CM-09 - Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

PCI-DSS v4.0.1: Requirement 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.

CIS CSC v8.1: Safeguard 10.1 Deploy and Maintain Anti-Malware Software

PRIMARY KEY PERFORMANCE INDICATOR (KPI)

The dashboard reports on this Primary KPI:

Numerator: Assets where EDR is installed and has reported to the EDR console in the last 7 (customer-configurable) days

Denominator: All assets where EDR is expected to be installed and executing (the expected set is also customer-configurable)

COLUMNS DISPLAYED ON THE DETAIL DASHBOARD

  • Compliance Status – Does the device have EDR installed, and has it reported to the EDR console in the last 7 days?
  • EDR Hostname, EDR Source, EDR IP, EDR MAC, EDR Device Type – Device identifiers per the EDR solution
  • EDR First Seen Date, EDR Last Seen Date – First and last dates when EDR was reported on the device by the EDR console
  • Is EDR Scanned – Whether the EDR solution has reported scanning in the last 7 days
  • Hostname, MAC, IP – Asset identifiers from the asset inventory
  • OS Name, OS Version – Asset operating system from the asset inventory
  • Device Name, Device Type
  • Authorization Status – Is the asset authorized to connect to the organization’s network?
  • Asset First Seen Date, Asset Last Seen Date
  • PCI Context – Is the asset documented in the CMDB as in scope for PCI DSS?
  • Inventory Source – CMDB or other source
  • Owner Full Name, Owner Email Address, Owner Employee ID, Owner Job Title – Asset owner information
  • Manager Employee ID, Manager Email Address, Manager Full Name – Asset owner's manager
  • Executive VP, Senior VP, VP / Executive Director – Management chain for the asset owner
  • Level 5, Level 6 – Additional levels of management for the asset owner
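The reconciliation the KPI section and the Compliance Status / Is EDR Scanned columns describe can be illustrated with a small script. The example below is added here and is not DataBee code or a DataBee API; it uses constructed inventory and EDR console rows, matches them on MAC address with hostname as a fallback, applies the 7-day window, and derives the numerator and denominator the dashboard reports. Field names such as `edr_expected`, `last_seen` and `last_scan` are assumptions chosen for the example, not OCSF attribute names.

```python
from datetime import date, timedelta

WINDOW_DAYS = 7            # the "customer configurable" reporting window
AS_OF = date(2025, 3, 21)  # evaluation date (constructed)

# Constructed asset inventory rows, standing in for Device Inventory Info.
# edr_expected mirrors the customer-configurable "EDR expected" scope.
ASSETS = [
    {"hostname": "WS-001",    "mac": "00:11:22:33:44:01", "os": "Windows 11",   "edr_expected": True},
    {"hostname": "ws-002",    "mac": "00:11:22:33:44:02", "os": "Windows 11",   "edr_expected": True},
    {"hostname": "srv-db-01", "mac": "00:11:22:33:44:03", "os": "Ubuntu 22.04", "edr_expected": True},
    {"hostname": "printer-7", "mac": "00:11:22:33:44:04", "os": "Embedded",     "edr_expected": False},
]

# Constructed EDR console export: the hosts the agent has checked in from.
EDR_REPORTS = [
    {"hostname": "ws-001", "mac": "00:11:22:33:44:01",
     "last_seen": date(2025, 3, 20), "last_scan": date(2025, 3, 19)},
    {"hostname": "ws-002", "mac": "00:11:22:33:44:02",
     "last_seen": date(2025, 3, 1), "last_scan": date(2025, 3, 1)},   # stale agent
    {"hostname": "contractor-laptop", "mac": "aa:bb:cc:dd:ee:ff",
     "last_seen": date(2025, 3, 21), "last_scan": None},              # unknown to CMDB
]


def reconcile(assets, edr_reports, as_of=AS_OF, window_days=WINDOW_DAYS):
    """Build one detail row per inventory asset, as the detail dashboard does."""
    cutoff = as_of - timedelta(days=window_days)
    # Normalise identifiers so "WS-001" from the CMDB matches "ws-001" from the EDR.
    by_mac = {r["mac"].lower(): r for r in edr_reports}
    by_host = {r["hostname"].lower(): r for r in edr_reports}
    rows = []
    for a in assets:
        edr = by_mac.get(a["mac"].lower()) or by_host.get(a["hostname"].lower())
        reported_recently = edr is not None and edr["last_seen"] >= cutoff
        scanned_recently = (edr is not None and edr["last_scan"] is not None
                            and edr["last_scan"] >= cutoff)
        if not a["edr_expected"]:
            status = "Not Applicable"        # outside the expected-EDR scope
        elif reported_recently:
            status = "Compliant"
        else:
            status = "Non-Compliant"         # missing agent, or agent silent > window
        rows.append({
            "hostname": a["hostname"],
            "edr_expected": a["edr_expected"],
            "edr_installed": edr is not None,
            "edr_last_seen": edr["last_seen"] if edr else None,
            "compliance_status": status,
            "is_edr_scanned": scanned_recently,
        })
    return rows


def edr_coverage_kpi(rows):
    """Numerator: in-scope assets reporting within the window; denominator: all in-scope assets."""
    in_scope = [r for r in rows if r["edr_expected"]]
    numerator = sum(1 for r in in_scope if r["compliance_status"] == "Compliant")
    denominator = len(in_scope)
    pct = round(100.0 * numerator / denominator, 1) if denominator else 0.0
    return numerator, denominator, pct


def unmatched_edr_hosts(assets, edr_reports):
    """Hosts the EDR console knows about but the asset inventory does not (an inventory gap)."""
    known = {a["mac"].lower() for a in assets} | {a["hostname"].lower() for a in assets}
    return [r["hostname"] for r in edr_reports
            if r["mac"].lower() not in known and r["hostname"].lower() not in known]


if __name__ == "__main__":
    detail = reconcile(ASSETS, EDR_REPORTS)
    for row in detail:
        print(f'{row["hostname"]:<10} {row["compliance_status"]:<15} scanned={row["is_edr_scanned"]}')
    num, den, pct = edr_coverage_kpi(detail)
    print(f"EDR coverage KPI: {num}/{den} = {pct}%")
    print("EDR hosts missing from inventory:", unmatched_edr_hosts(ASSETS, EDR_REPORTS))
```

Two points the sample data is built to show: an agent that is installed but has not checked in within the window (ws-002) counts against the numerator just like a host with no agent at all (srv-db-01), and a host the EDR console sees but the inventory does not (contractor-laptop) never enters the KPI, so it is worth surfacing separately as an asset-management gap.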

OCSF TABLES USED BY THE DASHBOARD

Device Inventory Info [5001]

User Inventory Info [5003]
