News & Blog

Handling a Large-scale Security Incident utilizing EDR




    With Digital Transfer (DX) promoted during the COVID era and remote work expanding, there have been an increasing number of cases where devices protected by network boundaries, such as corporate firewalls, are directly exposed to attacks from the internet. Those cases include occurrences where a server was fully opened to the internet due to misconfiguration of cloud services, and one where a user directly accessed the internet without going through a router in remote work.


    These devices carry the risk of being broken in whenever an attacker tries to do so; it could allow them to compromise and use the device to intrude the corporate network. Attackers try to collect information and infringe further by using OS standard commands that are not detected by anti-virus software and by using software that is generally known as a convenient utility. Many of these security breaches can lead to credential theft, lateral movement to other devices, and mass leakage of intellectual property and/or personal information without being discovered.


    Figure 1: Intrusion Incident Casefig1

    Forensic investigation is conducted when such infringement is detected, but traditional investigations have the limitation of human and physical resources, and prolonged investigation time. In this article, we will introduce an example of using EDR as one of the means to solve these problems.

    Challenges of Traditional Investigation

    The two main challenges in traditional forensics are “resource limitations” and “prolonged investigation time”.

    Resource Limitations

    Traditional forensics acquires a disk image of the compromised device and investigate it, so it can investigate deeper such as deleted areas on the disk. On the other hand, it is necessary to extract and analyze the data required for investigation from the disk image, causing a limit to the number of devices that can be processed at one time. Therefore, even if malware infections occur simultaneously on many devices, the scope of investigation tends to be limited.

    Prolonged Investigation Time

    In addition, traditional forensics tends to take a relatively long time to investigate. The standard way for acquiring a disk image from the target device is to take the device offline, remove the disk from the device, then make a copy. There are many cases where the process takes several. Even after these steps are completed, the device remains unavailable for use during the investigation since it is not confirmed to be safe. The more devices need to be investigated, the more difficult it becomes to prepare alternative devices, which would affect business operation.


    In traditional forensics, each device is scrutinized one by one to find out what happened. However, the time and cost of the investigation increases as the number of devices to increases, and this is not very cost-effective.

    Investigation with EDR

    Endpoint Detection and Response (EDR) is expected to be effective as a new forensic method. EDR is a security solution that collect various logs from agents installed on devices and analyze them to monitor, detect, prevent, and respond to cyber attacks.


    With the agent installed, the necessary logs on the target device can be collected, monitored, and analyzed at the same time, making it possible to elucidate the entire event and contain the risk in a relatively short period of time.


    Forensic investigation utilizing EDR achieves flexible incident response with many devices while relaxing resource restrictions that have been an issue in the past. Additionally, the investigation time is greatly reduced so that investigating hundreds-to-thousands of devices can be conducted quickly.


    Traditional Forensics

    EDR Forensics

    Disk Image


    Not Required

    File Content Inspection


    Not Required

    Investigation on Multiple Devices



    Investigation Period for Multiple Devices



    Expansion of Investigation Scope

    Determined for Each Case

    Handled Flexibly


    Suspension of Device Use

    Remote Isolation

    Table 1: Characteristics of Traditional Forensics and Investigation Using EDR

    Hybrid IR with Investigation, Protect and Response

    A further advantage of forensic investigation with EDR is that it can not only investigate an incident, but also deploy defenses and responding feature of EDR, which facilitates the identification of infringements that are not discovered at the start of the investigation and the defense against the threat as described below:


    Figure 2: Advantages of investigation with EDRfig2

    Protection with EDR

    There were cases where response to an attack was delayed since the investigation with traditional forensics was not advanced enough and the whole picture, such as lateral movement of the attack, would not be clear. EDR forensic investigation allows real-time tracking of behavior on the device, which makes it possible to detect and prevent intrusion from progressing.

    Incident Handling with EDR

    With traditional forensics, it was very difficult to avoid large business impact, such as network isolation of all devices, in many cases of incident handling. Since EDR collects the information necessary for the investigation while the device is running, it is possible to flexibly respond by isolating only the compromised device and conduct the entire investigation without interrupting overall business operation. The devices found to be compromised can be logically isolated from the network, minimizing business impact.


    It seems that the above-mentioned defense and incident handling have greater benefits as there are more complex incidents and more devices to be investigated. It can be said that the attacks of these days are even more advanced and occurring continuously, the need to conduct investigations and defense/IR in parallel is increasing.


    It has become possible to investigate a wider area more quickly and comprehensively by using EDR than with traditional forensics. However, the ability to investigate deeper areas, such as something deleted on a disc, is not perfect. Traditional forensic investigations may be appropriate when investigations that include traces erased by an attacker are required, so characteristics of both investigation methods must be used depending on the situation.


    We provide forensic investigation services using EDR. In light of recent threat trends, many cases tend to involve many devices to be investigated, and investigation using EDR is effective in containing incidents in a short period of time. In addition, we also provide managed EDR services with EDR solution, enabling seamless transition from investigation to implementation. Please feel free to contact us if you would like to hear more about security incident response and EDR solution/services.