Elastic Defend EDR

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
123
This post is reprinted from my own post in January 2023 on Kafan, I did not keep the original screenshots, so some of the screenshots were added to the Kafan watermark, herewith.

Elasticsearch B.V. is an Internet company registered in Mountain View, California, and their flagship product is ElasticSearch, an "open source software" with enterprise search as its main function. analysis and big data purposes.
In June 2019, they acquired another security startup, Endgame, for $234 million (they had attended AVC prior to the acquisition, and you can see the face of their product through AVC's Enterprise Annual Report at the time), officially entering the security industry, and in early 2021 they incorporated Endgame's product into their ElasticSearch framework, and launched ElasticAgent for rapid deployment, and then the name Endgame was as "End" as it gets.

Currently, there are basically only two options for security software "open source" solutions, one is ClamAV launched by Cisco, which only provides a pure command-line invocation of the engine, and the other is Elastic Defend, which provides a complete security solution (including NGAV and EDR).
One thing to note though, ClamAV is released using the GPLv2 open source agreement, so as an open source software it is used in various places without any objection. Elastic's product line, on the other hand, is released using the Elastic License 2 (which once also used the same SSPL protocol as MongoDB), and there is some disagreement as to whether this can be called an open source protocol.
The difference between Elastic License 2 and other mainstream open source protocols is that EL2 allows you to modify and redistribute its source code, both commercial and non-commercial, and does not require you to open source your modified code, but explicitly states that you cannot remove other copyright information such as Elastic's logo and cannot provide hosting services.
This can not provide hosting services, a simple understanding is that you can help other companies as MSP vendors to install and deploy Elastic software, but the other company must use ElasticSearch directly, not you directly provide a service for them to access and not at all to direct access the ElasticSearch product.
Many people in the industry believe that such an agreement does not count as "open source software" because it is "open source" but not "free".
Here I do not want to discuss too much about whether he is open source software, I care more about his current as a free security program is sufficient or not.

I've been following Elastic's development because their ElasticSearch and Kibana consoles are inherently well-suited for EDR use, something that no other security-focused company can offer. But unfortunately, as a commercial company and not an open source foundation, they are always looking for ways to make a profit rather than just doing "public good", so in 2022 they will start to include many new features in the paid version of the exclusive, no longer open source version = full version (previously there were also paid features like XPACK but there is no difference for security).
Currently, you need to purchase the Platinum version to use behavioral anti-ransom as well as memory threat detection (I'm not sure if the English version is called Platinum, the package name comes from their Simplified Chinese website).

I decided to use the paid version because I wanted to experience the full version and see how it works in my current environment.
Then I decided to use the paid version because it is difficult to purchase the paid version, and considering that my knowledge of ES is only that I can use it, and I am worried about the effect caused by the deployment error, I directly used the cloud pre-deployment EFK (Elastic+Fleet+Kibana, as a security use without Logstash) provided by AWS (Amazon Cloud) to conduct the evaluation.
The configuration used is as follows:
EC2.c6gd / 2 cores guaranteed, 8 cores burst (ARM) / 6GB RAM / 35GB SSD + 840GB cold storage
ElasticSearch Platinum Edition
In this configuration, the cost incurred without considering outgoing traffic is $33.408 / month, which I consider an acceptable level considering the current price of enterprise-class security software (as a comparison CrowdStrike full version is $200 / appliance / year). After all, it only charges according to the level of resources used, and as long as your configuration is high enough, you can theoretically deploy an unlimited number of endpoints.

First, go to the Elastic backend (or Kibana) and from the menu go to Integrations, then find Elastic Defend.
Click on the Add Elastic Defend button to add it to your Fleet.
QQ截图20230103041505.png

After adding it, besides giving it a name, you also need to choose which type of feature you need.
Here we take into account that the cloud server only has 35GB SSD, choose Essential EDR (Endpoint Detection & Response).
If you only need him as a basic antivirus, choose NGAV, which consumes negligible disk resources at this point.
QQ截图20230103041837.png

Once added, we can go back to Policy and see the Integrations (which I named Defend-EDR) we just added.
Here you can change some settings, such as anti-virus, anti-ransom, memory threat protection switch and trigger behavior.
If you set it to Detect, it will only detect and log but not intercept, if you set it to Prevent, it will automatically block the process when detected.
The Notify user at the bottom, if turned on, will display a message on the client to alert the user when triggered.
There is an important feature at the bottom, Elastic Defend will be registered as security software and Windows Defender will be turned off when it is turned on.
We turned it on during the review so that WD would not interfere with our later tests.
QQ截图20230103042938.png

QQ截图20230103043650.png

After completing all the settings, we are now ready to add the terminal.
Download ElasticAgent from Elastic's website and transfer it to your device, then open Fleet and click Add Agent.
You can see that Elastic automatically generates the commands that you need to execute, just cd to the Agent directory and enter the corresponding commands.
Once executed, wait a few minutes for it to synchronize its rules, and you will see that Elastic has replaced Windows Defender in your security center.
Yes, just like Crowdstrike which @Shadowra tested before, it has no UI. :LOL:
QQ截图20230103044849.png

QQ截图20230103044947.png
At this point, the client deployment is complete. Although the setup is a bit tedious, it is the easiest for client deployment in the enterprise, and because it is command line execution, it is ideal for bulk deployment of a large number of devices.

