
MaxPatrol EDR

Product
Developers: Positive Technologies
System premiere date: 2023/10/09
Last Release Date: 2025/04/10
Technology: Information Security Management (SIEM)


Main article: Security Information and Event Management (SIEM)

2025: MaxPatrol EDR 7.2 with support for 25 operating systems

Positive Technologies has introduced an updated version of its product for detecting and responding to cyber threats on end devices, MaxPatrol EDR 7.2. The solution now supports three times as many operating systems common in Russia: companies can protect end devices running the latest versions of Windows, Debian, Astra Linux, Alt, RED OS and others.

Positive Technologies experts regularly monitor the market and the release of new versions of Russian and foreign operating systems, collect statistics on pilot project requests, and analyze the popularity of various operating systems among users. This allows coverage of devices running the most popular software to be added to MaxPatrol EDR quickly.

MaxPatrol EDR 7.2 users can detect threats on end devices running more than 25 operating systems, including Windows 11 and Debian 12. Support for Ubuntu 22.04 LTS and 24.04 LTS has also been implemented. According to a Stack Overflow survey, Ubuntu is the third most popular operating system among developers worldwide.

The product now works with the latest versions of domestic systems: RED OS Workstation 8.0, Astra Linux Special Edition 1.8, Alt Workstation 10.2 and Alt Server 9. The expanded OS support in MaxPatrol EDR will help ensure reliable protection of end devices in state-owned companies, which have been required to switch to Russian operating systems from the beginning of 2025.

"MaxPatrol EDR plays a large role in the implementation of comprehensive infrastructure protection projects. It is important for Positive Technologies that the product can protect as many end devices as possible in organizations. That is why we have tripled support for operating systems common on the Russian market, and we plan to continue to quickly add fresh versions of the OS," said Sergey Lebedev, head of the department for the development of means of protecting workstations and servers, Positive Technologies. "We want EDR agents to develop and be able to integrate into infrastructure of any complexity, so, in addition to antivirus technologies, this year we will pay special attention to improving the level of fault tolerance, manageability and installation quality."

MaxPatrol EDR has also expanded its feature set. For example, a host isolation module for Linux systems has appeared, which blocks network traffic, along with an Event Tracing for Windows (ETW) module. The latter provides more detailed information about operating system activity and improves the quality of threat detection. Positive Technologies specialists are also extending the capabilities of MaxPatrol EDR through integration with other products: information security staff can now add exceptions to correlation rules using tabular lists from MaxPatrol SIEM, which further reduces the number of false positives from rules.

The product also continues to improve in terms of incident response. A module has appeared that remotely shuts down workstations protected by the product. This makes it possible to block suspicious or potentially dangerous activity and stop an attack from developing if other methods do not help. In addition, information security specialists can now independently reboot target devices when they need to install updates that fix vulnerabilities.

2024

MaxPatrol EDR 7.0 with a Windows audit configuration module

Positive Technologies has released an updated version of its product for detecting and responding to cyber threats on end devices, MaxPatrol EDR 7.0. The company announced this on November 13, 2024. The update is aimed primarily at large organizations with a distributed infrastructure. The system allows users to respond to incidents from external systems via an API, perform actions on many agents at once, add their own detection rules, and create and replicate custom security policy templates. Support for a failover clustered installation of management servers has also been added. These features are intended to let users speed up response to detected incidents tenfold and let organizations reduce the operating costs of deploying and scaling the system.

MaxPatrol EDR is already used in large, geographically distributed IT infrastructures. Given the needs of such customers, their experience of repelling real attacks, and the specifics of deploying security tools, Positive Technologies experts have improved the product so that it is easy and convenient to use. More efficient predefined detection policies have been added, as well as the ability to create templates from your own policies and replicate them between branches of the organization. A module for configuring Windows audit parameters has appeared. These updates will reduce the cost of deploying the system in the largest infrastructures and provide a centralized process for identifying attackers, which is especially important for customers who have long used the monitoring capabilities of MaxPatrol SIEM.

"We released MaxPatrol EDR as a standalone product in October 2023, but the technologies behind it proved effective long before then. Considering that end devices are one of the most popular points of penetration of cybercriminals into the infrastructure, our team continues to improve the system, increasing its effectiveness with each update," said Sergey Lebedev, head of the department for the development of means of protecting workstations and servers of Positive Technologies. "For example, adding cluster installation support was one of the most frequent client requests. According to our observations, today dozens of major companies are building failover cluster systems that process millions of events per second in total. Our product now provides seamless endpoint protection in these infrastructures."

