Acronis Cloud Tech Associate Advanced Security EDR 2024 Handout
Acronis Academy
Hello and welcome to the Cloud Tech Associate – Advanced Security + EDR course, so let's get started.
Learning Objectives
In this course you will learn to recognize the six essential security components included in the standard security package. You'll understand their benefits and how they form the foundation of an organization's cybersecurity defense.
You will gain insights into the advanced security features available in the Advanced Security + EDR pack. This includes understanding the functionality and importance of real-time antimalware scanning, local signature-based detection, URL filtering and exploit prevention, and how they strengthen cybersecurity efforts.
You will establish a foundational understanding of Endpoint Detection and Response (EDR). You'll explore why EDR is a critical component of cybersecurity, how it complements prevention strategies, and its role in the wider context of cyberthreat management.
You will engage with a case study to apply your knowledge of both standard and advanced security components. This practical exercise will demonstrate the real-world application and effectiveness of cybersecurity measures.
You will master the initial steps of working with EDR within Acronis Cyber Protect Cloud. By learning to provision and set up EDR, you'll lay the groundwork for future learning in more advanced topics like incident management, investigation and remediation.
Course Modules
1. Case Study
2. High Level Overview and Benefits
3. Standard Security Components
4. Advanced Security Components
5. EDR Components
There are different sections within this course, so let us see what is in store for you. We will start out with a short case study. Then we will go over a high-level overview of what is included in the standard security components and then what is in the Advanced Security plus EDR pack.
We will then continue our exploration with seven standard security components such as Real-Time Antimalware Scanning, Local Signature-Based Detection, URL Filtering and exploit prevention.
Since prevention and detection cover different parts of the cyberthreat landscape, we will then continue with the EDR or Endpoint Detection and Response portion of our solution. This is a foundational aspect needed to ensure success with the Advanced Security plus EDR pack. More technical information will be provided in the tech professional course.
Specifically, we will go over a technical use case scenario that explains the reason to have EDR in addition to prevention layers. We also need to think about how attacks can happen and how to respond to them. As stated, prevention and detection cover different parts of the threat landscape, and we will go over that in the section covered next.
And finally, within the solution, we want to show you how to provision, set up and navigate at a higher level the EDR component within Acronis Cyber Protect Cloud. In the professional course, we will dive more into alerts and how to walk through incident management, investigation and remediation. But for now, we need to build on a foundation, understand aspects of the overall cyberthreat landscape, and then progress into the professional course with managing incidents.
Acronis Education
Comprehensive Training for Every Scenario
Acronis has created an MSP Academy, which is a vendor-neutral training environment in bite-sized modules as well as various structured learning plans, all designed to help service providers run and manage their practice. Related to EDR, learners gain an understanding ranging from the historical evolution of the space to best practices and integrating with various tools for a holistic approach. As you can see on the screen, the associate and professional course certifications show what is covered in those courses.
Cyber Protect Cloud
Case Study
I would like to present to you a specific case study which relates to our safe recovery feature, which combines cybersecurity related to malware with backup thanks to our native integration, and shows how this can improve overall operational efficiency.
Meet Emma
(IT Manager of a SMB Company)
The Disaster and the Opportunity
Signing up
Emma realized the time savings with the safe recovery feature, not having known there was an infected file. Had they recovered that backup with an infected file, they would have needed to run another process from the other security vendor to validate that the backup is clean. Emma realized that one console and process for such an action was worth switching all the endpoints. How that backup got infected, and tracing that, will be a benefit of having EDR within the solution.
Cyber Protect Cloud
High Level Overview and Benefits
At this time, let's discuss a high-level overview of the security components and Acronis data center benefits.
Integrated Platform
An integrated solution of cyber security, backup, disaster recovery,
management and automation built specifically for SPs
On the left you can see that in the standard security area we have various cyber protection measures such as anti-ransomware capability, a vulnerability assessment scanner and device control (all prevention-type solutions). With Advanced Security plus EDR, there is much more for an overall cyber protection strategy. If you are looking at replacing another solution, this is what you will need. From local signature-based detection and exploit prevention to URL filtering, we are covering the gamut. We have a technical professional course on the more sophisticated components of Advanced Security plus EDR, so feel free to take that course to learn more about the solution.
Ensure compliance and a local presence
Choose from over 50 data centers worldwide to store data – Acronis Hosted,
Google Cloud and Microsoft Azure
Over 50 data centers, with a strong presence in Asia-Pacific (Singapore, Japan, Australia).
Acronis has over 50 data centers and continues to grow globally. We have several
locations where we natively integrate with Google Cloud and Microsoft Azure.
Besides providing a local presence, it helps with compliance and data sovereignty
regulations.
Cyber Protect Cloud
Standard Security Components
Let us go over the standard security components we will cover in this associate
course.
Standard Security Components
1. Safe Recovery
2. #CyberFit Score
3. Vulnerability Assessment
4. Quarantine
5. Active Protection
6. Antimalware (without local signature-based engine)
We will start with safe recovery, which was used in the case study earlier. We will discuss the #CyberFit Score mechanism along with the vulnerability assessment scanner. We will then discuss a few aspects related to quarantine and spend a good amount of time on Acronis Active Protection. Then we will finish this section with the antimalware components that are included in the standard security stack within Acronis Cyber Protect Cloud at no additional charge.
Cyber Protect Cloud
Safe Recovery
Let’s dive a little more into the details for safe recovery.
Safe Recovery
As seen in the case study, a backup could be infected with malware. Recovering a backup that contains malware, without native integration between the backup and security components, typically involves extra steps in the process. The goal here is to ensure that, when a backup is recovered, any malware present is deleted in the process. This works on Windows machines with the Agent for Windows installed, regardless of whether it is a physical or virtual machine. These backups need to be either entire-machine or disk/volume backups, and in the NTFS format. CDP, or Continuous Data Protection, is a feature in the Advanced Backup pack that assists with certain types of backups between regular backups, so feel free to inquire about that pack for more details. When recovering, the machine can be recovered from the latest regular backup without the CDP information. To recover the CDP data, one can then start a files and folders recovery. Let's go to a very short video on how safe recovery works.
Cyber Protect Cloud
#CyberFit Score
Acronis #CyberFit Score: what is it, and what value does it bring to service providers?
Acronis #CyberFit Score
Increase Cybersecurity Posture
Backup enabled?
Antimalware installed?
Firewall in place?
HDDs encrypted?
VPN in use?
The #CyberFit Score is a security assessment and scoring tool that assesses the security posture and gaps in a client's environment by evaluating security metrics and configurations, and provides recommendations for improvements.
#CyberFit Score for machines
CyberFit Score is available only for Windows machines and is recalculated whenever a
protection plan is applied or any module within a protection plan is run. There are
various scoring mechanisms for each of the items you see on the screen with
weighted numbers for points to a max of 850.
#CyberFit Score
0-579: Poor
580-669: Fair
670-739: Good
740-799: Very Good
800-850: Excellent
The overall score provides a rating for that machine. Let's now go into the product and see how to view this information, along with the help and the available options.
Cyber Protect Cloud
Vulnerability Assessment
Let us now go over the vulnerability assessment scanner that is part of the standard
security components.
Vulnerability Assessment
The information is derived from the NIST (National Institute of Standards and Technology) National Vulnerability Database, which is maintained by MITRE.
The NIST NVD performs analysis on CVEs (Common Vulnerabilities and Exposures) and publishes them to a CVE dictionary.
Vulnerability Assessment
CVE: Common Vulnerabilities and Exposures
CVSS Score (Common Vulnerability Scoring
System)
• Assigns severity scores: prioritize
responses/resources
• Low, Medium and High Severity Levels
a) Low: 0.1 – 3.9
b) Medium: 4.0 – 6.9
c) High: 7.0 – 10.0
d) None: 0
Search: https://nvd.nist.gov/vuln/search
CVE is a glossary that classifies vulnerabilities; severity scores are assigned to them using the CVSS, or Common Vulnerability Scoring System. This is to assist with prioritizing responses and resources.
Feel free to go to the URL you see on the screen to look at different vulnerabilities and information on them. At this time, let's go into the solution and see where to set this up and how to view these vulnerabilities.
Cyber Protect Cloud
Quarantine
Quarantine
Locations:
• Windows: %ProgramData%\%product_name%\Quarantine
• Mac: /Library/Application Support/Acronis/Quarantine
• Linux: /opt/Acronis/Quarantine
To view, go to Protection > Anti-malware > Quarantine tab
Quarantine is called into action when a malicious file is detected by any of the anti-ransomware or anti-malware engines: it is a special isolated folder on a machine's hard drive where the suspicious file is placed, and this is done to prevent any further spread of the threat. You can see on the slide where the quarantine locations are on the local drive for Windows, Mac and Linux machines. But the important thing to know about the Cyber Protect Cloud Quarantine is that the web console shows ALL the quarantined files detected by ALL the agents in one single place. So the Quarantine tab in the console works as a "Centralized Quarantine Management", which I will show shortly in a quick video.
Actions with Quarantined Files
When you go into the Quarantined Files section in the console, you will see that there are three options available for each quarantined file. You can restore the file to its original location, which means that the file can be detected once more in the future because it's no longer in the quarantine area. Or it may happen that a file is detected as malicious by mistake, for example because it is part of a home-grown application, and is therefore a so-called "false positive"; in this case you can add it to a whitelist so that it won't be detected anymore in the future, and then restore it to its original location. Or you can simply delete the file from the quarantine area. Please note that by default quarantined files are automatically deleted after 30 days, but this time period can be defined in the anti-malware module options. Finally, please remember that all these actions are centralized, which means that you can whitelist, restore or delete files in the Quarantine area from multiple machines with a single action, and this allows you to be more efficient in managing quarantined files. Now let's have a quick look at the Quarantine tab in the console.
Section Summary
Safe recovery, as part of a recovery process from a backup in the Acronis Cloud, will scan for and delete malware to help prevent reinfection. Our #CyberFit Score assesses the level of different security protection mechanisms: whether backup and antimalware are in place, whether a VPN is in use, whether firewalls are present and whether hard drives are encrypted.
The vulnerability assessment scanner will scan systems for known vulnerabilities based on the NVD, or National Vulnerability Database. It provides an opportunity to offer patch management as a service (as a lead-in), or, after scanning and patching with another product, helps validate that systems are in fact properly patched. And finally, when an item is quarantined, there are several options: deleting it, restoring it, or adding the file to an allow list.
Cyber Protect Cloud
Active Protection
Active Protection
Before we dive into the benefits of Active Protection, why is this feature important to your overall cybersecurity posture?
In the past, ransomware gangs used to encrypt data and ask for a ransom only (after which the victim would hopefully get the decryption key). But backups and restoring, disaster recovery and even reverse engineering allowed folks to avoid paying the ransom and recover encrypted data. So the gangs switched to a double-extortion method: they encrypt and steal data, then provide proof that they have the data and ask for money not to publish it; a promise not to release it publicly, if you will. Keep in mind that privacy issues and fines might follow if such confidential or personal data was stolen. Even after all this, they would threaten a distributed denial-of-service attack to flood the network and take it down unless another fee is paid. Moving into 2024, we now have a fourth attempt, where there is the threat to contact customers, employees, business partners and even the media to inform them of the compromise.
There are various ways for ransomware to get into the network, from someone opening an attachment to utilizing exploits or other vulnerabilities to gain access, say from remote desktop logins or Internet-facing servers. And once in, the attackers could hunt through the network for a while until they control as much as possible before encrypting.
Active Protection
Protects against:
Active Protection functionality has been around since 2018, and since then it's been an integral part of all Acronis Cyber Protection solutions.
Active Protection protects against ransomware, as we discussed on the last slide, to protect local files and local backups from unauthorized modification or encryption. Further, it helps protect Acronis processes, registry settings, configuration files and executables. This artificial-intelligence and behavior-based engine recognizes that local files are getting encrypted and blocks the malicious process. There's also an option to instantly recover files that have been encrypted from a local service cache. For example, imagine that ransomware hits and encrypts one file; the engine is not too sure yet, since encrypting a single file can have a legitimate reason, as you will see in a few slides from now. Then it encrypts another file and the agent detects that something wrong is happening. Then at the third file the agent says: no, this is ransomware, I am going to stop you!
So now the threat has been blocked, but what about those three files? With this option enabled (revert from cache), those three files were proactively copied into a cache and, as soon as the threat is detected, they are restored from that cache, so that no files are lost.
Active Protection also helps with process injection, cryptomining (which is using a victim's CPU and GPU to mine cryptocurrency and earn money), and external drive, network folder and server-side attacks.
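The one-file, two-file, third-file escalation and the revert-from-cache behaviour described above can be modelled in a few dozen lines. The following is an added example written for this handout, not Acronis code: it does not reproduce how the real engine judges a write, only the shape of the logic. An in-memory dictionary stands in for the disk, a Shannon-entropy jump (readable content replaced by near-random content of similar size) is the assumed signal for "this file just got encrypted", and the strike limit of three and the entropy threshold of 7.0 bits per byte are assumptions chosen for the demonstration.

```python
"""Toy behaviour-based ransomware monitor with revert-from-cache (added example)."""
import math
from collections import Counter, defaultdict

STRIKES_TO_BLOCK = 3      # assumption: the third suspicious write triggers the block
ENTROPY_THRESHOLD = 7.0   # assumption: bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_encryption(old: bytes, new: bytes) -> bool:
    """Heuristic: readable content replaced by high-entropy content of comparable size."""
    return (shannon_entropy(old) < ENTROPY_THRESHOLD
            and shannon_entropy(new) >= ENTROPY_THRESHOLD
            and len(new) >= len(old) // 2)


class ActiveProtectionMonitor:
    """Watches file writes per process, caches originals, blocks and reverts."""

    def __init__(self, disk: dict):
        self.disk = disk                    # path -> content; stands in for the file system
        self.cache = {}                     # path -> copy taken before a suspicious write
        self.strikes = defaultdict(list)    # pid -> paths it overwrote suspiciously
        self.blocked = set()

    def write(self, pid: int, path: str, new: bytes) -> str:
        """Apply a write and return the verdict: ok, suspicious, blocked or denied."""
        if pid in self.blocked:
            return "denied"
        old = self.disk.get(path, b"")
        if not looks_like_encryption(old, new):
            self.disk[path] = new
            return "ok"
        self.cache.setdefault(path, old)    # keep the pre-write copy before it is lost
        self.disk[path] = new
        self.strikes[pid].append(path)
        if len(self.strikes[pid]) < STRIKES_TO_BLOCK:
            return "suspicious"             # one or two files: could still be legitimate
        self.blocked.add(pid)
        self.revert(pid)
        return "blocked"

    def revert(self, pid: int) -> None:
        """Restore every file the blocked process touched from the cache."""
        for path in self.strikes[pid]:
            self.disk[path] = self.cache[path]


def demo():
    # Constructed sample data: a readable document and a stand-in for ciphertext.
    plain = b"Q3 revenue figures and notes for the board meeting\n" * 50
    cipher = bytes(range(256)) * 11       # every byte value equally likely: entropy 8.0
    disk = {f"/docs/report{i}.txt": plain for i in range(3)}
    disk["/docs/notes.txt"] = plain
    monitor = ActiveProtectionMonitor(disk)

    # pid 4242 behaves like ransomware: three documents overwritten in a row.
    verdicts = [monitor.write(4242, f"/docs/report{i}.txt", cipher) for i in range(3)]
    # pid 77 encrypts a single file, which the engine tolerates as possibly legitimate.
    single = monitor.write(77, "/docs/notes.txt", cipher)
    # Further writes from the blocked process are refused.
    after_block = monitor.write(4242, "/docs/report0.txt", cipher)
    restored = all(disk[f"/docs/report{i}.txt"] == plain for i in range(3))
    return verdicts, single, after_block, restored


if __name__ == "__main__":
    print(demo())
```

The cache is filled on the first suspicious write rather than on the block decision, which is the point the text makes: by the time the third file confirms the verdict, the first two originals would already be gone unless they were copied proactively.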
Active Protection
Process Injection
Related to process injection on the last slide: process injection is where one process attaches to another process and works along with it. Please note that process injection is not a malicious technique by itself; it can also be used for legitimate purposes. For example, debugger software can hook into applications to catch bugs or code flaws, and some anti-virus solutions inject their processes into browsers to investigate browser behavior, website content and Internet traffic.
The problem is when process injection is used for malicious purposes: usually the idea is to hide the true nature of the actions behind legitimate processes, so that everything looks okay. Would you stop the notepad process if you found it open? Maybe it's not only notepad, but a crafted version of notepad which is also running some malicious activity! There are several other types of process injection: for example DLL (dynamic link library) injection, that is, injecting malicious code into a legitimate DLL, is becoming more common; there are also portable executable injection, process hollowing and registry modification.
So adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the memory space of that process, to system or network resources, and possibly to elevated privileges. Execution via process injection may also evade detection by security products, since the execution is masked under a legitimate process.
Active Protection
With Active Protection you can also trust or block processes and folders depending on your needs. You can specify that certain processes must never be considered malware, for example in the case of a home-grown application which works heavily on files, like a file-based database which opens, modifies and adds files to archives, since such operations may be considered malicious when they are not. On the other side, you can also specify that certain processes must always be blocked, for any reason.
Active Protection
Protects collaboration and communications
applications (self-protection selection):
Active Protection
Things to help
So what are some things one can do to help against the threats we have discussed here with Active Protection? Well, you want to make sure you stop a ransomware attack as early as possible (preferably at the desktop, before it can infect the network and other users).
First, apply Active Protection in a protection plan. Also, one should manage access control and privileges for users.
Apply at the very least the concept of least privilege, which is granting users the least amount of privileges needed to access the resources required to do their job. For example, one should not allow elevation of privileges without an administrator's consent. If a process gets launched by a standard user, it should inherit that user's permissions and be prevented from making any system-level changes.
There is also the concept of zero trust, and this is another avenue if feasible. This is a framework that requires all users, whether inside or outside the company network, to be authenticated, authorized and continuously validated for their security configuration and posture before being granted or keeping access to applications and data. NIST, the National Institute of Standards and Technology, has a publication called SP 800-207 with more information on this topic. As NIST puts it, zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or on asset ownership.
And finally, have some form of allow listing to help prevent unvetted software from running. This means allowing only trusted files, applications and processes to run; anything else (unless added) is denied. NIST recommends this in its publication SP 800-167. As you will see, the Advanced Security plus EDR pack has the ability to perform whitelisting based on backup scanning capabilities, with data stored in Acronis data centers.
Cyber Protect Cloud
Antimalware
(Standard Security Components)
At this time let's go over some features related to antimalware in the standard security components.
Antimalware – Standard Components
With the cloud-based signature detection, we utilize File Reputation Services. This works with small hash-based signatures: when a file is scanned, the hash of that file is taken and compared with hashes in the database to determine if it is malicious. If it matches, then it means that the file is infected. File reputation services determine whether a file is good or bad.
Cloud-based detection can help with on-demand scanning rather than with something being executed. Why? Because if something is executed and its hash is looked up in the cloud, it may be detected, but it is too late, as the malware might already have started, unless it was in the database already. We are not using any sandbox analysis, so no files are sent off: only the hashes.
We are using our own File Reputation Service along with VirusTotal.
Antimalware – Standard Components
So say there is a file in the system which is scanned by the antimalware engine. The hash is sent to the File Reputation Services. In this case, VirusTotal says that 10 other antivirus vendors detected it as infected, so we add the hash of that specific file to our list. Now, in this example we said 10, and this is not a fixed number. Some vendors, for example Symantec or McAfee, can have higher weights in this. So we are taking a weighted statistical guess based on VirusTotal to decide whether that file should be put on our list or not.
There is a concern about this method. It may take a while until the first "victim" uploads a file and it becomes part of the reputation database in VirusTotal. Therefore cloud-based detection alone might NOT be enough to be protected. This is where the Advanced Security plus EDR pack helps.
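The two slides above describe a hash lookup with a weighted vendor vote and point out its blind spot: a file nobody has submitted yet has no reputation at all. The block below is an added example illustrating that mechanism; it is not Acronis or VirusTotal code and queries no service. The reputation table, the vendor names and weights, and the threshold of 10 are all constructed for the demonstration; the only faithful parts are that a SHA-256 digest, never the file, is what gets looked up, and that an unknown hash yields "unknown" rather than "clean".

```python
"""Hash-based file reputation check with weighted vendor votes (added example)."""
import hashlib

# Constructed vendor weights: the handout says some vendors count more than others.
VENDOR_WEIGHTS = {"VendorA": 3.0, "VendorB": 3.0}
DEFAULT_WEIGHT = 1.0
BLOCK_THRESHOLD = 10.0     # assumption: weighted detections needed to list a hash


def file_hash(content: bytes) -> str:
    """SHA-256 of the file content; only this value is ever looked up, never the file."""
    return hashlib.sha256(content).hexdigest()


def weighted_detections(vendors) -> float:
    """Sum the weight of every vendor that flagged the hash."""
    return sum(VENDOR_WEIGHTS.get(v, DEFAULT_WEIGHT) for v in vendors)


def check_reputation(content: bytes, reputation_db: dict, local_list: set) -> str:
    """Return 'malicious', 'clean' or 'unknown' for a file, updating the local list."""
    digest = file_hash(content)
    if digest in local_list:
        return "malicious"
    vendors = reputation_db.get(digest)
    if vendors is None:
        return "unknown"          # nobody has submitted this file yet: the gap the text describes
    if weighted_detections(vendors) >= BLOCK_THRESHOLD:
        local_list.add(digest)    # remembered locally so later scans skip the lookup
        return "malicious"
    return "clean"


def demo():
    # Constructed sample files and a constructed reputation table keyed by hash.
    known_bad = b"MZ\x90\x00 constructed sample of a widely reported malicious binary"
    disputed = b"MZ\x90\x00 constructed sample flagged by a few low-weight vendors"
    fresh = b"MZ\x90\x00 constructed sample that no one has uploaded yet"
    reputation_db = {
        # 3 + 3 + 4 * 1 = 10 weighted detections: crosses the threshold
        file_hash(known_bad): ["VendorA", "VendorB"] + [f"Vendor{n}" for n in range(4)],
        # three default-weight vendors: 3, stays below the threshold
        file_hash(disputed): ["Vendor1", "Vendor2", "Vendor3"],
    }
    local_list = set()
    verdicts = {
        "known_bad": check_reputation(known_bad, reputation_db, local_list),
        "disputed": check_reputation(disputed, reputation_db, local_list),
        "fresh": check_reputation(fresh, reputation_db, local_list),
    }
    # A second look at the bad file is answered from the local list, no lookup needed.
    cached = file_hash(known_bad) in local_list
    return verdicts, cached


if __name__ == "__main__":
    print(demo())
```

Treating "unknown" as a distinct verdict, rather than folding it into "clean", is what lets a local signature engine or behavioural layer take over for exactly the files this method cannot yet judge.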
Antimalware – Standard Components
• 3rd-party antivirus present when applying the Protection Plan real-time component: alert generated and on-access protection stopped to prevent conflicts
• Full scan: checks all files on the machine
• Quick scan: checks only machine system files
• Detected threats quarantined and automatically deleted after 30 days (default)
• Trust certain files, folders and processes
• Block specific processes
Our antimalware capabilities are supported for Windows, Linux and macOS systems. The antimalware engine has both on-access and on-demand capabilities, so files will be scanned for infections as they are opened or by a scheduled scanning process. Later in this course you will understand why applying the real-time component while another solution is running its own real-time component is highly not recommended; our solution will prevent this to stop conflicts.
Related to scanning, we have a full scan, which checks all files on the machine, and a quick scan, which only checks system files. All files detected as infected are moved into the Quarantine area and deleted by default after 30 days; the number of days can be modified in each protection plan. And finally, specific files, folders and processes can be trusted and not scanned, or some processes can be put on a blacklist so that they will always be stopped.
Section Summary
Acronis Active Protection is a feature that helps prevent ransomware attacks. It works by blocking ransomware from encrypting your files and holding you hostage. Additionally, there's a self-protection feature that helps secure the Acronis software, registries, executables, configuration files and also the agent. It also provides protection against certain exploits against communication and collaboration tools, as mentioned in this course.
File reputation services utilize small, unique signatures based on hashes. These hash signatures are sent to a cloud database for a quick check, which is really helpful with on-demand scanning.
You can choose between quick or full scans, depending on how thorough you want the scan to be. Additionally, you have the ability to set certain files, folders or processes as trusted (meaning they're considered safe) or blocked (meaning they're not allowed) based on your preferences.
Cyber Protect Cloud
Advanced Security Components
Let us go over the advanced security components we will cover in this associate
course.
Advanced Security Components
Within the Advanced Security plus EDR pack, the items you see on the screen will be presented from an Advanced Security prevention perspective. As stated, other items within the advanced security prevention components that are not covered in this portion will be covered in the professional course.
Cyber Protect Cloud
Real-time Antimalware Scanning
Real-time Antimalware Scanning
The antimalware engine has both on-access (the default) and on-execution capabilities, so files will be scanned for infections as they are opened or when an executable is launched.
It may happen that a third-party antivirus solution is running on the system with its real-time feature enabled. When a Protection Plan with the antimalware module enabled is applied to that machine with real-time protection, and the third-party solution is detected, an alert is generated and the settings are stopped to avoid conflicts. Having two different engines with real-time protection running is strongly NOT recommended. The first reason is performance, since running two at the same time can consume quite a bit of resources; keep in mind that one of the products will have first right of refusal to analyze anyway. It can also produce more false positives, since one engine may detect the activity of the other engine on a file as suspicious. And finally, while rare, if you have two real-time protections running for a while there is the possibility of file corruption, since both work at a low level and deal with the same file at the same time. So if one desires to enable the full functionality, you need to disable or uninstall the third-party solution (preferably uninstall at some point).
Behavior Engine
Behavioral Heuristics
Stacktrace AI Analyzer
ML based malware detection
technology
Recognize legitimate/malicious
injections
Analysis of 25B+ processes
100M+ unique stacktrace
database
Advantages:
• Trusted processes monitoring
• Lightweight GBM ML model
• Fast response time: ~10 ms
Let's dig a little more into the details of our machine-learning-based anti-malware detection technology, which we call the Stacktrace Artificial Intelligence Analyzer. We have analyzed more than 25 billion execution stacks (the chains of important calls that an application makes) from running processes, both good and bad; we classified them and created a database of more than 100 million unique stacktraces. So the stacktrace database covers all the apps and processes we have tested. We don't only detect processes as they are, but we can also predict injections of malicious modules into different types of processes.
But how do we provide a response in a timely manner when a process starts running on the system? Here is where the artificial intelligence comes into action: we are using the GBM, or Gradient Boosting Machine, machine learning model. Sometimes GBM is referred to as MART (multiple additive regression trees) or GBRT (gradient boosted regression trees).
This combines the predictions from multiple decision trees to generate the final prediction. We are using a lightweight version of the GBM model, which is based on a histogram-based method for selecting the best split in the decision trees, and this allows a fast response time of about 10 milliseconds! Now let's jump into our lab to see all the antimalware options right in the web console.
Cyber Protect Cloud
Local Signature-Based Detection
Antimalware
Local Signature Based Detection
In a protection plan, under the antivirus and antimalware area, you will see Advanced Antimalware, which is the local signature-based detection engine. By default the solution utilizes our own local signature-based detection engine.
Signature-based detection is one of the most direct and well-established methods for identifying malicious activity based on known signatures. Think of a fingerprint: each is unique, and likewise known signatures are unique. This is an approach that identifies malware based on a unique identifier, which is normally a specific string of code or the hash of a known piece of malicious code. Remember, this is based on a database of known malicious patterns; if a match is found, the file is considered malicious. If someone has a slow Internet connection, this can also be a benefit compared to the cloud file reputation services we discussed earlier.
Cyber Protect Cloud
URL Filtering
Acronis also provides URL Filtering so let us see how this works and is applied.
URL Filtering
1. URLhaus database https://urlhaus.abuse.ch/browse/ includes submissions from Google Safe Browsing (GSB), Spamhaus DBL and SURBL.
The most common method to infect machines through websites is via the drive‐by‐
download. URL Filtering avoids going to malicious websites or domain by checking
HTTP or HTTPS connections against a huge URL Filtering database. We are using
URLHaus and you can see the link down below. If the URL the browser is trying to
connect to is listed in that database and definitions are updated, then the user will be
prevented to access that website or a warning alert will be displayed, with the option
to continue or drop the connection. Now this is true for HTTP connections, whereas
with HTTPS connections the connection will be prevented only, so no warning alert in
this case.
You can also add particular URLs to a list of trusted or blocked sites manually. You can
also block or allow Internet surfing for your end users through 44 website categories.
So, when a user is trying to connect to a particular website, for example Facebook,
and your client does not want their users to waste time on social networks, you
simply have to set the Social Network category as denied. You can also mix
categories and trusted URLs. As an example, you can deny all social network websites
through the category option but set Instagram as a trusted website. This way users
will be allowed to navigate to Instagram and to no other social media website covered
by the category. When you add a trusted or blocked location, you only need to enter
the domain with no prefix, for example abc.com. This covers both the http and https
site along with the subdomains associated with it. There is no need to put www or
anything else in front of it.
At this time, let us go through several examples in the product of how this all works.
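To make the precedence rules above concrete, here is an added Python example (not Acronis code; the policy, the category table and the feed entries are constructed stand‐ins for a tenant's settings and for the URLhaus database). It assumes that a trusted entry overrides a denied category but not an explicit block or a threat‐feed hit, and that the warn‐or‐block choice for HTTP is a policy setting while HTTPS is always blocked.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed policy for the example (assumptions, not a real tenant's settings).
DENIED_CATEGORIES = {"Social Network"}
TRUSTED_DOMAINS = {"instagram.com"}      # entered as bare domains: no scheme, no www
BLOCKED_DOMAINS = {"abc.com"}
# Constructed stand-ins for the 44-category database and the URLhaus feed.
CATEGORY_DB = {
    "facebook.com": "Social Network",
    "instagram.com": "Social Network",
    "example.org": "Business",
}
MALICIOUS_DOMAINS = {"payload-host.test"}


def split_url(url: str) -> Tuple[str, str]:
    """Return (scheme, hostname) in lowercase; a bare host is treated as http."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def domain_matches(host: str, domain: str) -> bool:
    """A list entry such as abc.com covers abc.com itself and every subdomain."""
    return host == domain or host.endswith("." + domain)


def in_list(host: str, domains: Set[str]) -> bool:
    return any(domain_matches(host, d) for d in domains)


def category_of(host: str) -> Optional[str]:
    for domain, category in CATEGORY_DB.items():
        if domain_matches(host, domain):
            return category
    return None


def decide(url: str, http_action: str = "block") -> str:
    """Return 'allow', 'block' or 'warn' for a requested URL.

    http_action is what the policy does with a denied HTTP site: 'block', or
    'warn' (alert with the option to continue). HTTPS is always 'block',
    because no warning page can be shown inside the encrypted connection.
    """
    scheme, host = split_url(url)
    if in_list(host, MALICIOUS_DOMAINS) or in_list(host, BLOCKED_DOMAINS):
        denied = True            # explicit blocks and the threat feed are never overridden
    elif in_list(host, TRUSTED_DOMAINS):
        denied = False           # a trusted entry beats a denied category (the Instagram case)
    else:
        denied = category_of(host) in DENIED_CATEGORIES
    if not denied:
        return "allow"
    return "block" if scheme == "https" else http_action


if __name__ == "__main__":
    for u in ("https://www.facebook.com/feed", "https://www.instagram.com",
              "http://sub.abc.com/path", "https://example.org"):
        print(u, "->", decide(u, http_action="warn"))
```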
56
Video
URL Filtering
57
Section Summary
Real‐time scanning is a feature that quietly runs in the background of your computer.
It can work in two ways: by continuously checking files as you access them (which is
the default setting) or when you actually run a program or open a file. This scanning
process runs all the time your computer is turned on, unless you stop it yourself.
Additionally, Acronis offers a feature called behavioral heuristics. This feature helps
identify potentially harmful processes by looking at a sequence of actions they take
and comparing them to a database of known malicious patterns. In simpler terms, it
watches how programs behave and can flag them as suspicious if they exhibit
behavior commonly seen in malware.
URL filtering checks websites accessed through both HTTP and HTTPS connections
against a database. This database includes websites gathered from a source called
URLhaus. You also have the ability to manually add websites to your trusted or
blocked list. Plus, you can set rules to either allow or deny access to certain
categories of websites.
As a reminder, if a website uses HTTPS, only the prevention option will work.
58
Cyber Protect Cloud
Backup Scanning
Ok, so let's continue with the advanced security components and cover backup scanning.
59
Backup Scanning
• Windows OS:
  • Only Entire machine or disks/volumes backups
  • NTFS file system with GPT or MBR partitioning volumes
• Acronis Cloud Backups only
• After a backup scanning plan is created, it is placed in a queue for execution
• May take time for the scan to start/complete depending on the queue; will
  show "Not Scanned" status until scanning is complete
Sometimes when we take a backup of our machines, we are not aware that some files
are infected or that the backups were compromised directly. So when one needs to
restore a backup to a machine, those infected files can be restored too, and now you
have a reinfection. Scanning backups for malware can prevent restoring infected files
to the system. Keep in mind that this works with Windows operating systems, and the
file system must be NTFS (NT file system, sometimes referred to as the New
Technology File System) with either GPT (GUID partition table) or MBR (master boot
record) partitions. Entire machine or disk/volume backups can be scanned. Keep in
mind this works with Acronis cloud backups only. The reason is that there are special
components responsible for this scanning process, and they run in our data centers
only. Think of an agent in the cloud. To enable this, a backup scanning plan needs to
be created. You would select which backup archives should be scanned for malware.
The scheduling is once per day, and the scans go into a queue to run. Once it is
complete, the status of the scanned backups is displayed as no malware or malware
detected. If it still needs to run, it will say not scanned. At this time let me show you
how to set up a backup scanning plan and the options.
60
Cyber Protect Cloud
Corporate Allowlist
The corporate allow list goes hand in hand with backup scanning, so let us go over the
benefits of a corporate allow list.
62
Corporate Allowlist
• Applications detected as false positive
  • Need to add manually as trusted application (avoid unwanted errors and disruptions)
• Automated by scanning cloud backups:
  • Backup scans: two or more machines required and enable Automatic generation of whitelist
  • Level of heuristic detection configurable: Default | Low | High
  • Automatic generation of allowlist enabled, manual adding of applications will be available (allow seven days to run)
• Allowlist used by all agents during antimalware scanning
Doing this manually for every machine and every item to be added can be a time‐
consuming process. The corporate allow list is a whitelist of the trusted applications
for all the machines, built in an automatic way. How does it work? If you enable the
automatic generation of whitelist option, then backups in the Acronis cloud data
center of at least two machines are scanned (so backup scanning is needed here),
and all applications, libraries and other relevant items that are found in common and
were never caught as malicious will be automatically added to the corporate
whitelist. This scanning process will have to run for seven days for the list to appear.
After this, it is possible to add items manually. You can also set the level of the
heuristic detection of applications to three different values. The corporate allow list
will be used by all Agents registered in that tenant during their antimalware scanning
process. Now let's go to a quick video on how this is all set up.
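Added example (not the Acronis implementation) of the allowlist rule described above, written in Python over constructed backup‐scan results: a hash is allowlisted only if it appears on at least two scanned machines and was never flagged on any of them, and manual entries can be added afterwards. Machine names, hashes and verdicts are placeholders.

```python
from collections import Counter
from typing import Dict, Tuple

# Constructed backup-scan results: machine -> {sha256: (file name, verdict)}.
# Hashes are placeholders; a verdict is "clean" or "malware".
SCAN_RESULTS = {
    "pc-01": {
        "h-explorer": ("explorer.exe", "clean"),
        "h-erp-agent": ("erp_agent.dll", "clean"),
        "h-dropper": ("updater_helper.exe", "malware"),
    },
    "pc-02": {
        "h-explorer": ("explorer.exe", "clean"),
        "h-erp-agent": ("erp_agent.dll", "clean"),
        "h-dropper": ("updater_helper.exe", "clean"),  # missed here, caught on pc-01
    },
    "pc-03": {
        "h-explorer": ("explorer.exe", "clean"),
        "h-local-tool": ("local_tool.exe", "clean"),   # present on one machine only
    },
}


def generate_allowlist(scan_results: Dict[str, Dict[str, Tuple[str, str]]],
                       min_machines: int = 2) -> Dict[str, str]:
    """Return {hash: name} for items seen on >= min_machines machines and never flagged.

    With fewer scanned machines than min_machines nothing is generated, which
    mirrors the 'two or more machines required' rule on the slide.
    """
    if len(scan_results) < min_machines:
        return {}
    seen_on = Counter()   # how many machines carry each hash
    names = {}
    flagged = set()       # any malware verdict anywhere disqualifies the hash
    for files in scan_results.values():
        for digest, (name, verdict) in files.items():
            seen_on[digest] += 1
            names[digest] = name
            if verdict == "malware":
                flagged.add(digest)
    return {d: names[d] for d, n in seen_on.items()
            if n >= min_machines and d not in flagged}


def add_manual_entry(allowlist: Dict[str, str], digest: str, name: str) -> Dict[str, str]:
    """Manual addition after the automatic list exists; returns a new dict."""
    updated = dict(allowlist)
    updated[digest] = name
    return updated


def is_allowlisted(allowlist: Dict[str, str], digest: str) -> bool:
    """What every agent's antimalware scan would consult before raising a detection."""
    return digest in allowlist


if __name__ == "__main__":
    auto = generate_allowlist(SCAN_RESULTS)
    print(auto)  # {'h-explorer': 'explorer.exe', 'h-erp-agent': 'erp_agent.dll'}
    print(is_allowlisted(add_manual_entry(auto, "h-local-tool", "local_tool.exe"), "h-local-tool"))
```

Note that one malware verdict on one machine is enough to keep a hash off the list, even though another machine's scan judged the same file clean: the list is meant to suppress false positives, not to outvote a detection.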
63
Cyber Protect Cloud
Remote Wipe
At this time let’s discuss the remote wipe capabilities in the Advanced Security Pack
plus EDR.
65
Remote Wipe
• Windows 10 and 11
• Select machine, click on Details > Wipe data1
• Remote wipe initiated when machine is turned on and connected to
Internet (no undo)
• All data deleted and machine returned to factory default state
With the Remote Wipe feature it is possible to remotely initiate a deletion of all data
in case a machine has been lost or stolen. With this functionality a Windows API
(application programming interface) named Remote Wipe CSP is called. This API
returns the operating system to the factory default state, thus deleting all data on the
machine. For the process to start, the machine must be turned on and the Agent
must be connected to the Internet. You can also issue the wipe while the machine is
still turned off, so that as soon as the Agent is back online it will receive the command
from the Cloud and the Remote Wipe process will start. Be careful, as there is no undo
option: once started, the process cannot be stopped. This functionality is available
for Windows 10 and Windows 11 only. Let's go into the product with a quick video
and see how this is accomplished.
66
Cyber Protect Cloud
Exploit Prevention
An important protection mechanism is exploit prevention, so let us go over the four
types of exploit prevention items we cover.
68
Exploit Prevention
• Memory protection
• Code injection
• Privilege escalation
• ROP protection (return-oriented programming)
The four types of exploits that are prevented can be checked or unchecked
individually. It is recommended to leave them all enabled unless specifically
instructed by the Support Team (or you know what you are doing), for example if
some specific application seems not to be working properly.
69
Exploits
Memory protection will stop attacks based on the modification of execution rights of
memory pages that look suspicious. I mention stacks and heaps here, so I would like
to describe what these are. A stack stores temporary variables created by a function
and is a linear data structure. Stacks use static memory allocation, so when a task is
complete the memory is erased. Heaps are used by a programming language to store
global variables and have a hierarchical data structure. Stacks are not fragmented and
are in contiguous blocks, whereas heaps can become fragmented as blocks are first
allocated and then freed up.
Code injection is injecting malicious code into remote processes to hide the malicious
intent of an application behind some clean process. This could be exploitation of a
bug in processing invalid data, or an attacker introducing code into a vulnerable
program and changing the course of execution. It is popular in system hacking or
cracking to get information. SQL injection and cross‐site scripting (XSS) are popular
examples. There are other ways, like token manipulation, process hollowing, reflective
DLL loading, stack pivots and early bird types of exploits. For those not familiar with
this, process hollowing removes code from an executable and replaces it with bad
code (mostly delivered through phishing emails). The process is paused during launch;
the hacker removes the code, puts their own in there, and then the launch continues.
Token manipulation is granting a malicious process the same rights and permissions
as a legitimate user, so that it pretends to be some process started by that user. It
changes the permissions of an application by associating it with the token of another
user; the hacker needs the token of the target account, by logging in as the person or
by token stealing. Stack pivots run things by creating a fake stack using certain values.
An attacker tricks the computer using the fake stack and can control program
execution, like function arguments or return addresses. Reflective DLL loading loads a
DLL into process memory without using the Windows loader. This requires writing the
DLL into memory and then resolving or relocating the DLL, and it needs a custom
loader. An example would be reflectively loading a DLL that never needs to be on the
disk: the attacker exploits a process, maps the DLL into memory and reflectively loads
it without writing it to disk. Since it is not on the disk, the loaded library may not be
visible. And finally, early bird puts bad code into a legitimate process and runs it
before the entry point of the process. Since it started before the entry point, a typical
malware scan only sees a legitimate process.
A cross site script is an injection flaw where user input placed into a web script ends
up in the HTML output without being checked for HTML or scripting code. SQL
injection takes advantage of SQL syntax to inject commands that can read or modify a
database or change the meaning of the original query. Another way to say it is that
malicious SQL statements are inserted into an entry field for execution. This requires
exploiting a security vulnerability in the application software.
70
Exploits
71
Section Summary
Backup Scanning is a feature that works with your backups stored in the Acronis
cloud. It scans these backups for malware. If any threats are found, it lets you know
about them. When you have multiple backup scans, you can create what's called an
allow list. This list includes items that you trust and want to allow. This helps you
ensure that these trusted items are considered safe during future scanning of such
items. You also have the option to manually add trusted items to this list, giving you
even more control over what is considered safe.
The Acronis remote wipe feature works with Windows 10 and 11 computers. It allows
you to remotely erase everything on the computer and return it to its original, factory
default state.
The exploit prevention options help safeguard your computer from various types of
cyberattacks. They protect against things like unauthorized code injection, suspicious
changes to memory page permissions, attempts to gain higher privileges on the
system, and attacks that manipulate program code for malicious purposes.
73
Cyber Protect Cloud
EDR Component
Welcome back. At this time I would like to focus on the EDR component specifically
within the Advanced Security plus EDR pack. So let’s get started here.
74
EDR Component
In this section let us talk about exactly what EDR is and a technical use case. In order
to start researching attacks, let's understand how attacks happen. We will then cover
prevention versus detection, since they cover different parts of the threat landscape.
And then we will demonstrate how to provision for your client and set it up within a
protection plan.
75
Cyber Protect Cloud
Advanced Security + EDR
What is EDR
Welcome back. What exactly is EDR and how does it fit within Acronis Cyber Protect
Cloud?
76
What is EDR
What is EDR (endpoint detection and response) and why have it? EDR is an event
correlation security platform. It is continuously monitoring and collecting endpoint
events to detect and respond to cyberthreats like ransomware and overall malware. It
is recording activities and events and storing endpoint system level behavior and
utilizing data analytic techniques. The goal is to detect suspicious system behavior,
provide contextual information, block malicious activity and provide remediation
suggestions to restore affected systems.
There are two main advantages: Incident investigation and incident response
(containment and remediation).
77
What is EDR
With Acronis Endpoint Detection and Response (EDR) capabilities you as a service
provider can DETECT, and RESPOND to advanced attacks that sneak past other
endpoint defenses with minimal investigation efforts, with pre‐integrated IDENTIFY,
PROTECT, and RECOVER capabilities.
The Advanced Security + EDR pack provides business resilience and continuity with a
more holistic protection across the NIST framework. Acronis has pre‐integrated
recovery capabilities to remediate with a single‐click response. This is the power of
backup, disaster recovery, patch management along with security inside one agent
and console.
78
What is EDR
This enables incident investigation to be done in minutes rather than hours without
requiring rigorous training or resource‐intensive operations. It also enables your team
to focus efforts on what matters with prioritized visibility of suspicious activities
across endpoints and emerging threat intelligence feeds.
With Acronis EDR component, you can monitor the threat landscape and search for
Indicators of Compromise and take automatic remediation actions.
I want to take a minute to discuss the Indicators of Compromise reference and what
are they.
79
IoCs serve as forensic evidence of potential intrusions on a host system or network.
They help to detect intrusion attempts (or other malicious types of activities).
Examples would be unknown files, applications and processes on a system,
suspicious activity in administrative or privileged accounts, or maybe even suspicious
registry changes.
IoCs are like "breadcrumbs" that let a service provider detect malicious activity early
in an attack sequence. Unusual activities are red flags that indicate potential (or in‐
progress) attacks that could lead to a data breach or system compromise. IoCs are not
always easy to detect. Identifying the various IoCs to look for, correlating them, and
piecing them together to analyze a potential threat or incident is of great value. And
finally, IoCs are evidence that a cyber‐attack has taken place and give valuable
information on not just what happened; they also serve to prepare for the future and
prevent similar attacks.
79
What is EDR
Select actions to take: respond with single click.
Currently, at the time of recording this, the NIST cybersecurity framework has five
pillars. There will be a sixth related to governance, but let us look at the five pillars
and how we work within this framework.
Identify
You need to know what you have in order to fully protect it and investigate it. Our
platform includes both inventory and data classification tools to better understand
attack surfaces.
Protect
We help close security vulnerabilities by using our threat feed, forensic insights, and
natively integrated tools across the broader Acronis platform, like patch management
and blocking analyzed attacks.
Detect
It is nice to have the ability for continuous monitoring using automated behavioral‐
and signature‐based engines, URL filtering, an emerging threat intelligence feed, and
event correlation.
Respond
You want to investigate threats and conduct follow‐up audits using a secure remote
connection into workloads, or by reviewing automatically saved forensic data in
backups. Then you need to remediate, say via isolation, killing processes,
quarantining, and attack‐specific rollbacks.
And finally
Recover
You want to ensure systems, data and the client's business are up and running using
our fully integrated backup and disaster recovery products and solutions.
80
Section Summary
When a security incident happens, you have the option to choose what actions to
take. You can respond quickly by doing things like isolating a specific task or fixing the
problem by undoing changes made to files and registry settings. Further one can
utilize our integrated backup, disaster recovery, and patch management features, as
long as you have the right licenses in place.
81
Cyber Protect Cloud
EDR Use Case – Missed Patch /
Forgot To Patch
I want to get your mind thinking on one scenario as an example of why Advanced
Security plus EDR is something to highly consider. This use case will specifically focus
on reasons to have EDR in addition to preventative technologies.
82
Use Case EDR – Missed Patch/Forgot To Patch
Say you missed a patch or forgot to patch a system, and the software has a bad bug.
An attacker starts by performing reconnaissance (I will explain the different stages of
an attack later), or in other words exploring the targeted systems. In this example
they send an HTTP request with malicious code tucked away in a Content‐Type
header. Various queries are run to give the attacker a better sense of the database
structure and how many records are in there.
Then some SQL command is generated to identify general details of the data tables
and then select a small sample of records from the database.
So let's say a CWE (common weakness enumeration) is being exploited. CWE, which is
maintained by MITRE, provides a common language for discussing, finding and
dealing with the causes of software security vulnerabilities when they are found in
code, design or system architecture. When a CWE is mentioned, it refers to a single
vulnerability type. If interested, one can go to the MITRE website for the list, which
provides detailed definitions for each individual CWE.
In our example we are using CWE‐20 (Improper Input Validation), where the product
receives input data but does not validate, or incorrectly validates, that the input has
the properties required to process the data safely and correctly.
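The CWE‐20 weakness in this use case, and the SQL injection and cross‐site scripting flaws described in the exploit prevention section, can be shown side by side in a few lines. The following is an added Python example (not from the handout or from Acronis): a strict Content‐Type check, a deliberately injectable query next to its parameterised form, and output encoding for HTML. The table, the rows and the accepted media types are constructed for the example.

```python
import html
import re
import sqlite3
from typing import List, Tuple

# Allowlist of media types this endpoint accepts (example assumption).
ALLOWED_MEDIA_TYPES = {"application/json", "application/x-www-form-urlencoded"}
# Strict shape for a Content-Type value: type/subtype with an optional charset parameter.
CONTENT_TYPE_RE = re.compile(r"^[a-z0-9.+-]+/[a-z0-9.+-]+(;\s*charset=[a-z0-9_-]+)?$")


def content_type_is_valid(header: str) -> bool:
    """CWE-20 mitigation: check the header's shape and value before anything uses it."""
    value = header.strip().lower()
    if not CONTENT_TYPE_RE.match(value):
        return False                       # rejects embedded code, odd parameters, newlines
    return value.split(";", 1)[0] in ALLOWED_MEDIA_TYPES


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately injectable: user input is pasted into the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding stops reflected XSS: HTML metacharacters become entities."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print(len(vulnerable_lookup(db, probe)))   # 3: the whole table leaks
    print(safe_lookup(db, probe))              # []: the quote is just a character
    print(content_type_is_valid("application/json; charset=utf-8"))  # True
    print(render_greeting("<script>alert(1)</script>"))
```

The two lookups share one line of difference; everything the notes say about "taking advantage of syntax in SQL" comes down to whether the input reaches the parser as code or as a bound value.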
83
Use Case EDR – Missed Patch/Forgot To Patch
Now CWE‐20 is exploited, so the attacker uploads "web shells" to gain access to a web
server. For reference, web shells are malicious scripts that enable a threat actor to
compromise web servers and then launch additional attacks. The attackers first
penetrate a system (or network) and then install a web shell. After this they use it as
a backdoor into the targeted web applications and any connected systems.
So after uploading “web shells”, the attacker is now positioned to collect the
credentials and have access to back‐end databases. The analogy is that it is easier to
break into a building if some resident leaves a first‐floor window unlocked and you
happen to have employee IDs.
84
Use Case EDR – Missed Patch/Forgot To Patch
Once the web shells are uploaded, the attacker runs a series of SQL commands to find
valuable data. Now, getting the data is one thing; the key for the attacker is to get this
data out undetected. So stolen data goes into temporary files, and if a file is large it
most likely would be compressed and/or broken down into smaller, more manageable
sizes to help stay undetected. The attacker wants the transmissions to be small.
Once they have exfiltrated the data, they delete the compressed files (they want to
hide their tracks). If the attacker is deep enough within the systems, they could use
existing encrypted communication channels to send queries and commands, so that it
looks like normal activity.
85
Use Case EDR – Missed Patch/Forgot To Patch
So this attacker has set up many servers in various countries and utilizes encrypted
login protocols to mask their involvement, and they delete the server log files
consistently, possibly every day.
As an example: they access the system via a Swiss IP address and use the stolen
username/password of the service account to get into a database. They query the
database for specific information and store it in output files, which are compressed
(or broken down into smaller pieces), copied to a different directory and downloaded.
Once in the hands of the attacker, the archive is deleted. Since the amounts are small
and undetected, they perform this over many weeks and get more and more
information to extort the customer (double or triple extortion).
86
Use Case EDR – Missed Patch/Forgot To Patch
• Imagine patch not available (zero day) in this scenario: CVE could be in
NIST NVD (attackers aware of issue)
• Items to ponder?
• Sensitive fields plaintext stored or encrypted?
• Databases segmented?
• File integrity monitoring?
• Using long-expired security certificates?
So let’s say this was a zero‐day type vulnerability where a patch was NOT available
(not forgetting or missing a patch)….the CVE (Common Vulnerability and Exposures)
could also be published in the NIST NVD (National Vulnerability Database) so
attackers also know what the issue is.
87
Use Case EDR – Missed Patch/Forgot To Patch
• Imagine client data has high profile targets (CXX) and intelligence
gathering (PII is leverage)
Now in the database, imagine the data exfiltrated includes high profile targets or PII
(personally identifiable information, which when used alone or with other relevant
data can identify an individual). Sensitive PII can be things like a driver's license,
medical records or a social security number (relating that to here in the US). There is
also non‐sensitive PII that one can get from public sources, like date of birth and zip
code.
As we go into the course, one will see that attackers can lurk within a system without
anyone's knowledge by bypassing protection layers, and this is where EDR provides
value.
88
Cyber Protect Cloud
Advanced Security + EDR
How Attacks Happen
Before going into prevention and detection, one should understand how a typical
attack happens.
89
Before getting into the solution, we need to re‐emphasize that attackers run their
attacks in certain steps in order to achieve their objective. You might have heard of
the Lockheed Martin Cyber Kill Chain Model; if not, let's discuss this process to
understand why prevention and detection layers together are of benefit.
RECONNAISSANCE (the first stage in the cyber security kill chain):
Before they attack, they need to understand their target: what security solutions are
in place, what software is installed, what ports are open (found with automated
scanners), gathering public email addresses, who might be victim 0 (mostly done via
social engineering). They need to scope out vulnerabilities and potential entry points,
and this can be done both online and offline (active and passive phases). The more
intelligence an attacker gets at this stage, the more successful the attack is likely to
be. All this information is important to prepare for the next step of an attack.
DELIVERY is where they work to infiltrate the network or security system (they are
putting their plans into action). This could be deploying malware into a system via,
say, a phishing email and other social engineering tools (a USB stick on the ground,
AKA a USB Drop Attack). Imagine some USB stick lying in the hallway that says "HR
Payroll Data" on it. Many would be curious, so they take the stick and put it in their
laptop, and a malicious payload starts. It could also be hacking into the network and
exploiting vulnerabilities in hardware or software.
EXPLOITATION is where the attack is formally launched: the user clicks the email or
plugs in that infected USB drive. So now the delivery via malware or other forms of
hacking on the system has been successful. Now the attacker would like to exploit the
weakness uncovered, further infiltrate the network and learn of more vulnerabilities
the attacker was unaware of during the reconnaissance stage. Attackers now get the
opportunity to exploit systems by installing tools, running scripts and even modifying
security certificates, as examples. Usually an application's or operating system's
vulnerabilities are the target.
INSTALLATION (or the privilege escalation phase). Now an attacker tries to install
malware (or other cyber weapons, if you will) within the network to gain additional
control of systems, data and accounts. This could be with backdoors, remote access
trojans or access token manipulation, as examples. The tactics at this point intensify:
the attacker is now forcefully infiltrating the network, looking for unprotected
security credentials and changing permissions on compromised accounts, as an
example. This is a turning point in the attack cycle, as they have now entered the
system and are working on assuming control.
COMMAND AND CONTROL (also known as the C2 phase). This phrase comes from the
military, where a soldier (or a low‐level actor) talks to commanders about next steps.
If the hacker is hired by a larger group, that hacker may need to prove access to the
system and then hear about what should happen next (this could be brief or last a
while). Once an attacker has gained control of part of the target systems or accounts,
the attacker can now track, monitor and guide their deployed weapons and tool
stacks remotely. Now they have gained access to privileged accounts. They might even
attempt brute force attacks, search for credentials or change permissions to take over
control. This is where they work on trying to move laterally on the network. This
stage can be broken down into two methods. Obfuscation: this is where an attacker
makes it look like no threat is present (covering their tracks). This could be file
deletions, binary padding and code signing, as examples. They could leave a hidden
backdoor to return and attack again. By eliminating their tracks, it becomes a
challenge for service providers to understand how they got in and close the security
gaps. The other is Denial of Service. This is when an attacker causes problems in other
systems or areas to distract the security teams from uncovering the core objective of
the attack. Often this involves a network denial of service or endpoint denial of
service, and other techniques like resource hijacking and shutting down systems.
ACTIONS AND MONETIZATION (technically monetization is like the 8th step, but we
lump them together here). With actions, the attackers execute the objective of the
attack. After all, hackers know that simple entry has no value and they must do
something to make it worthwhile. This process can take several weeks or months,
depending on the success of all the previous steps. The common goals of a strategic
cyberattack are things like supply chain attacks, data exfiltration or encryption. So
their objective is gathering, encrypting and extracting information. Monetizing is
when they initiate a ransom request, demanding funds by threatening to release or
sell sensitive data (personal information or, say, trade secrets). This is where you hear
the term double extortion. Triple extortion is another avenue for monetization: after
all the previous threats, there is now a threat to perform a DDoS (distributed denial of
service) attack unless they are paid. Of course, the earlier one can intercept and stop
an attack, the easier the remediation will be. Stopping an attack during the C2 phase
takes more time‐consuming and advanced efforts. EDR, with our alerts, isolation and
restoring from a backup, to patching and other methods, helps streamline the process
when advanced attacks occur.
90
Cyber Protect Cloud
Advanced Security + EDR
Prevention VS Detection
Welcome back. At this time let’s go over prevention versus detection covering
different parts of the threat landscape.
91
Prevention VS Detection
92
Prevention VS Detection
You can begin by focusing on prevention and gradually incorporate other security
measures. Take the time to understand EDR to determine if it's something you can
handle as a service provider, and remember there is no additional cost to determine
this, since it is built into the Advanced Security plus EDR pack. Take time to learn
about indicators of compromise, MITRE ATT&CK techniques, and the sequence of
events in the "cyber kill chain". Please note that Acronis will offer a managed
detection and response service, slated for the second quarter of 2024, for clients who
desire a 24 by 7 service.
93
Short EDR story – a bank robbery
(Slide figure: a timeline of five numbered events, with the bank's physical security response on one side and the Advanced Security + EDR response on the other.)
1. Begin event: robber disguised as a technician enters the bank
2. Suspicious event: moves towards the vault
3. Suspicious event: disables the cameras
4. Potential breach: surveillance team escalates to the security team
5. Response action: security team takes the suspect down
Bank Security (surveillance):
• Security guard unaware of any maintenance; couldn't identify the robber due to his impersonation (Note: the AV solution likewise fails to detect this, no match in its database)
• Suspect shouldn't be near the vault; no job there
• Cameras are taken down; the team fixes gaps in the camera maintenance process (e.g. known technicians only, with background checks; cameras disabled only with prior permission obtained). Next step: escalation to the security team
• Security team analyzes and validates the breach on the surveillance cameras
Detection & Response (Advanced Security + EDR):
• EDR records suspicious activity; another benign event is recorded with the other related ones
• EDR correlates the chain of related events; a high number of suspicious activities raises an incident, which the MSP can review
• Each step of the attack is explained by showing what the attacker did and how
• Investigate further, contain threats, remediate and recover; prevent the threat from reoccurring
Let's talk through an analogy of a bank robbery (since we talked about criminal
databases earlier) and how EDR might play out in a physical security incident.
As you can see here, there are multiple events at play.
A "technician" enters the bank (at this step it is unclear that this is a robber in
disguise). They move towards the vault. Now the cameras are disabled.
Some of these events, if individually analyzed, are benign and don't really show
anything malicious (many people enter a bank and move around, right?).
But as soon as the events are combined and correlated together, the chance that this
is becoming a breach increases.
EDR understands the possible bad intent and unveils attack visibility (in our case
interpreting all steps of the attack based on the MITRE ATT&CK framework) to the
security team so it can take proper measures and stop the attack from finalizing.
Then with the Advanced Security + EDR pack, service providers are not only able to
stop the breach but do so much more with a single‐click response, including
capabilities to:
94
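The IoC matching and event correlation described in the "What is EDR" section and in the bank robbery analogy can be sketched as a small Python routine. This is an added example, not Acronis' EDR engine: the indicators, weights, threshold, window and telemetry are constructed placeholders. Each event is checked against the IoC set and scored; events are then chained by host and process, and an incident is raised when the chain's combined score crosses the threshold, so a chain of individually benign‐looking steps (the technician who heads for the vault and disables the cameras) becomes an incident even with no IoC match.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed indicators of compromise (placeholders, not real IoCs).
IOCS = {
    "sha256": {"0000deadbeef-placeholder-hash"},
    "domain": {"c2.placeholder-bad.test"},
}

# Constructed endpoint telemetry, one dict per event, ISO timestamps.
EVENTS = [
    {"id": 1, "ts": "2024-03-01T09:00:00", "host": "ws-17", "pid": 4242, "type": "process_start",
     "image": "C:\\Users\\bob\\svc_update.exe", "sha256": "aaaa-unknown-hash"},
    {"id": 2, "ts": "2024-03-01T09:01:10", "host": "ws-17", "pid": 4242, "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc_update"},
    {"id": 3, "ts": "2024-03-01T09:02:30", "host": "ws-17", "pid": 4242, "type": "security_tamper",
     "detail": "real-time protection disabled"},
    {"id": 4, "ts": "2024-03-01T09:05:00", "host": "ws-03", "pid": 1111, "type": "process_start",
     "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "bbbb-unknown-hash"},
    {"id": 5, "ts": "2024-03-01T09:05:20", "host": "ws-03", "pid": 1111, "type": "network_connect",
     "domain": "c2.placeholder-bad.test"},
    {"id": 6, "ts": "2024-03-01T09:10:00", "host": "ws-09", "pid": 777, "type": "process_start",
     "image": "C:\\Program Files\\Vendor\\setup.exe", "sha256": "cccc-unknown-hash"},
    {"id": 7, "ts": "2024-03-01T09:10:05", "host": "ws-09", "pid": 777, "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vendor"},
]

# Scoring assumptions: an IoC hit weighs most; one suspicious step alone stays below the
# threshold, but two of them in the same chain cross it.
SUSPICIOUS_WEIGHTS = {"registry_set": 2, "security_tamper": 2}
IOC_WEIGHT = 5
INCIDENT_THRESHOLD = 4
WINDOW = timedelta(minutes=30)


def ioc_hits(event: Dict) -> List[str]:
    """Names of the IoC fields of this event that match the indicator set."""
    hits = []
    for field in ("sha256", "domain"):
        if event.get(field) in IOCS.get(field, set()):
            hits.append(f"{field}:{event[field]}")
    return hits


def score_event(event: Dict) -> int:
    """IoC matches plus behaviour that is suspicious on its own but not conclusive."""
    score = IOC_WEIGHT * len(ioc_hits(event))
    if event["type"] == "registry_set" and "\\CurrentVersion\\Run\\" in event.get("key", ""):
        score += SUSPICIOUS_WEIGHTS["registry_set"]      # persistence via a Run key
    elif event["type"] == "security_tamper":
        score += SUSPICIOUS_WEIGHTS["security_tamper"]   # the "cameras disabled" step
    return score


def correlate(events: List[Dict]) -> List[Dict]:
    """Chain events by (host, pid) inside WINDOW and raise incidents above the threshold."""
    chains = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        chains[(event["host"], event["pid"])].append(event)
    incidents = []
    for (host, pid), chain in chains.items():
        start = datetime.fromisoformat(chain[0]["ts"])
        chain = [e for e in chain if datetime.fromisoformat(e["ts"]) - start <= WINDOW]
        score = sum(score_event(e) for e in chain)
        if score >= INCIDENT_THRESHOLD:
            incidents.append({
                "host": host, "pid": pid, "score": score,
                "event_ids": [e["id"] for e in chain],          # the chain shown to the analyst
                "ioc_hits": [h for e in chain for h in ioc_hits(e)],
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

In the constructed data, ws‐17 becomes an incident with no IoC match at all (two suspicious steps from one process), ws‐03 becomes one on a single IoC hit, and ws‐09's lone Run‐key write stays a benign event that is recorded but not escalated.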
Prevention VS Detection
(Slide chart, Acronis Advanced Security + EDR: number of attack samples versus attack complexity, with the attack types grouped in four columns from left to right.)
Left‐hand columns (high sample volume): Known malware; Common exploit kits; Phishing kits; Polymorphic malware; Variants of known malware; Obfuscation techniques; Exploits (recent vulnerabilities)
Right‐hand column (elusive threats): zero‐days, hacking tools, fileless, living off the land malware, APTs
Prevention technologies (first 3 columns, the prevention layers): Realtime protection, Acronis Active Protection, anti‐exploit, URL filtering, signature based scanning, AI/ML, behavior analysis, patch management
Detection technologies, EDR (last column): cost increases for attackers and techniques become more complex
So how do prevention and detection work together and cover different parts of the
threat landscape?
The graph you see here shows the volume of samples versus the complexity of each
attack. The first three columns in the graph show a high volume of samples. For
attackers it is cheap to create variants of malware from existing malware. As a side
note, you can actually get your own ransomware sample for, say, $5 or more, or heck,
even free by compiling the open‐source code of an existing malware family. So the
prevention layers block the first three categories of malware successfully. The last
part of the spectrum is where the cost for attackers increases and their techniques
become more complex (so the prevention layers are blind to them). EDR solutions
unveil such complex attacks. Why are such attacks complex? Because some of them
actually use software already present on the workload, so no malware sample is
needed, and some use zero‐day vulnerabilities that nobody knows about (and for which
the attacker might have paid money on the dark web).
95
Section Summary
Acronis Academy
Attacks follow a specific sequence of steps. It begins with the attacker gathering
information about their target, a stage known as 'reconnaissance'. Then they move
on to taking action, which can involve stealing data, encrypting data, launching
supply chain attacks, or demanding money from the victim. This is how attackers turn
their threats into financial gain.
96
Cyber Protect Cloud
Advanced Security + EDR
Provision and Setup
Acronis Academy
Welcome back. At this time let’s go over how to provision and set up the Acronis
Advanced Security + EDR pack for a tenant.
97
Provision in One Click
Enabled at tenant level
Pick configuration at
tenant level
Acronis Academy
When setting up a tenant, under Clients you configure the ability to turn on the
Advanced Security + EDR pack by ticking its check box. Please remember that
Advanced Security + EDR is now one pack.
98
Enable features in 1-2 clicks
Enable EDR in protection plan (only workloads you want)
Acronis Academy
Once you turn on Endpoint Detection and Response in a protection plan, you will be
notified that the rest of the pack will be turned on as well. Remember that detection
and prevention cover different parts of the threat landscape. You pay for the
workloads that you want protected, based on protection plans.
99
A security analyst user role for EDR was released in September 2023. The Security
Analyst role allows partners to assign specific permissions and access rights to users
with the necessary skills to operate Advanced Security with EDR. Partners can provide
access to a larger number of users for managing EDR incidents, without worrying
about granting unnecessary access to other areas of Acronis Cyber Protect Cloud.
Generic SIEM Connector
Acronis Academy
The Acronis generic SIEM (Security Information and Event Management) connector, released in
June 2023, enables a connection between Acronis Cyber Protect Cloud and any SIEM that supports
CEF (Common Event Format) over syslog. SIEM support is crucial for integrating Acronis Advanced
Security and EDR with external services. As a partner administrator, you can enable an
integration by providing credentials for the SIEM, select the tenants that should send data to
the SIEM, and review the list of Acronis alerts and select which of them should be pushed to the
SIEM.
SIEMs empower MSP security specialists to identify attack routes across the network and get
visibility into compromised files. With the Acronis Generic SIEM connector, MSPs gain extra
visibility into customers’ networks, can search for threats across all managed workloads,
correlate events from both security and data protection applications, and run response actions
based on the collected telemetry, which is now enriched with Acronis data. SIEM platforms are
used by many MSPs for security incident investigation and remediation, threat hunting, and
compliance. The integration lets service providers select which customer tenants in Acronis
should send alerts to their SIEM. Since the alerts are sent to the same SIEM instance, it is
possible to run correlation and threat hunting and perform investigations for all customers in
the same console. It also lets MSPs search other customers’ environments for threats that were
discovered on a workload in one customer tenant. We do have specific integrations with Microsoft
Sentinel, Logsign, Fluency and IBM QRadar. We are consistently adding integrations within Acronis
Cyber Protect Cloud, so keep looking at the integrations area for all updates.
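To make the "CEF over syslog" transport and the cross-tenant hunting described above concrete, here is an added example of what the receiving side does with such alerts. It is written for this handout and is not Acronis code: the syslog lines, the vendor and product names and the hash values are constructed placeholders, and tagging the tenant in the standard CEF custom-string fields cs1/cs1Label is an assumed convention for the example, not a documented Acronis field mapping. The parser itself follows the public CEF header layout and escaping rules.

```python
"""Parse CEF-over-syslog alerts and hunt for indicators across tenants.

Added example, not Acronis code. The syslog lines, vendor/product names and
hash values are constructed; carrying the tenant in cs1/cs1Label is an assumed
convention, not a documented Acronis field mapping.
"""
import re

_HEADER = re.compile(r"CEF:(\d+)\|")
_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def _unescape(value):
    # CEF escapes: \\ and \= in the extension, \| in the header, \n and \r in values
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict, honouring escapes."""
    out = {}
    keys = list(_KEY.finditer(ext))
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF record.

    Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    Pipes inside the six header fields are escaped as \\|; everything after the
    severity field is the extension.
    """
    m = _HEADER.search(line)
    if not m:
        raise ValueError("no CEF header in line")
    rest = line[m.end():]
    fields, buf, i = [], [], 0
    while len(fields) < 6 and i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):   # escaped character: keep it literally
            buf.append(rest[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < 6:
        raise ValueError("truncated CEF header")
    vendor, product, dev_version, sig_id, name, severity = fields
    return {
        "version": int(m.group(1)),
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity) if severity.isdigit() else severity,  # CEF allows words too
        "ext": parse_extension(rest[i:]),
    }


def cross_tenant_hits(events, indicator="fileHash", tenant_key="cs1"):
    """Return indicators that appear in alerts from more than one tenant.

    This is the 'found on one workload, hunted across all customers' use of a
    shared SIEM instance described in the handout.
    """
    seen = {}
    for ev in events:
        ind, tenant = ev["ext"].get(indicator), ev["ext"].get(tenant_key)
        if ind and tenant:
            seen.setdefault(ind, set()).add(tenant)
    return {ind: sorted(t) for ind, t in seen.items() if len(t) > 1}


SAMPLE_SYSLOG_LINES = [  # constructed; hash values are placeholders
    r"<134>Jan 15 09:12:31 edr-gw CEF:0|ExampleVendor|ExampleEDR|1.0|100|Suspicious process\|chain|8|"
    r"rt=Jan 15 2024 09:12:31 shost=ws-01 suser=alice cs1Label=tenant cs1=tenant-a "
    r"fname=invoice\=final.pdf.exe fileHash=HASH-PLACEHOLDER-1",
    r"<134>Jan 15 10:40:02 edr-gw CEF:0|ExampleVendor|ExampleEDR|1.0|100|Suspicious process\|chain|8|"
    r"rt=Jan 15 2024 10:40:02 shost=ws-17 suser=bob cs1Label=tenant cs1=tenant-b "
    r"fname=invoice\=final.pdf.exe fileHash=HASH-PLACEHOLDER-1",
    r"<134>Jan 15 11:05:44 edr-gw CEF:0|ExampleVendor|ExampleEDR|1.0|200|URL filtering block|5|"
    r"rt=Jan 15 2024 11:05:44 shost=ws-03 suser=carol cs1Label=tenant cs1=tenant-a "
    r"request=http://example.invalid/landing fileHash=HASH-PLACEHOLDER-2",
]


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_SYSLOG_LINES]
    for ev in parsed:
        print(ev["ext"].get("cs1"), ev["signature_id"], ev["name"], ev["severity"])
    print("seen in more than one tenant:", cross_tenant_hits(parsed))
```

The parser keeps the header and extension escaping separate on purpose: a pipe in an alert name only needs escaping in the header, while an equals sign only needs escaping inside an extension value, so a parser that naively splits on "|" or on "=" will mangle real alerts. The tenant tag is what makes the shared-console hunting possible; without it, alerts from two customers landing in one SIEM cannot be told apart.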
101
Cyber Protect Cloud
What’s Next
Acronis Academy
103
Review the Materials
Acronis Academy
Feel free to come back to watch sections of this video as often as needed. Please be
sure to download the PDFs attached to this course for reference material and to
assist with the exam.
104
Take your test
Assessment:
20 MCQ Quiz
60 Min Working Time
70% Passing Grade
2 Attempts, Open Book
Acronis Academy
As a reminder, there will be 20 questions for the exam: some are coming from the full
course PDF and others are coming from this PDF. Both are included in the download
area of this course to use. You will have one hour, need a 70% passing grade, and
remember: two attempts and open book. The PDFs are searchable, so Control‐F is
your best friend.
105
Thank you for watching!
Acronis Academy
And with that I would like to thank you for attending the Cloud Tech Associate Course
for Advanced Security + EDR. I hope this helped and wish you great success with
Acronis Cyber Protect Cloud.
106
Cyber Foundation
Building a More Knowledgeable Future
Acronis Academy
109