Security operations · 3 MIN READ · GRANT OVIATT · DEC 6, 2017 · TAGS: EDR / Selecting tech / Tools
Perhaps you’ve heard AV is dead, or maybe someone tossed around the EDR acronym in a meeting and you had to Google it. You might even just be skeptical of what an EDR can do. In any case, the constant drumbeat of new products makes it harder than ever to keep current with security solutions. It’s easy to become desensitized to all of the market hype.
In this blog post, I’m going to try to cut through the hype and explain what EDR products can do for you. If you’ve ever been skeptical of EDR vendor promises, but curious if they can solve real security problems… you’ve come to the right place.
What is EDR?
Endpoint detection and response (EDR) tools are a new(ish) category of security solutions. They require you to install an agent on each endpoint. In return, the agent records endpoint system behaviors and events and ships them to a central store where they can be searched. The events typically cover process creation, registry changes, file system activity and network connections on every host where the agent is installed. Security teams can use this event stream to detect and investigate suspicious activity that occurs in their environment.
What are the three most important things an EDR tool will do for me?
- Give you visibility into behaviors, not just indicators of compromise
Attacker tools aren’t stagnant, so why should your detections be? EDR solutions enable you to detect more than just a filename or hash match by providing a simple way to collect, store, and search host-based events. Changing a single byte in a file defeats a hash-based indicator of compromise. But the broader techniques that lead to a compromise change far less frequently. EDR products use the events they collect to identify suspicious process relationships (an Office application spawning a script interpreter, for example), unusual network connections, potential credential theft and lots of other behaviors that can help you identify a potential compromise faster. Most EDR products even allow you to inject your own expertise into the tool by augmenting its out-of-the-box detections with your own rules.
- Answer security questions at scale
Ever wonder how many hosts in your environment are using a particular piece of vulnerable software? Or, perhaps what hosts have gone to a particular known-bad domain? Has an investigation ever left you asking “Is this activity normal?” These are all questions you can quickly answer when you have an EDR solution to query collected file, network, and process events across your environment. And they’re not just valuable when you’re responding to an incident. They also arm you with valuable data you can use for proactive threat hunting.
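The two points above, behavior rules versus brittle indicators and fleet-wide questions answered with one query, as an added example that is not code from the original post or from any EDR vendor. It is a toy in-memory "event store": the hostnames, hashes, paths, domains and version numbers are all constructed for illustration, and the rule format is our own, not any product's.

```python
"""
Toy EDR event store (added example). Shows:
  1. a SHA-256 indicator fires on one host only, because the attacker rebuilt
     the dropper on the second host; a behaviour rule over parent/child
     process relationships fires on both, and not on the benign host;
  2. with events centralised, "who runs a vulnerable version?", "who talked
     to that domain?" and "is this parent/child pair normal?" are one query each.
Every event, host, hash, domain and version below is made up.
"""
from collections import defaultdict

# --- constructed telemetry ---------------------------------------------------
PROCESS_EVENTS = [  # process-creation events, one dict per event
    {"host": "ws01", "parent": "explorer.exe", "image": "winword.exe",
     "path": r"C:\Program Files\Microsoft Office\winword.exe", "sha256": "11" * 32},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA", "sha256": "22" * 32},
    {"host": "ws01", "parent": "powershell.exe", "image": "svchost.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "sha256": "ab" * 32},
    # ws02: same intrusion, but the dropper was rebuilt, so its hash differs
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA", "sha256": "22" * 32},
    {"host": "ws02", "parent": "powershell.exe", "image": "svchost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "sha256": "ab" * 31 + "ac"},
    # ws03: benign activity that superficially resembles the above
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File backup.ps1", "sha256": "22" * 32},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "sha256": "33" * 32},
]
SOFTWARE_INVENTORY = [  # (host, product, version) as reported by the agent
    ("ws01", "7-Zip", "18.05"), ("ws02", "7-Zip", "19.00"),
    ("ws03", "7-Zip", "16.04"), ("srv01", "7-Zip", "19.00"),
]
NETWORK_EVENTS = [  # outbound connections with the name the process resolved
    {"host": "ws01", "image": "svchost.exe", "dest": "cdn-update.example"},
    {"host": "ws02", "image": "svchost.exe", "dest": "cdn-update.example"},
    {"host": "ws03", "image": "chrome.exe", "dest": "www.example.com"},
]

# --- detections ---------------------------------------------------------------
KNOWN_BAD_SHA256 = {"ab" * 32}  # the one hash a threat report gave us
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

RULES = {
    # indicator match: one changed byte in the dropper and this goes quiet
    "ioc_sha256": lambda e: e["sha256"] in KNOWN_BAD_SHA256,
    # behaviour: an Office process spawning a script interpreter
    "office_spawns_interpreter": lambda e: e["parent"] in OFFICE_APPS
        and e["image"] in INTERPRETERS,
    # behaviour: a system-binary name running from outside System32 (masquerading)
    "svchost_outside_system32": lambda e: e["image"] == "svchost.exe"
        and not e["path"].lower().startswith("c:\\windows\\system32\\"),
}
# "your own rule": an analyst-authored detection has the same shape as the stock ones
RULES["encoded_powershell"] = lambda e: (e["image"] == "powershell.exe"
                                         and "-enc" in e.get("cmdline", "").split())


def run_rules(events=PROCESS_EVENTS, rules=RULES):
    """Return {rule_name: sorted list of hosts on which the rule fired}."""
    hits = defaultdict(set)
    for e in events:
        for name, predicate in rules.items():
            if predicate(e):
                hits[name].add(e["host"])
    return {name: sorted(hosts) for name, hosts in hits.items()}


# --- fleet-wide questions -----------------------------------------------------
def _ver(v):
    return tuple(int(part) for part in v.split("."))


def hosts_below_version(product, fixed_in, inventory=SOFTWARE_INVENTORY):
    """Hosts still running `product` older than the release that fixed the bug."""
    return sorted(h for h, p, v in inventory if p == product and _ver(v) < _ver(fixed_in))


def hosts_contacting(domain, events=NETWORK_EVENTS):
    """Distinct hosts that connected to a known-bad domain."""
    return sorted({e["host"] for e in events if e["dest"] == domain})


def prevalence(parent, image, events=PROCESS_EVENTS):
    """Number of distinct hosts showing this parent->child pair; rare pairs deserve a look."""
    return len({e["host"] for e in events if e["parent"] == parent and e["image"] == image})


if __name__ == "__main__":
    for rule, hosts in run_rules().items():
        print(f"{rule:26} {hosts}")
    print("7-Zip older than 19.00:", hosts_below_version("7-Zip", "19.00"))
    print("contacted cdn-update.example:", hosts_contacting("cdn-update.example"))
    print("hosts with winword.exe -> powershell.exe:", prevalence("winword.exe", "powershell.exe"))
```

Run it and the indicator rule names ws01 alone, while the two behavior rules and the analyst-authored `-enc` rule name both ws01 and ws02 and leave ws03 out. The three query functions are the "questions at scale" from the text; in a three-host toy fleet the prevalence counts are tiny, but the query is the same one you would run across thousands of agents, and the `dict` of predicates stands in for whatever rule language your product actually exposes.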
- Help you respond faster
It’s probably obvious that you can respond faster when you can easily get additional context on alerts by searching events from all your endpoints. But what happens when there’s a specific file, registry key or process that needs closer inspection — beyond the event stream? Luckily, most EDR solutions eliminate the need to physically chase down the laptop or server in question by empowering you with remote file acquisition, file listing, registry listing, and in some cases, even memory analysis capabilities.
…and a few things EDR tools won’t do
- Be a complete replacement for your antivirus
While antivirus and EDR solutions are slowly converging, they’re still two distinct offerings. Traditional AV blocks files that match known-bad signatures, the commodity malware that plagues enterprise environments. EDR solutions complement that by giving you a way to perform root cause analysis on specific incidents, identify all affected hosts, and in some cases even contain them, but most won’t prevent the compromise in the first place.
- Be the last detection solution you’ll ever buy
While EDR tools provide tremendous visibility and insight into your network, they aren’t substitutions for your IDS/IPS, next-gen firewalls or good old-fashioned security policies. You’ll get a ton of value from your ability to detect and respond rapidly to threats, but don’t mistake them for being a comprehensive solution.
- Be a substitute for an investigative process and mindset
The conclusions you take away from your EDR tool will be directly proportional to the expertise of the analysts using it. EDR tools will collect, store and make events easy to search, but a human still needs to interpret those events in a meaningful way. In short, the benefits of an EDR can be entirely lost on a team that isn’t prepared to use them. Train your team, hone your process, and your EDR tool will become an invaluable asset.
Should you buy an EDR?
So, now that we’ve covered what EDR tools are (and aren’t), how do you know if you’re ready to take the plunge and buy one? If these three points describe you, you should definitely take a look.
- You want to up-level your detection and investigative capabilities
- You understand that an EDR tool isn’t going to replace your AV solution
- You’re prepared to invest the time and expertise required to use an EDR tool effectively