EDR: Is it worth it?

When working with smaller businesses, sometimes we’re asked whether Endpoint Detection and Response solutions are worth the money, over and above traditional anti-virus.  Much of the time, EDR is used in large enterprises in conjunction with a sizeable technical team of experienced professionals who engage in active response and threat hunting as their full-time job.  It can be difficult for smaller businesses to see where EDR might fit in.

Let’s look at traditional anti-virus.  It has long been accepted that any business worth its salt needs to have credible AV protection on its endpoints.  Sometimes, there is an assumption that this will be enough to stop malware from getting into a network.

Detection rates for traditional AV products tend to be very low against new threats, and for very understandable reasons:  As soon as you start getting false positives on an AV product - as a business end-user or as a consumer - you lose confidence in the product.  If your AV product starts deleting legitimate business applications or files when there is no malware present, you will uninstall it – for the AV vendor, this leads to lost market share.  AV is very good at one thing: looking at a file in isolation and determining whether, based on its database, that file is known-bad.

Bypassing an AV product in an attack is not necessarily a feature of highly-targeted, nation-state sponsored groups – most threat actors will try to ensure that their attacks are not subject to blocking.  Before an adversary launches their attack – such as a phishing campaign or similar – they will take the time to check their payload to make sure it doesn’t trigger AV on the way in.  They will use techniques like packing and obfuscation, or slight modifications to payloads to prevent detection – why would they waste their time sending in an attack that they know will be blocked by AV?

The advantage EDR has over traditional AV is the completeness of information that it can use to make decisions about risky activities.  In assessing the same file as an AV product, EDR is able to take into account the full context around that file – what was the user doing around the time the file was accessed, what led to the file being placed on the filesystem, what happens when you run the file?

EDR is completely different to AV in terms of completeness of context.  An EDR tool will log all activities which have been conducted on an endpoint - file read and writes, registry read and writes, network connections, process creations and terminations.  Any and all actions that can be done on a workstation are recorded within the EDR solution.  In common with AV, signatures exist for known-malicious events or behaviours, but these can take into account far more context than an AV product possibly can – what happened before, during and after the activity of concern, and how does this affect the likelihood of something being malicious.  EDR solutions typically come equipped with signatures for concerning behaviours, but EDR users can also write their own signatures to detect behaviour that they are specifically concerned about.

Incident responders, SOC analysts and blue teams have long known the limitations of AV products and for years have spent their time looking for generic indicators of suspicious activities when they are triaging possible intrusions – indicators like files with shellcode in, documents containing macros, the use of obfuscation techniques.  In the past, analysts might have written scripts for different file types which looked for these contents and scores them, giving a better indication of whether something might be malicious.  They would then review these results and do further investigation.  The unparalleled information available from EDR logs has transformed these processes and made them far more efficient.

It’s not just logging and signatures, though.  Most EDR solutions have other tools – they can profile the system based on users who use it, catalogue applications on an endpoint and proactively highlight vulnerabilities on the systems for active management of exposure.  When an incident occurs and you need to respond, EDR solutions have a whole range of tools offered to the incident responder which simply aren’t available in a traditional architecture.

For example, if a malicious action is seen, you can isolate a host and prevent it from communicating with any other endpoint except the EDR management platform itself – allowing the responder to contain the host of concern whilst still maintaining control of the host and continuing investigations.  You have ways to interact with a compromised host via the EDR – downloading files, uploading scripts, querying registry settings, uploading tools, running automated investigation activities. 

With a good EDR tool, you are much less likely to need physical access to a host to do triage, and can often eliminate the need for a full forensics investigation of a host.  In many cases, when one is responding to a security incident that is unlikely to go to court, the purpose of a full forensic investigation is to determine exactly what has happened on that host leading up to a particular event.  With EDR, the data which is captured by the solution already contains a complete log of what has happened on those hosts and gives you all the context you need to understand what has occurred and how - so the need for traditional forensic data acquisition and access to physical devices is much reduced.

EDR solutions give visibility across a whole estate – because all of your assets are linked into a single EDR platform, you can quickly implement checks across the estate.  If you identify a suspect file and determine it is malicious, you can quickly and easily search for this file across all endpoints in the estate at once.

EDR solutions are adopted widely in large enterprises, but tend to be less popular in small and medium sized businesses.  The benefits of adoption of EDR for overall cyber security resilience should not be underestimated, even in small enterprises. 

SMEs, compared to larger organisations tend to have more limited and less mature security controls overall at the perimeter and across the estate.  For cyber security resilience, the quicker you can detect and contain an incident in progress, the less damage your business will take.  Without a decent EDR tool, you are far less likely to be able to detect an incident that happens.  When the worst does occur, even without a dedicated expert response team, the tools you have available within an EDR platform will help you to isolate and recover from compromises more rapidly.

When we’re asked whether an EDR platform is worth considering, even in a smaller enterprise, our answer is a resounding ‘Yes’.

Tags