How Symantec EDR fits into your cybersecurity framework

In February 2014, the Commerce Department's National Institute of Standards and Technology (NIST) created the Framework for Improving Critical Infrastructure Cybersecurity 1.0 (the "Framework"). The Framework was designed to help organizations plan for and address cybersecurity threats. The table Cybersecurity core functions describes how Symantec Endpoint Detection and Response can help your organization with cybersecurity preparedness, detection, and response.
Cybersecurity core functions

| Function | Description |
| --- | --- |
| Identify | Perform an internal assessment of your organization to identify your potential risks and security goals. Develop a risk management strategy based on your business needs. |
| Protect | Symantec EDR's network control point analyzes incoming data streams while they travel through the network. Symantec EDR uses this information to create events and generate incidents to help you find potential threats in your environment. When you configure Symantec EDR to use the inline block operation mode, Symantec EDR blocks access to the files and external computers that it detects are malicious. You can further control the files and websites that Symantec EDR blocks or doesn't block through Blacklist and Whitelist policies. Symantec EDR may be unable to block 100% of malicious detections, such as FTP file downloads. When you integrate Symantec EDR with SEP, you can also perform remediation tasks through the EDR appliance console (such as deleting infected files). |
| Detect | When you integrate the Symantec EDR network control point with SEP and Email Security.cloud, the Synapse cloud service can correlate events from each product to give you a comprehensive picture of threats to your network, endpoints, and email system. Symantec EDR shows the threats that it detects on the Dashboard and in the Incident Manager. You can also view all the events that have occurred in your organization chronologically. Use Symantec EDR to search for indicators of compromise (IOC) and to find artifacts. Symantec EDR can search for these items in the Symantec EDR database and on your endpoints. If you enable the endpoint activity recorder, it can also search within the endpoint's activity recorder. Symantec EDR can automatically send you notifications when incidents are created. It can also log events to syslog so that you can import them into your security information and event management (SIEM) system. |
| Respond | Symantec EDR provides one-click containment and remediation capabilities that work across the endpoint, network, and email control points. For example, you can delete a malicious file from an endpoint or isolate a breached endpoint. |
| Recover | After a threat has been contained, follow these best practices to analyze how the breach occurred and to prevent similar breaches in the future. You can also run reports, which are useful for analyzing the number and types of attacks that occurred in your environment. |
Additional resources