In the ongoing arms race between attackers and defenders, endpoint detection and response (EDR) is widely viewed as a major step forward for enterprise security teams. First coined by Gartner back in 2013, the technology category has come of age several years later. In fact, EDR software was mandated for use by all federal government agencies in the May 2021 Presidential Executive Order.
Yet as useful as these tools are, they’re not a panacea. Technical Solutions Engineer at Tanium, Nir Yosha, sat down recently to explain why — and how — the Tanium platform can fill critical gaps in capability.
An endpoint threat explosion
The endpoint is where global organizations now do business. It’s also where they’re most likely to be targeted by malicious third parties out to steal sensitive data, extort money from encrypted systems, and much more.
Over two-thirds (68 percent) of organizations experienced an endpoint attack that resulted in compromised data or IT systems over the previous 12 months, according to one 2020 report.
The shift to mass remote working last year created an explosion in corporate endpoints that only increased the enterprise cyberattack surface. Some 90 percent of CXOs we spoke to said they experienced a surge in breaches.
All of which makes EDR a no-brainer for many cybersecurity leaders today. Yet, it’s also important to understand where the limits of the technology lie, and where additional tooling may be required:
Misconception #1: EDR software is a great tool for proactive threat hunting
EDR software products are built to detect suspicious system behavior, provide contextual information and block malicious activity. But they do so only for known malware (via signatures) and bad behavior (via heuristics). They’re not set up to detect the in-memory/fileless attacks and living off-the-land techniques increasingly used by threat actors to stay hidden. It’s these that you need to focus on in threat hunting.
Misconception #2: EDR tools can reduce the workload for Security Operations Center (SOC) analysts
It’s certainly true that EDR tools can automate the protection and blocking of some malicious activities, which can free up some analyst time. But in fact, rather than reduce the SOC workload, they add to it. Why? Because every EDR tool generates thousands of alerts each day — alerts which analysts need other tools to provide context on.
As a result, the typical analyst may suffer from alert overload/fatigue, where it’s impossible to clear an alert list by the end of each day. That means some threats will sneak through while analysts end up chasing false positives and dead ends.
Martin Fisher, director of information security and chief information security officer at Northside Hospital in the Atlanta area, spoke to Endpoint about how his team is experiencing burnout from the constant signals.
Misconception #3: EDR provides capabilities for full response and remediation
EDR can help with some incident response activities, but it is certainly not a go-to tool. That’s because most don’t provide behavioral analysis to help scope an attack in progress. They don’t provide historical data for investigation and analysis, and don’t record activities across all hosts. That means incident responders must find alternative tools to deliver real-time scoping, isolation and forensics.
How can Tanium help?
Security teams should instead look to complement their EDR capabilities with the Tanium platform. Tanium allows customers to:
- Ask the right questions to rapidly discover advanced malicious activity not detected by EDR
- Gain visibility into how far attacks have spread, and if data has been exfiltrated
- Help isolate any threats in real-time and at scale
- Understand what happened post-incident, what the damage is and how the organization can improve before the next attack
Tanium and EDR work hand-in-hand to minimize cyber risk and make your organization safer, more secure and resilient.
Learn more about Tanium’s threat hunting solutions and contact us to schedule a demo.