How far for EDR?

The endpoint monitoring that EDR can handle today reaches far further than it ever has. But something else makes the modern version of this technology a valuable addition to the armoury of cyber protection tools: EDR can also surface immediately actionable financial savings.

We asked our industry experts where and how EDR (endpoint detection and response) can strengthen cybersecurity. This article offers some of their insights. You can view our CyberShare Series discussion on EDR here.

'Endpoint protection' was once little more than a coverall term for the antivirus and anti-malware programmes running on individual computers. Fast forward to today, and EDR has evolved considerably: it detects malicious or suspicious activity from the telemetry (process, file, network and user events) streamed continuously from a multitude of endpoints. An endpoint is any device that connects to a network: a laptop, a mobile device, a desktop computer, or the server itself.

Aside from the less visible reputational benefit (EDR helping to avert the disaster of a malware outbreak or an attempted data theft), modern EDR can also reveal where money is being wasted. It can, for example, identify enrolled devices whose agents have never been activated or have never checked in, raising the useful questions of why not, and whether those devices (endpoints) and the licences paid for them are needed at all.
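The inventory check described above, as an added example written for this article rather than code from the page or from any EDR vendor. It assumes the EDR console can export its agent inventory as CSV with a hostname, the date the agent was enrolled and the date it last checked in (empty if it never has); the column names, the sample export, the 30-day staleness threshold and the per-seat licence price are all constructed assumptions.

```python
"""Find EDR agents that were provisioned but never (or no longer) report in.

Added example, not code from the article or any EDR product. Assumes the
console can export agent inventory as CSV with hostname, enrolled date and
last check-in date (empty if the agent has never reported). The export
below and the column names are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; a real console uses its own column names.
SAMPLE_EXPORT = """hostname,enrolled,last_seen
LAPTOP-014,2023-01-10,2023-06-01
LAPTOP-015,2023-01-10,
DESK-102,2022-11-03,2023-05-30
SRV-DB-01,2022-09-15,2023-05-31
LAPTOP-016,2023-02-20,
DESK-103,2022-11-03,2023-03-01
"""

STALE_AFTER = timedelta(days=30)  # assumption: 30 days without a check-in is stale


def _parse_date(text):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def classify_agents(export_csv, today, stale_after=STALE_AFTER):
    """Split agents into never_seen, stale and active lists of hostnames.

    'today' is an ISO date string so the result is reproducible.
    """
    today = date.fromisoformat(today)
    result = {"never_seen": [], "stale": [], "active": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        last_seen = _parse_date(row["last_seen"])
        if last_seen is None:
            # Enrolled (and licensed) but has never reported any telemetry.
            result["never_seen"].append(row["hostname"])
        elif today - last_seen > stale_after:
            # Reported once, then went quiet: lost, rebuilt without the
            # agent, or the agent was disabled. Worth asking why.
            result["stale"].append(row["hostname"])
        else:
            result["active"].append(row["hostname"])
    return result


def days_unused(export_csv, today):
    """Hostname -> days since enrolment, for agents that never checked in."""
    today = date.fromisoformat(today)
    unused = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if not row["last_seen"]:
            enrolled = date.fromisoformat(row["enrolled"])
            unused[row["hostname"]] = (today - enrolled).days
    return unused


def unused_seat_cost(export_csv, today, seat_cost_per_year):
    """Annual licence spend tied up in agents that have never reported.

    The seat price is whatever the organisation pays; it is an input here,
    not a figure from the article.
    """
    return len(days_unused(export_csv, today)) * seat_cost_per_year


if __name__ == "__main__":
    report = classify_agents(SAMPLE_EXPORT, "2023-06-02")
    for bucket, hosts in report.items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
    for host, days in days_unused(SAMPLE_EXPORT, "2023-06-02").items():
        print(f"{host}: enrolled {days} days ago, never checked in")
```

Run against a real export, the never_seen list is the one to take to whoever owns the asset register: each entry is either a device that was shipped and never powered on, a device that was rebuilt without the agent, or a licence nobody needs.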

In terms of the reach of EDR technology, Bronwyn Boyle, head of security and counter-fraud at Open Banking, said: “In previous lifetimes we would have had a very contained perimeter with well-defined perimeter defences, we would have had on-premises applications that would be managed by in-house staff. Obviously now that model is very different. We have Bring Your Own Device, we have a shift to the cloud, we have exciting collaborative projects with multi third-party delivery partners or managed service partners.

“And [with] all of that, the concept of the perimeter dissolves so it becomes even more important to find out what's actually happening on your endpoints. And that's where EDR really comes into its own. It gives you that visibility, it gives you that insight into what's happening in the various constituent parts of your now very diverse environment.”

Misunderstandings surrounding EDR can be costly

However, not every product marketed as EDR is a true endpoint detection and response technology, and that mismatch can lead to buying a solution that doesn't meet expectations.

Lee Rendell, senior pre-sales manager at Kaspersky UK, gave a clear example of this: “We were working with a customer and they had kind of been mis-sold EDR. They had purchased it under the understanding that it was going to address a lot of issues they had in terms of advanced threat detection and mitigation. But really it brought them 'noise'. It brought them too many alerts that they didn't have the technical capabilities or resources internally to manage.” He later added: “I think there needs to be a bit more collaboration from individual EDR vendors to say, 'you cannot call this EDR if it doesn't do these certain things.'”

EDR 'noise' is a problem in its own right. If there aren't enough people to triage the alert volume, genuine alerts get buried among repetitive ones, and the detection that should have flagged exploitation of a known operating system vulnerability is overlooked, leaving that door open. Beyond that, purchasing a new EDR solution can go askew when security leaders don't have a clear understanding of their actual needs.
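One way a small team keeps that noise from burying the alert that matters, as an added example written for this article (not code from the page or from any EDR product): collapse repeated alerts for the same host and rule into one queue entry, drop pairs the team has already reviewed as benign, and rank what is left by severity and volume. The JSON-lines alert format, the rule names, the severity scale and the benign-pair tuning list are all constructed assumptions; a real product has its own schema.

```python
"""Collapse repetitive EDR alerts into a ranked triage queue.

Added example, not code from the article or any EDR vendor. Assumes alerts
arrive as JSON lines with a UTC timestamp, host, rule, severity and process.
The alert lines, rule names and tuning list below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: seven raw alerts, of which one is the one that matters.
SAMPLE_ALERTS = """\
{"ts": "2023-06-01T08:00:01Z", "host": "DESK-102", "rule": "powershell-encoded-command", "severity": "medium", "process": "powershell.exe"}
{"ts": "2023-06-01T08:00:03Z", "host": "DESK-102", "rule": "powershell-encoded-command", "severity": "medium", "process": "powershell.exe"}
{"ts": "2023-06-01T08:00:05Z", "host": "DESK-102", "rule": "powershell-encoded-command", "severity": "medium", "process": "powershell.exe"}
{"ts": "2023-06-01T08:02:10Z", "host": "LAPTOP-014", "rule": "lsass-memory-read", "severity": "high", "process": "procdump.exe"}
{"ts": "2023-06-01T08:05:00Z", "host": "SRV-DB-01", "rule": "backup-agent-file-scan", "severity": "low", "process": "backupsvc.exe"}
{"ts": "2023-06-01T08:05:01Z", "host": "SRV-DB-01", "rule": "backup-agent-file-scan", "severity": "low", "process": "backupsvc.exe"}
{"ts": "2023-06-01T08:09:30Z", "host": "DESK-102", "rule": "powershell-encoded-command", "severity": "medium", "process": "powershell.exe"}
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# (rule, process) pairs the team has reviewed and accepted as expected
# behaviour. Constructed for the example; every entry here is a tuning
# decision that should be recorded and revisited, not a vendor default.
BENIGN_PAIRS = {("backup-agent-file-scan", "backupsvc.exe")}


def parse_alerts(jsonl):
    """JSON lines -> list of alert dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _utc(ts):
    # Accept the trailing 'Z' that many exporters emit.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_queue(alerts, benign_pairs=BENIGN_PAIRS):
    """Group alerts by (host, rule), drop tuned-out pairs, rank the rest.

    Returns (queue, suppressed_count). Queue entries carry the highest
    severity seen in the group, the number of raw alerts collapsed into it,
    and the first/last timestamps so an analyst sees the span at a glance.
    """
    groups = defaultdict(list)
    suppressed = 0
    for alert in alerts:
        if (alert["rule"], alert["process"]) in benign_pairs:
            suppressed += 1
            continue
        groups[(alert["host"], alert["rule"])].append(alert)

    queue = []
    for (host, rule), items in groups.items():
        times = sorted(_utc(a["ts"]) for a in items)
        queue.append({
            "host": host,
            "rule": rule,
            "severity": max((a["severity"] for a in items), key=SEVERITY_RANK.get),
            "count": len(items),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
        })
    # Highest severity first; within a severity, the noisiest group first.
    queue.sort(key=lambda q: (SEVERITY_RANK[q["severity"]], q["count"]), reverse=True)
    return queue, suppressed


def triage_summary(jsonl):
    """Raw count, suppressed count and the ranked queue for one batch."""
    alerts = parse_alerts(jsonl)
    queue, suppressed = build_queue(alerts)
    return {"raw": len(alerts), "suppressed": suppressed, "queue": queue}


if __name__ == "__main__":
    summary = triage_summary(SAMPLE_ALERTS)
    print(f"{summary['raw']} raw alerts, {summary['suppressed']} suppressed, "
          f"{len(summary['queue'])} queue entries")
    for entry in summary["queue"]:
        print(f"[{entry['severity']:>6}] {entry['host']} {entry['rule']} "
              f"x{entry['count']} ({entry['first_seen']} .. {entry['last_seen']})")
```

Seven raw alerts become a two-line queue, with the single high-severity credential-dumping alert at the top rather than buried under four copies of the same PowerShell detection. The suppression list is where the Kaspersky example above goes wrong in practice: it only works if someone actually reviewed each pair and owns the decision, otherwise it silently becomes another door left open.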

Effective EDR is dependent on scrupulous housekeeping

Bronwyn stresses that: “The bad guys are actually realising that these security products are very pervasive and could give them a foothold in a very broad set of organisations, should they succeed in compromising them.

“So there's a question to address there: How secure are the security products? Are we keeping up to date with these types of solutions to make sure that they're not inadvertently actually opening doors?”

“We speak to organisations which are looking to ingest EDR and SIEM (security information and event management) and XDR technologies, but they don't patch their operating systems, they don't train their staff, and they don't harden their devices [lock down configuration and remove unneeded services to shrink the attack surface],” said Lee.

Basic security hygiene, meaning patching, staff training and device hardening, should be thorough and routine before an organisation considers layering on sophisticated machine-learning behaviour analysis and telemetry correlation.
