Before we get into Endpoint Detection and Response (EDR), let's get medieval. Imagine you have a castle (or a few) that you're looking to defend. What do you do?
- You build walls. You want to keep enemies out.
- You put forces on the walls, to repel someone who's scaled the wall.
- You have forces searching within the walls, checking to see if anyone has penetrated your outer defense.
Of course, defending your digital assets is going to be more complex and abstract, but these three ideas can help to delineate what is, really, a messy collection of concepts and terminology.
Gartner Definition and Term Differentiation
If the endpoint itself is our castle, EDR corresponds to the forces inside the walls that seek out and respond to intruders. They're also responsible for reporting back to you who got in, and how.
As Gartner puts it:
"EDR is not antivirus or novel endpoint protection/isolation. EDR primarily focuses on investigation and detection rather than on automatically blocking actions based on blacklists, whitelists or other logic. However, this line has been greatly blurred given how commonly EDR tools are found as part of traditional and advanced protective tools, such as anti-malware."
So Endpoint Protection Platforms are a broader package of security solutions designed to protect, you know, the endpoint. But those platforms so frequently include EDR that the terms are sometimes used interchangeably. Further complicating matters is that sometimes the response in detection and response can include protective, blocking actions like old-school antivirus. Dizzy yet?
Historically, protecting an endpoint meant antivirus, which in our medieval metaphor is the guy on top of the wall kicking people off ladders. Old school antivirus used signature detection which, alas, isn't a great solution.
The problem with signature detection is that it's always one step behind. When new malware is discovered, experts look into its code and find a unique section, a 'signature,' that allows antivirus to recognize (and block) that piece of malware. That meant antivirus would miss all new viruses, which were being created at an alarming rate.
New malware quickly outpaced antivirus, and in 2012 the New York Times reported that most products were detecting less than five percent of the viruses thrown at them.
In other words, your original wall defender had a really hard time recognizing whether the guy climbing the ladder was an enemy, or just Castle Maintenance.
The shortcomings of antivirus prompted companies to rebrand and attempt to innovate, but what changes did they make and how effective were they?
Next Gen Antivirus
Next generation antivirus (NGAV) advanced beyond signature detection. Antivirus providers began incorporating other techniques into their products, like whitelisting, heuristics, and behavior-based detection (AKA behavioral analysis).
So, antivirus was good to go?
Not according to The Register in 2017: "Peddlers of NGAV are trying to cash in on the ransomware with vague claims about being 'better' than traditional antivirus systems. But even the best at detecting ransomware or its behaviours will eventually let some through. It's the nature of the beast."
If the nature of the beast is that it's going to make it inside the walls (and if the castle is much larger and more complex than any given endpoint alone) then you need beast-hunters. All hail detection and response!
EDR takes the concept of threat detection and response and applies it to the endpoint. At least, it used to. In recent years, the changing nature of technology has made for some strange complications, but we'll come back to that in a minute.
What EDR Can Do
EDR focuses on incident investigation, locating and responding to threats, and can use ML to filter and prioritize alerts. There are instances where focusing on the endpoint gives SecOps an edge: it tells you what's running on your computer, versus on that USB device you just plugged in. And just as legitimate users tend to access resources through endpoints, bad actors can also use them as a point of entry into your enterprise.
But endpoint security is currently in a state of flux, where "endpoints" aren't what they used to be. From IOT to the cloud, systems are now composed of more than just computers on a network.
Darknet reported recently that in Forrester's EDR Wave report, customers reported across the board that they were applying EDR products beyond the traditional endpoint. Companies providing endpoint security products and services are redefining themselves from "Enterprise Detection and Response" to "XDR," expanding the scope of what their platforms aim to protect.
Limitations of EDR
EDR relies primarily on agents for data collection, which presents a host of problems:
- Each endpoint needs an installed agent, a hassle and an opportunity for error.
- The security data you're relying on can be altered or deleted.
- Agent software can even be exploited by bad actors.
Another growing risk is that agents don't always work on IOT devices, and that exposes a long list of enterprise devices. Malware has been found on things like an MRI running embedded Windows from 1999 (because FDA approval won't allow for patches). You can't run an agent on it. In the changing world, EDR has huge gaps in what it can protect.
Even if agents did work with IOT and were always supplying accurate, real-time data, the endpoint is a pretty narrow view. Imagine trying to defend your castle without being able to see what's happening outside your walls, especially considering that an enterprise isn't just one castle—it's a complex, abstract system.
If all that weren't enough, now operating systems are incorporating their own endpoint protection, like Microsoft Defender Advanced Threat Protection. And with "endpoint" products bleeding into other forms of defense, one starts to wonder if it's worth investing in a standalone tool or if you're just spending more money for more tool sprawl.
Enter Network Detection and Response
With the rapid growth and increasing complexity of the attack surface, defenses need to be not only stronger, but smarter. You need something that is adaptable enough to provide visibility into IOT devices that can't necessarily run agent software. Something with the flexibility to move with your cloud migration and detect threats across the hybrid attack surface. You need the aerial view.
You need a dragon.
Because network detection and response (NDR) products monitor and analyze all communications traveling across the network in real time, they take IOT devices in their stride. With the announcements of virtual taps in the public cloud over the past year, NDR solutions are just as comfortable in the cloud as they are on-premises.
In a single platform, they're able to detect threats that have already breached the perimeter of a hybrid enterprise, contextualize and prioritize those threats using advanced machine learning, and in some cases even automate response. NDR is your eye in the sky, plus fire.
Watch this short video to see an NDR solution detect threats in real time, with details about how this emerging category of security product fills the gaps left by EDR and other legacy solutions: