EDR - Hunting on the Endpoint
How Endpoint Detection & Response Hopes to Redefine Endpoint Security
Endpoint detection and response tools have evolved in response to the need for advanced detection capabilities on endpoints and hosts to detect targeted attacks and other suspicious activity. Traditional endpoint security products consistently fail to address this gap, and there is growing interest among organizations in defeating advanced threats on endpoints (see: Human Behavior Analysis: The Next Big Thing?).
Anti-virus software and other security products depend on heuristics and signatures, which no longer work with sophisticated threats and polymorphic malware, says Felix Mohan, CEO of the CISOAcademy. "AVs are designed to protect endpoints - a task at which they have failed miserably when it comes to advanced threats," he says. The cornerstone of EDR technology is visibility, and it supplements traditional technologies with behavior-based anomaly detection and visibility across endpoints.
Moreover, while there is rich telemetry available today in the form of threat intelligence feeds and mature SIEM platforms and sandboxes, operationalizing this intelligence and hunting for these advanced threats on the endpoint is a challenge (see: How to Consume Threat Intelligence).
How It Works
The term EDR was coined in 2013 by Anton Chuvakin, vice president of research at Gartner, to describe tools being developed that primarily focus on detection and investigations on hosts/endpoints.
Unlike the anti-virus products, where the focus is protection, EDRs focus on visibility and situational awareness. EDRs look into endpoints, activities of processes, binaries and threads within the operating system itself, providing much greater visibility, says Lawrence Pingree, research director at Gartner (see: Security Focus Shifts to Detection).
EDRs can obtain endpoint telemetry at scale, says Wias Issa, senior director, APAC, at FireEye, and head of the firm's security-as-a-service in this region. This accelerates the security team's response to breaches and contains the spread of infection throughout the rest of the enterprise.
EDRs do this by examining what is happening on the endpoints: which processes are running, which handles are in use by the kernel, which DLLs are being loaded, active network connections and open ports, ARP and routing tables, and the state of the registry, Mohan says.
This information is then aggregated from the endpoints to a central point for analysis, where it is mapped against known indicators of compromise. EDRs can analyze this endpoint data for known IOCs, and they can also connect to telemetry from sandbox technology from such companies as FireEye, Trend Micro and McAfee to go and hunt for specific threats on endpoints. "Industrywide, practitioners and security teams, once they have telemetry from these products or from the threat intel feeds, are lacking the visibility into the endpoint today, to go look for the infection," Pingree says.
EDR is an essential step toward uplifting detection on the endpoint beyond anti-virus, Pingree believes. EDRs are a combination of endpoint behavior analysis, network behavior and the ability to take telemetry from advanced detection sandboxes and feeds.
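The central aggregation and IOC matching described above can be sketched as follows. This is an added example, not code from the article or from any EDR product; the record layout, host names, hashes and addresses are all constructed. It goes slightly beyond the text by also listing process hashes seen on very few hosts, the kind of unknown-process lead an analyst would review.

```python
from collections import defaultdict

# Constructed IOC set (placeholder values, not real indicators).
IOCS = {
    "sha256": {"a" * 64},
    "remote_ip": {"203.0.113.50"},
    "dll": {"evilhook.dll"},
}

# Constructed telemetry, shaped like what agents might report to the central hub.
TELEMETRY = [
    {"host": "ws-01", "processes": [("svchost.exe", "1" * 64), ("upd.exe", "a" * 64)],
     "dlls": ["kernel32.dll", "EvilHook.dll"], "connections": [("198.51.100.7", 443)]},
    {"host": "ws-02", "processes": [("svchost.exe", "1" * 64)],
     "dlls": ["kernel32.dll"], "connections": [("203.0.113.50", 8080)]},
    {"host": "ws-03", "processes": [("svchost.exe", "1" * 64), ("tool.exe", "b" * 64)],
     "dlls": ["kernel32.dll"], "connections": []},
]

def observables(record):
    """Flatten one endpoint's telemetry into (ioc_type, value) pairs."""
    for _name, digest in record["processes"]:
        yield "sha256", digest.lower()
    for dll in record["dlls"]:
        yield "dll", dll.lower()  # Windows file names are case-insensitive
    for ip, _port in record["connections"]:
        yield "remote_ip", ip

def sweep(telemetry, iocs):
    """Return sorted (host, ioc_type, value) hits for known indicators."""
    hits = set()
    for record in telemetry:
        for kind, value in observables(record):
            if value in iocs.get(kind, ()):
                hits.add((record["host"], kind, value))
    return sorted(hits)

def rare_hashes(telemetry, max_hosts=1):
    """Process hashes seen on at most max_hosts endpoints, for analyst review."""
    seen = defaultdict(set)
    for record in telemetry:
        for _name, digest in record["processes"]:
            seen[digest.lower()].add(record["host"])
    return {h: sorted(hosts) for h, hosts in seen.items() if len(hosts) <= max_hosts}

if __name__ == "__main__":
    for hit in sweep(TELEMETRY, IOCS):
        print("IOC hit:", hit)
    print("Low-prevalence hashes:", rare_hashes(TELEMETRY))
```

A low-prevalence hash is a lead, not a verdict: in the sample data it surfaces both the IOC-matched binary and an unrelated one-off tool, which is the false-positive load the article attributes to looking at unknown processes.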
The Evolution to EDR
It is important to understand that historically, controls for networks and endpoints existed separately, Mohan says. Network security started slipping away from security professionals when organizations started losing control of the perimeter with cloud and other technology.
Endpoint security, for its part, depended on AV until 2013. In the meantime, there were many changes happening in network security, such as network traffic analysis and network forensics. The need to look beyond traffic, at the payload, brought about sandbox technology, which detonated the payload within sandboxes to perform analysis. None of these looked at the endpoint, Mohan says.
All this occurred while the only security available for endpoints was AV, patching and OS hardening. It was clear even then that traditional AV cannot stop polymorphic malware and advanced threats on the endpoint, Mohan says. To supplement these came the concept of whitelisting, blacklisting and graylisting.
Graylisting, or behavior analysis, is the category under which EDR technologies fall. Together, all these form the advanced threat protection framework. EDR itself is a complement to existing APT controls today and is set to be a core component of the defense-in-depth philosophy, Mohan says.
Being a nascent technology, EDR has its fair share of challenges. The response component of EDR was added after EDR's detection functionality, Mohan says. Right now, automated response is peripheral and limited, and not evolved to a great extent. False positives can be high if you are looking at unknown processes, and a fair amount of human intervention from trained analysts is required.
While EDRs give a fair degree of visibility, response is still not effective enough, and investing in EDR without having an appropriate enterprise incident response process in place can be overkill, Mohan says. "For EDR to be effective, you need a robust incident response process. So success depends on how long processes take to mature," he says. "It's like DLP - it is good technology but has failed in 90 percent of cases because the enterprise processes it depends on have not kept up."
The second big challenge is that to be in a position to capture all this telemetry from endpoints, EDRs need to have an agent sitting on the endpoint, sending this information on to the central analysis hub. Over the years, agents have gone out of fashion because of deployment and administration issues across networks and different operating systems - no IT team wants to deal with them, he says.
Mohan expects the EDR market to push toward going agentless. EDRs will not replace existing endpoint protections like AV, but rather complement them, he says. "The only area of overlap I see between EDRs and AVs could perhaps be the automated response piece," he says.
He believes that EDRs will eventually get more closely linked to SIEMs, which have evolved today into security intelligence platforms (SIPs). SIPs tend to be network oriented, and they only go as far as looking at logs generated at the endpoint, he says. When you link an EDR to a SIEM/SIP, you get visibility and analysis right to the kernel level - which is a powerful mix.
Mohan also predicts that EDRs will develop close linkages to network forensics tools. "Today, enterprises look at network security and endpoint security as two different silos. They need to become integrated - because incident response and forensics span across both," he says.