What is Active EDR?
With so many activities happening on every device, sending all this information to the cloud for analysis might offer visibility, but it is still far from solving the main problem: the flood of alerts facing understaffed security teams. What if you could put the equivalent of a skilled SOC analyst on each of your devices? An agent that can contextualize all the device’s activities and identify and mitigate threat attempts in real time?
ActiveEDR shares some traits with other EDR solutions, but unlike them it does not depend on cloud connectivity to make a detection, which effectively reduces dwell time to run time. The agent uses AI to reach a verdict locally, without waiting on the cloud. ActiveEDR continuously builds a story of what is happening on the endpoint, and once it detects harm it can mitigate not only the malicious files and operations but the entire ‘storyline’ they belong to.
Consider this typical scenario: a user opens a tab in Google Chrome and downloads a file he believes to be safe. He then executes the file. The program is malicious: it launches PowerShell to delete the local backups and then begins encrypting all data on the disk. Because ActiveEDR knows the full story, it mitigates the chain at run time, before encryption begins.
When a story is mitigated, every element in it is taken care of, all the way back to the Chrome tab the user opened in the browser. This works by assigning every element in the story the same TrueContext ID. The stories are then sent to the management console, giving security analysts and IT administrators visibility and an easy basis for threat hunting.
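To make the storyline idea concrete, here is an added toy tracker written for this page; it is not SentinelOne's ActiveEDR code, and the event format, the field names, the "backup_delete" event kind and the detection rule are all assumptions. It links events into one story by parent process and by file provenance (the process started from a file the browser wrote joins the browser's story, which is what lets mitigation reach back to the Chrome tab), then mitigates the whole story as soon as the backup deletion is seen, before the first file write of the encryption phase.

```python
from dataclasses import dataclass
from collections import defaultdict
from ntpath import basename   # handles Windows-style paths on any host

# Assumed executable names; a real agent would use signed-image metadata.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class Event:
    """One piece of endpoint telemetry (constructed format, not a vendor schema)."""
    kind: str            # "process_start" | "file_write" | "backup_delete"
    pid: int
    ppid: int = 0        # parent pid, used for process_start only
    image: str = ""      # executable path, used for process_start only
    path: str = ""       # file path, used for file_write only


class StorylineTracker:
    """Groups events under one story id (the role TrueContext ID plays on the page)."""

    def __init__(self):
        self.story_of_pid = {}            # pid -> story id (process lineage)
        self.story_of_file = {}           # written path -> story id (file provenance)
        self.events = defaultdict(list)   # story id -> ordered events
        self.next_id = 1

    def ingest(self, ev):
        """Attach the event to a story and return the story id (None if untracked)."""
        if ev.kind == "process_start":
            # Inherit the parent's story, or the story of whoever wrote the image
            # (a downloaded file run from Explorer still joins the browser's story).
            sid = self.story_of_pid.get(ev.ppid) or self.story_of_file.get(ev.image)
            if sid is None:
                sid, self.next_id = self.next_id, self.next_id + 1
            self.story_of_pid[ev.pid] = sid
        else:
            sid = self.story_of_pid.get(ev.pid)
            if sid is None:
                return None
            if ev.kind == "file_write":
                self.story_of_file[ev.path] = sid
        self.events[sid].append(ev)
        return sid

    def is_malicious(self, sid):
        """Rule: browser-downloaded program spawned a shell that deleted backups."""
        evs = self.events[sid]
        starts = [e for e in evs if e.kind == "process_start"]
        browser_in_story = any(basename(e.image).lower() in BROWSERS for e in starts)
        ran_downloaded_file = any(self.story_of_file.get(e.image) == sid for e in starts)
        shell_in_story = any(basename(e.image).lower() in SHELLS for e in starts)
        backups_deleted = any(e.kind == "backup_delete" for e in evs)
        return browser_in_story and ran_downloaded_file and shell_in_story and backups_deleted

    def mitigate(self, sid):
        """Everything carrying this story id is acted on, not just the last process."""
        return {
            "terminate": sorted(p for p, s in self.story_of_pid.items() if s == sid),
            "quarantine": sorted(f for f, s in self.story_of_file.items() if s == sid),
        }


def run(events):
    """Feed events in order; return (index of triggering event, mitigation) or None."""
    tracker = StorylineTracker()
    for i, ev in enumerate(events):
        sid = tracker.ingest(ev)
        if sid is not None and tracker.is_malicious(sid):
            return i, tracker.mitigate(sid)
    return None


# Constructed telemetry for the page's scenario; pid 50 stands for an untracked
# Explorer process that the user double-clicked from.
SCENARIO = [
    Event("process_start", pid=100, ppid=1, image=r"C:\Program Files\Google\Chrome\chrome.exe"),
    Event("file_write", pid=100, path=r"C:\Users\alice\Downloads\invoice.exe"),
    Event("process_start", pid=200, ppid=50, image=r"C:\Users\alice\Downloads\invoice.exe"),
    Event("process_start", pid=201, ppid=200,
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("backup_delete", pid=201),
    Event("file_write", pid=200, path=r"C:\Users\alice\Documents\report.docx"),  # encryption would start here
]

if __name__ == "__main__":
    print(run(SCENARIO))
```

Running the scenario stops at event index 4 (the backup deletion) and returns termination of pids 100, 200 and 201 plus quarantine of the downloaded file; the write to report.docx at index 5 is never reached. Feeding only the first four events, a download that is run but never touches backups, yields no verdict, which is the false-positive check a practitioner would want on such a rule.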