EDR is the name of the current trend in IT security, which some call the future of cyber security. What exactly is behind it, for whom is this approach suitable and what can it do? Time for the Tabidus Association to take a look and educate.
Endpoint detection and response (EDR) is currently on everyone’s lips. Almost all security vendors have already included EDR solutions in their product portfolio, a large number of new vendors are now providing “threat detection platforms” and many companies are considering expanding their security strategy with it. But what is behind EDR and is it really the future of cybersecurity?
PROACTIVE OR REACTIVE?
To understand what EDR is, we first need to understand the difference between “proactive” and “reactive” security. Let us consider these two concepts using an everyday example: You own a car and want to make sure that you don’t break down with it. The proactive approach is to keep to all service intervals, carry out necessary repairs, replace the tires regularly, etc. With the reactive approach, you assume that you will have a breakdown sooner or later and take out a contract with a breakdown service that will then help you.
The situation is similar in IT security. The proactive approach includes all measures that prevent security incidents; these are summarized under the term “EPP” (Endpoint Protection Platform). This covers techniques such as anti-malware, firewalls, DLP, encryption, application whitelisting, etc. The reactive approach, which is meant to help once a security incident has occurred, is called EDR. At this point we note that there are also some vendors on the market that provide a combination of EPP and EDR functionality in their solutions.
WHAT IS ENDPOINT DETECTION AND RESPONSE?
EDR is a procedure for determining whether an incident has occurred that the preventive security systems did not stop. This includes determining how the incident started, which users and computers are affected, and taking action to stop it.
HOW DOES ENDPOINT DETECTION AND RESPONSE WORK?
The basic mode of operation of an EDR solution is always the same. A software component (agent) is installed on each endpoint that collects telemetry (file access, process information, network data, user events, etc.) and uploads it to the vendor’s cloud or a local server. There the data is processed, analyzed, correlated and presented in a clear form. Then the work of the security analysts begins: their job is to search through this information, evaluate it and find dangerous situations. Depending on the vendor, the analyst can then take various actions (terminating a process, isolating the endpoint, blocking file access, etc.) to stop the unwanted behavior. These commands are in turn received and enforced by the local software component.
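To make the three stages concrete (telemetry upload, central analysis, response commands back to the agent), here is an added example in miniature. It is not code from Tabidus or from any EDR vendor; the telemetry records, hostnames, PIDs, paths and IP address are all constructed for the illustration, and the two detection rules (an Office application spawning a shell, and hidden, encoded PowerShell) are common analyst heuristics chosen for the example, not a specific product’s rule set.

```python
"""Added example: an EDR pipeline in miniature.

Telemetry from the endpoint agent is analysed centrally, suspicious
process chains become alerts, and response commands are sent back to
the agent. Every host, PID, path and address below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed telemetry as an endpoint agent might upload it (not real data).
# The -EncodedCommand payload "QQBCAEMA" is just "ABC" in UTF-16LE base64.
SAMPLE_EVENTS = [
    {"host": "WS-042", "type": "process", "pid": 400, "ppid": 1, "user": "alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS-042", "type": "process", "pid": 512, "ppid": 400, "user": "alice",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"host": "WS-042", "type": "process", "pid": 777, "ppid": 512, "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"host": "WS-042", "type": "network", "pid": 777, "dst": "203.0.113.7", "dport": 443},
    {"host": "WS-043", "type": "process", "pid": 901, "ppid": 1, "user": "bob",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS-043", "type": "process", "pid": 955, "ppid": 901, "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    rule: str
    severity: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[dict]) -> List[Alert]:
    """Rebuild the process tree per host and evaluate the detection rules."""
    procs: Dict[Tuple[str, int], dict] = {}
    net_by_proc: Dict[Tuple[str, int], List[dict]] = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            procs[key] = ev
        elif ev["type"] == "network":
            net_by_proc.setdefault(key, []).append(ev)

    alerts: List[Alert] = []
    for (host, pid), ev in procs.items():
        image = _basename(ev["image"])
        parent = procs.get((host, ev["ppid"]))
        parent_image = _basename(parent["image"]) if parent else ""
        hits = []
        # Rule 1: a document application should not be launching shells.
        if image in SHELLS and parent_image in OFFICE_APPS:
            hits.append("office_spawns_shell")
        # Rule 2: hidden-window, encoded PowerShell is a classic loader pattern.
        cmd = ev["cmdline"].lower()
        if image in {"powershell.exe", "pwsh.exe"} and "hidden" in cmd and (
                "-encodedcommand" in cmd or " -enc " in cmd):
            hits.append("encoded_hidden_powershell")
        if not hits:
            continue
        # Correlation: outbound traffic from a flagged process raises the
        # severity, since it may be command-and-control communication.
        severity = "high" if (host, pid) in net_by_proc else "medium"
        alerts.extend(Alert(host, pid, rule, severity) for rule in hits)
    return alerts


def respond(alerts: List[Alert]) -> List[dict]:
    """Turn alerts into commands the endpoint agent can enforce."""
    commands: List[dict] = []
    killed, isolated = set(), set()
    for a in alerts:
        if (a.host, a.pid) not in killed:
            commands.append({"host": a.host, "action": "kill_process", "pid": a.pid})
            killed.add((a.host, a.pid))
        if a.severity == "high" and a.host not in isolated:
            commands.append({"host": a.host, "action": "isolate_host"})
            isolated.add(a.host)
    return commands


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.severity.upper():6} {a.host} pid={a.pid} rule={a.rule}")
    for c in respond(found):
        print("->", c)
```

Run as-is, the Word-spawned, hidden, encoded PowerShell on WS-042 trips both rules, its outbound connection lifts the severity to high, and the pipeline emits a kill for PID 777 followed by a host isolation; the administrator’s plain `-File backup.ps1` on WS-043 produces nothing. The point is not the two rules themselves, which any real attacker can vary, but the shape of the loop: the agent only collects and enforces, the reasoning happens centrally, and in practice a human analyst still decides whether an alert justifies the response.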
WHAT DOES ENDPOINT DETECTION AND RESPONSE PROTECT?
There can be various reasons why the security system in use cannot prevent a threat. The most obvious are that not all devices are equipped with the security system, that it has technical problems, or that the vendor does not achieve the required detection rate. On the other hand, there are threat scenarios that a proactive approach cannot identify at all. These include malicious actions by employees (insider threats) and attacks carried out without a technical component (social engineering). In these cases, EDR can help to recognize and contain the dangerous situation. However, this approach is only as good as the analysts working with the system, and it is in no case a substitute for proactive security.
WHO IS ENDPOINT DETECTION AND RESPONSE SUITABLE FOR?
As can be seen from the working method described, EDR is not a purely technical solution. Dedicated personnel (security analysts) are required for its operation, who constantly check the reported suspicions and can quickly take countermeasures if necessary. This is a big difference from the operation of EPP solutions, which provide protection fully automatically. An EDR solution is therefore only suitable for companies that are able to meet the basic requirements for operating it. There are two ways for a company to do this: either set up its own SOC (Security Operations Center) or hire an external managed service provider (MSP) to take over the operation on its behalf.
WHAT IS THE ASSOCIATION’S POSITION ON THIS?
As a neutral association, Tabidus is open to all approaches. However, since the EDR approach is very complex to operate, cannot be used by all companies and only becomes effective once an attack is already under way, we do not prioritize it. We do see EDR as an additional tool for companies that have the appropriate know-how and personnel for its operation and want to prepare for emergencies. But our primary goal is that no dangerous situation arises in the first place and that every company is able to apply this protection, which is why we favor proactive protection. This goal cannot be achieved by a single vendor alone, but only by uniting different vendors and technologies.