Endpoint Security: What you need to know about "Next-Gen" EDR

In my previous blog article - Knowledge is Power – Endpoint Detection and Response - I explained what Endpoint Detection and Response (EDR) is and why, in my opinion, it should be an essential part of the set of cybersecurity solutions within each organization. In addition to describing the power and capabilities, I discussed the new developments where organizations will need to go to get maximum insight and grip on the IT assets within (and outside of) the organization.

In this article, meant for everyone active in IT Security, I expand my view of the specific differences with Endpoint security (Antivirus/Endpoint protection), the challenges with standalone EDR solutions and the differences when compared to a SIEM.

In the third and final part of this article series on security, Multilayer EDR or XDR, I will look at the trend towards Managed Detection and Response, Cross Layer Detection and Response and SOAR solutions.

What are the specific differences? In the past, a traditional antivirus solution was often enough to provide solid endpoint protection. However, as malware evolved into more advanced forms, traditional antivirus solutions were no longer sufficient, and prevention and detection mechanisms were needed to keep up with the ever-evolving threat landscape. EDR solutions have several unique features and advantages that have not been offered by the well-known traditional security players in the market in the past. The classic solutions are simpler in nature and while they are an important part of EDR, they only perform basic tasks, such as scanning, detecting, and removing malware.

EDR tools are much broader in scope and must include multiple security components, such as blocking attacks and exploits against applications, blocking exploits, and protecting against intelligent file less malware and theft of user credentials, to name a few areas of focus. In addition, they offer comprehensive capabilities to provide insight into the threats with an overall analysis of the cause of the threat with touched files, registry settings and network connections (Root Cause Analysis). If, despite all the protection measures, an incident has been detected, it is important to be able to search quickly ("threat hunts") within the entire environment to determine whether the same malicious behavior is now present in other places where it needs to be preventively and proactively neutralized and prevent further damage.

Organizations are already starting to grapple with existing Endpoint Detection and Response tooling in the following areas:

• Visibility and detection: Blind spots make it difficult to understand what is happening.
• Analysis and research: Security teams suffer from a lack of data or are flooded with large amounts of data.
• Incident response: More and more resources – and the associated hours - are needed to respond accurately to incidents.

In addition, classic EDR solutions have the following disadvantages:

• Difficult to use: EDR can be complex in use and relies heavily on expert and available security analysts.
• Limited added value: The lack of proactive protection and automatic response leads to overloaded security teams.
• Resource-intensive: They are expensive, time-consuming and require dedicated (specialized) staff.

As a result, businesses are overwhelmed and left with questions such as: is the threat over now or are we still under attack? Has the threat spread, are we out-of-compliance? What should I prioritize, how should I respond and where else is the threat? And perhaps most importantly, how do I prevent this for the future?

To address the above it is advisable to look at a solution with intelligent EDR. All expertise is then provided from within. This provides the most important three aspects in a solution:

• Insight: in understandable human language displayed, prioritized and focused on automatic actions.
• Research: to threaten the search and investigation of and "hunt" throughout the business domain.
• Data: correlated, automatically placed in proper context and organized in an orderly way.

EDR starts by providing the most powerful protection - stopping outbreaks before they start contributes significantly to its effectiveness. The expertise should come from the solution itself as much as possible, rather than by the actions of a person. The incident response should be automated.

Stopping the attacks before they start must be configured within the Endpoint solution to proactively prevent threats. As a result, the workload for human resources is significantly reduced.

To clarify the differences between EDR and a SIEM, I will first give a brief description of a SIEM and why organizations have a need for one. A Security Incident and Event Management solution (SIEM) is an important part of the overall data and infrastructure protection landscape. It collects real-time data from multiple systems and analyzes it to detect abnormal combinations of events, abnormal behavior and potential cyberattacks. A SIEM tool therefore provides a central place to collect security events and alerts from endpoints, network components, middleware, applications and appliances.

A SIEM has a broad focus that concentrates on network components (including IDS/IPS, switch and firewall), infrastructure, IAM, applications and databases. The reason that many organizations need a SIEM system to monitor logs and report suspicious events is that most organizations generate far too many events for an IT Security employee to correlate significant security events from the data. One of the causes of a large volume of alerts in SIEM is from endpoints (e.g. laptops) which can quickly overwhelm a Security Operations Center Team (SOC). An EDR solution is specifically tuned to the alerts raised by the endpoints and will reduce these alerts to a volume that is manageable by the SOC.

The pure-play EDR vendors as they have emerged in recent years have focused on the gaps that the traditional security parties left behind in workplace security. These focus mainly on the endpoint with "Next-Gen" detection techniques, better and more complete analysis on the endpoints and possibilities for remediation (clean-up) in the workplaces. However, the period that can be used for analysis in time is often limited to several months and blind spots remain.

In my next blog I will look at the trend towards Managed Detection and Response, Cross Layer Detection and Response and SOAR solutions and advise what to look at when selecting and evaluating EDR tooling.