Open Source and Free EDR
by John Strand - Black Hills Information Security (BHIS)
https://www.blackhillsinfosec.com/wp-content/uploads/2021/03/SLIDES_OpenandFreeEDR.pdf
This is a slide deck highlighting open source EDR software.
| Notes |
|---|
| EDR can mean a lot of things. A lot of things claim to be EDR but are just ED. |
| Commercial offerings are often “black box”. |
| SOAR |
| eXtended Detection and Response (XDR) |
| Vendors: Cynet, Cylance, FireEye, Carbon Black, CrowdStrike, Symantec, Cisco AMP Threat Grid, SentinelOne, McAfee, cybereason, Cortex XDR, … |
| MITRE Evaluations: Bitdefender, CrowdStrike, cybereason, cycraft, BlackBerry Cylance, elastic, F-Secure, FireEye, GoSecure, HanSight, Kaspersky, Malwarebytes, McAfee, Microsoft, Palo Alto Networks, REAQTA, Secureworks, SentinelOne |
| Incident Response is a nightmare without EDR. |
| EDR allows you to get information from multiple sources quickly. |
| EDR allows you to correlate attack data with threat intelligence. |
| EDR logs are often easier to work with than standard logs such as syslog or Event Logs on Windows. |
| Commercial products are hard to test without involving sales, doing a trial, etc. NDAs and EULAs prohibit reverse engineering; the products are “black box”. … “Sure! Take my money without trying your product!” |
| Commercial products can be oppressively expensive. |
| OSSEC |
| Wazuh |
| ELK stack |
| Velociraptor |
| Rekall |
| Endgame EDR |
| Amazon |
| OpenEDR from Comodo |