What is EDR and Why It is Critical to SMB Security?
February 25, 2019
The Current Threat Landscape and Endpoint Security
Over 7 billion global devices in an always-on, continuously connected world create a soft target for today's attacker. Whether working to monetize data or make a political statement, adversaries are well funded and well staffed in the battle for endpoint access and control. Traditional endpoint security methods such as anti-virus software are no match for the growing sophistication and volume of advanced threats in the current threat landscape. According to the Ponemon Institute, over 52% of businesses have experienced a security incident that bypassed traditional defenses. Modern threats are built to evade signature-based detection, and signatures are useless against advanced threats such as insider risks, zero-day attacks, and file-less malware, none of which present a known-bad file to match. This growing security gap is the catalyst for Endpoint Detection and Response solutions.
What is EDR?
Data breaches take an average of 197 days to be uncovered, and organizations often learn of a breach from law enforcement or card-holder merchant services instead of detecting it themselves. Reducing the time attackers spend in an organization, called dwell time, and detecting incidents sooner dramatically lowers breach costs and protects brand reputation. Gartner Research defines Endpoint Detection and Response (EDR) solutions as those that record and store endpoint system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems. There are usually two product approaches to EDR: self-managed EDR software or a managed service. Organizations of all sizes and verticals are embracing EDR and anomaly detection as a crucial way to prevent, detect, respond to, and predict cybersecurity attacks. In addition, Gartner Research forecasts a 3x increase in EDR adoption through 2020.
What Are Considered Critical EDR Capabilities?
The EDR market is still evolving with solutions and providers varying widely in features and scope. However, the majority of EDR solutions encompass these five primary capabilities:
Rapid detection, from insight into an unfolding endpoint attack through root cause analysis to blocking the actual threat, is essential to stopping threats early. While many small and mid-sized businesses (SMBs) understand the need for better security effectiveness, they may not be familiar with all the options for advanced threat detection or know where to start. All too often, overworked IT teams opt to re-image a laptop without investigating the root cause or the scope of the compromise. Re-imaging wipes the visible malware, but it leaves intact whatever let the attacker in and whatever else they reached: stolen credentials, a second compromised host, a persistence mechanism elsewhere. The result? A loop of re-compromise, as the adversary capitalizes on the same systemic weaknesses in people, processes, and technology, undermining business resiliency.
What Limitations Exist with Traditional Anti-Virus Security?
Anti-virus (AV) software is a traditional security tool that relies on an ever-growing library of signatures. Attackers adapt to the evolving threat landscape by changing and mutating their tactics, often reverse engineering anti-virus tools to learn how to bypass detection, according to "Endpoint Protection and Response: A SANS Survey" from June 2018. With more and more data breaches being disclosed, SMBs realize that anti-virus software has some sizable drawbacks. Some anti-virus limitations include:
- Ineffective visibility: because it relies on signature-based detection, traditional anti-virus does not detect emerging or unknown threats such as zero-day attacks. Attackers make slight changes to malware to create a new variant with a new hash value, and they are adept at covering their tracks. EDR, by contrast, uses behavioral analysis, so it can detect new and unknown threats and surface insider threats, whether malicious or inadvertent, because it watches what a process or user does rather than what a file looks like.
- Limited insight into attacker actions: anti-virus software, and next-gen anti-virus with it, focuses on prevention rather than detection and investigation. EDR helps pinpoint how the attacker entered an organization and the path of compromise, often described in terms of the "cyber kill chain". EDR also enables forensic investigation, so you can detect lateral movement within your organization and be sure that every compromised device has been identified.
- A false sense of security: once the foundational security tool of every organization, anti-virus has declined in effectiveness as the hacker economy has grown to monetize threats such as ransomware and to evade detection with a low-and-slow approach. Traditional anti-virus catches only 47% of endpoint compromises, according to a SANS endpoint research study (5). Organizations may be lulled into a sense of invincibility that creates a risk gap through insufficient security investment.
- Compromised credentials: compromised credentials are legitimate username and password combinations that have been exposed in a data breach. These stolen logins remain valid as long as the passwords have not been reset. Attackers can use the more than 1.4 billion stolen credentials available on the deep and dark web to gain access to sensitive systems and to SMB supply-chain partners of larger enterprises. Anti-virus tools have nothing to detect here, since no malware is involved; EDR solutions with behavioral analytics can flag an adversary who logs in at unusual times or from countries where your organization does not operate.
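To make the first two limitations concrete, here is an added example, written for this edit and not code from the original post or from EventTracker, that runs in Python over constructed telemetry: a hash signature matches the original sample and misses a one-byte variant, while behavior rules (an Office application spawning a script host, hidden-window encoded PowerShell, rundll32 loading a DLL from a user temp directory) flag the same attack chain, and a walk up the parent-process links reconstructs the path of compromise back to the phishing document. The payload bytes, process events, user name, and rule thresholds are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Part 1: why a hash signature breaks on a one-byte variant -----------------
# Constructed stand-in for a malicious file; placeholder text, not real malware.
ORIGINAL_DROPPER = b"MZ\x90\x00" + b"constructed placeholder payload for the example"
# One-byte change (last byte flipped), as a malware author would do to defeat hash matching.
MUTATED_DROPPER = ORIGINAL_DROPPER[:-1] + bytes([ORIGINAL_DROPPER[-1] ^ 0x01])

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The AV "signature library": known-bad hashes. Only the original sample has been seen before.
KNOWN_BAD_SHA256 = {sha256_hex(ORIGINAL_DROPPER)}

def signature_match(data: bytes) -> bool:
    """Traditional AV-style check: flags only files whose exact hash has been seen before."""
    return sha256_hex(data) in KNOWN_BAD_SHA256

# --- Part 2: behavioral detection plus lineage over process telemetry -----------
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-cased, e.g. "powershell.exe"
    cmdline: str
    user: str

# Constructed process-creation telemetry in the shape an EDR agent (or Sysmon event ID 1)
# would record: one macro-document compromise chain plus a benign scheduled PowerShell script.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(400, 1, "explorer.exe", "explorer.exe", "acme\\jdoe"),
    ProcessEvent(1200, 400, "outlook.exe", "outlook.exe", "acme\\jdoe"),
    ProcessEvent(1850, 1200, "winword.exe", "winword.exe /n invoice_4471.docm", "acme\\jdoe"),
    ProcessEvent(2210, 1850, "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "acme\\jdoe"),
    ProcessEvent(2300, 2210, "rundll32.exe",
                 "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll,Start", "acme\\jdoe"),
    ProcessEvent(2400, 400, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1", "acme\\jdoe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_LOADERS = {"rundll32.exe", "regsvr32.exe"}

def behavioral_reasons(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Behavior rules: each looks at what the process did and who started it, never at a file hash."""
    reasons = []
    parent = by_pid.get(event.ppid)
    cmd = event.cmdline.lower()
    if parent is not None and parent.image in OFFICE_APPS and event.image in SCRIPT_HOSTS:
        reasons.append(f"{parent.image} spawned script host {event.image}")
    if event.image in {"powershell.exe", "pwsh.exe"} and "-enc" in cmd and "-w hidden" in cmd:
        reasons.append("hidden-window PowerShell with an encoded command")
    if event.image in LOLBIN_LOADERS and "\\appdata\\local\\temp\\" in cmd:
        reasons.append(f"{event.image} loading a DLL from a user temp directory")
    return reasons

def lineage(pid: int, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Walk parent links back to the root so the analyst sees the path of compromise, not just the alert."""
    chain, seen = [], set()
    cur: Optional[ProcessEvent] = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:      # `seen` guards against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))

def triage(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per suspicious process with its reasons and full ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        reasons = behavioral_reasons(e, by_pid)
        if reasons:
            findings.append({"pid": e.pid, "user": e.user, "reasons": reasons, "path": lineage(e.pid, by_pid)})
    return findings

if __name__ == "__main__":
    print("original matches signature:", signature_match(ORIGINAL_DROPPER))   # True
    print("one-byte variant matches:  ", signature_match(MUTATED_DROPPER))    # False
    for f in triage(EVENTS):
        print(f"pid {f['pid']} ({f['user']}): {' -> '.join(f['path'])}")
        for r in f["reasons"]:
            print("    ", r)
```

The benign backup script (pid 2400) is also PowerShell launched by the same user, and no rule fires on it: the rules key on the parent process and on command-line behavior, which is what lets them catch the variant the hash missed without alerting on every PowerShell launch. The lineage for the flagged processes runs explorer.exe -> outlook.exe -> winword.exe -> powershell.exe -> rundll32.exe, which tells the responder the root cause was a document opened from mail, not the rundll32 that an AV alert alone would point at.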
While anti-virus and next-gen anti-virus (NGAV) tools offer some level of protection, layered defenses are needed to mitigate stealthy and mutating threats, and Endpoint Detection and Response (EDR) is one such layer. Organizations can further accelerate their security effectiveness by integrating EDR with security information and event management (SIEM), backed by a managed service and a 24/7 security operations center (SOC). These three components, when properly integrated and managed, give an SMB powerful and efficient advanced threat protection.
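The compromised-credential case from the list above, as an added example that is not the post's or EventTracker's code: behavioral checks over constructed logon records of the kind a SIEM receives from Windows or VPN logs once the source address has been geolocated. The organization profile (operating in US and CA, working hours 06:00 to 19:59 local), the user names and the addresses are assumptions. The impossible-travel check goes beyond the post's two cues (odd hours, unexpected country) to the related case of one account logging on from two countries too close together in time to be the same person.

```python
from datetime import datetime
from typing import Dict, List

# Assumed organization profile (constructed): where the business operates and its normal working
# hours in the local time of the timestamps. A real deployment would learn this per user over time.
OPERATING_COUNTRIES = {"US", "CA"}
WORKING_HOURS = range(6, 20)          # 06:00 through 19:59

# Constructed logon records, normalized the way a SIEM would present Windows 4624/4625 or VPN
# events after geolocating the source address. RFC 5737 documentation addresses are used.
LOGINS: List[Dict[str, str]] = [
    {"user": "jdoe",   "ts": "2019-02-20T09:15:00", "country": "US", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "jdoe",   "ts": "2019-02-20T03:42:00", "country": "US", "src_ip": "198.51.100.7", "result": "success"},
    {"user": "asmith", "ts": "2019-02-20T11:00:00", "country": "CA", "src_ip": "203.0.113.44", "result": "success"},
    {"user": "asmith", "ts": "2019-02-20T14:05:00", "country": "RO", "src_ip": "192.0.2.55",   "result": "success"},
    {"user": "jdoe",   "ts": "2019-02-20T11:30:00", "country": "BR", "src_ip": "192.0.2.9",    "result": "failure"},
]

def _when(rec: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(rec["ts"])

def login_anomalies(logins, countries=OPERATING_COUNTRIES, hours=WORKING_HOURS) -> List[dict]:
    """Flag successful logons at unusual hours or from countries the organization does not operate in.
    Only successes matter here: a stolen but valid password produces a clean 'success', which is
    exactly the event that signature-based tools and lockout rules never see."""
    findings = []
    for rec in logins:
        if rec["result"] != "success":
            continue
        reasons = []
        hour = _when(rec).hour
        if hour not in hours:
            reasons.append(f"logon at {hour:02d}:xx, outside working hours")
        if rec["country"] not in countries:
            reasons.append(f"logon from {rec['country']}, where the organization does not operate")
        if reasons:
            findings.append({"user": rec["user"], "ts": rec["ts"], "src_ip": rec["src_ip"], "reasons": reasons})
    return findings

def impossible_travel(logins, max_hours: float = 4.0) -> List[dict]:
    """Generalization beyond the post's two cues: two successful logons by one user from different
    countries closer together than a person could travel."""
    by_user: Dict[str, List[dict]] = {}
    for rec in sorted(logins, key=_when):
        if rec["result"] == "success":
            by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            gap_h = (_when(cur) - _when(prev)).total_seconds() / 3600
            if prev["country"] != cur["country"] and gap_h < max_hours:
                findings.append({"user": user, "from": prev["country"], "to": cur["country"],
                                 "hours_apart": round(gap_h, 2)})
    return findings

if __name__ == "__main__":
    for f in login_anomalies(LOGINS):
        print(f"{f['user']} {f['ts']} {f['src_ip']}: " + "; ".join(f["reasons"]))
    for f in impossible_travel(LOGINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['hours_apart']} h")
```

Two things to note in practice: the failed attempt from BR is deliberately ignored by these rules, since failures are the province of lockout and password-spray detections, and the 3-hour CA-to-RO hop for asmith is caught only by correlating two events that each look ordinary on their own, which is the kind of cross-event view an EDR or SIEM adds over a per-file anti-virus verdict.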
We understand the challenges you face in the battle for endpoint security. EventTracker EDR optimizes your effectiveness with a managed service and 24/7 SOC, augmenting your staff with hard-to-find security expertise. Purpose-built for SMBs, it harnesses automation and machine learning for deeper insights and actionable threat intelligence, and to pinpoint adversary actions in real time. EventTracker EDR enables you to rapidly detect, efficiently respond to, and recover from cyberattacks without the complexity and high cost of bloated enterprise-centric EDR software. EventTracker EDR is naturally more effective at reducing attacker dwell time when integrated with our EventTracker SIEM (security information and event management) solution.
Security incidents are inevitable, so organizations of all sizes must adapt to the changing threat landscape and invest further in detection and response capabilities. With finite IT and security teams and resources, SMB organizations must focus on reducing the attack surface that makes them vulnerable and on adopting integrated solutions, such as co-managed SIEM and a managed EDR service, that provide defense-in-depth security.