How EDR Solutions are Bolstering Cybersecurity Defenses
Endpoint Detection and Response (EDR), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.
Coined by Anton Chuvakin, an ex-Gartner analyst and current Security Advisor in the Office of the CISO at Google Cloud, whom we follow closely and have the greatest respect for, EDR is defined as a solution that “records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”
To quote Crowdstrike, “EDR acts like a DVR on the endpoint, recording relevant activity to catch incidents that evaded prevention. Customers are given comprehensive visibility into everything that is happening on their endpoints from a security perspective as CrowdStrike tracks hundreds of different security-related events, such as process creation, drivers loading, registry modifications, disk access, memory access or network connections.”
Thus, when evaluating or budgeting to improve an organization’s security posture, IT security leaders are moving to Endpoint Detection and Response (EDR) solutions for many reasons. Beyond EDR being the new and improved replacement for anti-virus, you can also expect features like network isolation, enhanced endpoint visibility, and threat intelligence integrations. In this article, we will compare EDR against a traditional AV solution. We will also look at some of the advanced features included with most EDRs and review some of the more popular options in the industry.
Comparing AV to EDR
Anti-Virus, or AV for short, has been around for a long time. It is primarily based on specific signature detections, meaning that an AV solution is only as good as how often it is updated with new signatures as they arise. A signature is a behavior or trait that is exhibited when a malicious file is launched. Since the scope of the industry has changed so rapidly in the past 10-15 years, AV could not keep up with the total number of signatures required to make an AV tool effective, as we discussed in a previous blog post when we said, “According to this year’s survey on Endpoint Protection and Response, conducted by the SANS Institute, less than half of cyberattacks today are detected by antivirus software.”
We also said in that post that more than four years ago, Symantec, the company that dominated the antivirus market, suggested that “antivirus is dead.” Zero-day threats, social engineering, attackers changing malware signatures more frequently, and other more advanced tactics have replaced many of the attacks antivirus systems used to detect and quarantine.
Now comes the next-generation EDR solution, whose approach is changing the industry dramatically. We will cover many of EDR’s advanced features in the following sections. An EDR solution takes a combined approach, looking at both signatures and how processes interact on a host. Most EDR solutions are organized around cyber kill chains and attack trees such as the MITRE ATT&CK framework. MITRE does a great job of listing out different tactics, techniques, and procedures to help paint a better picture of what an attack could look like.
Instead of matching signatures outright, EDRs look for patterns in the processes occurring on a host to determine whether an attack is in progress. Based on this approach, EDRs became widely known for their ability to pick up new threats that do not yet have signatures, enabling companies to detect attacks earlier than they otherwise would.
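To make the signature-versus-process distinction concrete, here is an added example (not code from the original post or from any EDR vendor) that runs both styles of detection over a constructed stream of process-creation events; the hostnames, PIDs, hashes and command lines are all made up for illustration.

```python
# Added illustration: hash-based signature matching next to a behavioural
# parent/child process rule, run over constructed EDR-style telemetry.

# Constructed process-creation events of the kind an EDR records per host.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmd": "explorer.exe", "sha256": "a1" * 32},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe",
     "cmd": "winword.exe report.docx", "sha256": "b2" * 32},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -enc SQBFAFgA", "sha256": "c3" * 32},
    {"host": "ws02", "pid": 400, "ppid": 1,   "image": "dropper.exe",
     "cmd": "dropper.exe", "sha256": "d4" * 32},
]

# Signature approach: a fixed list of known-bad file hashes (constructed).
KNOWN_BAD_HASHES = {"d4" * 32}


def signature_detect(events):
    """Classic AV logic: flag only files whose hash is already on the list."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


# Behavioural approach: a parent/child pattern that needs no file hash at all.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behaviour_detect(events):
    """EDR-style logic: flag a script host spawned by an Office application.

    The rule keys on how processes interact, so it fires even though neither
    binary in the chain has a known-bad signature.
    """
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            hits.append({
                "host": e["host"],
                "technique": "office-spawns-script-host",
                "chain": f"{parent['image']} -> {e['image']}",
                "cmd": e["cmd"],
            })
    return hits
```

On the constructed data the signature check catches only the known dropper on ws02, while the behavioural rule catches the Office-to-PowerShell chain on ws01 that has no signature at all.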
Primary Benefits of an EDR solution
Now that we have a solid understanding of the basic operations of an EDR, let’s dive into some of its key features and why it is essential to have in your security arsenal.
Next-Gen AV (process vs. signatures)
As we discussed in the previous section, since EDR solutions focus on monitoring specific processes instead of searching for exact matching signatures, they can effectively detect possible intrusions early on and give the security team the ability to control the narrative.
Network Isolation Capabilities
One of the best EDR features is the ability to network-contain, or isolate, a host. From the management console of most EDRs, an administrator can virtually segment and isolate a host with the click of a button. The only communication the host will have is back to the EDR management portal. Network isolation allows teams to slow the spread of an infection and gives them time to investigate the issue further. Lastly, while a host is isolated, EDR administrators can still interact with it to collect forensic data, run virus scanners, and even attempt to remove the threat or remediate the situation.
Enhanced Endpoint Visibility
Since EDR closely monitors and collects process data, it provides users with an in-depth look into a system’s operations. Some even compare it to system event logs for how verbose it can be. This data can be used for troubleshooting or even brought into a SIEM solution for additional alerting capabilities.
Threat Intelligence Enrichment
Most EDR solutions come prepackaged with their own threat intelligence service, or with partner vendors, to gather intel about adversaries and ensure their process detection rules are continually updated. Most include this service for free and allow users to explore the data and even pull from it via an API.
Can EDR integrate with my other security tools?
Another critical question to consider when evaluating EDR tools is how well they integrate with your current security tool stack. As stated above, EDR solutions collect valuable data that can be used within your other tools to enrich and empower your toolsets and get the best bang for your buck. Examples of integrations to consider include:
- SIEM (pull in host process data or threat intelligence)
- Vulnerability scanners
- Network discovery tools or NDR
- Penetration testing toolsets
- Patch management tools
- Email gateway DLP
- CASB solutions
- Communications and Alerting (Slack)
You want to ensure that you can get multiple perspectives from each tool if you plan to integrate them to provide a unified vision of what could occur within your network.
What are some examples of popular EDR solutions?
Now that we know what an EDR does and some of the cool features, let’s explore some of the most popular solutions in the industry that may work best for you. The following EDRs all have competitive pricing models that are unique to their features and tailored to the size of your organization.
- TrendMicro XDR
- Microsoft Defender for Endpoint
- VMware Carbon Black
- Palo Alto Cortex XDR
- Malwarebytes EDR
Among these and similar solutions, Crowdstrike, SentinelOne, and Cybereason are the most popular options for most enterprises. They offer packaged pricing and allow users to purchase different features as they are needed. The offerings labeled XDR (Extended Detection and Response) provide additional features outside the scope of a traditional EDR, as we discussed in a previous blog post, Extended Detection and Response (XDR) is Changing SecOps. We said, “the basic premise of the solution is a simple one: XDR is a category of threat detection, investigation, and response solutions that work across all threat vectors in a company’s infrastructure, such as network, endpoint, and cloud, rather than just one piece. By increasing the integration of security tools, XDR tools increase visibility and insight for both the machine-learning models powering them and the security analysts using them.”
Most would agree that, overall, Crowdstrike tends to provide the best bang for your buck at the enterprise level. It offers top-of-market tools like vulnerability scanning, FIM, and firewall management for additional fees.
For an individual user, the Microsoft Defender suite baked into the Windows operating system has come a long way; its built-in next-gen signature detection engine helps protect Windows hosts with no need for additional AV.
Whether you are in the market for a new EDR solution or evaluating one for a future purchase, it is vital to consider the above topics when making this decision. Update cycles, support options, and even feature improvements are valid considerations for future-proofing your EDR investment.
Of course, every EDR platform has its own unique set of capabilities. However, as we suggested, critical capabilities include monitoring endpoints in both online and offline mode, responding to threats in real time, increasing visibility and transparency of user data, detecting stored endpoint events and malware injections, creating blacklists and whitelists, and integrating with other technologies. Some EDR vendors leverage the free MITRE ATT&CK classification and framework for threats, which we suggest is vital to a comprehensive EDR solution.
Organizations often manage protection with a layered security solution; however, we are finding that an optimal solution is an integrated system that records and analyzes activity automatically. A quality EDR platform gives a security team a picture of what’s happening to systems under attack, which is invaluable for effective event escalation and incident response.