What is EDR?
October 17, 2022
Endpoint Threat Detection and Response, usually shortened to fit the “EDR” abbreviation, is a new look at anti-malware software. However, it is not about fitting all possible needs like “classic” anti-malware apps pretend to do. EDR, as you can understand from the abbreviation, is a system that must protect endpoints rather than individual computers. The biggest weaknesses of separated security systems for each computer in the company were lack of joint action for each attacked device, lack of control on all possible attack surfaces, and absence of journaling. But let’s check each thing step-by-step.
What is Endpoint Detection and Response?
It is great to define the difference between the products. However, that still does not clear out, what is the main idea of EDR solutions, and how does that work. Endpoint security solutions are usually made to perform continuous scanning of the endpoint and all other elements of the network (domain controller and users’ computers that connect to the endpoint) to detect the possible threat and create a competitive response. Constant monitoring of events requires many additional modules to the “classic” anti-malware engine and persistent control of a security specialist. Some vendors even offer their EDR products in the form of software-as-a-service.
EDR solutions detect the threat presented by its behavior. Besides the basic heuristic rules, the program also relies on neural networks. The sources, however, may be different from usual "current processes" - endpoint protection solution suppose multiple other ways to get the information about events. Then, it checks the detected item with a “classic” database-backed method. If it finds a matching signature - it instantly removes the threat, considering it is a virus. If not, it just blocks it, giving a human the right to manage the removal. Such a dome over all elements of a corporate system allows it to deal even with human-related threats - such as insiders or even advanced persistent threats.
To make security management more effective, most solutions divide the protected network into small pieces called nodes. That makes it possible to apply individual security restrictions/privileges to a certain machine or even the chosen application. Moreover, having the entire network divided into such parts makes it much easier to analyze the event logs - it is much easier to figure out what was the attack surface and how the attacker acted.
Antivirus vs EDR.
In the previous paragraph, you could see three major problems of “classic” anti-malware software that make them not so useful when protecting corporations. They’re true. However, a much more serious problem makes them even harder to compare. Endpoint detection and response solutions are supposed to be an engrossing thing that protects the whole corporate network. Finding and setting up a solution equal to coverage and based on the regular antivirus is feasible, but its efficiency will likely be questionable. As practice shows, teaching the old dog some new tricks is pretty hard. That’s why those tricks must be done by something originally designed for that purpose.
Why is EDR better than regular antivirus?
Antivirus
- Can effectively protect solitaire computers;
- Supports Windows or macOS (sometimes both simultaneously);
- Primary control way is GUI on each computer. Some of them are capable of remote control. That usually requires a special app version;
- On-demand scans, database-backed detection. Heuristics are applied in proactive protection mode;
- Logging is primitive, based on the events during the scans and proactive protection.
Endpoint Detection and Response
- Good at protecting the endpoint and related things, including servers and the domain controller;
- Supports all possible *NIX operating systems along with Windows;
- Remote centralized control is a primary way to manage. Only local adjustments may be made to the system elements;
- Primary way of malware detection is heuristic rules. The solution constantly monitors the endpoint and all related elements.
- Logs all events that are spectated in the protected network, regardless of the moment.
Now, let’s check out the importance of the abovementioned problems. Separation of security systems for each system is critical for establishing a reliable malware protection. Clustering is good in network design but not in structures that require homogeneity. And malware protection is exactly the one. Different systems with different protection setups for each decrease the protection efficiency by magnitude. Sure, it is possible to set up all systems similarly. But that similarity will not last for a long time if someone uses that computer at least once a week.
Lack of joint action during the attack is related to the previous paragraph. Cyberattacks on corporations rarely aim at a single computer - they usually attack the whole network. And that requires all elements of this network to respond simultaneously and identically. Such an issue is less critical since even some EDR systems suppose the asymmetric response in some situations. But it is important to have the such ability - and scattered security solutions don’t offer one.
Journaling is a very undervalued thing, which cannot be found in standard anti-malware software in any usable form. Scan/protection logs still do not give you enough information to analyze the current situation or the past cyber incident. The information about how it happens, second-by-second, step-by-step, will help the cybersecurity specialists make the necessary adjustments for better protection.
Key principles of Endpoint Detection And Response
Same as any large-scale enterprise product, EDR relies on several key principles, regardless of the vendor. This is like a list of basic rules that are obligatory for following to call your product an EDR solution. These principles can also be interpreted as minimal requirements to the software product that pretends to be a corporation-scale anti-malware program.
Coordinated response of all attack surfaces. As mentioned above, responding simultaneously to all system elements during the attack is important. The EDR system must provide this capability by default or after the specific setup.
Cloud-based management of the system. EDR solutions must be controllable from the remote position to counteract the attack and analyze the situation from any place and at any time. As statistics say, most of the cyberattacks happen after hours - when no one supposedly keeps an eye on the corporate network.
Highest protection rates. What is the need to have an expensive and hard-to-setup security system if it cannot counteract modern threats? That is a rhetorical question. The protection in endpoint security solutions must rely on heuristic and database-backed detection mechanisms and possibly on neural networks. Organisations like AV-Comparatives test the available solutions regularly and therefore publish their own rating for each EDR system.
Which threats EDR is aiming at?
Endpoint detection systems are capable of detecting and removing any threat - that is for what you pay money for. From the most simple adware to obfuscated spyware or backdoor malware, it can stop any of these things. However, it significantly differs in understanding that the attack is happening. Corporations are rarely attacked to inject adware or some other "light" virus - they usually receive ransomware or other nasty things. And the way EDR stops it is different from solely database-backed detection or heuristic scanning.
You can already guess from the key principles of the EDR system what is meant. Such security systems are designed to stop the attack on the initial stage - RDP passwords brute force, for example, or browser exploit execution. For that purpose, endpoint detection systems have a journal of all events in the system. Moreover, the journaling allows the EDR systems to counteract the most dangerous threats effectively - so-called Advanced Persistent Threats, for example, . Other long-living things, like backdoors and spyware, that usually try to hold in the system as long as possible, will efficiently be defeated, too.
Is EDR worth it?
This question depends upon too many factors to have a sole answer. By design, EDR is more expensive and more complex than regular antivirus software. At the same time, it is much more effective against real-world threats. Adware and browser hijackers are more like a simple cold, while ransomware or spyware attacks are as serious as pneumonia. But this comparison is not always true.
When you have a small company - for example, a chain of bakeries in your city/county, the price/profit ratio of purchasing the EDR for you is too low. You do not have so many computers and servers to protect with a high-end solution, and your data and activity are not a point of interest for cybercriminals. Hoping you will not be struck does not mean you will never be struck. But still, objectification of your needs is an essential thing when it comes to large expenses.
Even small companies may be in the sight of fraudsters. Accounting and clearing firms that may cooperate with regional banks and small brokerage firms have sensitive info passing through their storage. The same thing is for clinics, local governmental agencies, and bank branches. Some ransomware groups agreed to avoid attacking critical infrastructure companies, government agencies, medical and educational institutions. But it never means that you are in 100% safe - even some of the biggest groups chose to ignore these “ethical hacking” rules.