EDR Deployment at Brest University Hospital: Insights from the IT Security Specialist

How the Brest University Hospital Leveraged EDR for Incident Response and Security Management

In March 2023, during a cybersecurity incident at the Brest University Hospital (CHRU de Brest), the organization demonstrated the importance of Endpoint Detection and Response (EDR) capabilities in managing security threats. The team was able to swiftly utilize the EDR’s incident response features to investigate, contain, and analyze the breach. This included active Threat Hunting based on indicators of compromise, a fundamental function of any robust EDR solution.

Background and Context of EDR Deployment

The hospital previously relied on traditional antivirus, but circumstances prompted a strategic shift. Its original security setup was built on the Kaspersky antivirus suite. The outbreak of the conflict in Ukraine, however, prompted a reassessment on geopolitical grounds: the French National Cybersecurity Agency (ANSSI) flagged the risk that hostile actors might target Kaspersky's servers, potentially leading to compromised updates or a disruption of antivirus functionality. In light of these concerns, the hospital decided to replace its existing antivirus with Microsoft Defender, integrated with HarfangLab's EDR platform.

Enhanced Visibility and Asset Management

Beyond safeguarding endpoints, the hospital leverages the EDR for comprehensive digital asset management and security monitoring. The healthcare ecosystem typically manages numerous devices via central directories like Active Directory and Microsoft management tools. However, some critical devices, especially biomedical equipment, cannot be managed centrally. The EDR bridges this visibility gap by providing a unified view of these devices and consolidating event data within a central console. This approach offers near-complete visibility across all digital assets, enabling proactive security measures and better asset management.

Remote Querying and Asset Monitoring

One of the features most appreciated by the hospital staff is the ability to run remote queries across a wide range of endpoints. Through the EDR's querying capabilities, the security team can check individual machines for specific registry entries, software installations, or other system characteristics. This allows routine, proactive monitoring for unauthorized software installations or policy violations, which is particularly useful when users install applications without proper authorization or administrative rights. The EDR thus becomes an invaluable tool not only for cybersecurity but also for asset and compliance management.

Addressing False Positives and Detection Strategies

EDR solutions commonly generate numerous false positives during initial deployment. The HarfangLab platform employs six distinct detection engines to improve accuracy. These include engines based on YARA rules and Sigma rules, which are highly reliable: alerts from these engines typically indicate true positives. Conversely, the machine-learning-based AI engine tends to produce more false positives, as it requires training to refine its detection capabilities.

During deployment, the hospital configured five of these engines to block suspicious activities automatically, while the AI engine was set to detection mode only. Despite some false alarms, these alerts have proven extremely valuable. They often reveal non-compliant behaviors or poorly designed applications, prompting the security team to contact vendors. For example, they might flag unsigned binaries or applications that perform unauthorized system calls, leading to collaboration with vendors for rectification.
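As an added illustration of the rule-based engines described above (example code written for this article, not HarfangLab's or the hospital's own), the block below evaluates a minimal Sigma-style rule over constructed process-creation events and flags unsigned binaries launched from user profile directories, the kind of alert the text says leads to vendor follow-up. The rule, field names and sample events are all constructed for the example.

```python
# Added example: a minimal evaluator for Sigma-style detection rules, run over
# constructed Windows process-creation events (not real hospital telemetry).

# Constructed rule in the Sigma layout: one selection, one filter, a condition.
# Field modifiers are written Sigma-style as field|modifier.
RULE = {
    "title": "Unsigned binary launched from a user profile directory",
    "detection": {
        "selection": {"Image|contains": "\\Users\\", "Signed": "false"},
        # Known unsigned-but-legitimate per-user installers are filtered out.
        "filter": {"Image|endswith": ["\\teams.exe", "\\onedrive.exe"]},
        "condition": "selection and not filter",
    },
}

# Constructed sample telemetry, roughly what an EDR agent reports per process start.
EVENTS = [
    {"Image": "C:\\Users\\nurse1\\AppData\\Local\\Temp\\update.exe", "Signed": "false"},
    {"Image": "C:\\Users\\nurse1\\AppData\\Local\\Microsoft\\Teams\\Teams.exe", "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\imaging.exe", "Signed": "true"},
    {"Image": "C:\\Users\\admin\\Downloads\\tool.exe", "Signed": "true"},
]

def field_matches(event, key, expected):
    """Apply a Sigma field modifier (contains/endswith/startswith or exact match), case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    patterns = expected if isinstance(expected, list) else [expected]
    for p in (str(p).lower() for p in patterns):
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "" and value == p:
            return True
    return False

def block_matches(event, block):
    """All field/value pairs inside one Sigma map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule):
    """Evaluate the single condition form this example supports: 'selection and not filter'."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("unsupported condition: " + det["condition"])
    return block_matches(event, det["selection"]) and not block_matches(event, det["filter"])

def alerts(events=EVENTS, rule=RULE):
    """Return the image paths of the events the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e, rule)]
```

Run on the sample events, only the unsigned binary in the Temp directory is reported; the Teams executable is suppressed by the filter, which is exactly the tuning step that turns a noisy first deployment into reliable alerts.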

Conclusion and Reflections

The Brest University Hospital’s experience underscores the strategic value of deploying an advanced EDR solution. Its deployment not only enhances threat detection and incident response but also provides comprehensive asset visibility and management capabilities. The operational insights gained from false positive analyses serve as feedback loops for improving vendor security practices and overall system integrity. As cybersecurity threats evolve, having a flexible, multilayered detection approach such as HarfangLab’s EDR platform is becoming indispensable for healthcare providers committed to safeguarding sensitive patient and institutional data.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.