Developer: Positive Technologies
Premiere date: 2023/10/09
Technology: Information Security Management (SIEM)
Main article: Security Information and Event Management (SIEM)
2024
Compliance with the fourth level of trust requirements and the technical specifications of FSTEC of Russia
MaxPatrol EDR, a product for detecting and responding to cyber threats on end devices, has confirmed compliance with the requirements for the fourth level of trust and the technical specifications of FSTEC of Russia. The developer announced this on May 13, 2024. The document officially confirms that the product can be used to protect the endpoints of state information systems and significant critical information infrastructure (CII) facilities of the highest security class.
Certification of information protection tools assigns each of them a trust level. The trust level defines the scope and types of tests that must be completed to confirm compliance with FSTEC of Russia requirements, and it determines the list of information systems in which the product may be used. MaxPatrol EDR is certified to the fourth level of trust, which allows it to be deployed in the infrastructure of public-sector organizations, financial, industrial and transport companies, CII entities and other organizations.
MaxPatrol EDR was also checked for compliance with the technical specifications that define which protection functions are implemented in the software.
"According to global information security incidents, in 2023, attackers often implemented unacceptable events at critical infrastructure facilities: 15% of successful attacks occurred in government agencies, 8% each in companies from finance, industry and IT," said Iouri Berezhnoy, head of endpoint protection development at Positive Technologies. "The use of malware and exploitation of vulnerabilities remain the main methods of hackers. Often, attackers choose the end devices as the entry point: they are extremely vulnerable, since they depend on users and allow different attack vectors to be used. Now MaxPatrol EDR will help even more companies identify and respond quickly to threats in the early stages before attackers have time to inflict unacceptable damage."
MaxPatrol EDR is installed on employees' personal computers and laptops, virtual desktops and servers. Offline agents protect the devices of remote employees, as well as devices that are outside the domain or off the network. The software supports popular operating systems, including certified Russian ones. Using rules from the Positive Technologies security expert center, the product detects modern threats and identifies the top 50 popular tactics and techniques of cybercriminals for Windows systems and the top 20 for Linux systems according to the MITRE ATT&CK matrix. MaxPatrol EDR allows threat response rules to be flexibly configured to a company's needs and attacks to be prevented both manually and automatically.
Inclusion in the unified register of Russian software
MaxPatrol EDR, a product for detecting and responding to cyber threats at endpoints developed by Positive Technologies, has been included in the unified register of Russian software. The developer announced this on January 18, 2024.
According to the results of the first three quarters of 2023, public sector organizations accounted for the largest share of information security incidents: 15% of all successful attacks. The number of targeted attacks grows from year to year and, according to Positive Technologies forecasts, 2024 will be no exception. Organizations that actively exchange data may be the most exposed: within a single supply chain, a company can have counterparties with a secure infrastructure and established cybersecurity alongside counterparties with poorly developed information security. In such an environment, organizations need strong endpoint protection with state-of-the-art attack detection mechanisms, so that threats are eliminated before business processes are disrupted.
MaxPatrol EDR detects complex and targeted attacks that develop on devices at an early stage and collects data for investigations. The system performs behavioral analysis directly on devices, uses the expertise of the PT Expert Security Center and offers flexible settings for detection and response mechanisms. As a result, the product quickly finds cyber threats even when the attackers' actions are disguised as legitimate. The set of diverse response methods offered to information security operators covers most of a company's protection measures. MaxPatrol EDR supports domestic operating systems, including Russian certified ones, as well as Windows, macOS and Linux. The product can be adapted to different types of infrastructures, which simplifies the work of information security specialists.
"Endpoints are still convenient targets for intruders to infiltrate infrastructure. As an attack method, hackers often use malicious software: viruses, encoders, stealers, wipers, and HPE modified for specific OSs," said Egor Nazarov, head of business development for protection against complex attacks at Positive Technologies. "Attackers are continuously improving their tools, so traditional defenses are no longer able to accurately identify threats. They are being replaced by more efficient solutions of the endpoint detection and response (EDR) class. With them, you can get a complete picture of what is happening on the endpoints and detect and eliminate threats in time, both within internal security services and with the participation of SOC providers."
