
You are reading Part 47 of the 57-part series: Harden and Secure Linux Servers. [Level 5]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Endpoint Detection and Response (EDR) tools continuously monitor servers and endpoints for suspicious activity, malware, and potential security breaches. These tools provide:

✅ Real-time threat detection and behavioral analysis.
✅ Automated response to security incidents (e.g., quarantine or isolate compromised endpoints).
✅ Detailed logging for forensic investigation and compliance reporting.
✅ Proactive mitigation of attacks before they escalate.

By deploying EDR solutions, you significantly enhance your server's security posture and improve incident response capabilities.

How to Implement EDR in Linux Servers

1. Choose an EDR Solution

Several EDR solutions offer robust monitoring, detection, and response capabilities:

🔹 Open-Source EDR:

  • OSSEC – Intrusion detection and log analysis.

  • Wazuh – SIEM and EDR functionality.

  • Falco – Real-time runtime security for cloud workloads.

🔹 Commercial EDR:

  • CrowdStrike Falcon – Cloud-native EDR with AI-driven threat detection.

  • Microsoft Defender for Endpoint – Advanced threat protection.

  • SentinelOne – Automated endpoint security and remediation.

2. Install and Configure an EDR Solution
Option 1: Install Wazuh (Open-Source EDR & SIEM)

Wazuh provides host-based intrusion detection (HIDS), log monitoring, and EDR capabilities.

Step 1: Install Wazuh Agent on Linux Server

The wazuh-install.sh script deploys the central components (indexer, server, dashboard) and has no --agent option; the agent is installed from the Wazuh package repository instead (Debian/Ubuntu shown, pointing the agent at the manager during installation):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update && sudo WAZUH_MANAGER="192.168.1.100" apt install wazuh-agent -y
Step 2: Configure Wazuh Agent to Connect to Wazuh Manager

Edit the agent configuration:

sudo nano /var/ossec/etc/ossec.conf

Modify:

<client>
  <server>
    <address>192.168.1.100</address>  <!-- Wazuh Manager IP or hostname -->
    <port>1514</port>
  </server>
</client>
Step 3: Start Wazuh Agent and Enable at Boot
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Step 4: Verify Agent Status

sudo systemctl status wazuh-agent          # on the agent: service running, no connection errors in /var/ossec/logs/ossec.log
sudo /var/ossec/bin/agent_control -l       # on the manager: lists registered agents and whether they are Active

🔹 Wazuh now collects security logs, detects threats, and integrates with SIEM solutions.

Option 2: Install OSSEC for Intrusion Detection and EDR

OSSEC is a lightweight HIDS tool that detects security threats and logs suspicious activities.

Step 1: Install OSSEC on Linux Server

The ossec-hids packages are not in the default distribution repositories; add the OSSEC project (Atomicorp) package repository first, then:

sudo apt install ossec-hids -y   # Debian/Ubuntu
sudo yum install ossec-hids -y   # CentOS/RHEL
Step 2: Configure OSSEC to Monitor Security Events

Edit the OSSEC config file:

sudo nano /var/ossec/etc/ossec.conf

Tell OSSEC to read the SSH authentication log; the built-in sshd rules then detect failed logins and brute-force attempts from it:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>  <!-- /var/log/secure on CentOS/RHEL -->
</localfile>
Step 3: Enable Active Response for Automatic Threat Mitigation

Modify (disable-account is one of the commands predefined in ossec.conf):

<active-response>
    <command>disable-account</command>
    <location>local</location>
    <level>6</level>          <!-- fires on every alert of level 6 or higher; add <rules_id> to limit it to specific rules -->
    <timeout>600</timeout>    <!-- re-enable the account after 10 minutes instead of leaving it disabled -->
</active-response>
Step 4: Restart OSSEC Service
sudo systemctl restart ossec-hids

🔹 OSSEC now actively detects and responds to threats in real time.

3. Configure EDR Policies for Threat Detection

To enhance threat detection, define custom policies in your EDR tool.

Monitor SSH Login Attempts

Use OSSEC or Wazuh to track failed SSH logins. Custom rules go inside the existing <group> element of /var/ossec/etc/rules/local_rules.xml (IDs from 100000 upwards are reserved for local rules); the first rule flags a single failure, the second raises a higher-level alert when several arrive from the same source within the timeframe:

<rule id="100001" level="5">
  <decoded_as>sshd</decoded_as>
  <match>Failed password</match>
  <description>Failed SSH login attempt</description>
</rule>
<rule id="100002" level="10" frequency="5" timeframe="120">
  <if_matched_sid>100001</if_matched_sid>
  <same_source_ip />
  <description>Multiple failed SSH login attempts detected from the same source IP</description>
</rule>
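As an added illustration that is not part of the original post, the Python script below replays the two rules above over constructed auth.log lines: rule 100001 is the regular-expression match on "Failed password", and rule 100002 is a per-source-IP sliding window of `timeframe` seconds that fires once `frequency` matches accumulate. The sample log lines and the year assumed for the syslog timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the original post)
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:09 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:17 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar  3 10:00:30 web1 sshd[2107]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:00:41 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:02 web1 sshd[2111]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
Mar  3 10:01:15 web1 sshd[2113]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:09:00 web1 sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Rule 100001: the "Failed password" match, restricted to sshd lines as the sshd decoder does
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(stamp: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; one is assumed so the lines can be ordered
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(log_text: str, frequency: int = 5, timeframe: int = 120) -> list[dict]:
    """Rule 100002: alert when `frequency` rule-100001 matches from the same source IP
    fall within `timeframe` seconds (OSSEC's frequency/timeframe + same_source_ip)."""
    window: dict[str, deque] = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # rule 100001 did not fire for this line
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop matches that fell out of the timeframe
        if len(q) >= frequency:
            alerts.append({"rule": 100002, "level": 10, "srcip": ip,
                           "count": len(q), "last_seen": ts})
            q.clear()  # start a fresh window so one burst yields a single alert
    return alerts
```

With the defaults, the sample produces one alert for 203.0.113.7 (five failures in 74 seconds); the single failures from the other two addresses never reach the threshold.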
Detect Malware Execution Using Falco

Falco monitors system calls for suspicious activity (the falco package comes from the Falco project's own repository, which must be added first):

sudo apt install falco -y

Add a rule to detect execution of unexpected binaries to /etc/falco/falco_rules.local.yaml (the spawned_process macro comes from the default ruleset, which Falco loads before the local file):

- rule: Unexpected Binary Execution
  desc: Detect execution of non-whitelisted binaries
  # every process not in the list (ls, cat, cron jobs, ...) will alert; extend the list to match the host's workload before relying on this rule
  condition: spawned_process and not proc.name in (bash, sh, python, systemd)
  output: "Unexpected binary execution detected (command=%proc.cmdline user=%user.name)"
  priority: WARNING

Restart Falco to apply changes:

sudo systemctl restart falco

🔹 Now, any unauthorized execution triggers an alert.

4. Isolate and Remediate Compromised Endpoints

If an endpoint is compromised, automatically isolate it using your EDR tool.

Option 1: Use OSSEC Active Response to Block IPs

Enable IP blocking for repeated failed SSH logins:

<active-response>
    <command>firewall-drop</command>   <!-- predefined iptables command in OSSEC and Wazuh; "firewalld" is not a predefined command name -->
    <location>local</location>
    <rules_id>5712</rules_id>          <!-- built-in "SSHD brute force" rule, rather than every level-6 alert -->
    <timeout>600</timeout>             <!-- remove the block after 10 minutes -->
</active-response>

Restart OSSEC:

sudo systemctl restart ossec-hids
Option 2: Use CrowdStrike Falcon to Quarantine Infected Machines
  1. Go to Falcon Console → Hosts → Select Infected Host.

  2. Click "Contain Host" to prevent further network communication.

  3. Run CrowdStrike RTR (Real-Time Response) to remove threats. RTR is an interactive session opened from the console (cscli is CrowdSec's CLI, not part of Falcon):

    get /path/to/malware    # retrieve a copy for analysis before deleting it
    rm /path/to/malware

🔹 Blocked attackers (OSSEC) and contained hosts (Falcon) can no longer reach the rest of the network, which limits lateral movement.

5. Regularly Review and Update EDR Policies

Security threats evolve constantly, so EDR policies should be updated regularly.

Review Security Alerts and Logs

Use Wazuh or OSSEC to generate security reports. Each entry in alerts.log starts with a "** Alert" header followed by a "Rule:" line, so counting those lines gives a quick breakdown of which rules fire most:

sudo grep '^Rule:' /var/ossec/logs/alerts/alerts.log | sort | uniq -c | sort -rn | head
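As an added example, not from the original post, the Python parser below reads alerts.log records (the "** Alert" header with its rule groups, then the "Rule:" and "Src IP:" lines) and produces the per-rule and per-source counts a review starts from. The alert records are constructed samples in the OSSEC/Wazuh alerts.log format.

```python
import re
from collections import Counter

# Constructed sample of /var/ossec/logs/alerts/alerts.log (not from the original post)
SAMPLE_ALERTS = """\
** Alert 1709460001.100: - syslog,sshd,authentication_failed,
2024 Mar 03 10:00:01 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 203.0.113.7
Mar  3 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2

** Alert 1709460075.250: - syslog,sshd,authentication_failures,
2024 Mar 03 10:01:15 web1->/var/log/auth.log
Rule: 5712 (level 10) -> 'sshd: brute force trying to get access to the system.'
Src IP: 203.0.113.7
Mar  3 10:01:15 web1 sshd[2113]: Failed password for root from 203.0.113.7 port 51150 ssh2

** Alert 1709460120.300: - ossec,syscheck,
2024 Mar 03 10:02:00 web1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text: str) -> list[dict]:
    """Split alerts.log into records: each starts with '** Alert' and runs to the next header."""
    alerts, current = [], None
    for line in text.splitlines():
        if line.startswith("** Alert"):
            # the header carries the rule groups after "- ", e.g. "syslog,sshd,authentication_failed,"
            current = {"groups": line.split("- ", 1)[1].strip(",").split(","), "srcip": None}
            alerts.append(current)
        elif current is None:
            continue  # text before the first header
        elif (m := RULE_RE.match(line)):
            current.update(rule=int(m["id"]), level=int(m["level"]), description=m["desc"])
        elif line.startswith("Src IP: "):
            current["srcip"] = line[len("Src IP: "):]  # absent for e.g. syscheck alerts
    return alerts

def report(alerts: list[dict], min_level: int = 0) -> dict:
    """Counts a weekly review starts from: alerts per rule and per source IP at or above min_level."""
    kept = [a for a in alerts if a["level"] >= min_level]
    return {
        "total": len(kept),
        "by_rule": Counter(a["rule"] for a in kept),
        "by_srcip": Counter(a["srcip"] for a in kept if a["srcip"]),
        "max_level": max((a["level"] for a in kept), default=0),
    }
```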
Perform Monthly EDR Policy Reviews
  • Identify false positives and adjust detection rules.

  • Update firewall and intrusion detection policies.

  • Add new rules for emerging threats (e.g., ransomware, supply chain attacks).

Schedule Regular EDR Updates

For OSSEC/Wazuh the detection ruleset ships with the manager package, so updating the rules means upgrading that package (Debian/Ubuntu shown):

sudo apt update && sudo apt install --only-upgrade wazuh-manager   # ossec-hids for OSSEC

Best Practices for EDR Implementation

✅ Deploy an EDR solution like Wazuh, OSSEC, or CrowdStrike.
✅ Monitor system logs for unauthorized activity and anomaly detection.
✅ Define and update security policies to detect new attack patterns.
✅ Automate response mechanisms to quarantine compromised endpoints.
✅ Review security alerts weekly and adjust detection thresholds as needed.
✅ Integrate EDR logs into a SIEM (Splunk, Graylog, ELK) for centralized monitoring.

By implementing EDR tools, you enhance threat detection, automate security response, and proactively defend against cyber threats, ensuring your Linux environment remains secure and resilient.
