What is EDR?
GridinSoft Team
Endpoint Threat Detection and Response, usually shortened to the “EDR” abbreviation, is a new look at anti-malware software. However, it is not about fitting all possible needs, as “classic” anti-malware apps pretend to do. EDR, as the name suggests, is a system that protects the endpoints of a network as a whole rather than each computer in isolation. In fact, the biggest weaknesses of separate security systems on each computer in a company were the lack of joint action across attacked devices, the lack of control over all possible attack surfaces, and the absence of journaling. But let’s go through each point step by step.
What is Endpoint Detection and Response?
It is useful to define the difference between the products. However, that still does not explain the main idea of EDR solutions or how they work. Endpoint security solutions are usually made to perform continuous scanning of the endpoint and all other elements of the network (the domain controller and users’ computers) in order to detect a possible threat and produce an adequate response. Constant monitoring of all events requires many additional modules on top of the “classic” anti-malware engine, and persistent oversight by a security specialist. Some vendors even offer their EDR products as software-as-a-service.
EDR solutions detect the presence of a threat by its behaviour. Besides basic heuristic rules, the program also relies on neural networks. The sources, however, may differ from the usual “current processes” view: an endpoint protection solution has multiple other ways to get information about events. Then it checks the detected item with a “classic” database-backed method. If it finds a matching signature, it instantly removes the threat, treating it as a known virus. If not, it only blocks it, leaving the decision on removal to a human. Such a dome over all elements of a corporate system allows it to deal even with human-related threats, such as insiders or even advanced persistent threats.
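The two-stage flow just described (behaviour-based detection first, signature lookup second, automatic removal only on a signature match, otherwise block and hand over to a human) as a small added Python model. This is illustration code written for this page, not GridinSoft’s or any vendor’s engine; the behaviour names, weights, threshold and the placeholder hash in the signature table are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"                        # behaviour looks benign, keep watching
    REMOVE = "remove"                      # behaviour + known signature: automatic removal
    BLOCK_AND_ESCALATE = "block+escalate"  # behaviour only: contain, let an analyst decide

@dataclass
class ProcessEvent:
    name: str
    sha256: str          # hash of the executable as recorded by the sensor
    actions: list        # behaviours the sensor observed for this process

# Constructed signature database. The hash is a placeholder, not a real IoC.
SIGNATURES = {"a" * 64: "Trojan.Generic.Example"}

# Constructed heuristic rules: each suspicious behaviour adds weight, and the
# sum has to reach the threshold before the item is treated as a detection.
HEURISTIC_WEIGHTS = {
    "writes_run_key": 2,        # persistence via autorun
    "disables_defender": 3,     # tampering with security tooling
    "mass_file_rename": 4,      # ransomware-like file activity
    "reads_browser_creds": 3,   # credential theft
    "spawns_from_office": 2,    # macro-style parent/child chain
}
SUSPICION_THRESHOLD = 4

def behaviour_score(ev: ProcessEvent) -> int:
    """Stage 1: behaviour-based detection using the heuristic rules."""
    return sum(HEURISTIC_WEIGHTS.get(a, 0) for a in ev.actions)

def triage(ev: ProcessEvent):
    """Two-stage flow from the text: behaviour first, then signature lookup.
    Returns (verdict, matched family or None)."""
    if behaviour_score(ev) < SUSPICION_THRESHOLD:
        return Verdict.ALLOW, None
    family = SIGNATURES.get(ev.sha256)          # stage 2: database-backed check
    if family is not None:
        return Verdict.REMOVE, family           # known virus: remove instantly
    return Verdict.BLOCK_AND_ESCALATE, None     # unknown: block, analyst decides

if __name__ == "__main__":
    sample = ProcessEvent("updater.exe", "c" * 64, ["mass_file_rename"])
    print(sample.name, triage(sample))
```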
Antivirus vs EDR
At the beginning of this article, you could see three major problems of “classic” anti-malware software that make it not so useful for protecting corporations. Those are real, but there is a much more serious difference that makes the two hard to compare at all. Endpoint detection and response solutions are supposed to be an all-encompassing thing that protects the whole corporate network. It is feasible to find and set up a solution of equal coverage based on a regular antivirus, but its efficiency will likely be questionable. As practice shows, it is pretty hard to teach an old dog new tricks. That’s why those tricks must be done by something originally designed for the purpose.
Why is EDR better than regular antivirus?
Regular antivirus
- Can effectively protect stand-alone computers;
- Supports Windows or macOS (sometimes both simultaneously);
- The primary control method is a GUI on each computer. Some are capable of remote control, which usually requires a special app version;
- On-demand scans, database-backed detection. Heuristics are applied in proactive protection mode;
- Logging is primitive, based on the events that happened during scans and proactive protection.
Endpoint Detection and Response
- Good at protecting the whole network, including servers and the domain controller;
- Supports all possible *NIX operating systems along with Windows;
- Remote centralized control is the primary way to manage it. Only local adjustments may be done on the system elements;
- Malware is detected primarily by heuristic rules. The solution constantly monitors the system;
- Logs all events observed in the protected network, whenever they happen.
Now, let’s check out the importance of the problems we mentioned above. Separation of security systems per computer is a critical obstacle to establishing reliable malware protection. Clustering is good in network design (and in bombs), but not in structures that require homogeneity. And malware protection is exactly such a structure. Having different systems with different protection setups decreases the protection efficiency by orders of magnitude. Sure, it is possible to set up all systems in the same manner. But that similarity will not last long if someone uses the computer at least once a week.
Lack of joint action during an attack is related to the previous point. Cyberattacks on corporations rarely aim at a single computer; they usually target the whole network. That requires all elements of the network to respond simultaneously and identically. This issue is less critical, since some EDR systems even allow an asymmetric response. But it is important to have such an ability, and scattered security solutions don’t offer one.
Journaling is a very undervalued feature, which cannot be found in normal anti-malware software in any usable form. Scan/protection logs still do not give you enough information to analyse the current situation or a past cyber incident. Information about how it happened, second by second and step by step, helps cybersecurity specialists make the adjustments needed for better protection.
Key principles of Endpoint Detection And Response
Like any large-scale enterprise product, EDR relies on several key principles, regardless of the vendor. This is like a list of basic rules that must be followed before a product can be called an EDR solution. These principles can also be read as minimal requirements for a software product that claims to be a corporation-scale anti-malware program.
Coordinated response across all attack surfaces. As mentioned above, it is important to have a simultaneous response from all elements of the system during an attack. This capability must be provided by the EDR system, by default or after a specific setup.
Cloud-based management of the system. EDR solutions must be controllable remotely, so that an attack can be counteracted and the situation analysed from any place at any time. As statistics say, most cyberattacks happen after hours, when supposedly no one keeps an eye on the corporate network.
Highest protection rates. What is the point of an expensive and hard-to-set-up security system if it cannot counteract modern threats? That is a rhetorical question. Protection in endpoint security solutions must rely on heuristic and database-backed detection mechanisms, and possibly on neural networks. Organisations like AV-Comparatives test the available solutions regularly and publish their own rating for each EDR system.
Which threats is EDR aimed at?
Endpoint detection systems are capable of detecting and removing any kind of threat; that is what you pay for. From the simplest adware to obfuscated spyware or backdoor malware, it can stop any of them. However, there is a significant difference in how it understands that an attack is happening. Corporations are rarely attacked to inject adware or some other “light” virus; they usually receive ransomware or other nasty things. And the way EDR stops it differs from purely database-backed detection or heuristic scanning.
You can already guess from the key principles of an EDR system what is meant. Such security systems are designed to stop an attack at its initial stage: RDP password brute force, for example, or browser exploit execution. For that purpose, endpoint detection systems keep a journal of all events in the system. Moreover, journaling allows EDR systems to effectively counteract the most dangerous threats, such as so-called Advanced Persistent Threats. Other long-lived things like backdoors and spyware, which usually try to stay in the system as long as possible, will be defeated efficiently too.
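As an added example of the journaling-based early-stage detection mentioned here, and of the journaling value described earlier, the following Python (written for this page, not taken from any EDR product) runs a simple brute-force rule over a constructed journal of RDP logon events and reconstructs the timeline for the source that tripped it. The event IDs and logon type follow the Windows Security log; the addresses, user names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed journal entries in the shape an EDR sensor might record from the
# Windows Security log: 4625 = failed logon, 4624 = successful logon, logon
# type 10 = RemoteInteractive (RDP). Addresses and user names are made up.
def ev(ts, event_id, src, user, logon_type=10):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type, "src": src, "user": user}

JOURNAL = [
    ev("2024-03-01T02:14:01", 4625, "203.0.113.5", "admin"),
    ev("2024-03-01T02:14:04", 4625, "203.0.113.5", "administrator"),
    ev("2024-03-01T02:14:09", 4625, "203.0.113.5", "admin"),
    ev("2024-03-01T02:14:12", 4625, "203.0.113.5", "backup"),
    ev("2024-03-01T02:14:20", 4625, "203.0.113.5", "admin"),
    ev("2024-03-01T02:14:25", 4625, "203.0.113.5", "admin"),
    ev("2024-03-01T02:15:02", 4624, "203.0.113.5", "admin"),    # a guess succeeded
    ev("2024-03-01T09:01:00", 4625, "198.51.100.7", "jsmith"),  # ordinary typo
    ev("2024-03-01T09:01:30", 4624, "198.51.100.7", "jsmith"),
]

def detect_rdp_bruteforce(journal, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failed RDP logons from one source inside
    `window` raise an alert; a later success from that source is attached to it,
    because that is the case an analyst must look at first."""
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    alerts = {}
    for e in sorted(journal, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:
            continue
        ts = datetime.fromisoformat(e["ts"])
        src = e["src"]
        if e["event_id"] == 4625:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "first_failure": q[0].isoformat(),
                               "failures": len(q), "success_after": None}
        elif e["event_id"] == 4624 and src in alerts:
            alerts[src]["success_after"] = (e["ts"], e["user"])
    return list(alerts.values())

def timeline(journal, src):
    """Journaling pays off here: the full ordered history for one source."""
    return [f'{e["ts"]} {e["event_id"]} {e["user"]}'
            for e in sorted(journal, key=lambda e: e["ts"]) if e["src"] == src]
```

A plain scan log would only show the final successful logon; the journal lets the rule see the failures that preceded it and hand the analyst the whole sequence.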
Is EDR worth it?
This question depends on too many factors to have a single answer. By design, EDR is more expensive and more complex than regular antivirus. At the same time, it is much more effective against real-world threats. Adware and browser hijackers are more like a common cold, while ransomware or spyware attacks are as serious as pneumonia. But this comparison is not always true.
When you have a small company, for example a chain of bakeries in your city or county, the price/benefit ratio of purchasing EDR is too low. You do not have many computers and servers to protect with a high-end solution, and neither your data nor your activity is a point of interest for cybercriminals. Sure, hoping that you will not be hit does not mean you will never be hit. But still, an objective assessment of your needs is very important when it comes to large expenses.
Even small companies may be in the sights of fraudsters. Accounting and clearing firms, which may cooperate with regional banks and small brokerage firms, have a lot of sensitive information passing through their storage. The same goes for clinics, local government agencies and bank branches. Some ransomware groups have agreed to avoid attacking critical infrastructure companies, government agencies, medical and educational institutions. But that never means you are 100% safe: even some of the biggest groups chose to ignore these “ethical hacking” rules.