Endpoint detection and response (EDR) is a protection approach that monitors endpoint devices across a network and blocks threats as they are identified. Like any other cybersecurity product, it can only protect a network if it is set up appropriately and tested. Based on my decade’s experience as a security and red team consultant, here are five things CISOs should know about EDR platforms.
1. EDR can be evaded
The first, and arguably the most important, thing to understand about EDR is that it isn’t a drop-in solution that will solve all your endpoint security problems. Despite what the marketing departments and the various market research firms would have you believe, EDR can be defeated, and rather trivially at times. There are countless ways in which an EDR can be evaded, whether by interrupting its sensors, implementing a technique that subverts its detection logic, blending in with normal system behavior, or breaking the communication chain between the endpoint and the central collection server.
EDR has a difficult job. We expect it to be able to detect every tool an adversary can use against our endpoints, both known and unknown, while being accurate enough not to introduce too many false positives, which lead to alert fatigue in the security operations center (SOC). Mind you, vendors need to balance all of that on top of being easy to use and deploy, performant, secure, and competitively priced so that they can sell their product. If we simply temper our expectations of EDR and understand that, while it is the best tool for monitoring endpoint activity today, it can’t catch everything out of the box, we can begin improving how we use it and extract more value.
2. EDR is not antivirus
The endpoint protection market and how products are named can be confusing. Despite the ever-growing list of names and acronyms, there are really only two families of detection products: antivirus and EDR. Antivirus is generally focused on catching artifacts (usually file-based malware). EDR, on the other hand, focuses on detecting behaviors. While most EDR solutions today implement some form of antivirus, they’re primarily concerned with catching the things that happen after malware is detonated – such as post-exploitation activity.
EDR’s focus on behavior is what makes it so powerful. Many modern threats have evolved to not require introducing artifacts to the system which would be detected by antivirus — such as fileless malware. In these situations, we need to be able to investigate behaviors on the system for patterns indicative of a malicious actor’s presence. This is the true value of EDR: being able to query and correlate behaviors across systems, whether it be to hunt active compromises or build proactive detections. Treating our EDR solely as a tool for catching malware dropped to disk prevents us from extracting much of its value.
3. Fleet coverage matters
I can’t begin to tell you how many times, in my time as a red team operator, I compromised a workstation and immediately jumped to a server solely because EDR was not deployed there. In discussing the issue of limited fleet coverage with those customers, I’ve found no shortage of reasons as to why it is the case. Regardless of those reasons, however, the recommendation is the same: you need as full coverage as you can possibly get when it comes to your EDR deployment. There will certainly be exceptions, such as unsupported operating systems, constrained system resources, or critical business functions, but the default should be to install the EDR agent, and exceptions should be made on a system-by-system basis.
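As an added example (not from the original article), here is the kind of coverage reconciliation this section calls for: the organisation's asset inventory is checked against the EDR console's agent export so that hosts with no agent, or with an agent that has gone silent, surface in a report, and every exception is recorded per system with its reason. The hostnames, timestamps and exception list are constructed for illustration; a real run would pull them from the CMDB and the vendor's export.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: every host the organisation believes it owns.
ASSET_INVENTORY = [
    {"host": "ws-alice-01", "os": "Windows 11", "role": "workstation"},
    {"host": "srv-fileshare-02", "os": "Windows Server 2019", "role": "server"},
    {"host": "srv-db-03", "os": "Windows Server 2016", "role": "server"},
    {"host": "plc-gateway-04", "os": "Windows XP Embedded", "role": "ot"},
    {"host": "srv-web-05", "os": "Ubuntu 22.04", "role": "server"},
]

# Constructed EDR console export: hosts that have an agent, with last check-in.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EDR_AGENTS = {
    "ws-alice-01": NOW - timedelta(hours=2),
    "srv-db-03": NOW - timedelta(days=21),   # agent installed but not reporting
    "srv-web-05": NOW - timedelta(minutes=5),
}

# Documented system-by-system exceptions; the default for everything else is "install".
EXCEPTIONS = {
    "plc-gateway-04": "unsupported OS; compensating control: network isolation",
}

STALE_AFTER = timedelta(days=7)  # an agent silent longer than this is treated as a gap


def reconcile(inventory, agents, exceptions, now=NOW, stale_after=STALE_AFTER):
    """Classify every inventoried host as covered, stale, missing or excepted."""
    report = {"covered": [], "stale": [], "missing": [], "excepted": []}
    for asset in inventory:
        host = asset["host"]
        if host in exceptions:
            report["excepted"].append((host, exceptions[host]))
        elif host not in agents:
            report["missing"].append(host)      # no sensor on this host at all
        elif now - agents[host] > stale_after:
            report["stale"].append(host)        # sensor present but no longer reporting
        else:
            report["covered"].append(host)
    return report


def coverage_ratio(report):
    """Fraction of in-scope (non-excepted) hosts with a healthy, reporting agent."""
    in_scope = len(report["covered"]) + len(report["stale"]) + len(report["missing"])
    return len(report["covered"]) / in_scope if in_scope else 1.0


if __name__ == "__main__":
    result = reconcile(ASSET_INVENTORY, EDR_AGENTS, EXCEPTIONS)
    for bucket, hosts in result.items():
        print(f"{bucket:9s}: {hosts}")
    print(f"coverage: {coverage_ratio(result):.0%}")
```

The stale bucket is the one most often overlooked: an agent that was installed but has stopped checking in gives the console a green tick while providing no telemetry.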