Endpoint detection and response (EDR) tools are the cornerstone of most cybersecurity defenses today. But while technology has an important role to play in threat investigations, too many organizations have made the mistake of relying on EDR as the first line of defense against security breaches.
The reality is that an “assume breach” mindset means it’s already too late. EDR solutions are increasingly evaded by the latest malware and attack techniques, especially when it comes to ransomware and zero-day exploits.
Organizations cannot rely on EDR alone to protect their environments from the latest threats. So why isn’t EDR enough on its own, and what can companies do about it?
Why detection is too late
The biggest disadvantage of EDR is that it is a reactive approach. Traditional EDR tools rely on behavioral analysis, meaning the threat has already run on the endpoint and it’s a race against time to stop it before damage is caused. Upon observing malicious intent or activity, the EDR will block it and the security team will intervene for remediation and cleanup.
In an era where skilled resources are scarce, SOC productivity is important to protect your organization. A typical EDR produces a high volume of alerts and false positives, which impacts the SOC team’s ability to perform valuable proactive tasks, such as patching and hardening systems.
Serious threats can easily get lost in all the noise, making it more likely that threat actors will fly under the radar and achieve longer dwell times.
As such, visibility into each endpoint is critical to protecting an organization. Yet a typical company doesn’t know whether all of its endpoints are instrumented, leaving gaps in coverage. Ensuring every device is covered has been made increasingly difficult by trends such as BYOD and remote working.
To be truly effective, organizations must have complete visibility into every device connected to the network. However, this is very rarely the case. Indeed, a Deep Instinct survey found that only 1% of companies believed all of their endpoints were protected.
A reactive approach is no longer enough
Some of the fastest malware can infect in less than a second after running on the endpoint. Ransomware, for example, may start encrypting systems before it is detected and blocked, and the malware may have left behind droppers and other artifacts that have not been cleaned up.
The fastest and most sophisticated variants of malware were once the domain of organized cyber gangs and state-sponsored actors. But thanks to a growing underground economy, advanced malware and zero-day exploits have never been more accessible. The ransomware-as-a-service (RaaS) trend is a prime example of this, mimicking the structure of legitimate SaaS offerings to provide criminals with affordable access to execute powerful new ransomware attacks. The booming malware trade has also resulted in more variants appearing in the wild, with hundreds of thousands of new versions appearing daily.
The need for a prevention-first strategy
A prevention-focused approach is needed to stop more attacks before they execute.
While extended detection and response (XDR) solves many of EDR’s issues, it is still tied to a reactive model that is vulnerable to advanced and unknown malware and is likely to generate many security alerts. Indeed, unless tightly managed, the greater volume of alerts created by the added telemetry can make things even harder for SOC teams.
Rather than a reactive approach that can only address threats as they emerge, security strategies should be built around a preventive approach. Incoming malware must be detected and blocked before it can run in the network environment. Neutralizing attacks before they can execute greatly reduces the risk of a breach occurring. It also means that SOC teams can more effectively use their EDR and XDR tools to investigate and resolve other issues without constant fear of a serious attack occurring.
To stay ahead of rapidly evolving cyber threats, security solutions need to evolve even faster. Deep learning technology presents one of the greatest opportunities for success, as its self-learning nature allows it to understand the DNA of an attack without having to know its hash, and to predict and prevent unknown threats.