Understand why traditional point-based EDR products have failed to catch the bad code, and how a holistic, preventative approach is better
To accomplish their objectives, cybercriminals will use any and every tactic at their disposal: social engineering via a phishing attack; exploitation of an unpatched vulnerability; abuse of a system misconfiguration; piggybacking on an undetected trojan; or any of a myriad of other techniques.
Meanwhile, cybersecurity products are usually siloed, or 'myopic', in their ability to protect against and respond to threats holistically. Worse, point products are often designed and architected to solve one specific issue rather than the problem at large.
Throughout the history of endpoint security there have been many examples of this: what is known today as an endpoint protection product is often just an amalgamation of point products:
- Antivirus software was originally created to detect threats like file-infecting viruses, worms, and trojans.
- Anti-spyware/adware products came onto the scene in the early 2000s to address a new trend in the threat landscape, and were eventually merged with antivirus software to become anti-malware solutions.
- Host Intrusion Prevention Systems were once point products that monitored endpoint activity for suspicious behavior and memory exploitation. Subsequently merged into anti-malware products, their features were broken up and renamed "behavioral protection" and "memory protection".
- Host-based firewalls were once sold separately. They now come standard with most operating systems, while a subset of their protection capabilities became known as "network protection" features.
- Application control solutions were once point products that allowed only known-good files to execute, the inverse of anti-malware, which blocked known-bad code.
However, even by combining all these capabilities, traditional endpoint protection solutions have struggled to keep pace with the escalating threat landscape. Endpoint detection and response (EDR) solutions that filled the gaps also traditionally focus only on endpoint activity to detect attacks; they do not offer complete context around an attack for analysis, which can result in high rates of both false positives and false negatives. Traditional EDR tools also operate without knowledge of the open vulnerabilities, misconfigurations and missing patches on the endpoint, which is often why malicious activity can still compromise it.
To address such flaws, enterprises can consider EDR solutions that integrate vulnerability management and policy compliance with detection and response, so that common vulnerabilities and exposures (CVEs), including those with exploits in the wild, can be identified for patching or remediation.
Key considerations
A holistic EDR solution has the following attributes:
- Helps prioritize the most critical and urgent incidents: The solution should help the incident response team prioritize its time and resources, focusing on remediating the threats that could have the biggest negative impact on the business.
- Helps prevent future attacks: The solution should eliminate the unpatched vulnerabilities that the malware exploited and protect every other asset exposed to the same attack.
- Identifies all symptoms of an attack: The solution should be deeply integrated with the MITRE ATT&CK framework to provide rich context and meaningful insight into the suspicious and malicious activities associated with an attack.
- Provides visibility in depth and breadth: The solution should provide deep insight into a single endpoint in order to find the root cause of an infection, as well as the bigger picture of an attack that spans multiple devices.
- Unlike traditional solutions, a holistic EDR solution focuses not just on responding faster, but on helping the organization mitigate its overall security risk and avoid similar future attacks.
By unifying multiple context vectors, such as asset criticality, open vulnerabilities and the system configurations associated with a threat, holistic EDR solutions can enable all exposed assets to be patched and remediated before cybercriminals can weaponize them against the organization.
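The following is an added example, not code from the article or from any product it describes, of what "unifying context vectors" looks like in practice: each alert from the endpoint sensor is joined with the asset's business criticality and its open vulnerabilities (the two points above about prioritizing incidents and preventing the same attack on other assets). The inventory, alert stream, scoring weights and CVE strings are all constructed placeholders; the ATT&CK technique IDs are real, but the scoring scheme is an assumption chosen for illustration rather than any vendor's method.

```python
"""Added example (not from the article): rank EDR alerts by joining them with
asset criticality and open-vulnerability context, then list every other asset
exposed to the same vulnerability. Inventory, weights and CVE strings are
constructed placeholders, not real findings."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder IDs below are NOT real CVEs
    cvss: float
    exploited_in_wild: bool  # would come from a threat-intel feed in a real deployment


@dataclass
class Asset:
    host: str
    criticality: int         # assumed scale: 1 (lab box) .. 5 (crown jewel)
    open_vulns: list = field(default_factory=list)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    technique: str                  # MITRE ATT&CK technique ID reported by the sensor
    cve: Optional[str] = None       # CVE the detection engine tied the activity to


# Constructed inventory: vulnerability-scanner and CMDB output joined per host.
ASSETS = {a.host: a for a in [
    Asset("dc01", 5, [Vuln("CVE-0000-0001", 9.8, True)]),
    Asset("web01", 4, [Vuln("CVE-0000-0001", 9.8, True), Vuln("CVE-0000-0002", 5.3, False)]),
    Asset("kiosk07", 1, [Vuln("CVE-0000-0002", 5.3, False)]),
    Asset("hr-laptop3", 3, []),
]}

# Constructed alert stream from the endpoint sensor.
ALERTS = [
    Alert("A1", "kiosk07", "T1059.001"),                 # PowerShell on a kiosk
    Alert("A2", "web01", "T1190", cve="CVE-0000-0001"),  # exploit of public-facing app
    Alert("A3", "hr-laptop3", "T1566.001"),              # spearphishing attachment
    Alert("A4", "dc01", "T1059.001"),                    # PowerShell on a domain controller
]

# Assumed weights; a real product would tune these against its own telemetry.
CRITICALITY_WEIGHT = 10
CVSS_WEIGHT = 2
IN_THE_WILD_BONUS = 20


def score_alert(alert: Alert, assets: dict) -> tuple:
    """Return (score, reasons). Asset criticality always counts; an open CVE on
    that host matching the alert adds its CVSS, and more if exploited in the wild."""
    asset = assets[alert.host]
    score = asset.criticality * CRITICALITY_WEIGHT
    reasons = [f"criticality={asset.criticality}"]
    vuln = next((v for v in asset.open_vulns if v.cve == alert.cve), None)
    if vuln is not None:
        score += vuln.cvss * CVSS_WEIGHT
        reasons.append(f"open {vuln.cve} cvss={vuln.cvss}")
        if vuln.exploited_in_wild:
            score += IN_THE_WILD_BONUS
            reasons.append("exploited in the wild")
    return score, reasons


def prioritize(alerts, assets) -> list:
    """Alerts ordered for the IR queue, highest score first."""
    ranked = [(a.alert_id, *score_alert(a, assets)) for a in alerts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def exposed_peers(cve: str, assets: dict, exclude: str) -> list:
    """Other hosts with the same CVE still open: patch these before the
    attacker reuses the exploit to move laterally."""
    return sorted(h for h, a in assets.items()
                  if h != exclude and any(v.cve == cve for v in a.open_vulns))


def remediation_plan(alerts, assets) -> dict:
    """Map every CVE seen in an alert to all hosts that still need the patch."""
    plan = {}
    for a in alerts:
        if a.cve:
            plan.setdefault(a.cve, set()).update(exposed_peers(a.cve, assets, a.host))
            plan[a.cve].add(a.host)
    return {cve: sorted(hosts) for cve, hosts in plan.items()}


if __name__ == "__main__":
    for alert_id, score, reasons in prioritize(ALERTS, ASSETS):
        print(f"{alert_id}: {score:5.1f}  {'; '.join(reasons)}")
    print(remediation_plan(ALERTS, ASSETS))
```

Note what the join changes: the PowerShell alert on the domain controller (A4) is the most critical asset, yet A2 on the lower-criticality web server outranks it because the sensor tied that activity to a CVE that is open on the host and exploited in the wild; a traditional EDR queue sorted on endpoint activity alone would not see that. The remediation plan then lists dc01 next to web01 for the same CVE, which is the "protect every other exposed asset" point rather than simply responding faster on the one host that fired.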