For the first test we got a security lab to borrow a fake Telegram that hadn't been widely distributed yet.
Elastic intercepted the dll released by the sample and then the sample exited with an error.
Also, Elastic is the only security software that detected this sample as of my testing on VT.
QQ截图20230103045532.png

QQ图片20230103045928.png

From the timeline we can see all the things the sample did, including the files released. Although Elastic only killed the derivative DLL to block the sample, it can still clean the rest of the derivatives through this timeline, which is an ability that many "specialized" security software does not have.
Following the timeline we easily found the rest of the derivatives and were able to clean them up along the way.
QQ截图20230103050328.png

QQ截图20230103050507.png

Then we tested samples from the
of AVG white exe + black dll remote control.
The sample successfully released an exe derivative of AVG, which was then detected by Memory Protection as a shellcode and intercepted when the black dll was loaded.
QQ截图20230103050953.png

QQ截图20230103051237.png
From the Elastic backend, we can see that although EDR detected the Shellcode injection, it was a little slow.
However, everything turned out to be fine, as the in-memory threat protection detected the Metasploit feature and closed the sample before it could.

Finally, let's summarize, Elastic Defend's strength is generally sufficient, as to whether this result is worth buying the Platinum Edition, it is a matter of opinion.
From the process of testing just now, this configuration of ES with a terminal to do EDR is seriously overkill, if there are a large number of devices then the cost performance will be significantly improved.
Of course, as NGAV when a supplemental protection + installed on the local machine free to use the open source version is also a good choice.
QQ截图20230103054933.png
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
It is unfortunate that Endgame was really the end of it. I had already tried it, and that was thanks to Elastic, which acquired it. It is an effective protection solution and outperforms carbon black.
As for the detection speed, it is slow compared to Cylance
I do not know the reason for this, but it is effective in protection.
You brought up a good topic. I enjoy reading your posts, especially those related to next generation software
I hope you touch on ReaQta and Deep Instinct :):emoji_beer:
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
123
It is unfortunate that Endgame was really the end of it. I had already tried it, and that was thanks to Elastic, which acquired it. It is an effective protection solution and outperforms carbon black.
As for the detection speed, it is slow compared to Cylance
I do not know the reason for this, but it is effective in protection.
You brought up a good topic. I enjoy reading your posts, especially those related to next generation software
I hope you touch on ReaQta and Deep Instinct :):emoji_beer:
Deepinstinct I have lent to shadowra, he will do the test.
ReaQta I don't know what to say, I know an IBM employee in Japan who told me that their company is using CrowdStrike and did not recommend me to buy ReaQta because of the average efficiency of IBM.
 

NormanF

Level 7
Verified
Jan 11, 2018
343
Not so good for individual users. BD XDR has a GUI desktop console so you can view the modules running and what's happening on the endpoint.

Open source doesn't necessarily mean free. The Elastic EDR package needs to be purchased to protect the endpoint.
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
123
Not so good for individual users. BD XDR has a GUI desktop console so you can view the modules running and what's happening on the endpoint.

Open source doesn't necessarily mean free. The Elastic EDR package needs to be purchased to protect the endpoint.
Endpoint protection is included in Elastic Free.
The Paid version will plus memory shellcode protection and behavior ransomware protection.
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
123
@ShenguiTurmi do you have download links for the free endpoint protection version?
For free use, you need install elastic stack by your self.
Elastic search (server):https://www.elastic.co/downloads/elasticsearch
Kibana (web ui):Download Kibana Free | Get Started Now
Elastic Agent (on ur computer):Download Elastic Agent Free
During this process, you may need to modify some configurations, such as installing Elasticsearch on the public network. In this case, you need to enable the free version of XPACK to set the login password, and you may search the complete installation tutorial.
 

ShenguiTurmi

Level 3
Thread author
Well-known
Feb 28, 2023
123
All of that's included in my BitDefender endpoint security product. How many endpoints are you protecting with $33.00 a month? I pay $8.00 a month for the endpoint that's my mobile workstation.
That's the cost of the cloud servers, Elastic doesn't bill by the number of devices, and their main business isn't security software.
The simple understanding is that Elastic can get a lower price from AWS/Azure/GCP by having a larger quota and then sell it to you at the original price. This way you get the software and they make the difference.
If you don't care about the additional features of the Gold Edition, you can deploy the open source version of Elastic yourself, which is free and includes EDR.
 
  • Like
Reactions: [correlate]

NormanF

Level 7
Verified
Jan 11, 2018
343
That's the cost of the cloud servers, Elastic doesn't bill by the number of devices, and their main business isn't security software.
The simple understanding is that Elastic can get a lower price from AWS/Azure/GCP by having a larger quota and then sell it to you at the original price. This way you get the software and they make the difference.
If you don't care about the additional features of the Gold Edition, you can deploy the open source version of Elastic yourself, which is free and includes EDR.
Thanks for the clarification! Ransomware mitigation in included on my endpoint. I did add Patch Management, which will keep Windows up to date and patch vulnerabilities.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top