Other features of MaxPatrol EDR will help improve the user experience. For example, the updated version allows responding to information security incidents on many agents at once: if two dozen devices are attacked, specialists can perform the necessary actions on the entire group of protected devices in one step. The console lets them visually monitor the status of this activity on each device and continue performing actions on the selected group without having to re-select agents. This can reduce response time many times over (for example, from tens of minutes to a few minutes). In addition, actions on agents can now be performed from third-party systems through the response API provided for this purpose.

Compliance with FSTEC of Russia requirements for the fourth level of trust and technical specifications

MaxPatrol EDR, the product for detecting and responding to cyber threats on end devices, has confirmed compliance with the requirements for the fourth level of trust and the technical specifications of FSTEC of Russia. The developer of the solution announced this on May 13, 2024. The certificate officially confirms that the product can be used to protect endpoints in state information systems and in significant critical information infrastructure (CII) facilities of the highest security class.

Certification of information protection tools assigns them a trust level, which defines the scope and types of tests that must be passed to confirm compliance with FSTEC of Russia requirements. This parameter determines the list of information systems in which a product can be used. MaxPatrol EDR is certified to the fourth level of trust, which allows it to be deployed in the infrastructure of public-sector organizations, financial, industrial and transport companies, critical information infrastructure (CII) entities and others.

MaxPatrol EDR was also checked for compliance with the technical specifications, which define the protection functions the software must implement.

"According to global information security incident data, in 2023 attackers often caused unacceptable events at critical infrastructure facilities: 15% of successful attacks occurred in government agencies, and 8% each in companies from finance, industry and IT," said Iouri Berezhnoy, head of endpoint protection development at Positive Technologies. "The use of malware and exploitation of vulnerabilities remain the main methods of hackers. Often, attackers choose end devices as the entry point: they are extremely vulnerable, since they depend on users and allow different attack vectors to be used. Now MaxPatrol EDR will help even more companies identify and respond quickly to threats in the early stages, before attackers have time to inflict unacceptable damage."

MaxPatrol EDR is installed on employees' personal computers and laptops, virtual desktops and servers. Offline agents protect the devices of remote employees, as well as devices that are outside the domain or off the network. The software supports popular operating systems, including certified Russian ones. Thanks to rules from the Positive Technologies security expert center, the product detects modern threats and covers the top 50 popular tactics and techniques of cybercriminals for Windows systems and the top 20 for Linux systems according to the MITRE ATT&CK matrix. MaxPatrol EDR allows threat response rules to be configured flexibly to meet the company's needs and attacks to be stopped both manually and automatically.

Inclusion in the unified register of Russian software

MaxPatrol EDR, the product for detecting and responding to cyber threats at endpoints developed by Positive Technologies, has been included in the unified register of Russian software. The developer announced this on January 18, 2024.

According to the results of the first three quarters of 2023, public sector organizations accounted for the largest number of information security incidents: 15% of all successful attacks. The number of targeted attacks grows from year to year and, according to Positive Technologies forecasts, 2024 will be no exception. The most vulnerable may be organizations that actively exchange data. Within a supply chain, a company may have counterparties with a secure infrastructure and established cybersecurity processes as well as counterparties with poorly developed information security. In such an environment, organizations need strong endpoint protection with state-of-the-art attack detection mechanisms so they can eliminate threats before business processes are disrupted.

MaxPatrol EDR detects complex and targeted attacks developing on devices in their early stages and collects data for investigations. The system performs behavioral analysis directly on devices, uses the expertise of the PT Expert Security Center, and has flexible settings for its detection and response mechanisms. Thanks to this, the product quickly finds cyber threats even when the attackers' actions are disguised as legitimate. The diverse set of response methods offered to information security operators covers most of a company's protection measures. MaxPatrol EDR supports Windows, Linux and macOS, including certified Russian operating systems. The product can be adapted to different types of infrastructure, which simplifies the work of information security specialists.

"Endpoints are still convenient targets for intruders to infiltrate infrastructure. Hackers often use malicious software as an attack method: viruses, ransomware, stealers, wipers, and malware modified for specific operating systems," said Egor Nazarov, head of the development of the business of protection against complex attacks, Positive Technologies. "Attackers are continuously improving their tools, so traditional defenses are no longer able to accurately identify threats. They are being replaced by more efficient solutions belonging to the endpoint detection and response (EDR) class. With them, you can get a complete picture of what is happening on the endpoints and detect and eliminate threats in time, both within internal security teams and with the participation of SOC providers."

