Evolution of EDR

State of Security

On average it takes organizations 201 days to identify a breach and 70 days to contain a breach. Enterprises primary defense continue to be prevention-based technologies such as Next-Gen Anti-Virus (NGAV) and Next-Gen Firewalls (NGFW). Although these are great products, they are not enough to stop a breach by themselves. These are easily bypassed in a multitude of ways – even today. For example, obfuscated malware, using a script-based attacks, compromising credentials, or a software vulnerability that enables remote in-memory exploitation.

The possibilities are for bypassing prevention-based tools are endless. We need something more attack-agnostic. Something that ages better with time.

Moving Beyond Prevention

Most people in security have heard of Endpoint Detection and Response (EDR) products at this point. EDR was originally conceived to “fill the gap” left behind by Anti-Virus. In many respects this makes sense. The endpoint is the ultimate perimeter and it’s where attacks occur the most often. In addition, very little endpoint visibility existed prior to these EDR products.

Where is the “R” in “EDR”?

The downside is that EDR solutions are really lacking on the “response” capabilities. Typically, it’s a list of “actions” that can be taken on the endpoint such as “Kill Process”, “Network Contain”, etc which are completely human-driven. This is certainly better than confiscating the endpoint but a far cry from a perfect solution.

This has led many to send EDR data into a Security Information Event Management (SIEM) product and then eventually to a Security Orchestration & Automation (SOAR) product to automate the incident response process. First, the downside to this is the imposed cost on the SIEM as endpoints can generate a lot of data. Second, the SIEM relies on fragile regular expressions which can easily break. Third, maintaining the infrastructure and and complex integrations is a total nightmare.

Bottom line, this architecture is very expensive, fragile, andcomplex. Really not the kind of thing want organizations want to rely on in a business-critical situation like incident response.

Evolution of EDR

It’s time for EDR to evolve into a more converged, autonomous solution. Security automation is a real game changer. It provides the “connective tissue” between detection and response that the industry has been waiting for.

The result?

  • Accelerate remediation times from days/weeks/months to seconds
  • Enable proactive security operations workflows
  • Stop security incidents from turning into breaches