{"id":20071,"date":"2022-09-20T07:00:23","date_gmt":"2022-09-20T11:00:23","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/introducing-kedr-optimum\/20071\/"},"modified":"2022-09-21T19:19:24","modified_gmt":"2022-09-21T15:19:24","slug":"introducing-kedr-optimum","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/introducing-kedr-optimum\/20071\/","title":{"rendered":"Introducing: Kaspersky EDR Optimum"},"content":{"rendered":"

Naming products and services \u2013 and also their many different functions and features \u2013 in the infosec domain is, in a word, tricky. Why? Complexity\u2026<\/p>\n

Cybersecurity: it\u2019s not a one-dimensional object like, say, a boat. There are different sized boats, but besides things like that, a boat is mostly always a boat. But in infosec, a modern system of enterprise cybersecurity does a great many technically complex things, and the question arises: how can it all be labeled simply and catchily (if that\u2019s at all possible) so as to be reasonably easy to understand? And how can you differentiate one security system from another? Often it\u2019s difficult explaining such differences in a long paragraph \u2013 while in the name of a product or service? Like I say: tricky<\/em>.<\/p>\n

Maybe that\u2019s why Kaspersky is still associated by some with \u201cantivirus software\u201d. But actually, detecting and neutralizing malware based on an antivirus database is today just one of our security technologies: over a quarter century we\u2019ve added to it a great many others. The word antivirus today is more of a metaphor: it\u2019s known, understood, and thus is a handy (if not too accurate or up-to-date) label.<\/p>\n

But what are we supposed to do if we need to tell folks about complex, multifunctional protection for enterprise IT infrastructure? This is when strange sets of words appear. Then there are all the abbreviations that come with them, whose original idea was simplification (of those strange sets of words) but which often just add to the confusion! And with every year the number of terms and abbreviations grows, and memorizing them all becomes increasingly\u2026 also tricky<\/em>. So let me attempt here to take you on a brief excursion of all this gobbledygook<\/span> these complex but necessary names, terms, descriptions and abbreviations \u2013 hopefully to do what the abbreviations struggle with: bring clarity.\n<\/p>\n

From EPP to XDR<\/h2>\n

\nOk. Back to the boat; rather \u2013 antivirus.<\/p>\n

The more accurate name of this class of products today is Endpoint Protection or Endpoint Security. After all, as stated above, it\u2019s not only antivirus that\u2019s protecting endpoints these days, but a collection of security measures. And sometimes the varied endpoint technologies are given an updated name \u2013 including the word \u201cplatform\u201d. Somehow that sounds more appropriate, and more accurately descriptive \u2013 it also seems fashionable, as is its abbreviation: EPP<\/a> (Endpoint Protection Platform).<\/p>\n

Endpoint Protection Platform is, in essence, a concept that dates back to the 1990s. It\u2019s still needed, but for quality protection of distributed infrastructure other methods are required. Data needs to be collected and analyzed from the whole network to detect not only singular incidents, but also whole chains of attacks, which aren\u2019t limited to a single endpoint. Threats need to be reacted to across the whole network \u2013 not just one computer.<\/p>\n

Fast-forward a decade or so, and in the early 2000s there appears a class of products called SIEM<\/a> \u2013 security information and event management. That is, a tool for the collection and analysis of all infosec telemetry from various devices and applications. And not only for today: a good SIEM can pull off retrospective analysis \u2013 comparing events from the past and uncovering attacks lasting many months or even years.<\/p>\n

So, by this stage (the early 2000s for those at the back not paying attention!) we\u2019re already working with the whole network. But there\u2019s no \u201cP\u201d for \u201cProtection\u201d in SIEM. So the protection was provided by the EPP (Endpoint Protection Platform; you at the back \u2013 detention after school!). However, EPP doesn\u2019t see network events; for example, it could easily miss an APT<\/a> (advanced persistent threat).<\/p>\n

Therefore, in the early 2010s, along comes another abbreviation to fill the gap and cover both security functions: EDR<\/a> (Endpoint Detection and Response). On the one hand, it provides centralized monitoring of the whole IT infrastructure \u2013 allowing, for example, to compile traces of attacks from all the hosts. On the other, an EDR-type product uses for detection not only EPP methods, but also more advanced technologies: correlational analysis<\/a> of events and the picking out anomalies on the basis of machine learning<\/a> and dynamic analysis of suspicious objects in a sandbox<\/a>, plus assorted other threat hunting<\/a> tools to assist investigation and response<\/a>.<\/p>\n

And when we do EDR ourselves here at K<\/em>, of course we need to put our stamp on it, to give us KEDR<\/a>.<\/p>\n

So far, so good<\/span> great. But\u2026 there\u2019s no limit to perfection!<\/p>\n

Fast-forwarding again, this time to the early 2020s, and a new abbreviation is introduced and quickly becomes all the rage in the cybersecurity industry: XDR<\/a> (eXtended detection and response<\/a>). This, to put it crudely, is EDR on steroids. Such a system analyses data not only from endpoints (workstations), but also from other sources \u2013 for example the mail gateways and cloud resources. Which totally makes sense, since attacks on infrastructure can come from any and all kinds of entry points.<\/p>\n

XDR can be even further enriched in terms of its expertise by further data from:\n<\/p>\n