What Is Endpoint Detection and Response (EDR)?
EDR is traditionally defined as a cybersecurity technology that monitors endpoint activity, alerts administrators to threats, and automatically deploys risk-mitigating responses. EDR’s ability to isolate threats and speed up response times makes it a valuable asset to today’s security teams.
Why Is IBM i Not Associated with EDR?
In general, those who work with IBM i find it difficult to associate endpoint detection and response (EDR) with the IBM Power platform.
I believe the main reason is that EDR is traditionally associated with what we consider typical endpoints, such as mobile phones, desktops, or laptops. As a result, few people think of a Power system as an endpoint. But should they? In my opinion, they should.
Why IBM i Needs EDR Protection
A Power server is much more than a simple endpoint; it is an asset within a large organizational infrastructure that must be protected as a whole. In today’s complex cyberthreat landscape, the IBM i server can be the target of an attack, the entry point for one, or even a pivot point. For this reason, it is essential to regard it as an “endpoint” within the organization’s EDR-driven security strategy.
IBM defines EDR as software that protects end users, endpoint devices, and IT assets in real time and with automation. Other vendors adopt a narrower definition and focus exclusively on endpoint devices in the conventional sense.
I prefer IBM’s comprehensive and holistic definition because it is highly consistent with the operational reality of modern IBM i environments, as it explicitly incorporates IT assets as part of the endpoint security domain.
Fortra shares in this assessment, and considers EDR a protective cover for the entire IT infrastructure, including servers and more complex assets.
How to Implement EDR on IBM i
If we accept the premise that EDR includes IBM i servers, how do we integrate IBM i into the corporate EDR strategy? How do we turn that integration into a practical, operational reality?
I would venture to say that most IBM i systems today are already incorporated into EDR strategies in some way, often without their administrators realizing it.
According to IBM's website, EDR works by utilizing five core functionalities. Below is an explanation of each, and how Fortra contributes to achieving them:
- Continuous endpoint data collection: The IBM i platform has unparalleled capabilities when it comes to information gathering. The audit journal, exit points, data journals, Collection Services, and much more are comprehensive sources of security and operational information embedded in the operating system that can feed any EDR ecosystem. This information simply needs to be made available. Powertech SIEM Agent for IBM i, Powertech Exit Point Manager for IBM i, and Powertech Compliance Monitor for IBM i all work to make these insights available in a consumable, leverageable format.
- Real-time analysis and threat detection: Activity on the IBM i can be reviewed in real time, covering native job execution, service-based actions, malware-related behaviors, and activity patterns indicative of ransomware. Powertech Exit Point Manager for IBM i functions as a transactional firewall while Powertech Antivirus uses advanced behavioral threat detection to block malware attacks.
- Automated threat response: Responding to threats quickly is essential, regardless of whether they were detected directly on the IBM i or identified by external security tools that correlate events across all platforms (including the IBM i). Threat response time can be shortened by applying predefined rules to identify risky situations in real time or by using automation tools to block or interrupt the attack vector. Powertech Antivirus for IBM i stops ransomware dead in its tracks by blocking malicious sequences in real time, while Robot Console can be triggered to deploy predefined remediation sequences. Additionally, Powertech SIEM Agent can operationalize detection and response by integrating IBM i with an enterprise SIEM solution.
- Investigation and remediation: Once the attack has been contained, a post-incident analysis begins to determine the scope of the compromise, the changes introduced into the system, the actions executed by the attacker, and any additional impact. With Powertech Policy Minder for IBM i, you can perform file integrity monitoring (FIM) on IBM i by tracking system value configurations. Powertech Database Monitor for IBM i can also provide this function for critical application files that should not be altered. With Powertech Compliance Monitor for IBM i, you can perform audit forensics on changes to your IBM i, giving you a clear picture of the scope and details of any unauthorized activity.
- Support for threat hunting: Finally, proactive security exercises are conducted to find security gaps, misconfigurations, vulnerabilities, and other weaknesses before they are exploited by malicious actors. With Fortra’s SecureCare for IBM i, our highly experienced security specialists will walk you through these proactive exercises and help you identify and monitor the configurations on your system that are most consequential to your security and compliance efforts.
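To make the first three functionalities concrete, here is an added example (not Fortra's or IBM's code) of the kind of predefined rules an EDR pipeline can run over audit journal (QAUDJRN) entries once they have been exported: a PW (invalid password) rule that flags one source address failing against many profiles, an SV/CP (system value and user profile change) rule for post-compromise changes, and rendering of the resulting alerts as CEF lines for a SIEM. The sample records, their pipe-delimited layout and the detail codes are constructed and simplified rather than real DSPJRN output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real journal output). Layout is simplified:
# timestamp|entry type|job user|target profile or object|remote address|detail code
SAMPLE_ENTRIES = """\
2024-05-01T08:00:01|PW|QUSER|ALICE|10.0.0.15|P
2024-05-01T08:00:03|PW|QUSER|BOB|10.0.0.15|P
2024-05-01T08:00:05|PW|QUSER|CAROL|10.0.0.15|P
2024-05-01T08:00:07|PW|QUSER|DAVE|10.0.0.15|P
2024-05-01T08:00:09|PW|QUSER|ERIN|10.0.0.15|P
2024-05-01T08:10:00|PW|QUSER|FRANK|10.0.0.22|P
2024-05-01T08:11:30|SV|QSECOFR|QAUDLVL|-|A
2024-05-01T08:12:00|CP|QSECOFR|NEWADMIN|-|A
"""

def parse_entries(text):
    """Turn the constructed feed into one dict per journal entry."""
    out = []
    for line in text.splitlines():
        ts, etype, user, target, addr, detail = line.split("|")
        out.append({"ts": datetime.fromisoformat(ts), "type": etype, "user": user,
                    "target": target, "addr": addr, "detail": detail})
    return out

def detect_password_spray(entries, threshold=5, window=timedelta(minutes=2)):
    """Flag a source address whose PW entries hit >= threshold distinct
    profiles inside a sliding time window (one alert per address)."""
    by_addr = defaultdict(list)
    for e in entries:
        if e["type"] == "PW":
            by_addr[e["addr"]].append(e)
    alerts = []
    for addr, evs in by_addr.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            profiles = {e["target"] for e in span}
            if len(profiles) >= threshold:
                alerts.append({"rule": "password_spray", "addr": addr, "count": len(profiles)})
                break
    return alerts

def detect_privileged_changes(entries):
    """SV (system value changed) and CP (user profile changed) entries are the
    changes FIM and post-incident forensics need to surface."""
    return [{"rule": "privileged_change", "type": e["type"], "user": e["user"], "target": e["target"]}
            for e in entries if e["type"] in ("SV", "CP")]

def to_cef(alert):
    """Render an alert as a CEF line for SIEM ingestion (vendor/product names constructed)."""
    ext = " ".join(f"{k}={v}" for k, v in alert.items() if k != "rule")
    return f"CEF:0|Example|IBMiAuditRules|1.0|{alert['rule']}|{alert['rule']}|7|{ext}"
```

On a real system the feed would be the journal receiver read through DSPJRN or a collection agent, and the thresholds would be tuned to the site's normal sign-on failure rate.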
Ready to Deploy EDR for your IBM i?
If attackers can reach it, they will. And if the IBM i plays a critical role in your business, it deserves the same level of depth that modern EDR brings to every other part of your infrastructure.
If you’re ready to strengthen your IBM i security posture with EDR capabilities, our team can walk you through exactly how our solutions can help you achieve comprehensive, integrated protection for your IBM i and across your entire environment.