2023: MaxPatrol EDR Presentation
On October 9, 2023, Positive Technologies introduced MaxPatrol EDR, a product for detecting and responding to cyber threats at endpoints. Thanks to static and behavioral analysis, expert rules from the PT Expert Security Center, and flexible configuration of detection and response rules, the system detects complex and targeted attacks in time. This matters when attackers disguise their activity in the system as legitimate. In addition, MaxPatrol EDR allows malicious actions to be stopped immediately, both manually and automatically.
You can install the system on employees' personal computers, laptops, virtual desktops, or servers. It supports many operating systems (Windows, Linux, macOS), including Russian certified operating systems. Through PT Expert Security Center expertise, MaxPatrol EDR detects various types of attacks, identifies the top 50 popular tactics and techniques of attackers for Windows and the top 20 for Linux systems using the MITRE ATT&CK matrix. Among them are attacks using current malware, including Agent Tesla, RedLine, njRAT, FormBook.
According to research data from Positive Technologies, the number of complex and targeted attacks in the world is constantly growing. In particular, in the second quarter of 2023, four out of five cyber attacks were targeted. Endpoints remain a convenient target for intruders seeking to penetrate company infrastructure: in 90% of successful attacks, the targets were employees' laptops, desktop computers and servers. Cybercriminals use them as "gateways" to connect to the corporate network or business systems. Positive Technologies experts increasingly note the use in such attacks of new hacker techniques and malware (wipers, encoders, as well as specially created HVE modified for certain operating systems) that can bypass the traditional information security tools installed on computers: antiviruses, endpoint protection platforms, and host intrusion detection systems (HIDS).
One tool for countering complex attacks is EDR class systems. They make it possible to identify the actions of attackers even when legitimate built-in OS components (PowerShell, WMI, CMD, Bash) were used and traces of presence are hidden. According to a survey conducted by Positive Technologies, 14% of Russian companies already use EDR or XDR solutions, 26% plan such a project and are choosing between systems from several manufacturers, and 30% understand the need to acquire them but so far lack the funds.
Among the difficulties in using endpoint protection products on the market, respondents noted the lack of the ability to flexibly adjust the depth of analysis so as not to overload nodes, a large number of false positives, weak support for operating systems, and a low level of malware detection.
"According to the Positive Technologies security expert center, APT groups from different countries use similar tools, but the use of various combinations of tactics and techniques in constantly changing conditions complicates their detection. Establishing new trade routes and economic ties with other states opens the door to previously unknown malware and groupings from other continents in our region. Antivirus programs and other traditional endpoint protection tools are not ready for such threats and are unlikely to be able to quickly adapt," said Egor Nazarov, head of development for protection against complex attacks at Positive Technologies. "MaxPatrol EDR allows companies of all sizes to continuously protect endpoints on different operating systems. Unlike classic EDR solutions, which are often operator-controlled and do not imply a response when detecting malicious actions, our system has great capabilities for timely response at nodes, including in automatic mode."
MaxPatrol EDR can now be purchased as a standalone product. It is also still part of PT XDR, a comprehensive solution for advanced threat detection and response that Positive Technologies released in 2021.
The system supports joint installation with other security tools. Its agents can work autonomously, that is, analyze and counter threats on endpoints without contacting the server, even in isolated networks. Automating routine tasks and response processes increases the efficiency of cyber threat prevention centers, and information security specialists save resources and time on initial analysis, investigation, data collection and stopping attacks. They can devote the freed-up time to more complex tasks, for example, proactive threat hunting, detection and analysis of vulnerabilities, and hardening of infrastructure.
"For more than 20 years, we have been creating our own technologies and focusing on making it convenient for information security specialists to use them. Through flexible configuration of discovery modules and policies, MaxPatrol EDR adapts well to different types of infrastructures and provides a good balance between node load and SOC tasks," said Dmitry Nagibin, head of the department for the development of security tools for workstations and servers at Positive Technologies. "It is based on a set of proven technologies that have proven their effectiveness in our other solutions. For example, from the MaxPatrol SIEM information security event monitoring system, we borrowed telemetry storage technology and a mechanism for correlating and normalizing events at network endpoints; from PT Sandbox, file analysis using static and dynamic methods; and from the MaxPatrol VM vulnerability management system, a mechanism for scanning the environment for vulnerabilities."