Advanced EPDR/EDR Getting Started Best Practices

Related Products
  • Advanced EPDR
  • Advanced EDR

Introduction

Follow the steps in this Advanced EPDR/EDR Getting Started best practices guide to install and configure your product and make the most of it.

STEP 1 – Access the administration console

Create your Advanced EPDR/EDR Account by following the steps in the email you received when you purchased the product, then access the administration console. If you already have an Advanced EPDR/EDR Account, sign in with your email address and login password.

STEP 2 – Pre-configure settings

The installation process consists of a series of steps that vary depending on the status of the network at the time of deploying the software and the number of computers to protect.
Before you deploy the endpoint agent, it is necessary to plan the process carefully bearing the following aspects in mind:

Identify Computers & Devices to Protect

Identify the physical and virtual macOS, Android, Windows, or Linux computers and devices you want to protect with Cytomic.

Verify Minimum Requirements for Target Devices

  • Make sure that the computers and devices you want to protect meet the minimum installation requirements. For information on requirements, see Installation Requirements.
  • Advanced EPDR/EDR requires access to multiple Internet-hosted resources. Make sure that the required URLs and ports are open so that the endpoints can communicate with the Advanced EPDR/EDR servers.

Determine Computer Default Settings

  • You cannot modify default settings.
  • You can copy default settings and modify them or create new ones to suit your specific needs.
  • Settings are inherited by all devices within a group, but you can also set up exceptions for specific devices or sub-groups.
  • Settings vary between Advanced EPDR and Advanced EDR. If you do not see a setting in the web UI, it is not supported by your product.

We recommend that you configure the group organization and define settings before you deploy the client software.

  1. Groups
    Define the group structure of your network, for example, by department or location, configure the policies required, and establish if you want to use the Active Directory tree or if you prefer to have static groups. For more information about the different types of groups, and specific instructions, see Group Computers and Devices.
  2. Network settings
    Configure the network settings: the language of the Advanced EPDR/EDR software installed on computers and devices, the type of connection to Cytomic Cloud (including proxies), and the cache computers that act as repositories for signature files and other components. For more information, see how to configure network proxy and cache settings.
  3. Per-computer settings
    • Updates
      We recommend that you leave automatic updates enabled. You can also configure the updates to run in time intervals and set the restart.
      Advanced EPDR/EDR deploys the latest version available to customers and partners in phases, but you can contact your Sales Representative to request a version update.
      NOTE 1: From the Advanced EPDR/EDR web console, select the cog icon and open the Cytomic Release Notes to find the latest version available. There are different version numbers: the Advanced EPDR/EDR product version, the Protection version by platform, and the Agent version by platform.
      NOTE 2: To find out which Advanced EPDR/EDR version you have installed, from the Advanced EPDR/EDR web console, select the cog icon and select About. You can see the version installed on each computer from the Computers tab.
      NOTE 3: Contact your Sales Representative to request a version update. However, if you prefer, you can plan and execute the update process gradually in your network.
      Here are a few guidelines:

      • Create a new Per-computer profile with the "Automatically update Advanced EPDR/EDR on computers" setting enabled and assign it to a group containing computers representative of your environment.
      • Monitor the upgrade for a couple of weeks to ensure the process has been successful and the applications work as expected.
      • Roll out the client software updates across the rest of your network progressively. The process can be done in 2 or 3 phases, depending on your network characteristics.
        For more information, see Best Practices regarding Updates & Upgrades.
    • Tampering
      Configure security against tampering to ensure that only authorized users can uninstall or disable Advanced EPDR/EDR. For more information, see Tampering settings.
  4. Workstations and servers’ settings
      • Automatic Knowledge Updates
        Configure automatic signature file updates. Advanced EPDR/EDR uses signature files to identify threats. The Advanced EPDR/EDR client agent downloads signature files (knowledge updates) to help identify the newest security threats. We recommend that you do not disable automatic updates. A computer with out-of-date signatures becomes more vulnerable to malware and advanced threats over time. For more information, see Configure knowledge updates.
      • Uninstall other security products
        If you want to install Advanced EPDR/EDR on a computer that already has an antivirus solution from another vendor, you can remove the current solution and install Advanced EPDR/EDR.
        You can also choose to not remove the current solution, so that Advanced EPDR/EDR and third-party products coexist on the computer. When you uninstall a third-party antivirus product, you might have to restart the computer.
        For a list of the third-party security products that Advanced EPDR/EDR uninstalls automatically, see Programs Automatically Uninstalled by Cytomic.
      • Advanced Protection
        In the Advanced Protection settings of a workstations and servers profile, you can configure Advanced EPDR/EDR to detect and block malicious programs. There are three operating modes: Audit, Hardening, and Lock. For maximum security and efficiency, we recommend Advanced Protection in Lock mode combined with authorized software rules (see below). Initially, configure Advanced Protection in Hardening mode to kick-start the Zero-Trust Application Service learning and classification process. After a few weeks, change the mode to Lock. In Lock mode, all software that is still being classified or is already classified as malware is prevented from running.
      • Authorized software
        Configure settings to authorize software or a family of software that you want to allow to run before it is classified. If the program represents a threat, Advanced EPDR/EDR blocks it regardless of whether it was authorized in these settings. For more information, see Authorized software.
      • Anti-exploit
        Enable Anti-exploit protection to automatically block attempts to exploit vulnerabilities found in the active processes on user computers. For more information, see Anti-exploit settings.
      • Indicators of Attack
        In the Advanced settings, configure RDP attack indicators as Report only or Report and block RDP, according to your needs.
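The phased update rollout recommended under Per-computer settings (a representative pilot group first, then the remaining computers in 2 or 3 phases) can be planned from an inventory export. This is an added example, not Cytomic's code; the inventory rows, host names and the os/role attributes used as strata are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (illustrative, not from the Cytomic console).
INVENTORY = [
    {"host": "ws-mad-01", "os": "windows", "role": "workstation"},
    {"host": "ws-mad-02", "os": "windows", "role": "workstation"},
    {"host": "ws-bcn-01", "os": "windows", "role": "workstation"},
    {"host": "ws-bcn-02", "os": "windows", "role": "workstation"},
    {"host": "srv-mad-01", "os": "windows", "role": "server"},
    {"host": "srv-mad-02", "os": "windows", "role": "server"},
    {"host": "lnx-mad-01", "os": "linux", "role": "server"},
    {"host": "mac-bcn-01", "os": "macos", "role": "workstation"},
    {"host": "mac-bcn-02", "os": "macos", "role": "workstation"},
]


def stratum(computer):
    """Key that defines 'representative': one pilot host per OS/role pair."""
    return (computer["os"], computer["role"])


def plan_rollout(inventory, phases=2):
    """Return a pilot group covering every stratum plus `phases` waves.

    The remaining hosts of each stratum are dealt round-robin across the
    waves, so every wave stays balanced in size and mixed in OS/role.
    """
    if phases < 1:
        raise ValueError("phases must be at least 1")
    groups = defaultdict(list)
    for c in sorted(inventory, key=lambda c: c["host"]):  # deterministic order
        groups[stratum(c)].append(c["host"])
    pilot = [hosts[0] for _, hosts in sorted(groups.items())]
    waves = [[] for _ in range(phases)]
    dealt = 0
    for _, hosts in sorted(groups.items()):
        for host in hosts[1:]:            # first host of each stratum is in the pilot
            waves[dealt % phases].append(host)
            dealt += 1
    return {"pilot": pilot, "waves": waves}


def covers_all_strata(inventory, hosts):
    """True if `hosts` contains at least one computer from every OS/role stratum."""
    by_host = {c["host"]: stratum(c) for c in inventory}
    return {by_host[h] for h in hosts} == {stratum(c) for c in inventory}


if __name__ == "__main__":
    plan = plan_rollout(INVENTORY, phases=2)
    print("pilot:", plan["pilot"])
    for i, wave in enumerate(plan["waves"], start=1):
        print(f"phase {i}:", wave)
```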

Review Known Issues

Review the Cytomic Knowledge Base Articles to find known issues and their solutions or workarounds before you deploy the client software.

STEP 3 – Deploy the client software

Deploy the Advanced EPDR/EDR Agent to computers and devices in your organization with the correct network settings.
The deployment strategy depends on the number of computers to protect, the workstations and servers that already have an Advanced EPDR/EDR client agent installed, and the company network architecture.
For more information, see the appropriate installation procedure for your scenario and platform.

STEP 4 – Post-deployment Checklist

Cytomic provides network administrators with a set of tools and features to reduce the attack surface, monitor and prevent threats, and strengthen the security of the network after you have deployed the client software.

Monitor Threats

Check the security status of the network for a specific period through dashboards and detailed lists. You can use this information to monitor threats to the computers and devices on your network.

  • Check Dashboards
    The Cytomic dashboard shows an overview of the security status of the network for a specific period. Several tiles show important information and provide links to more details.
  • Use Lists
    Cybercriminals take advantage of a single vulnerable endpoint to carry out lateral movements that can compromise the security of the whole network, so it is critical to ensure every endpoint is protected. The My Lists section of the Status page provides quick links to detailed lists filtered for specific information that help you monitor the health and security of your network. Most dashboard tiles have an associated list, so you can quickly see information graphically in the tile and then get more detail from the list. We recommend that you use pre-defined or new lists to monitor endpoints that are unprotected or have outdated protection, to prevent attacks. Here are a few list examples:

    • Outdated Protection
    • Offline Computers
    • Pending Critical Patches
    • Installation Errors
    • Outdated software

Settings

You can also configure settings to reduce the attack surface, for example:

  • Restrict access to specific website categories
    Configure the categories of websites accessible to users to reduce the number of dubious sites, ad-ridden pages, and innocent-looking but dangerous download portals (ebooks, pirated software, etc.) that may infect users’ computers.
  • Lock access to pen drives and other external devices
    Another commonly used infection vector is the USB drives and modems that users bring from home. Limiting or totally blocking access to these devices blocks malware infections through these means.
  • Restrict communications (firewall and IDS)
    A firewall is a tool designed to minimize exposure to threats by preventing communications to and from programs that are not malicious in nature but may leave the door open to malware. If malware is detected that has infected the network via a chat or P2P application, configuring the firewall rules correctly can prevent those programs from communicating with the outside world.

Security

Strengthen the security of your network by following these recommendations:

  • Reinforce Authentication Methods
    Apply two-factor authentication and enforce the use of robust passwords across your network.
  • Patch up vulnerable systems and update out-of-date applications
    Update vulnerable systems and out-of-date applications with Cytomic Patch to prevent attacks that exploit known security holes.
  • Uninstall or update the programs in EOL (End-Of-Life) stage
    EOL software is more likely to have unpatched vulnerabilities that could be exploited by malware. Use lists to view the computers in EOL or near EOL and plan to remove or update the software. Select the Status tab, and from the My lists left menu, click Add and select the End-of-Life programs lists to help you manage the update process.
  • Encrypt information on the internal storage devices of computers
    Use Cytomic Encryption to minimize the exposure of the data stored on the company’s computers in the event of loss or theft, and to prevent access to confidential data with recovery tools that retrieve files from removed drives.
    Additionally, we recommend that you use the TPM module included on computer motherboards or update their hardware to support this tool. The TPM lets you prevent hard disks from being used on computers other than those used to encrypt them and detect changes to a computer’s boot sequence.
  • Isolate at-risk computers and devices
    You can isolate an at-risk computer to block communication to and from the computer. When you isolate a computer, Cytomic blocks all communications, except for those required. From the Status tab, select Cytomic Patch from the left menu, click View all available patches, select a specific computer, for example, and select the Install or Isolate computer option.
  • Limit RDP connections
    Identify computers that require RDP connection and restrict its use to the bare minimum.
  • Schedule scans
    You can configure tasks to run immediately or later. Tasks can run once or repeatedly through specified time intervals. Select the Tasks tab, click the Add task button and select the Scheduled scan option.

Stay Tuned

Configure alerts, reports, and charts to stay tuned about the security status of your network.

  • Enable Alerts
    Configure alerts to be sent to the network administrator by email. You define alerts for each web UI user, and the content of an alert email varies with the managed computers that are visible to the recipient. Select the Settings tab and click My Alerts on the left menu.
  • Schedule Reports
    You can email a report of security information from the computers protected by Cytomic. You can schedule reports to be sent daily, weekly, or monthly on specific days and at specific times. This option lets you closely monitor the security status without administrators needing to access the web UI. Select the Status tab and click Scheduled reports on the left menu.
  • Audit User Actions
    You can see log information for user sessions and actions, as well as system events. Select the Settings tab, select Users from the left menu, and click the Activity tab.