The drumbeat of directives meant to tighten the U.S. government’s lax cybersecurity practices has accelerated. This month, the Biden administration ordered all federal agencies to fix nearly 300 cyber vulnerabilities that hackers can use to infiltrate and damage government computer networks.
But it was a previous directive that caused alarm among security experts. On Oct. 8, the U.S. Office of Management and Budget (OMB) told agencies they had three months to adopt several key proposals. Among them: Take steps to embed endpoint detection and response (EDR) tools into agency networks.
Those tools, however, have come under recent scrutiny. That’s because many organizations in both the public and private sectors are over-relying on them and don’t realize their limitations. J.R. Cunningham, chief security officer at Nuspire, a managed services provider, warns that if you install EDR products incorrectly or believe their scope to be bigger than it is, the impact can be as disastrous to network operations as a cyberattack.
Cunningham often cites the case of a hospital that tried to deploy an EDR product.
“They wanted the maximum level of protection they could get and blew up their whole network,” he says. “You’re messing with knobs and dials that can be as disruptive to availability as an attack.”
Indeed, researchers have recently raised serious questions about EDR effectiveness. A study at the University of Piraeus in Greece used simulated hacks against 11 popular EDR products that are regularly deployed by government agencies and private enterprises. The researchers, who published their findings in July 2021, found 50% of simulated cyberattacks slipped by EDRs and did not generate an alert.
Despite such concerns, the Biden administration is keen to parlay the widespread popularity of EDRs among private companies into the public sector, to show that government agencies are making strides in toughening up their cyberdefense. Here’s why the EDR approach alone can be a dangerous one.
Developers designed EDR tools to detect and respond to suspicious activities on endpoints, such as laptops and PCs. But these automated tools are often limited to spotting only previously known attack types. Organizations install the products with the belief that they are getting a much wider range of services, like threat detection or the capability to proactively monitor an entire enterprise network.
It can be hard to assess the capability and effectiveness of an EDR product. That’s because EDR functions are open to interpretation. Products often vary in effectiveness and purpose. Ask a vendor to provide a definition of what its EDR is supposed to be and they’ll often portray their own product as being representative of the entire market. Advisory firms and consultants muddy the waters further by applying their own terminology and filters onto product capabilities, presenting their findings as fact.
Matt Brown, director of security at cloud vendor and consultancy Involta, says companies will often say they have an EDR approach when, in fact, they just operate signature-based security protocols, which recognize patterns like malware in network traffic. “That was fine 20 years ago,” he says. “It’s not what people need today.”
To cope with today’s supply chain attacks, ransomware, and sophisticated phishing expeditions, organizations need modern security tools that can combat cybercrime on multiple fronts and be proactive in detecting potential threats. And that’s not what basic EDR products offer, say experts.
“There’s a lot of bloat” about the functionality and benefits of EDR, says Ben Goodman, CEO of 4A Security & Compliance. To counter that, a new approach known as extended detection and response (XDR) can potentially plug the gaps left by EDR products. But it also complicates the cybersecurity task. As a result, many companies don’t know how to manage the products and are becoming fatigued by them. “They end up turning off alerts,” says Brown, “which defeats the purpose.”
EDR is a process, not a tool
Many experts say EDR should be applied as a flexible process—rather than a packaged product. Organizations first have to consider the weakness of EDR products. Frequently, they are designed to see only specific types of activity on endpoints. So, there are network blind spots for attackers to hide in. EDR products also often limit the activity they log, to protect bandwidth and storage consumption.
On the other hand, EDR processes—not products—are far more effective at keeping an organization secure. They monitor endpoints and move along entire networks looking for suspicious activity. Organizations can add these processes to locate previously undefined threats. Also, remediation strategies—again, not products—can be adapted to an enterprise’s network. Security teams can then kill rogue processes, delete registry keys, and uninstall services on multiple systems simultaneously.
The EDR process can detect much more than EDR tools or traditional antivirus software. “It’s looking at behavioral patterns,” says Goodman. “But what’s really valuable is the response part. It can pull systems off the network” and at a speed manual action will never match, he says.
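The contrast drawn above between signature-based matching, behavioral detection, the logging blind spot, and the response step, as an added toy example (not code from the article or any vendor). All hashes, host names and the sensor's logging policy are constructed placeholders.

```python
"""Toy endpoint triage: signature-only vs behavioral detection, the logging
blind spot, and the automated response step. All data is constructed."""
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    parent: str    # parent process name
    process: str   # process name
    sha256: str    # placeholder hash, not a real indicator
    action: str    # what the process did (constructed field)

# Constructed denylist of "known" hashes; placeholders, not real IoCs.
KNOWN_BAD = {"deadbeef" * 8}

# Constructed telemetry: one known sample, one unknown tool chain, one benign.
EVENTS = [
    Event("ws-01", "explorer.exe", "dropper.exe", "deadbeef" * 8, "write_file"),
    Event("ws-02", "winword.exe", "powershell.exe", "cafef00d" * 8, "spawn_shell"),
    Event("ws-02", "powershell.exe", "cmd.exe", "0badf00d" * 8, "net_connect"),
    Event("ws-03", "outlook.exe", "acrobat.exe", "feedface" * 8, "write_file"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

def signature_alerts(events):
    """Legacy approach: alert only on a hash already in the denylist."""
    return [e for e in events if e.sha256 in KNOWN_BAD]

def behavioral_alerts(events):
    """Behavioral rule: an Office app spawning a shell, whatever the hash."""
    return [e for e in events if e.parent in OFFICE_APPS and e.process in SHELLS]

def shell_network_alerts(events):
    """Second rule: a process spawned by a shell making an outbound connection."""
    return [e for e in events if e.parent in SHELLS and e.action == "net_connect"]

# Sensor-side logging policy (constructed): network events are not collected,
# to save bandwidth and storage; this is the blind spot the article describes.
LOGGED_ACTIONS = {"spawn_shell", "write_file"}

def collected(events, logged=LOGGED_ACTIONS):
    """What the sensor actually forwards under the logging policy."""
    return [e for e in events if e.action in logged]

def respond(alerts):
    """Response step: kill the flagged process and isolate its host."""
    actions = []
    for e in alerts:
        actions.append(("kill", e.host, e.process))
        actions.append(("isolate", e.host))
    return actions
```

Run against the full telemetry, the second rule fires once; run against what the sensor actually forwards, it never fires, which is the blind spot created by trimming logged activity.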
Not only is damage from a nation-state attack or ransomware code limited, but an organization doesn’t have to take everything down and bring it back up one piece at a time, which can disrupt an organization for days. “I have one client that I’ve taken to calling Neo from The Matrix because he’s dodged so many bullets,” Goodman says. “The whole work-from-home thing has made the EDR process more important.”
To be effective, EDR processes need to be designed by skilled security practitioners. They should include architectures that can protect all vulnerabilities. Such capabilities aren’t usually offered by EDR products.
EDR processes are not a set-it-and-forget-it tool that can be switched on and then left alone. Nor should EDR be a plank of an organization’s cyberdefense operated in isolation from other security software; it should be supported by good cyber hygiene practices like asset inventory management, network configuration, and patch management.
“EDR technology is only one piece of the totality of what EDR is,” says Andrew Plato, a 25-year security pioneer and currently CEO of professional services firm Zenaciti. “You buy an EDR program, that’s great. But if you don’t have an EDR practice, you might as well not have bought it.”
Ed Amoroso, former chief information security officer at AT&T and CEO of analyst firm TAG Cyber, says EDR processes require regular updates to support their threat-detection abilities.
With EDR, he adds, “the idea that the endpoint needs to be managed doesn’t go away.”