Angostura 5 days ago

A note to the author: if you are going to include “ EDR and EPP” in the intro, please spell them out on first use

  • gpvos 5 days ago

    EDR = Endpoint Detection and Response, EPP = Endpoint Protection Platform. The main difference, I gather from Wikipedia, is that EDR mainly alerts, and EPP actually stops the attack.

    • qual 5 days ago

      More precisely, EDR (sometimes EDTR -- endpoint detection and threat response) is one component of a robust endpoint protection platform.

      EPPs will consist of threat detection and response (EDR), as well as proactive prevention, vulnerability management, threat intelligence, data-loss prevention, encryption management, etc.

    • kemotep 5 days ago

      I have never heard of EPP but the premium version of Microsoft Defender and things like SentinelOne bill themselves as EDR and do in fact have response features to be able to delete the virus files or disable network access of the compromised device, kill running services, etc.

      The R stands for Response.

      • technion 5 days ago

        Marketing for both of these companies now claims EDR is obsolete and calls out the risk of using an EDR product, with XDR being the cool acronym of the month to sell.

  • serhack_ 5 days ago

    I'm not the author, but I'll try to let them know :-)

FrostKiwi 5 days ago

Great deep dive! Always wondered about the details around this topic.

Did a bit of red teaming around the topic of reverse shells and privilege escalation and was pleasantly surprised how much Windows Defender catches. Our IT department recently switched away from a paid McAfee service doing endpoint security, which failed to detect unauthorized access in many instances.

Also, I totally read the intro as "addressing the ERP use-case"

  • Cthulhu_ 5 days ago

    ERP being "erotic roleplay"?

    • shubb 3 days ago

      You mean all those finetunes on huggingface aren't SAP copilots?

  • zelon88 5 days ago

    McAfee sold its Enterprise division in 2021. Ever since, they have primarily focused on scaring boomers into subscription plans. They used to have an on-prem EDR platform called McAfee EPO, but I think that was replaced with some cloud-hosted subscription garbage. I won't use cloud-based security products. On-prem security should have an on-prem solution. Anyone who says otherwise gets their paycheck by hawking servitization or hosting data. The reasons for outsourcing are weak.

    To your point about reverse shells: last time I tried, about 2 years ago, meterpreter was still sneaking past almost everything. There are some tools on GitHub for detecting it, but it is very good at evading detection in general.

    • lucasRW 5 days ago

      Highly doubt that... To be certain about dates, as these things move fast, I refer to the OSEP course from Offensive Security, which is mostly about evasion. The course was released in 2021 and became necessary after the infamous OSCP, since most payloads became detected by antivirus, which is basically the starting point of that course: a default MSF payload, even with various encodings, will trigger 50% or more of AVs on VirusTotal.

      • zelon88 5 days ago

        So you describe a 50% failure rate and you doubt me? I believe you have a false sense of confidence in your suppliers and their products. Have fun rebuilding your house of cards over and over again. Being dismissive about security is the lowest hanging fruit there is.

        • lucasRW 5 days ago

          I describe 50% of AV products detecting something you said was "sneaking past almost everything".

    • gradyfps 5 days ago

      McAfee ePO is the product that became Trellix ePO after McAfee Enterprise was sold off.

  • dspillett 5 days ago

    > which failed to detect unauthorized access in many instances.

    Did something else detect them in a timely manner, or did you find evidence later as part of some sort of audit?

    (or was the inadequacy found via staged penetration testing?)

vegadw 4 days ago

I wish that on a positive find Defender had a "for the nerds" section that says what exactly was found. Was there a URL regex match, like this article gives an example for? Tell me that. I get enough false positives that I want to be able to vet them myself, but that's hard to do without just trusting the source if all I get is a "This has been quarantined" without telling me why beyond a broad class of types of malware.
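Defender does not expose the matching rule or regex, but it records more per-detection detail than the quarantine pop-up shows. The following is an added example (not code from the article or from the commenter above) showing how to pull that detail from the built-in Defender PowerShell module and from the Defender operational event log; it assumes a Windows host with Defender enabled and rights to read that log.

```powershell
# Added example: enumerate what Defender actually recorded for each detection.
# Assumes the built-in Defender module (Get-MpThreat / Get-MpThreatDetection)
# and read access to the "Microsoft-Windows-Windows Defender/Operational" log.

# 1. Structured detection records. Get-MpThreat gives the catalogue entry
#    (name, severity); Get-MpThreatDetection gives each occurrence, including
#    the resources (file:_, url:_, process:_ ...) the engine matched on.
$threatsById = @{}
Get-MpThreat | ForEach-Object { $threatsById[$_.ThreatID] = $_ }

$detections = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 20 |
    ForEach-Object {
        $catalog = $threatsById[$_.ThreatID]
        $name = if ($catalog) { $catalog.ThreatName } else { "ThreatID $($_.ThreatID)" }
        [pscustomobject]@{
            Time       = $_.InitialDetectionTime
            ThreatName = $name
            Severity   = if ($catalog) { $catalog.SeverityID } else { $null }
            Process    = $_.ProcessName
            User       = $_.DomainUser
            SourceType = $_.DetectionSourceTypeID   # numeric: real-time, on-demand, AMSI, etc.
            Resources  = ($_.Resources -join '; ')  # the concrete files/URLs that triggered it
            Status     = $_.ThreatStatusID
            Success    = $_.ActionSuccess
        }
    }

$detections | Format-Table -AutoSize -Wrap

# 2. The operational log carries the same events (1116 = malware detected,
#    1117 = action taken) and its messages include the engine and signature
#    versions that fired, which is what you need to tie a suspected false
#    positive to a particular definitions update.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { $_.Message -replace "`r?`n", ' | ' } } |
    Format-List
```

This still only tells you the threat family name, the matched resource and the signature version, not the byte pattern or URL regex that fired; for that you are back to trusting the vendor or submitting the sample for analysis. It is enough, though, to tell a real-time file hit from an AMSI script-block hit or a URL block, and to spot when a wave of alerts started with a specific definitions update.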

RachelF 4 days ago

Nice big attack surface there. I wonder what's to stop someone modifying the vdx virus definition files to include something like Edge.exe or Explorer.exe?

banish-m4 5 days ago

MDE plan 2 had problems where MS was pushing out under-tested signatures. One time, they pushed out defs that deleted all menu shortcuts for some users, leading them to believe all of their software had been uninstalled.

InDubioProRubio 5 days ago

Thought it would mention at least the slow-down bug, which slows some systems to a crawl as soon as Defender scans some folders.