So, you’re trying to protect your organization from cyberthreats, and you start looking at antivirus (AV)... Then, maybe you shift to general malware protection - and then a fully blown Enterprise Protection Platform (EPP), but that’s not enough either! Once you reach next-generation antivirus (NGAV), you may come across another acronym: EDR. This stands for Endpoint Detection and Response, and if you’re the CTO of Palo Alto Networks you think it’s “a really stupid idea.” We tend to agree.
In this blog post, I describe EDR, including reasons it’s insufficient on its own to protect your business. I cover the difference between using EDR as a standalone defense vs as a piece of a larger puzzle, the challenges of implementing orchestration in small to midsize enterprises, and applications as a response vehicle and a source of telemetry (data) - just one of many in the broader organizational cybersecurity context.
To close, I’ll tease one huge factor that separates a ‘stupid’ use of EDR from an ‘intelligent’ one. It is a very practical application of it; in fact, we’ve built our business around it. I’ll discuss machine-learning-derived detections we have built on top of CrowdStrike's EDR.
What is EDR?
EDR is an agent or application that runs on each endpoint in your organization, that curates log data from the endpoint (exactly which logs depend on the particular EDR), and enables response actions to be taken. EDR is only looking at a single attack vector: the endpoint (it’s in the name). This makes it inherently insufficient on its own, as there are multiple attack vectors to consider for your organization.
What am I reacting to?
According to coverage of Palo Alto’s event, the quote was: “Things like EDR are really stupid ideas… It’s really stupid to try to focus just on one data source at a time.”
My interpretation? This speech was aimed at large enterprises, with a very broad attack surface and numerous available data sources that can feed into a SOAR methodology. The tough part is getting such a system to work for them - that’s the “holistic system” mentioned, and it takes vast resources to get each component working together in harmony.
On the other hand, small to midsize enterprises likely don’t have the technology nor people to build, configure and manage an EDR program on their own...
Why we agree
One reason it’s stupid for small to midsize enterprises too, is that EDR alone leaves a gap in technology (necessary to form that broader picture), and in time/bodies to manage, integrate, review, and action the numerous alerts it yields. They want the orchestration out - to save time, complexity, alert fatigue, etc. Even if the EDR is managed for you, you’ll still be blind to all the compromises beyond the endpoint. There’s no amount of visibility a provider or management solution can gain to protect your whole environment from the vantage point of the endpoint, alone.
Anyway, I am glad Nir is surfacing the same conclusion we have long felt for small to midsize enterprises - that the endpoint isn’t the only source of data when it comes to detecting attacks. Beyond that, I feel:
- The endpoint isn’t the only source of data when it comes to detecting attacks.
- Nor is it the only vector. EDR can’t stop the email, network or peripheral activity that ushered the threat to the endpoint in the first place.
- And what happens when that attack jumps from the endpoint to your cloud, or develops in the cloud first? EDR simply lacks the ability to manage the threat when it moves laterally.
You might be asking “But wait - doesn’t your MDR include EDR? Didn’t you just ally with CrowdStrike?”
Yes, we formed an alliance with CrowdStrike, the leader in the EDR space.
The reasons to form an alliance with them are the same reasons we believe buying and operating a single silo of endpoint information to try and stop an attacker yourself is ridiculous: that’s not how threats work and progress, and that’s not how cybersecurity works. Let me break these out:
- Attacks don’t work that way. Instead, hackers phish your users, they act like an administrator (not a virus), and then they zero-day you - something your antivirus cannot catch.
- Why do you care where you get hacked? Hackers don’t. How’s your cloud login? Are we betting our users aren’t being phished? (If you are, you should see my post on the perfect phishing email.) How about being hacked directly in their o365 accounts? (We cover account takeover, too.)
Are you reporting on those hacks? I’m guessing you’re not. That’s why we offer MDR: we look at the broader picture, and treat the EDR sensor as one (of many) sources of data, and as a vehicle to respond to threats on the endpoint. - How about your network? Where’s the data there, are you gathering it? How? Have you firewalled every workstation-to-workstation, and every workstation-to-server connection? Have you got no users working from home? … I didn’t think so! Global network telemetry is required to stay protected, but hard to generate, and even harder to store and search...
Ultimately, what I’m saying is, if you insist on EDR, then “don’t try this at home.” ActZero has already built, optimized and trained the platform, processes and people to remove that orchestration element. EDR will play a tremendous role in data sharing. When combined with telemetry from the network and the cloud, and ingested into a data lake subjected to machine learning analysis, that’s when we yield truly comprehensive protection.
In closing, “EDR is a really stupid idea” is almost right. In reality, it’s closer to “doing EDR yourself is a really stupid idea.” EDR as part of a broader system is not stupid. Being able to react or take action on the endpoint (the “R” in “EDR”) is not stupid. Machine Learning detections, enabled by EDR telemetry, are not stupid. We won’t manage your ‘stupid’ EDR for you - we manage the detection of, and response to, threats across multiple vectors - with intelligent MDR.
The proof is in the pudding; check out our platform for how we address attacks across multiple vectors for both small and midsize enterprises. Or, see how we’re using EDR to fuel our machine learning detections.