The Case For EDR: Can it be right that in 2018 antivirus products missed on average 76% of cyber-attacks?
In this article Sudarshan Krishnan, ITC Senior Cyber Analyst, details what EDR is, what it isn’t and how you can apply it to your business.
For many years, antivirus software, primarily focused on protecting end-user devices (laptops, mobile devices, etc.) against “known” security threats, has been the foundation of endpoint security. However, cyber threats have evolved considerably in recent times, with cyber criminals becoming increasingly sophisticated as they adopt new, emerging tools and leverage hyper-advanced exploits and tactics. This means the once-sufficient antivirus (AV) system we all relied upon to detect suspicious activity (that it is familiar with) and guard against known malware no longer offers enough protection.
We all know that it only takes one person to click a harmful link or download a dodgy attachment for an entire organisation’s security to be irretrievably compromised. So, with cybercrime expanding and more advanced types of malware going about their business hidden in plain sight, what’s needed is a system that can go beyond traditional malware protection – a solution that integrates threat visibility, intelligence and behavioural analysis with detection and remediation capabilities all in one.
Too many businesses continue to focus on the network, the server and the data centre as their security combat zone. What they fail to recognise is that while these classic targets will always be of interest to an attacker, endpoints and the perimeter are the new frontline and have become a more favoured target for cyber miscreants.
In recent years, we’ve seen real incidents of cyber-attacks where high-value targets such as banks, large corporates and global law firms have fallen prey. The WannaCry attack in 2017, for instance, is reported to have affected millions of endpoints worldwide.
But despite the high level of technological sophistication, it’s not the case that attackers are only after large enterprises. In reality, it’s much easier for them to target small to mid-sized organisations and easier still to go after individuals. And these individuals may be using devices that open up access to your organisation’s network, and each of those connections is a potential entry point to your data.
Modern-day tools to tackle modern-day threats
To counter and manage today’s cyber threats, focus needs to shift to the endpoints, which may comprise business-owned devices and, given the rise of the BYOD culture, employee-owned devices too. The solution is to employ an Endpoint Detection and Response (EDR) system. Such systems offer an advanced level of protection capable of detecting suspicious behaviour, allowing you to contain it and to take corrective action.
With EDR, security teams can continuously gather and store endpoint activity data that can later be used to investigate potentially suspicious activity and to proactively hunt for threats within your environment. An EDR solution performs four main functions: it monitors, aggregates, detects and responds.
This diagram illustrates the EDR event lifecycle
EDR is a sensor-based system, installed on endpoints and configured to continuously monitor and record system behaviour and events. This includes tracking processes, file system and registry modifications, network connections and so on, across all devices. The sensors monitor how these events relate to each other and send behavioural data to a central database for analysis. Using analytics tools and threat intelligence, IT security teams monitor this endpoint activity, enabling rapid response to zero-day, ransomware and advanced persistent threat attacks.
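As an added illustration (not code from the original article or from any EDR product), here are the four functions above run over constructed sensor telemetry: events are aggregated by process lineage in a central store, one detection rule chains an Office application spawning a script host that both connects outbound and mass-modifies files (ransomware-like behaviour), and the response step lists containment actions for an analyst to approve. The event schema, host and image names, and the file-count threshold are all assumptions made for the example.

```python
"""Toy EDR pipeline: monitor -> aggregate -> detect -> respond, on constructed telemetry."""

# Constructed telemetry, one dict per event, in a hypothetical sensor schema.
EVENTS = [
    {"host": "ws-01", "type": "process", "pid": 100, "ppid": 1, "image": "winword.exe"},
    {"host": "ws-01", "type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"host": "ws-01", "type": "network", "pid": 200, "dest": "203.0.113.5:443"},
    *[{"host": "ws-01", "type": "file", "pid": 200, "action": "modify",
       "path": f"C:/docs/{i}.docx.locked"} for i in range(30)],
    # Benign host: Word edits a single document and spawns nothing.
    {"host": "ws-02", "type": "process", "pid": 300, "ppid": 1, "image": "winword.exe"},
    {"host": "ws-02", "type": "file", "pid": 300, "action": "modify", "path": "C:/docs/report.docx"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
MASS_WRITE_THRESHOLD = 20  # assumed: this many modified files counts as mass modification


def aggregate(events):
    """Central store: per (host, pid), keep image, parent pid, and related file/network events."""
    procs = {}
    for e in events:
        p = procs.setdefault((e["host"], e["pid"]), {"image": None, "ppid": None, "files": [], "net": []})
        if e["type"] == "process":
            p["image"], p["ppid"] = e["image"], e["ppid"]
        elif e["type"] == "file" and e["action"] == "modify":
            p["files"].append(e["path"])
        elif e["type"] == "network":
            p["net"].append(e["dest"])
    return procs


def detect(procs):
    """Correlate events: script host spawned by an Office app that beacons out and mass-modifies files."""
    findings = []
    for (host, pid), p in procs.items():
        parent = procs.get((host, p["ppid"]), {})  # missing parent simply yields no match
        if (p["image"] in SCRIPT_HOSTS and parent.get("image") in OFFICE_APPS
                and p["net"] and len(p["files"]) >= MASS_WRITE_THRESHOLD):
            findings.append({"host": host, "pid": pid, "parent": parent["image"],
                             "files": len(p["files"]), "net": list(p["net"])})
    return findings


def respond(findings):
    """Response plan for analyst approval: isolate the host, then terminate the offending process."""
    return [action for f in findings for action in ((f["host"], "isolate"), (f["host"], f"kill {f['pid']}"))]


if __name__ == "__main__":
    for action in respond(detect(aggregate(EVENTS))):
        print(action)
```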
So, let’s say you agree that while antivirus protection is still important, it’s crucial to support it with advanced security measures, and decide to include EDR within your existing security framework. At this point, it’s important to recognise that EDR is not a “set-and-forget” type of solution. Implementing EDR to its full potential will require a dedicated team of experts, and additional investment in advanced tools and training, which may not always be easily achievable.
You’ll not only need the budget to procure new security technology, but also need resources to implement and manage it. With EDR you are in for the long haul. The table below highlights what an organisation might need for the most basic EDR solution (to support approx. 1,000 endpoints).
So, you could spend over £200,000 to build a basic EDR solution. While this will help to defend your organisation’s endpoints, it might not cover all your security needs. And is it realistic for most businesses to build a security operations capability?
To build it yourself, you’ll need a clear understanding of the:
- Estimated timeline to deploy (including requirement analysis; recruiting and training the security team)
- Additional resources required (tools and IT resources to support the security team)
However, to derive real value and protection from EDR, it doesn’t have to be an expensive option.
Buying a managed EDR solution from an established Managed Security Service Provider can prove to be a much more suitable option for organisations that cannot afford (in terms of time and/or money) to develop the capability in-house.
Managed EDR is a means of reducing costs without compromising on protection. It can also take significantly less effort to deploy across an entire estate. An organisation can go from no EDR to a complete and mature EDR in weeks – something that could otherwise take years.
Busting common myths
EDR replaces antivirus systems
Implementing an EDR solution will not replace your antivirus system unless the service is specifically designed to do so; for that, seek out the newer breed of converged EDR and antivirus services. EDR complements your existing endpoint antivirus protection, but remember that EDR is designed to:
- continuously monitor endpoint activity
- protect endpoints against fast-moving and ever-evolving threats
- respond to advanced internet threats
EDR is an all-inclusive solution
EDR is not a substitute for your intrusion detection or intrusion prevention systems (IDS/IPS), as they provide tremendous visibility and insight into your network. EDR will enhance your ability to detect and respond rapidly to threats, but don’t mistake it for a comprehensive solution.
EDR is just like artificial intelligence
Having EDR without a security analyst is as good as not having EDR at all. EDR will gather and record events and save them in a searchable manner, but human intervention is still needed to analyse and translate these events in a meaningful way. The whole point of having EDR can be completely lost unless it’s supervised by a security expert.
Now, if you’re the “jump-to-the-end” kind of reader, here’s what I’ve been on about and what you need to know:
- EDR is a modern-day solution that’s designed to tackle advanced, highly sophisticated threats.
- The ability of EDR to respond and remediate brings a new level of security.
- EDR solutions rely on the supervision of highly skilled humans to identify and resolve issues.
- Building an EDR capability internally requires significant investment in people, processes and technology.
- A managed EDR service can prove to be a more suitable option for organisations that cannot afford to build a fully matured capability internally.