What are the components of EDR technology?
Like any cybersecurity approach, EDR’s purpose is multi-faceted, but its primary objective is to provide an in-depth view into endpoint activities for the purposes of monitoring, analysis, and threat mitigation. To provide security teams with that level of visibility, most Endpoint Detection and Response solutions will include some version of these features:
- Real-time monitoring and threat detection. EDR deploys software components, known as agents, that continuously monitor activity on the endpoint and collect telemetry for analysis and pattern matching. Detection combines signature-based matching with anomaly-based behavioral analysis, so it can catch known, persistent threats as well as novel attack methods.
- Incident and threat response. Automated alerting elevates the most serious threats to the security team, enabling a rapid response. The response may include isolation and containment measures to prevent lateral movement, and remediation procedures such as the removal of corrupted or malicious files.
- Proactive threat hunting. The data collected by EDR should provide in-depth visibility into the endpoint and typically includes file and data modifications, user activity, process executions, network connections, and more. Endpoint Detection and Response solutions have access to databases that maintain a current list of attack signatures, malicious domains and IP addresses, and other information that helps security teams discover indicators of attack (IOA) before attackers are able to execute their attack. With EDR, security teams can write queries that parse large volumes of telemetry efficiently.
- Forensic analysis. EDR’s data collection and behavioral analytics expedite incident response and also enrich post-incident analysis. They enable security teams to learn from cyber incidents while recovering from them, and to bolster defenses against repeat attacks.
- Filtering and triaging alerts. EDR’s automated functions filter alerts and surface those most likely to signify malicious activity. This helps the security operations center prioritize alert responses and avoid the common problem of chasing alerts generated by unusual but benign activity on the endpoint.
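The three mechanisms the list above describes (signature matching against a threat-intelligence database, anomaly-based behavioral detection against a learned baseline, and triage that ranks what reaches an analyst) can be seen working together on a handful of telemetry records. The following is an added example written for this page, not code from the original article or from any EDR product; the events, hashes, hostnames and the parent/child process baseline are all constructed.

```python
"""Added example: a miniature EDR detection pipeline over constructed
endpoint telemetry. It runs signature-based matching, anomaly-based
behavioral detection and alert triage, as described in the list above.
Every hash, hostname and event below is made up for illustration."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed agent telemetry: process starts, network connections, file writes.
TELEMETRY = [
    {"host": "ws-01", "type": "process", "parent": "explorer.exe", "image": "winword.exe",
     "sha256": "aaaa" * 16},
    {"host": "ws-01", "type": "process", "parent": "winword.exe", "image": "update.exe",
     "sha256": "bbbb" * 16},
    {"host": "ws-01", "type": "network", "image": "update.exe",
     "dst": "updates.example-bad.test", "port": 443},
    {"host": "ws-02", "type": "process", "parent": "services.exe", "image": "svchost.exe",
     "sha256": "cccc" * 16},
    {"host": "ws-02", "type": "network", "image": "svchost.exe", "dst": "wsus.corp.test", "port": 8530},
    {"host": "ws-03", "type": "file", "image": "backup-tool.exe",
     "path": "C:\\Users\\a\\docs\\q1.xlsx", "action": "modify"},
    {"host": "ws-03", "type": "process", "parent": "explorer.exe", "image": "newtool.exe",
     "sha256": "dddd" * 16},
]

# Constructed threat-intelligence feed (the "regularly updated database").
KNOWN_BAD_HASHES = {"bbbb" * 16}
KNOWN_BAD_DOMAINS = {"updates.example-bad.test"}

# Baseline of parent->child process pairs learned from historical benign
# telemetry on this (fictional) fleet; a pair with count 0 is anomalous.
BASELINE_PAIRS = Counter({
    ("explorer.exe", "winword.exe"): 500,
    ("explorer.exe", "notepad.exe"): 300,
    ("services.exe", "svchost.exe"): 2000,
})


@dataclass
class Alert:
    host: str
    rule: str
    severity: int            # 1 (low) .. 10 (critical)
    evidence: dict = field(default_factory=dict)


def signature_detections(events):
    """Signature-based: exact match of file hashes and destinations against intel."""
    alerts = []
    for e in events:
        if e["type"] == "process" and e["sha256"] in KNOWN_BAD_HASHES:
            alerts.append(Alert(e["host"], "known-bad-hash", 9, {"image": e["image"]}))
        if e["type"] == "network" and e["dst"] in KNOWN_BAD_DOMAINS:
            alerts.append(Alert(e["host"], "known-bad-domain", 8, {"dst": e["dst"], "image": e["image"]}))
    return alerts


def anomaly_detections(events, baseline=BASELINE_PAIRS):
    """Anomaly-based: parent/child pairs never observed in the benign baseline."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        pair = (e["parent"], e["image"])
        if baseline[pair] == 0:
            alerts.append(Alert(e["host"], "unseen-parent-child", 6, {"pair": pair}))
    return alerts


def triage(alerts):
    """Group alerts per host and rank them: several independent detections on
    one host raise its score, so the analyst sees the most suspicious host first.
    Returns a list of (host, score, sorted rule names), highest score first."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a.host, []).append(a)
    ranked = []
    for host, host_alerts in per_host.items():
        distinct_rules = {a.rule for a in host_alerts}
        score = max(a.severity for a in host_alerts) + len(distinct_rules) - 1
        ranked.append((host, min(score, 10), sorted(distinct_rules)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def run(events=TELEMETRY):
    return triage(signature_detections(events) + anomaly_detections(events))


if __name__ == "__main__":
    for host, score, rules in run():
        print(f"{host}: score={score} rules={rules}")
```

Running it ranks ws-01 first, because three independent rules (bad hash, bad domain, unseen parent/child pair) corroborate each other, while ws-03 produces only a single low-severity anomaly of the kind that is often a newly installed but legitimate tool. That corroboration step is what keeps the single-rule hit from competing with the real incident for an analyst's attention.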
What are the benefits of Endpoint Detection and Response?
Aside from providing a layer of defense that can address attacks missed by perimeter defenses, EDR technology can facilitate a number of common objectives of security teams, including:
- Improved threat detection and response times. No security solution is foolproof, which makes mean-time-to-respond (MTTR) an important metric of effectiveness. With continuous, real-time monitoring of endpoints, EDR provides a measurable improvement in response times while generating information that can be used to predict and defend against future attacks. It also helps security teams anticipate threats and find weaknesses in endpoints before attackers can exploit them.
- Visibility that supports security policies. In addition to responding to threats and attacks, Endpoint Detection and Response helps the enterprise keep track of software installations, prohibited user behavior, or violations of operations policies. Visibility into endpoints can also help security teams detect insider threats, such as improper access to files and systems or attempts to exfiltrate proprietary data.
- Improved forensic capabilities. Information collected during investigations and attack remediations can help security or forensic analysts create a more accurate picture of an incident and its scope. By providing a detailed record of endpoint activity, the enterprise can create detailed post-incident reports for regulatory or compliance purposes, as well as inform future monitoring and response strategies the security team can implement.
- Support for a comprehensive security approach. EDR solutions work in conjunction with other parts of the security toolkit, such as NDR, SIEM and XDR, and provide the SOC with a holistic view of the enterprise attack surface.
What factors should be considered when choosing an EDR solution?
Every organization has specific security requirements, so there is no one-size-fits-all EDR solution. That said, there are some fundamental questions that, when answered, can help a security team determine which solution will be the best fit.
- Does the solution cover the endpoints and operating systems you need to protect, and can it scale to protect the full complement of endpoints in the enterprise? The security team should ensure the EDR solution can cover a sufficient number of devices, and the right device types, in their organization.
- Does it provide sufficiently modernized threat detection? The most effective Endpoint Detection and Response solution will leverage machine learning, advanced behavioral analysis, and real-time monitoring capability.
- Is the solution compatible with the existing security stack? To prevent siloing and complicated workflows, the EDR solution should integrate well with SIEM, NDR, next-generation firewalls (NGFW), or other established security tools.
- Does the solution aid analysis through connection to regularly updated databases, or sandbox environments in which files can be executed for the purposes of threat detection or forensics? EDR databases and applications should be updated regularly, and include protected areas, or sandboxes, where files can be inspected for any signs of malicious code.
- How challenging is it to implement and configure the EDR solution? In large organizations that already use many other security tools, an EDR solution can add significant complexity. The security team should determine if they have sufficient expertise to configure and monitor the EDR.
What are some limitations of Endpoint Detection and Response?
At a time when attackers are well-funded, patient, and use multiple attack approaches, even the best EDR solution is not a stand-alone defense for the enterprise. And while EDR has evolved considerably since it was first introduced, security teams should be aware of some common limitations in the technology.
The primary challenge is that Endpoint Detection and Response focuses only on endpoints, and does not extend to networks, cloud deployments, and other attack surfaces. What’s more, many are not designed to cover embedded devices or systems, IoT devices, Industrial Control Systems (ICS), Operational Technology (OT), and other components that have become legitimate targets for cyber attacks.
Like any other alerting technology, EDR without regular retuning and calibration can generate a deluge of alerts that overwhelms the security team, including false positives that consume valuable time in manual analysis and verification. EDR solutions that rely on signature-based detection can miss many real threats (false negatives), and even solutions that use behavior-based analysis can miss the stealthiest attacks. Also, since attackers are constantly adapting their attack patterns or creating new ones, it can be challenging for EDR vendors to maintain a cadence of updates that keeps security teams current.
How can EDR and NDR complement each other?
Incident response that harnesses Endpoint Detection and Response and Network Detection and Response is more likely to respond quickly and effectively to threats that elude endpoint defenses alone. NDR’s passive monitoring of network traffic allows security teams to trace a threat’s lateral movement, identify systems involved beyond the initial point of compromise, and accelerate response and remediation.
While EDR’s coverage of endpoints is considered to be narrow and deep, NDR’s coverage of network traffic and behavior is broader, and based on packets and behavior that are considered to be the gold standard of evidence in enterprise security.
An immediate benefit of using EDR in conjunction with NDR is correlation of evidence. By harnessing two different data streams, security teams can use endpoint activity to validate evidence gleaned from network traffic patterns, or vice-versa.
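The correlation described above amounts to a join between two evidence streams: endpoint connection events, which carry the host, process and PID, and network flow records, which carry volume and the NDR verdict. The following is an added example written for this page, not code from the original article or from any EDR or NDR product; the records, addresses, verdict labels and the five-second clock tolerance are constructed assumptions.

```python
"""Added example: correlating EDR network-connection events with NDR flow
records. Joining on the connection's (src_ip, dst_ip, dst_port) within a
time window attaches a process and host to a network finding, and exposes
flows with no endpoint evidence at all, which typically means a host with
no agent (a visibility gap). All records below are constructed."""
from dataclasses import dataclass

WINDOW_SECONDS = 5  # assumed tolerance between the two sensors' clocks


@dataclass(frozen=True)
class EndpointConn:
    ts: int
    host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str
    pid: int


@dataclass(frozen=True)
class NetFlow:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    ndr_verdict: str


# Constructed endpoint telemetry (what the EDR agent reports).
EDR_EVENTS = [
    EndpointConn(1000, "ws-01", "10.0.0.11", "203.0.113.7", 443, "update.exe", 4120),
    EndpointConn(1003, "ws-02", "10.0.0.12", "10.0.0.50", 8530, "svchost.exe", 1188),
    EndpointConn(1010, "ws-02", "10.0.0.12", "10.0.0.50", 8530, "svchost.exe", 1188),
]

# Constructed network telemetry (what the NDR sensor reports). 10.0.0.99
# has no agent, so nothing on the endpoint side will explain its flow.
NDR_FLOWS = [
    NetFlow(1001, "10.0.0.11", "203.0.113.7", 443, 2_500_000, "large-outbound-transfer"),
    NetFlow(1004, "10.0.0.12", "10.0.0.50", 8530, 40_000, "benign"),
    NetFlow(1500, "10.0.0.99", "203.0.113.7", 443, 900_000, "large-outbound-transfer"),
]


def correlate(edr_events, ndr_flows, window=WINDOW_SECONDS):
    """Return (matched, unmatched_flows). Each matched entry pairs a flow with
    the endpoint connection that explains it: same src/dst/port and the
    closest timestamp inside the window."""
    matched, unmatched = [], []
    for flow in ndr_flows:
        key = (flow.src_ip, flow.dst_ip, flow.dst_port)
        candidates = [e for e in edr_events
                      if (e.src_ip, e.dst_ip, e.dst_port) == key
                      and abs(e.ts - flow.ts) <= window]
        if candidates:
            matched.append((flow, min(candidates, key=lambda e: abs(e.ts - flow.ts))))
        else:
            unmatched.append(flow)
    return matched, unmatched


def findings(edr_events=EDR_EVENTS, ndr_flows=NDR_FLOWS):
    """Turn the join into analyst-facing findings: a non-benign network
    verdict validated by the responsible process, or a flagged flow with no
    endpoint evidence behind it."""
    matched, unmatched = correlate(edr_events, ndr_flows)
    out = []
    for flow, conn in matched:
        if flow.ndr_verdict != "benign":
            out.append(("validated", conn.host, conn.process, conn.pid, flow.ndr_verdict))
    for flow in unmatched:
        out.append(("no-endpoint-evidence", flow.src_ip, None, None, flow.ndr_verdict))
    return out


if __name__ == "__main__":
    for f in findings():
        print(f)
```

The first finding is the correlation benefit the text describes: the network sensor's verdict on the 10.0.0.11 flow is now tied to a specific host, process and PID, which is what a containment action needs. The second finding is the complementary direction: a flow the NDR flagged that the EDR cannot explain, which is exactly the kind of gap (an unmanaged or agentless device) the limitations section above warns about.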