Are you a security professional? Or are you new to the field of cyber security? Maybe you are tasked with researching EDR security tools and need a push in the right direction.
Regardless of your title or position, we explain the key concepts of EDR security in a way that is easy to digest for both professionals and newcomers.
We hope you get a lot of value and EDR training from the contents featured in this guide.
So: What is EDR and how does it work?
Endpoint detection and response, also known and abbreviated as EDR, is an endpoint security tool that comes in two parts: an agent and a management platform.
The endpoint agent provides real-time rule-based analysis and continuous monitoring of all activity happening on the device. Captured traffic and activity are forwarded to a management platform for deeper inspection, including forensic analysis. The EDR agents are all managed from that same management platform.
Primary Functions of EDR:
- Monitor endpoint activity
- Analyze endpoint activity for threat patterns
- Manually or automatically quarantine endpoints with threats
- Forensic tools for investigating threats
- Sandboxing suspicious files and programs
Now:
A common use case for EDR is to detect advanced persistent threats (APTs) like nation states or large black hat groups. These actors use advanced tactics, techniques, and procedures (TTPs) that typical antivirus tools cannot detect.
But how does EDR detect Advanced Persistent Threats?
Endpoint security solutions use machine learning and advanced human-curated rules to identify advanced threats. Often, pre-configured rules are built around cyber-attacks that have already occurred. Hackers are smart enough not to use pre-built malware, because most tools can identify and detect it based on malware signatures.
Since endpoint agents monitor and collect large amounts of human behavior data, they can baseline normal activity.
Think about it this way:
Administrators often use schtasks.exe to create and run scheduled tasks on a remote or local computer. This executable is known to be safe and is used dozens of times a day on a single computer.
A piece of malware might use the same process to embed itself into a task for persistence. Now, a rule that matches only the process name will generate a lot of noise. From the name alone, there is no way to determine whether its use is malicious or benign.
An EDR agent will analyze not only the process name, but also the command line arguments used to start the program and even what is happening in the computer’s memory. Modern malware can be fileless, and thus impossible to detect with only malware signatures.
By also integrating threat intelligence, EDR tools accurately identify true-positive malicious activity even when the malware sneaks past traditional antivirus tools.
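The schtasks.exe scenario above, as an added example that is not taken from any EDR product: it runs a name-only rule and a context-aware rule over the same process-creation events. The events, host names, path patterns and parent-process list are constructed assumptions chosen for illustration.

```python
import re

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws-014", "parent": "mmc.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /query /fo LIST'},
    {"host": "srv-db2", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'},
    {"host": "ws-022", "parent": "winword.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\upd.exe" /sc onlogon'},
    {"host": "ws-031", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r'notepad.exe C:\notes.txt'},
]

# Illustrative heuristics (assumptions for this example, not a vendor rule set).
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|temp)\\", re.I)
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
TASK_ACTION = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)

def name_only_rule(event):
    """Naive rule: alert on every schtasks.exe launch."""
    return event["image"].lower() == "schtasks.exe"

def context_rule(event):
    """Return reasons the launch looks suspicious; empty list means benign."""
    if not name_only_rule(event) or "/create" not in event["cmdline"].lower():
        return []
    reasons = []
    action = TASK_ACTION.search(event["cmdline"])
    if action and USER_WRITABLE.search(action.group(1)):
        reasons.append("task action runs from a user-writable path")
    if event["parent"].lower() in UNUSUAL_PARENTS:
        reasons.append("spawned by an office application")
    return reasons

def triage(events):
    """Compare alert volume of the two rules over the same events."""
    noisy = [e["host"] for e in events if name_only_rule(e)]
    scored = {e["host"]: context_rule(e) for e in events if context_rule(e)}
    return noisy, scored

if __name__ == "__main__":
    noisy, scored = triage(EVENTS)
    print("name-only alerts:", noisy)
    for host, reasons in scored.items():
        print("context alert:", host, "-", "; ".join(reasons))
```

The name-only rule fires on all three schtasks.exe launches, while the context-aware rule fires only on the task created by a document editor with an action in a user-writable directory.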
EDR Benefits to the Security Operations Center
One of the worst pains a security operations center (SOC) deals with is alert fatigue. Typical antivirus tools generate a lot of false positives. Correlating firewall logs against threat intelligence requires fine tuning, and it often takes hours to sift through all the network traffic.
Now, here’s where EDR tools win:
Get used to trusting and paying most of your attention to your EDR security events. They tend to be true positives most of the time compared to a lot of ‘out of the box’ solutions. The best part is that this simplifies automation. Since EDR alerts are focused on endpoints, you can build simple quarantine playbooks with a security orchestration, automation and response (SOAR) tool.
An EDR tool will exist in just about every endpoint incident response playbook you have. Whenever an EDR alert fires, one of the first things to do is quarantine the computer, especially with workstations. Servers tend to require extra caution before quarantining, since quarantine takes the server offline and interrupts business.
What is the Difference Between EDR vs Antivirus?
You might be wondering how these tools differ. Surely, EDR and antivirus cannot be the same tool, right?
Correct:
Antivirus was developed to detect, prevent, and remove computer viruses. It did a pretty good job at this for a long time. But the advent of modern malware and ever-increasing complex business processes demanded an advanced endpoint security solution like EDR.
So, do you need an antivirus tool?
Don’t fool yourself. Antivirus is still important for catching low-hanging threats. In fact, most antivirus features, such as signature detection and scanning, have been merged into modern endpoint detection and response solutions. This eliminates the need for both antivirus and EDR.
EDR vs Antivirus Key Features and Capabilities
Features | EDR | Antivirus |
---|---|---|
Signature-based Detection | X | X |
Virus Removal | X | X |
Scans Filesystems | X | X |
Scans Memory | X | |
Quarantines Endpoints | X | |
Forensics | X | |
Machine Learning | X | |
Pattern Detection | X | |
Whitelisting/Blacklisting Processes | X | X |
Do You Need an EDR Security Tool?
It’s a reasonable question considering the number of security tools an average security operations center has.
As we previously mentioned, APT groups are unleashing undetectable zero-day attacks that traditional signature matching won’t find. A zero-day attack is an exploit for which no patch is available. Essentially, if you are hit with a zero-day attack, you are one of the first targets to witness it. Thus, there are no signatures pre-built to detect it.
Now:
EDR tools aren’t the ‘grand all’ solution to stopping every threat, but they do more than their predecessor, antivirus. The advent of fileless malware attacks demands a tool like endpoint detection and response, since it scans memory, where fileless malware lives. By scanning memory, building baseline behavior models of systems, and leveraging machine learning, EDR tools are extremely effective in preventing threats.