How EDR stops hackers in their tracks
- 08 November, 2019 22:00
Endpoint detection and response (EDR) is a category of security tools that monitor end-user hardware devices across a network for a range of suspicious activities and behaviour, reacting automatically to block perceived threats and saving forensics data for further investigation.
An EDR platform combines deep visibility into everything that's happening on an endpoint device — processes, changes to DLLs and registry settings, file and network activity — with data aggregation and analytics capabilities that allow threats to be recognised and countered by either automated processes or human intervention.
Endpoint here generally means any end-user device, from a laptop to a smartphone, and can encompass IoT gadgets as well.
The first recognition of the category of endpoint detection and response is widely accepted to be in a 2013 blog post by Gartner analyst Anton Chuvakin who was trying to come up with a "generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints."
He used the phrase endpoint threat detection and response, but the more succinct endpoint detection and response is what caught on.
EDR vs. anti-virus / EDR vs. EPP
A good way to understand a category like EDR is to explore what differentiates it from similar offerings. EDR is often contrasted with anti-virus programs, or with endpoint protection platforms (EPPs), which are umbrella offerings that integrate anti-virus/anti-malware capabilities with other familiar security tools — data encryption, firewalls, intrusion prevention systems, and so on.
The tools that make up EPPs tend to be preventative in nature and signature based, meaning they match potential threats against a database of known malicious code in order to stop attacks before they begin execution.
But as threats grow more nimble, this sort of defence, which depends on a static library of known threats and firm perimeter defence, grows less effective - and that's where EDR comes in.
All the action happening on endpoints - from configuration changes to processes launched or killed to files being accessed, copied, or exfiltrated - is the meat of a hacking operation, and EDR platforms aim to provide a front-row seat for security staff along with a certain degree of automated response.
How does this work in practice? EDR platforms generally consist of agents installed on end user devices; these agents monitor activity and send information back to a centralised server, which may be on-prem or in the cloud.
The server can automatically detect problems and attempt to correct them or alert a security staffer; it also surfaces information via dashboards monitored by infosec teams.
Endpoint detection and response use cases
In what sort of scenarios would EDR really shine? The archetypical EDR use case would be a scenario when an active threat plays out in multiple forms across an endpoint, looking at patterns of action rather than simpler signals like a specific virus or the breaching of a firewall.
They would initially have free reign of the endpoint, but their activities after that, like trying to elevate privileges or move horizontally to other systems, will likely get flagged by a good EDR system, or will at least leave traces in the data that a human infosec pro can spot.
In a 2016 blog post, Gartner's Chuvakin lays out the top-level use cases for EDR:
- Detecting suspicious activity (the D in EDR)
- Aiding and automating searches through and investigation of data (the R in EDR)
- Performing triage on potentially suspicious activity
- Enabling data exploration and hunting
- Blocking and containing malicious activity automatically
There's a lot of specific capabilities that EDR platforms need to deliver within that framework, but as is true for many broad product categories, there's no single canonical list of EDR features.
But after taking a look at the offerings from various vendors, including Digital Guardian, Cybereason, and Carbon Black, along with the Gartner post that started it all, we've put together a list of some of the most commonly offered EDR capabilities.
- Suspicious activity detection is at the core of what EDR does: you want to know when something is going wrong.
- Advanced threat blocking works to fight threats as soon as they're detected.
- Alert triage and filtering is important to fighting "alert fatigue" among infosec staff. An EDR solution should be able to sort through potential warning signs and only escalate when something genuinely requires human attention.
- Multiple threat protection—the ability to, for instance, fend off ransomware and malware simultaneously is needed to prevent advanced attacks, which can come in waves.
- Threat hunting and incident response capabilities assist security staffers as they sift through forensic data looking for potential attacks.
- Visibility is key to just about all of the above capabilities. An EDR platform needs to be able to see into all the endpoints and the connections between them in order to track down suspicious activity.
- Unified data in turn helps the EDR platform make sense of everything it sees, bringing together information from disparate sources into a coherent picture.
- Integration with other tools helps expand EDR's power and make sure it helps you get the most bang for your buck: the visibility and data access an EDR platform provides should make your existing security tools work more effectively. An EDR platform should be a force multiplier, and vendors are eager to cultivate whole ecosystems that can work with their EDR offerings.
EDR software and solutions
There are a number of endpoint detection and response vendors offering platforms on the market. For a deep dive into three of them, which can give you a sense of the variations across product offerings, take a look at these reviews from CSO and IDG:
The biggest differentiator with Falcon is that the brains of the platform exist completely in the cloud, which gives it unlimited scalability as well as a massive footprint of users and enterprises. Any attack against a protected endpoint anywhere within an enterprise that Falcon is protecting will benefit every other endpoint, even those sitting at organisations also using Falcon.
SentinelOne is able to deploy powerful agents with advanced detection and response capabilities onto endpoints where they can intercept threats on the frontlines. Every agent is fully independent, able to act even when the endpoint it’s protecting is disconnected from the core network, or has no connectivity at all. Beyond acting independently, each agent collects detailed forensic data about any attacks or attempted attacks.
Each Cynet 360 agent is fully autonomous and capable of taking actions on its own. The agents don’t exist on an island, just watching over whatever asset they are installed within. Instead, they constantly talk with the other agents in the network, sharing intelligence about what they’re finding on their host. This can quickly help them to, for example, decide if an attack is an isolated incident or part of a campaign that is attacking multiple nodes at the same time. They can then take appropriate actions across an entire network if needed.
Other prominent offerings include:
- Symantec Endpoint Protection, which includes anti-virus, memory exploit prevention, deception technology, device network firewall, and intrusion prevention, as well as EDR
- RSA NetWitness Endpoint, available as a physical or virtual appliance
- Cybereason Endpoint Detection and Response, which can combine EDR data with alerts from SEIM tools and firewalls
- FireEye Endpoint Security, which includes an agent with four detection engines
- Carbon Black, owned by VMware and providing security for virtualised data centres
The EDR market is already big - and it's growing. Statista estimates that the market for EDR tools will be worth $1.5 billion by 2020. Gartner thinks an EDR platform will become a must-have for big companies: they project that by 2025, 70 per cent of organisations with more than 5,000 endpoints will have EDR software deployed.
But one thing to keep in mind is that the whole EDR market is in some ways an attempt to put an umbrella label on a somewhat heterogenous category, and is thus always evolving.
With many vendors offering both EDR and EPP platforms—and allowing the different tools on each platforms to work together—they're helping drive the rise of a more general unified endpoint protection market that could account for more than $7 billion in sales.