EDR: Redefining Security
A More Sophisticated Approach to Battling Malware
In an era where attacks involving ransomware and other malware are skyrocketing, a growing number of organizations are turning to endpoint detection and response software to help mitigate the risks. But implementation can present many challenges.
EDR solutions focus on detecting, investigating and mitigating suspicious activities and issues on hosts and endpoints.
A joint study by Sophos and Vanson Bourne, a research house in the U.K., recently found that about 67 percent of organizations in India were hit by ransomware in 2017. Yet three-quarters of these ransomware victims reported that they were running up-to-date endpoint security. So where were they missing the mark? The answer, many security experts say, was the lack of more sophisticated technologies, such as EDR.
"Traditional endpoint protection products suffer from technological limitations as they can only detect and block common and uncomplicated threats, already known vulnerabilities or unknown threats typically built on previously known methods," says Shrenik Bhayani, general manager at Kaspersky Lab for South Asia.
"No organization today can manage with only endpoint protection solutions," says Sameer Ratolikar, CISO at HDFC, a major private sector bank. "We need to detect attacks in advance. I have deployed EDR in my organization, which has helped me detect some malicious activity originating from Russia."
Dealing With Sophisticated Threats
Companies need to leverage advanced detection technologies, such as EDR, to deal with more sophisticated threats, says Rajesh Maurya, Fortinet's regional vice president, India & SAARC.
The new technologies need to "integrate into the broader security framework to enable the sharing of advanced threat intelligence as well as the ability to participate as part of a larger, automated threat response," he says.
EDR software provides a play-by-play of exactly what happened on a computer during and after an attack. The insights can reveal details of how a hacker mounted an attack and moved throughout systems. Programmed with the right rules, EDR products can also cut off potentially infected machines from the network and stem further damage.
"Unlike EPP, which focuses on detection and remediation of attacks that are being executed at a particular endpoint, the EDR takes it one step further," says Anthony Wai, Sophos' senior technology solutions director for Asia Pacific and Japan. "Based on the information collected from the original endpoint that was being attacked, the EDR system identifies suspicious files that might also exists in other endpoints within the organization and takes necessary actions."
EDR agents continuously record activity on each endpoint. That telemetry is forwarded to a central point for analysis, where it is matched against known indicators of compromise; the analysis can also draw on telemetry from sandbox technology to hunt for specific threats across endpoints.
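The collect, correlate and respond loop described above, as an added example written for this page (it is not code from the article or from any vendor's EDR product): agent events are parsed centrally, each is matched against an IOC list and two behavioral rules, any file hash that a rule flags is then searched for across every other host (the cross-endpoint pivot Anthony Wai describes below), and a response tier is chosen per host. The telemetry lines, hostnames, hashes, paths, domains, rule names and the isolation threshold are all constructed for illustration.

```python
"""Toy EDR pipeline: central IOC/behavior matching, fleet-wide hash pivot, response decision.
Added example; every host, hash, path, domain and rule below is invented."""
import json
from collections import defaultdict

# Constructed telemetry, one JSON record per line, as agents would forward to a collector.
RAW_TELEMETRY = r"""
{"host":"ws-01","type":"process","parent":"winword.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","sha256":"11c0e1d5","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}
{"host":"ws-01","type":"process","parent":"powershell.exe","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","sha256":"9f2b77aa","cmdline":"update.exe /silent"}
{"host":"ws-01","type":"network","image":"update.exe","domain":"bad-c2.example"}
{"host":"ws-02","type":"process","parent":"explorer.exe","image":"C:\\Users\\bob\\Downloads\\update.exe","sha256":"9f2b77aa","cmdline":"update.exe"}
{"host":"ws-03","type":"process","parent":"explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","sha256":"c0ffee01","cmdline":"chrome.exe"}
{"host":"ws-03","type":"network","image":"chrome.exe","domain":"www.example.com"}
{"host":"srv-01","type":"process","parent":"cmd.exe","image":"C:\\Temp\\m.exe","sha256":"deadbeef","cmdline":"m.exe privilege::debug sekurlsa::logonpasswords"}
"""

# Hypothetical threat-intel feed (hashes truncated for readability) and behavior rule inputs.
IOC_HASHES = {"deadbeef"}
IOC_DOMAINS = {"bad-c2.example"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")
# Rules whose subject is the executed file itself; only their hashes are worth pivoting on.
PIVOT_RULES = {"ioc_hash", "script_host_launches_from_user_writable_path"}


def parse_events(raw):
    """Parse newline-delimited JSON telemetry into a list of event dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule a single event triggers (empty list if benign)."""
    hits = []
    if event["type"] == "process":
        image, parent = basename(event["image"]), event["parent"].lower()
        if event["sha256"] in IOC_HASHES:
            hits.append("ioc_hash")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if parent in SCRIPT_HOSTS and any(p in event["image"].lower() for p in USER_WRITABLE):
            hits.append("script_host_launches_from_user_writable_path")
    elif event["type"] == "network" and event["domain"].lower() in IOC_DOMAINS:
        hits.append("ioc_domain")
    return hits


def analyze(events):
    """Map host -> [(rule, detail)], including hashes pivoted from hits on other hosts."""
    findings = defaultdict(list)
    suspect_hashes, flagged = set(), set()  # flagged = (host, sha256) already reported
    for ev in events:  # pass 1: per-event matching
        for rule in evaluate(ev):
            detail = ev["domain"] if ev["type"] == "network" else ev["sha256"]
            findings[ev["host"]].append((rule, detail))
            if rule in PIVOT_RULES:
                suspect_hashes.add(ev["sha256"])
                flagged.add((ev["host"], ev["sha256"]))
    for ev in events:  # pass 2: does a flagged file also exist on endpoints that raised no alarm?
        if ev["type"] == "process" and ev["sha256"] in suspect_hashes \
                and (ev["host"], ev["sha256"]) not in flagged:
            findings[ev["host"]].append(("pivot_shared_hash", ev["sha256"]))
            flagged.add((ev["host"], ev["sha256"]))
    return dict(findings)


def decide(findings):
    """Isolate on any IOC match or on two or more distinct rules; otherwise queue for investigation."""
    actions = {}
    for host, items in findings.items():
        rules = {rule for rule, _ in items}
        actions[host] = "isolate" if rules & {"ioc_hash", "ioc_domain"} or len(rules) >= 2 else "investigate"
    return actions


if __name__ == "__main__":
    report = analyze(parse_events(RAW_TELEMETRY))
    for host, action in decide(report).items():
        print(host, action, [rule for rule, _ in report[host]])
```

Note the asymmetry the threshold creates: ws-02 ran the same dropper as ws-01 but was never on a blocklist and triggered no behavioral rule, so it surfaces only through the hash pivot and is queued for an analyst rather than cut off automatically. Whether a single pivot hit should instead isolate the host is exactly the kind of tuning decision the interviewees below describe as requiring skilled staff.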
Deploying EDR for Protection
Rohan Vibhandik, a Pune-based cybersecurity practitioner and researcher who did not want his employer identified, says he implemented EDR a few years back as part of an ongoing effort toward effective threat hunting.
"Implemented with machine learning and analytics tools such as Splunk to correlate the data across network infrastructure, it has provided network traffic trends," Vibhandik says. "It proves more effective when log management and log analysis are done to zero down the most prevalent cyber anomaly, such as DDoS attacks."
He says EDR software has enabled him to observe DDoS and man-in-the-middle attacks on network endpoints.
"In a few cases, when whitelisting and blacklisting for the ingress traffic were implemented, the EDR provided a behavioral analysis for the networked devices based on their responses to the ingress traffic," Vibhandik says. "It was possible to observe the endpoint activities without interfering with the network traffic or data flow. It not only helped in detecting the attack, but also helped in identifying false positives and false negatives to take appropriate incident response action."
So far, financial organizations have been early adopters of EDR solutions.
"Thanks to the Reserve Bank of India's push toward EDR, banks are now beginning to invest in EDR solutions," says Oren Aspir, CTO at Cyberbit, a provider of an EDR platform powered by machine learning and behavioral analysis.
Some organizations are working with managed security service providers to implement EDR software.
"Depending on each organization's maturity and experience in the field of security, and the availability of necessary resources, some businesses will find it most effective to use their own expertise for endpoint security but to call on outsourced resources for more complex aspects," says Bhayani of Kaspersky Lab. "Or understaffed security departments can adopt third-party professional services from the outset."
One of the trickier parts of working with EDR solutions is interpreting masses of data.
"EDR generates a lot of big data, and this requires skilled professionals to interpret the data," says Aspir of Cyberbit. For instance, EDR cannot simply be pointed at a particular piece of malware and told to find it.
"There are signs of malware and one needs to be able to interpret these signs. You have to know the conditions that allow a malware to exist in your system," he says. "The skills gaps required to implement a true EDR solution are high when compared to deploying EPP solutions, which provide basic security. EDR generates a lot of data while using big data analytics to provide value, and this requires skilled professionals to interpret the data."
Another challenge is that many IT teams treat endpoint devices separately from the rest of the network.
"Endpoint security is often applied to devices as an isolated solution, usually in the form of an anti-virus solution or endpoint security package," Fortinet's Maurya says. Network security often begins at the point where an endpoint device touches the network.
"But with networks spanning multiple ecosystems, including multicloud infrastructures, that demarcation point is becoming increasingly difficult to define and defend. Endpoint security is the responsibility of far more than the endpoint or desktop IT team. In fact, it is required to be understood and leveraged by anyone who is responsible for the organization's network security. These groups need better visibility, compliance, controls and response across the entire distributed network, including on- and off-network endpoints."