Wouldn’t it be nice if you could lump all your cybersecurity risks together and design a black box of tricks to neutralize them? It would make life so much easier.
For many organizations, endpoint detection and response (EDR) platforms appear to do just that. They provide an easy frontline defense by collecting, storing, and analyzing data from employee devices and other endpoints to sniff out signs of a digital breach. But they don’t necessarily make your network more secure.
Researchers at the University of Piraeus in Greece recently proved this. In an experiment, they launched simulated attacks against 11 popular EDR products that are regularly deployed by government agencies and private enterprises.
Using spear-phishing techniques and malware delivery tools, as well as tools for moving laterally across an organization’s network, the researchers looked to answer four crucial questions: Can EDR detect the attack? What are its blind spots? What types of data does it use to generate alerts? And can you reduce the overall noise in the telemetry, or data collection, to more effectively suss out threats?
Failure on all fronts was too often the result. Of the 20 attacks the team launched, half were successful and did not generate an alert.
“It is rather alarming that none of the EDRs managed to detect all of the attacks,” the study concludes. “More precisely, 10 attacks were completely successful…and no alert was issued; three attacks were successful, yet they issued a low significance alert; one attack was not successful, yet it did not issue an alert; and six attacks were detected and correctly reported by the EDRs.”
Among IT security operations teams, EDR products have gained popularity—thanks to their ease of use and the belief that endpoints can provide the richest data about potential intruders. However, as security threats have evolved, so too has the attack surface. It’s not just laptops and mobile phones under assault. It’s on-premises servers, cloud applications, and legacy platforms. Complicating matters further, EDRs can detect only specific types of suspicious action, or “known” bad activity, on a network.
As such, government agencies and enterprises of all sizes can no longer rely solely on EDR to protect them against these threats. They need more.
When EDRs are not enough
The trick is adapting with new tools, when necessary, and adopting a new mindset.
“EDR is not a box that you pull off the shelf and plug in,” says Matt Marsden, vice president of technical account management for the public sector at Tanium. “EDR is a blending of tools, teams, and processes. It is nuanced, understanding threat intelligence and moving faster than the bad actors.”
Dave Gruber, senior cybersecurity analyst for ESG, says organizations are increasingly facing pressure to develop IT security strategies that allow them to look at a wider breadth of IT networks and devices. “Prevention is not going to stop everything,” he says.
An approach known as extended detection and response (XDR) is expected to fill in some gaps. XDR is an integrated toolkit that spans hybrid IT architectures, allowing organizations to unify control points, data from security telemetry, and operational analytics into a single system.
Think process, not just product
While embracing the XDR approach is a step in the right direction, it is crucial to view it as a fluid strategy or process that can be updated, rather than a rigid product. And it should use tools that not only monitor for breaches but also actively trawl networks to find out where intruders are hiding.
“It’s about more than endpoint protection,” says Marsden. “It’s also active or proactive hunt, identifying inconsistencies, and scalable remediation. It’s about outlier data and anomalies and recognizing departures from the norm.”
Threat hunting is a key cybersecurity tool. It helps IT operations teams pivot their posture away from reactive damage control and toward proactive damage prevention. It requires creativity and ingenuity; without it, the risks to your network are not always easy to see. By the time a third-party EDR alerts you to a data breach, or you receive a ransomware demand, the damage to your system may already be done and the cost of remediation severe.
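As an added illustration of what “recognizing departures from the norm” across several control points can look like in practice (example code written for this page; it is not code from the article, from Tanium, or from the Piraeus study): the script below builds a per-user baseline from constructed history, flags new telemetry that falls outside that baseline, and then correlates flagged events across sources. The event shape, the three source names (`edr`, `server`, `cloud`), and all timestamps, hosts and actions are assumptions made up for the example.

```python
"""Baseline-and-deviation hunting across several telemetry sources.

Assumption (not from the article): telemetry from endpoints, servers and cloud
audit logs has already been normalized to one flat event shape.  Every event
below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # when it happened
    source: str       # "edr" (laptop agent), "server" (on-prem auth log), "cloud" (SaaS audit)
    user: str
    host: str         # endpoint name, server name, or cloud tenant
    action: str       # normalized verb, e.g. "logon", "exec:excel.exe", "api:GetObject"


def _t(minute: int) -> datetime:
    # Constructed timestamps: minutes after an arbitrary base time.
    return datetime(2024, 1, 10, 9, 0) + timedelta(minutes=minute)


# Constructed "known good" history: what each user normally does, per source.
BASELINE_EVENTS = [
    Event(_t(0), "edr",    "alice", "LAPTOP-A1",   "exec:outlook.exe"),
    Event(_t(5), "edr",    "alice", "LAPTOP-A1",   "exec:excel.exe"),
    Event(_t(7), "server", "alice", "FILESRV01",   "logon"),
    Event(_t(9), "cloud",  "alice", "tenant-prod", "api:GetObject"),
    Event(_t(1), "edr",    "bob",   "LAPTOP-B2",   "exec:code.exe"),
    Event(_t(3), "server", "bob",   "BUILD01",     "logon"),
]

# Constructed new telemetry to hunt through.  The three middle alice events
# each look unremarkable to their own sensor; only together, and only against
# her baseline, are they a departure from the norm.
NEW_EVENTS = [
    Event(_t(60), "edr",    "alice", "LAPTOP-A1",   "exec:outlook.exe"),     # normal
    Event(_t(62), "edr",    "alice", "LAPTOP-A1",   "exec:powershell.exe"),  # new action
    Event(_t(63), "server", "alice", "DC01",        "logon"),                # new host
    Event(_t(64), "cloud",  "alice", "tenant-prod", "api:ListBuckets"),      # new action
    Event(_t(70), "server", "bob",   "BUILD01",     "logon"),                # normal
]


def build_baseline(events):
    """Per user, the (source, host) and (source, action) pairs seen in history."""
    hosts = defaultdict(set)
    actions = defaultdict(set)
    for e in events:
        hosts[e.user].add((e.source, e.host))
        actions[e.user].add((e.source, e.action))
    return {"hosts": hosts, "actions": actions}


def find_deviations(baseline, events):
    """Return (event, reason) for every event outside its user's baseline.
    A user with no history at all has an empty baseline, so everything they
    do is reported; that is the conservative choice for a hunt."""
    out = []
    for e in events:
        if (e.source, e.host) not in baseline["hosts"][e.user]:
            out.append((e, f"first time {e.user} seen on {e.host} via {e.source}"))
        elif (e.source, e.action) not in baseline["actions"][e.user]:
            out.append((e, f"first time {e.user} performed {e.action} via {e.source}"))
    return out


def correlate(deviations, window=timedelta(minutes=10), min_sources=2):
    """Group deviations by user and report users whose deviations span at
    least `min_sources` different sources inside one time window.  This is
    the cross-sensor view that no single endpoint agent can produce alone."""
    by_user = defaultdict(list)
    for e, reason in deviations:
        by_user[e.user].append((e, reason))
    findings = {}
    for user, items in by_user.items():
        items.sort(key=lambda x: x[0].ts)
        first, last = items[0][0].ts, items[-1][0].ts
        sources = {e.source for e, _ in items}
        if len(sources) >= min_sources and last - first <= window:
            findings[user] = {"sources": sorted(sources), "reasons": [r for _, r in items]}
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for user, finding in correlate(find_deviations(baseline, NEW_EVENTS)).items():
        print(f"{user}: deviations across {finding['sources']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The two thresholds (`window` and `min_sources`) are the tuning knobs: a wider window or a lower source count surfaces more, at the cost of the noise the researchers asked about; a single-source deviation on its own (bob's would-be first logon to a new server, say) stays a hunting lead rather than an alert.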
As more organizations move from the mindset of solely trying to prevent cyber-intrusion to one that includes searching for network compromise and mitigating the impact of attacks, it’s critical they create strategies that are adaptable, can hunt down potential threats, execute remediation, and monitor for breaches.
The Greek researchers concluded their report with some sage advice. In order to prevent cyberattacks, they say, organizations should adopt a “holistic overview,” deploy a wide array of security tools, and “not solely depend on one solution.”