2023: MaxPatrol EDR presentation

On October 9, 2023, Positive Technologies introduced MaxPatrol EDR, a product for detecting and responding to cyber threats at endpoints. Thanks to static and behavioral analysis, expert rules from the PT Expert Security Center, and flexible configuration of detection and response rules, the system detects complex and targeted attacks as they develop over time. This is important when attackers disguise their activity in the system as legitimate. In addition, MaxPatrol EDR allows malicious actions to be stopped instantly, both manually and automatically.

The system can be installed on employees' personal computers, laptops, virtual desktops, or servers. It supports many operating systems (Windows, Linux, macOS), including certified Russian ones. Using PT Expert Security Center expertise, MaxPatrol EDR detects various types of attacks and covers the top 50 popular attacker tactics and techniques for Windows and the top 20 for Linux systems according to the MITRE ATT&CK matrix. Among them are attacks using current malware, including Agent Tesla, RedLine, njRAT and FormBook.

According to Positive Technologies research, the number of complex and targeted attacks in the world is constantly growing. In particular, in the second quarter of 2023, four out of five cyber attacks were targeted. Endpoints are still a convenient target for intruders to penetrate the infrastructure of companies: in 90% of successful attacks, the targets were employees' laptops and desktop computers, and servers. Cybercriminals use them as "gateways" to connect to a corporate network or business systems. Increasingly, Positive Technologies experts note in such attacks the use of new hacker techniques and malware (wipers, ransomware, and purpose-built malware modified for specific operating systems) that are able to bypass the traditional security tools installed on computers: antivirus software, endpoint protection platforms, and host intrusion detection systems (HIDS).

One tool for countering complex attacks is EDR-class systems. They make it possible to identify the actions of attackers even when legitimate built-in OS components (PowerShell, WMI, CMD, Bash) were used and traces of presence have been hidden. According to a survey conducted by Positive Technologies, 14% of Russian companies already use EDR or XDR solutions, 26% are planning such a project and choosing between systems from several manufacturers, and 30% understand the need to acquire them but do not yet have the budget.

Among the difficulties of using endpoint protection products on the market, respondents noted the inability to flexibly adjust the depth of analysis so as not to overload hosts, a large number of false positives, limited operating system support, and a low level of malware detection.

"According to the Positive Technologies security expert center, APT groups from different countries use similar tools, but the use of various combinations of tactics and techniques in constantly changing conditions complicates their detection. Establishing new trade routes and economic ties with other states opens the door to previously unknown malware and groupings from other continents in our region. Antivirus programs and other traditional endpoint protection tools are not ready for such threats and are unlikely to be able to quickly adapt," said Egor Nazarov, head of development for protection against complex attacks at Positive Technologies. "MaxPatrol EDR allows companies of all sizes to continuously protect endpoints on different operating systems. Unlike classic EDR solutions, which are often operator-controlled and do not imply a response when malicious actions are detected, our system has great capabilities for timely response on hosts, including in automatic mode."

MaxPatrol EDR can now be purchased as a standalone product. It is also still part of PT XDR, a comprehensive solution for advanced threat detection and response that Positive Technologies released in 2021.

The system supports installation alongside other security tools. Its agents can work autonomously, that is, analyze and counter threats on endpoints even in isolated networks, without contacting the server. By automating routine tasks and response processes, the efficiency of cyber threat prevention centers increases, and information security specialists save resources and time on initial analysis, investigation, data collection and stopping attacks. They can devote the freed-up time to more complex tasks, for example, proactive threat hunting, detection and analysis of vulnerabilities, and hardening of the infrastructure.

"For more than 20 years, we have been creating our own technologies and focusing on making it convenient for information security specialists to use them. Through flexible configuration of detection modules and policies, MaxPatrol EDR adapts well to different types of infrastructures and provides a good balance between host load and SOC tasks," said Dmitry Nagibin, head of the department for the development of security tools for workstations and servers at Positive Technologies. "It is based on a set of proven technologies that have demonstrated their effectiveness in our other solutions. For example, from the MaxPatrol SIEM information security event monitoring system we borrowed telemetry storage technology and a mechanism for correlating and normalizing events at network endpoints; from PT Sandbox, file analysis using static and dynamic methods; and from the MaxPatrol VM vulnerability management system, a mechanism for scanning the environment for vulnerabilities."