How Symantec EDR fits into your cybersecurity framework
In February 2014, the Commerce Department's National Institute of Standards and Technology (NIST) created the Framework for Improving Critical Infrastructure Cybersecurity 1.0 (the "Framework"). The Framework was designed to help organizations plan for and address cybersecurity threats.
The table Cybersecurity core functions describes how Symantec Endpoint Detection and Response can help your organization with cybersecurity preparedness, detection, and response.
Cybersecurity core functions

Identify
Perform an internal assessment of your organization to identify your potential risks and security goals. Develop a risk management strategy based on your business needs.

Protect
Symantec EDR's network control point analyzes incoming data streams while they travel through the network. Symantec EDR uses this information to create events and generate incidents to help you find potential threats in your environment. When you configure Symantec EDR to use the inline block operation mode, Symantec EDR blocks access to the files and external computers that it detects are malicious. You can further control the files and websites that Symantec EDR blocks or doesn't block through Blacklist and Whitelist policies. Symantec EDR may be unable to block 100% of malicious detections, such as FTP file downloads.
When you integrate SEP, you can also perform remediation tasks through the EDR appliance console (such as deleting infected files).

Detect
When you integrate the Symantec EDR network control point with Email Security.cloud, the Synapse cloud service can correlate events from each product to give you a comprehensive picture of threats to your network, endpoints, and email system.
Symantec EDR shows the threats that it detects on the Dashboard and in the Incident Manager. You can also view all the events that have occurred in your organization chronologically.
You can use Symantec EDR to search for indicators of compromise (IOC) and to find artifacts. Symantec EDR can search for these items in the Symantec EDR database and on your endpoints. If you enable the endpoint activity recorder, it can also search within the endpoint's activity recorder.
Symantec EDR can automatically send you notifications when incidents are created. It can also log events to syslog so that you can import them into your security information and event management (SIEM) system.

Respond
Symantec EDR provides one-click containment and remediation that works across the endpoint, network, and email control points. For example, you can delete a malicious file from an endpoint or isolate a breached endpoint.

Recover
After a threat has been contained, follow these best practices to analyze how the breach occurred and to prevent similar breaches in the future. You can also run reports, which are useful for analyzing the number and types of attacks that occurred in your environment.