The term EDR – Endpoint Detection and Response – only entered the vocabulary of computer security a few years ago and still causes some confusion among customers entering into the crowded field of enterprise security solutions. What, exactly, is EDR? How is it different from legacy AV and EPP (Endpoint Protection Platforms)? And how and why did it come into existence? Has EDR really solved the problems it was designed to address? In this post, we explain the past, present and future of EDR.
The term EDR was coined by Anton Chuvakin of the Gartner Blog Network in 2013 as a means of classifying a new group of tools or capabilities that focused on the detection of suspicious activities on endpoints. These tools were different from earlier security solutions in that they did not necessarily focus on identifying specific malware but instead looked for anomalous activities. They were distinct in that their objective was to provide alerts to security terms that could trigger further investigation, rather than simply identifying and quarantining a file suspected of being malware.
Prior to the advent of EDR solutions, most businesses relied on traditional anti-virus protection. The problem was that by the time Chuvakin coined the term “EDR”, these solutions were already failing to protect enterprises. By 2014, an executive from Symantec told the New York Times that AV was essentially 49% ineffective. It was no surprise to many businesses that were already starting to adopt early EDR solutions, but to everyone else it was an amazing admission coming from the AV company that had 25% of the market share at that time.
The problem that businesses were facing with the old, legacy AV solutions revolved around the fact that they were based on detecting malware files through signatures – typically a hash of the file, but later through identifying tell-tale strings contained in the binary through search methodologies like YARA rules.
This approach was proving to have several weaknesses. First, malware authors began to sidestep signature-based detection simply by padding files with extra bytes to change the malware’s hash or using different ways to encrypt strings that could not be easily read by binary scanning. Second, adversaries intent on stealing company data, IP or inflicting damage through ransomware were no longer just trying to write malicious, detectable files to a victim’s machine. Bad actors’ tactics had evolved to include in-memory “fileless” attacks, exploiting built-in applications and processes (“living off the land”) and compromising networks by phishing users for credentials or stealing resources with cryptomining. Legacy AV solutions simply didn’t have the resources to deal with the new wave of tactics, techniques and procedures.
Given this threat to their existence, legacy AV solutions started offering further services such as firewall control, data encryption, data loss prevention through device blocking and a suite of other tools attractive to IT management in general, but not necessarily centred on security itself. Regardless, EPP was still fundamentally signature-based and did not really solve the inherent problem with legacy AV.
The failures have only become more marked with time. WannaCry, EternalBlue, NotPetya…a catalogue of disastrous breaches that have caused huge losses to those affected. Then there were cyber attacks like Target, Equifax and Marriott Hotels, which were infiltrated by cyber criminals for months prior to discovery, allowing access to the personal data of the majority of the US population. The more recent threats presented by the emergence of nation-state actors, cyberwarfare and the trading of hacking technologies on the darknet made enterprises realize they needed something else – visibility.
Aside from being signature-based, what primarily distinguishes EDR from EPP and legacy AV is that these earlier security solutions were based around prevention. In contrast, EDR is all about providing the enterprise with visibility into what is occurring on the network.
There were earlier “homegrown” attempts to do this before security vendors stepped up to the plate. There were hundreds of GitHub repositories offering open source tools for visibility, some even cross-platform, like Facebook’s OSQUERY. But using such solutions required skilled personnel that can code, integrate, do some devops and come up with a feasible process to make the enterprise aware of the active breaches as soon as possible.
At the same time, innovation had finally made it to the AV industry, and a new line of products began to appear focusing on detecting unusual activity and issuing a response – one, or often, many, alerts – for a security analyst to investigate.
Essentially, these EDR solutions attempt to provide the enterprise with visibility into what is occurring on the network. Some would claim that this is an easier nut to crack than protection as it shifts the work onto a human agent and is only required to generate alerts. For EDR solutions relying on weak heuristics and insufficient data modeling, the upshot for the SOC team can be either (or both) a never-ending stream of alerts and a high number of false positives. What the EDR market lacked was a means of contextualizing the complex amount of data streaming from the endpoints that this visibility provided.
Increased visibility means an increased amount of data, and consequently an increased amount of analysis. Because of this, most EDR solutions available today aren’t scalable. They require too many resources – time, money, bandwidth, a skilled workforce – that are in short supply.
In addition, EDR, as it is known today, requires cloud connectivity, and as such will always be late with protecting endpoints. If the solution is not on the device, there will inevitably be some dwell time. A successful attack can compromise a machine, exfiltrate or encrypt data, and remove traces of itself in fractions of a second. Waiting for a response from the cloud or for an analyst to take action in a timely manner is simply not feasible in the modern threatscape.
At SentinelOne, these drawbacks led us to develop ActiveEDR, a technology that is capable of correlating the story on the device itself.
ActiveEDR is an automated response that relies on artificial intelligence to take the burden off the SOC team. It allows security teams to quickly understand the story and root cause behind a threat. The technology can autonomously attribute each event on the endpoint to its root cause without any reliance on cloud resources.
This revolutionizes enterprise security. It can be used by businesses regardless of resources, from advanced SOC analysts to novice security teams, providing them with the ability to automatically remediate threats and defend against advanced attacks.
Cybersecurity is a never-ending game of cat-and-mouse. As attackers up the ante, developing new skills and deploying new tactics and techniques, defenders respond by trying to play catch up. Endpoint security solutions have been lagging behind adversaries for a long while now, but with the advent of ActiveEDR – a technology that can in a matter of seconds prevent, detect and respond to the most advanced attacks regardless of delivery vectors, whether the endpoint is connected to the cloud or not – defenders may at last have a winning edge.