Modern computer systems are almost universally connected, which creates wider attack surfaces well beyond code to users, hardware, and more. Securing systems is thus a fundamental skill for modern software engineers.

This course is a comprehensive introduction to cyber security best practices. You’ll start with an overview of common threats and vulnerabilities, as well as high-level concepts like privilege, integrity, logging, and mediation. With these concepts in mind, you’ll then learn common protection mechanisms and defense strategies from endpoint protection to firewalls, gateways, and proxy servers. Next, you’ll learn monitoring and detection techniques, alerts, and event management. Finally, when you detect a threat, you’ll know how to respond with support tickets, data preservation, and change management.

By the end of this course, you’ll have a better understanding of modern cyber security practices and a clear roadmap to implementing these as a developer.

Cyber Security Best Practices for Developers

## Overview

As part of a defense in depth strategy, it should be assumed that an attacker will make their way through the perimeter of network-based defenses and eventually reach an end user’s device (a desktop, laptop, or phone). As a result, the host needs endpoint security to fend off attacks. An **endpoint detection and response (EDR)** solution primarily does two things:
 

- It monitors the host by continually looking for malicious activity.

- It responds to attacks to protect the host, preserve evidence, and limit
further damage to the endpoint and organization.

## Capabilities

EDR can provide the following capabilities:

- **Detection**: It continuously monitors processes, alerts, and other resources for potentially malicious activity.


- **Integration**: It communicates with other tools to provide end-to-end contextual analysis and supports an organization-level response.


- **Remediation**:  It contains damage by putting the device into network isolation and restoring critical files from the last known good backup.


- **Evidence collection**: It obtains a snapshot of memory, preserves logs, and gathers other artifacts that can support an investigation.


An EDR agent is installed as a process that runs under elevated privileges to access the resources required to be effective.


## Detection

There are various behaviors and activities the EDR agent is constantly assessing, evaluating, and comparing against known threat signatures. Tuning is needed to reduce the number of false positives by filtering out benign events and adjusting event severity ratings. It’s also possible to set exclusions for which resources are monitored, such as files, folders, and processes. We set these to make detection efforts more focused and less likely to conflict with other software.

### Resources that can be monitored

Here are some resources that EDR can monitor:

- Processes

- Objects stored in memory

- File changes

- Network and DNS activity

- Account logins



# Overview

As part of a defense in depth strategy, it should be assumed that an attacker will make their way through the perimeter of network-based defenses and eventually reach an end user’s device (a desktop, laptop, or phone). As a result, the host needs endpoint security to fend off attacks. An **endpoint detection and response (EDR)** solution primarily does two things:
 

- It monitors the host by continually looking for malicious activity.

- It responds to attacks to protect the host, preserve evidence, and limit
further damage to the endpoint and organization.

# Capabilities

EDR can provide the following capabilities:

- **Detection**: It continuously monitors processes, alerts, and other resources for potentially malicious activity.


- **Integration**: It communicates with other tools to provide end-to-end contextual analysis and supports an organization-level response.


- **Remediation**:  It contains damage by putting the device into network isolation and restoring critical files from the last known good backup.


- **Evidence collection**: It obtains a snapshot of memory, preserves logs, and gathers other artifacts that can support an investigation.


An EDR agent is installed as a process that runs under elevated privileges to access the resources required to be effective.


# Detection

There are various behaviors and activities the EDR agent is constantly assessing, evaluating, and comparing against known threat signatures. Tuning is needed to reduce the number of false positives by filtering out benign events and adjusting event severity ratings. It’s also possible to set exclusions for which resources are monitored, such as files, folders, and processes. We set these to make detection efforts more focused and less likely to conflict with other software.

## Resources that can be monitored

Here are some resources that EDR can monitor:

- Processes

- Objects stored in memory

- File changes

- Network and DNS activity

- Account logins



Learn how EDR protects end user devices from being compromised.


Endpoint Detection and Response (EDR)

Learn how EDR protects end user devices from being compromised.

Introduction

Basics of Security

Detect

Protect

Respond

Conclusion

Endpoint Detection and Response

Overview

Capabilities

Detection

Resources that can be monitored