Many organisations regard Endpoint Detection and Response (EDR) as their main protection against breaches. EDR emerged as a product category in 2012 and was quickly adopted as the answer to the threats that legacy antivirus struggled to stop, with exploits, zero-day malware and fileless attacks as prominent examples.
While EDR's effectiveness against a significant share of today's advanced threats is not in dispute, a new breed of "next-generation EDR" solutions is now available which, in addition to all EDR capabilities, protects against prominent attack vectors that EDR does not cover, such as those involving users and networks.
“Many people unknowingly mix two different things – endpoint protection and breach protection,” explained Eyal Gruner, co-founder of Cynet (a next-generation EDR solution).
“It’s perfectly true that many attacks start at the endpoint and involve malicious files and processes, making EDR a perfect solution for the endpoint. However, the actual attack surface is much broader than this, and at the end of the day, it’s not the endpoints you want to protect – it’s your organization.”
Gruner, a former white-hat hacker (starting when he was 15 years old), also founded BugSec, Israel’s largest cybersecurity consulting company. Today, he is a world-recognized expert on attacker tools, techniques, and practices.
“Think of it like this: by definition, each attacker’s activity generates some kind of anomaly. It only makes sense, because what we consider to be ‘normal behaviour’ doesn’t include compromising resources and stealing data. These anomalies are the anchor that enables security products – or threat analysts for that matter – to identify that something bad is happening and block it.”
Gruner said that these anomalies could manifest in three core places – process execution, network traffic, or user activity. For example, ransomware generates a process execution anomaly since there is a process that attempts to interact with a large number of files.
Many types of lateral movement, on the other hand, produce a network traffic anomaly in the form of unusually high SMB traffic. In a similar manner, when an attacker logs in to a critical server with compromised user account credentials, the only anomaly is in the user behavior. In both cases, it’s impossible to uncover the attack by monitoring processes alone.
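To make the three anomaly classes concrete, the following Python sketch is an added illustration, not code from the article or from Cynet's product. It runs one simple detector per telemetry source (process, network, user) over constructed sample telemetry and shows which of the three scenarios above a process-only sensor would catch. All hosts, users, file counts, SMB baselines and thresholds are assumed values chosen for the example.

```python
"""Toy detectors for the three anomaly classes: process execution, network traffic, user activity.
All telemetry below is constructed for illustration; hosts, users and thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed process telemetry: (host, pid, image, file_written).
# encryptor.exe on ws01 rewrites 120 documents (the ransomware case); the rest is benign noise.
PROCESS_EVENTS = (
    [("ws01", 4242, "encryptor.exe", f"C:\\Users\\a\\Documents\\doc{i}.docx") for i in range(120)]
    + [("ws01", 1300, "WINWORD.EXE", "C:\\Users\\a\\Documents\\report.docx")]
    + [("ws02", 2210, "explorer.exe", "C:\\Users\\b\\Desktop\\notes.txt")]
    + [("dc01", 700, "lsass.exe", "C:\\Windows\\System32\\config\\SECURITY")]
)

# Constructed flow records: (src_host, dst_host, dst_port, bytes).
# ws02 fans out over SMB to 40 servers (the lateral-movement case) with no unusual process activity.
NETWORK_FLOWS = (
    [("ws02", f"srv{i:02d}", 445, 2_000_000) for i in range(40)]
    + [("ws01", "fs01", 445, 300_000), ("ws01", "web01", 443, 50_000)]
)
# Constructed per-host daily SMB baseline, in bytes.
SMB_BASELINE = {"ws01": 1_000_000, "ws02": 1_000_000, "dc01": 5_000_000}

# Constructed logon records: (user, host, hour_of_day).
# jsmith logs on to the domain controller at 03:00 with valid credentials (the compromised-account case).
LOGONS = [("jsmith", "ws03", 9), ("jsmith", "dc01", 3), ("bjones", "ws02", 10)]
LOGON_HISTORY = {"jsmith": {"ws03"}, "bjones": {"ws02"}}  # assumed 30-day history: user -> hosts
CRITICAL_HOSTS = {"dc01"}


def process_anomalies(events, file_threshold=50):
    """Flag a process that writes to an unusually large number of distinct files."""
    files = defaultdict(set)
    for host, pid, image, path in events:
        files[(host, pid, image)].add(path)
    return [
        {"type": "process", "host": host, "image": image, "files": len(paths)}
        for (host, pid, image), paths in files.items()
        if len(paths) >= file_threshold
    ]


def network_anomalies(flows, baseline, ratio=5.0, min_targets=10):
    """Flag a host whose SMB volume or SMB fan-out is far above its own baseline."""
    smb_bytes, smb_targets = Counter(), defaultdict(set)
    for src, dst, port, nbytes in flows:
        if port == 445:
            smb_bytes[src] += nbytes
            smb_targets[src].add(dst)
    return [
        {"type": "network", "host": src, "smb_bytes": smb_bytes[src], "targets": len(smb_targets[src])}
        for src in smb_bytes
        if smb_bytes[src] > ratio * baseline.get(src, 0) or len(smb_targets[src]) >= min_targets
    ]


def user_anomalies(logons, history, critical, work_hours=range(7, 20)):
    """Flag a logon to a host the user has never used, or an off-hours logon to a critical asset."""
    alerts = []
    for user, host, hour in logons:
        reasons = []
        if host not in history.get(user, set()):
            reasons.append("first logon by this user to this host")
        if host in critical and hour not in work_hours:
            reasons.append("off-hours logon to critical asset")
        if reasons:
            alerts.append({"type": "user", "user": user, "host": host, "reasons": reasons})
    return alerts


def detect(process_only=False):
    """Return all alerts; with process_only=True, emulate a sensor that sees only process telemetry."""
    alerts = process_anomalies(PROCESS_EVENTS)
    if not process_only:
        alerts += network_anomalies(NETWORK_FLOWS, SMB_BASELINE)
        alerts += user_anomalies(LOGONS, LOGON_HISTORY, CRITICAL_HOSTS)
    return alerts


if __name__ == "__main__":
    for label, only in (("process telemetry only", True), ("process + network + user", False)):
        found = detect(process_only=only)
        print(f"{label}: {len(found)} alert(s)")
        for alert in found:
            print("  ", alert)
```

Run as a script, the process-only pass raises a single alert (the encryptor on ws01), while the full pass also surfaces the SMB fan-out from ws02 and the off-hours domain-controller logon by jsmith, neither of which leaves any trace in the process telemetry. The thresholds are deliberately crude; in practice each would be derived from a per-host or per-user baseline rather than a constant.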
“EDR is a great tool for the attacks that can be identified through process anomalies,” said Gruner. “It sits on the endpoint and monitors process behaviour, so you’re fairly covered against this group of threats. But what about all the rest? There are many mainstream vectors that operate on the network traffic and user behaviour without triggering the slightest process anomaly and EDR is practically blind to these threats.”