Kandji explains its new Endpoint Detection and Response tools

The Apple-focused enterprise solutions provider ecosystem is growing apace to match the rapidly expanding need of enterprise IT. Jamf recently introduced a new anti-spyware solution for high-value targets. Today, competitor Kandji officially introduced its Endpoint Detection & Response (EDR)) solution, which aims to fight malware on the Mac.

I caught up with Weldon Dodd, Kandji’s senior vice president for community, to find more.

As Apple gains ground in the enterprise, threat actors get more interested

“Apple’s footprint in the enterprise has grown rapidly,” Dodd said. “With this growth, attention from threat actors has mounted for the Mac ecosystem. While Apple computers are secure, they are not impervious to threats. There are thousands of malware variants that can exploit vulnerabilities of apps running on a Mac, or bypass native security systems.”

Kandji

The torrent of attacks is unlikely to slow as Apple’s place in these markets continues to grow. Cisco says 59% of new hires choose a Mac and 65% of existing workers switch to Apple’s platform when they get the chance. Add a touch of mobile and the nature of business tech has transformed, with digital device penetration still only at the beginning of full realization of potential.

“Apple is the platform of choice for more and more workers today. Especially as larger enterprises adopt them, it becomes a bigger focus for bad actors,” said Dodd.

In that context, IT is being asked to deploy and maintain more and more tools to achieve compliance and protection.

“The solution is a way for IT to roll endpoint protection tooling in with their device management tooling,” said Dodd. “They can handle the management and protection of their Apple devices without having to maintain multiple agents. It is not a standalone endpoint detection and response system. It has been built natively into Kandji’s Device Management offering.”

What is Endpoint Detection and Response?

Kandji’s protection is deployed via the company’s existing Device Management tools, including its eponymously named Agent and Web app tools. The company says the protection analyzes incoming files for malware signals and enforces custom allow/block lists, which works to automatically identify and kill malicious files.

Dodd said the software leverages Apple’s technologies to the furthest extent possible. “We are using nearly every security API provided by Apple,” he said.

The primary API used is Apple’s Endpoint Security Framework (ESF). This kernel-based solution helps the system spot and respond to threats in real time and is similar to Windows ETW (Event Tracing for Windows). Its existence was enabled by Apple’s decision to deprecate Kernel Extensions from its systems with the introduction of macOS Catalina.

Kandji uses these APIs to, “collect system data and events [that] are the foundation for Device Harmony, and we use APIs for resource management — always prioritizing user work over the Kandji Agent’s, and to gather contextual information on system events to enhance threat detection,” Dodd said.

How Endpoint Detection and Response works

Dodd claims fast threat detection with little impact on Mac system resources.

It works like this: devices managed by the company already rely on Kandji Agent, which is notified by the ESF of each file system event as it takes place in a process that poses “almost no CPU overhead,” Dodd said.

“We leverage Apple’s methodologies, so our agent uses system resources as efficiently as possible. For example, the Kandji Agent takes advantage of Apple’s asymmetric multi-processing, so it dynamically uses performance or efficiency cores in Apple Silicon Macs, making sure the user always has the compute power they need.”

Security is informed by millions of malware definitions, data from the world’s leading threat feeds, and the company’s nine-strong team of threat researchers who curate detection methods and prevention strategies on current and future Mac malware variants. Dobbs told me the system can detect known variants from multiple Advanced Persistent Threat (APT) groups (such as NSO Group) on a Mac. The system also has rules in place to identify some unknown variants based on identifying points in the malware.

Education matters, but prepare for rain

Of course, protection of any kind is only part of the solution. Educating employees around good security practices is always the first line of defense. And even the most security-savvy user can be misled. “Attackers are constantly coming up with innovative ways to breach systems,” Dodd said. “Eventually someone will accidentally click that link or do something to allow malware onto their computer.

“A well-designed campaign can trick anyone, especially if it happens to come at the right place and right time. And in some cases, malware is spread to systems through compromised software that does not require any user intervention. It is on the company to build the protections so it’s ready for any possibility.”

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.