Endpoint Detection and Response (EDR) Solutions for IT and OT/ICS

Endpoint Detection and Response (EDR) Solutions for IT and OT/ICS
Endpoint Detection and Response (EDR) Solutions for IT and OT/ICS

Endpoint Detection and Response (EDR) solution, in addition to an essential security controls within an enterprise/IT on endpoints (servers, laptops, desktops), are now becoming also a critical need for securing endpoints within the critical infrastructure Operational Technology (OT) / industrial Control systems ICS environments. This provides adequate protection against growing and sophisticated cyberthreats like Ransomware and other forms of malware or malware-less attacks on the IT, OT/ICS or factory or automation or production control networks (all these terms are used).

However, implementing such EDR solution requires careful planning and execution to avoid any downtime or disruptions both to enterprise applications environment (in IT) and to production operations (in OT/ICS).

Note: EDR solutions are not like Endpoint protection solutions which uses antivirus features, inspection of files for corruption or analyze for suspicious behavior, against known signatures database, detect and prevent mostly known attacks. EDR solutions uses (typically cloud based) Machine Learning (ML), Artificial intelligence (AI), behavior analytics and threat intelligence (TI) to detect threats and take the additional step of acting to eradicate threats and neutralize existing attacks by actively blocking and or isolating endpoints.   


Threat landscape and business needs

Ransomware attacks have surged since last few years and 2023 is no exceptions, rather seen a rise in such attacks. We've all seen some significant supply chain disruptions due to global ransomware attacks on small to large enterprise organizations. One (of the many) very recent example is highlighted below:

Businesses wants to minimize the number of endpoint security control solutions deployed for ease of management and for minimizing the impact on performance (especially the number of agents running on any given endpoint) and ultimately the production environment. The typical control requirements from such solutions are (but not limited to):

Note: cloud native/containers and other special purpose endpoint detection and response controls may exists (/need to have) as well - (not included here).

A critical telemetry source
EDR solutions are at the heart of, and one of the main, telemetry / log source (critical) as part of any broader XDR/MDR cybersecurity monitoring strategy.


EDR solution selection:

Feature comparison
Mapping your business requirements both in IT and OT ensures that required telemetry is provided by your selected EDR tool is a required activity. This can be achieved using feature comparison and requirements analysis and or running a Proof of Concept exercise. Industry analyst reports could be another source for understanding products capabilities, strengths/weaknesses and company direction.


IT/OT EDR project execution strategy

For details on executing such complex deployment or implementation projects, both in IT & OT/ICS environments please refer to #SecuringThings whitepaper by M. Yousuf Faisal here.

Documentation
Documentation of such implementation is critical, both in terms of guidance for IT users and Plant Users as well as guidance for implementation, back-end operations and maintenance teams (e.g, or plant project engineering team).


Relying on EDRs only

EDR solutions are one part of an IT and OT/ICS environments defense-in-depth layered model and not an all protection/detection solutions for all your cybersecurity needs. Solely relying on EDRs will expose your IT and OT environments for potential bypass/tampers and related attacks of such EDR solutions. Few reference examples below:

This feature originally appeared on the ISA Global Cybersecurity Alliance blog.

About The Author


M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has more than two decades of industry experience in technology and cybersecurity, helping organization across multiple industry sectors worldwide, secure their digital transformation journey. As founder of “Securing Things," currently offering Cybersecurity Advisory and Consulting services, training and solutions, both IT & OT/ICS/IOT environments. He holds a B.E. Electrical and an Executive MBA degree.

Reach out or get in touch at [email protected] for any business needs, project support, discussions and or simply information sharing. Follow or connect with me for future posts, interest, simply discussions:


Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..

Subscribe