EDR, or Endpoint Detection and Response, is a modern replacement for Antivirus security suites. For decades, organizations and businesses have invested in Antivirus suites in the hope of solving the challenges of enterprise security. But as the sophistication and prevalence of malware threats has grown over the last ten years, so the shortcomings of what is now referred to as “legacy” Antivirus have become all too apparent.
In response, some vendors re-thought the challenges of enterprise security and came up with new solutions to the failures of Antivirus. How does EDR differ from Antivirus? How and why is EDR more effective than AV? And what is involved in replacing your AV with an advanced EDR? You’ll find the answers to all these questions and more in this post.
What Makes EDR Different from Antivirus?
In order to adequately protect your business or organization against threats, it is important to understand the difference between EDR and traditional or “legacy” Antivirus. These two approaches to security are fundamentally different, and only one is appropriate for dealing with modern threats.
Features of Antivirus
Back in the days when the number of new malware threats per day could comfortably be counted in a spreadsheet document, Antivirus offered enterprises a means of blocking known malware by examining – or scanning – files as they were written to disk on a computer device. If the file was ‘known’ to the AV scanner’s database of malicious files, the software would prevent the malware file from executing.
The traditional Antivirus database consists of a set of signatures. These signatures may contain hashes of a malware file and/or rules that contain a set of characteristics the file must match. Such characteristics typically include things like human-readable strings or sequences of bytes found inside the malware executable, file type, file size and other kinds of file metadata.
Some antivirus engines can also perform primitive heuristic analysis on running processes and check the integrity of important system files. These “after-the-fact” or post-infection checks were added to many AV products after the flood of new malware samples on a daily basis began to outstrip AV vendors’ ability to keep their databases up-to-date.
In light of growing threats and the declining efficacy of the Antivirus approach, some legacy vendors have tried to supplement Antivirus with other services such as firewall control, data encryption, process allow and block lists and other AV “suite” tools. Generically known as “EPP” or Endpoint Protection Platforms, such solutions remain based at-heart on a signature approach.
Features of EDR
While the focus of all AV solutions is on the (potentially malicious) files that are being introduced to the system, an EDR, in contrast, focuses on collecting data from the endpoint and examining that data for malicious or anomalous patterns in real time. As the name implies, the idea of an EDR system is to detect an infection and initiate a response. The faster an EDR can do this without human intervention, the more effective it will be.
A good EDR will also include capabilities to block malicious files, but importantly EDRs recognize that not all modern attacks are file-based. Moreover, proactive EDRs offer security teams critical features not found in Antivirus, including automated response and deep visibility into what file modifications, process creations and network connections have occurred on the endpoint: vital for threat hunting, incident response and digital forensics.
Pitfalls of Antivirus
There are many reasons why Antivirus solutions cannot keep up with the threats facing enterprises today. First, as indicated above, the number of new malware samples seen on a daily basis is greater than the number any human team of signature writers can keep up with.
Secondly, detection via Antivirus signatures can often be easily bypassed by threat actors even without rewriting their malware. Since signatures only focus on a few file characteristics, malware authors have learned how to create malware that has changing characteristics, also known as polymorphic malware. File hashes, for example, are among the easiest of a file’s characteristics to change, but internal strings can also be randomized, obfuscated and encrypted differently with each build of the malware.
Thirdly, financially-motivated threat actors such as ransomware operators have moved beyond simple file-based malware attacks. In-memory or fileless attacks have become common, and human-operated ransomware attacks like Hive–along with “double-extortion” attacks such as Maze, Ryuk and others–that may begin with compromised or brute forced credentials, or exploitation of RCE (remote code execution) vulnerabilities, can lead to a compromise and loss of intellectual property through data exfiltration without ever triggering an Antivirus signature-based detection.
Benefits of EDR
With its focus on providing visibility to enterprise security teams, along with automated detection responses, EDR is much better equipped to cope with today’s threat actors and the security challenges that they present.
By focusing on the detection of unusual activity and providing a response, EDR is not limited to only detecting known, file-based threats. On the contrary, the primary value of the EDR proposition is that the threat does not need to be precisely defined in the way that it does for Antivirus solutions. An EDR solution can look for patterns of activity that are unexpected, unusual, and unwanted and issue an alert for a security analyst to investigate.
Moreover, because EDRs work by collecting a vast range of data from all protected endpoints, they offer security teams the opportunity to visualize that data in one convenient, centralized interface. IT teams can take that data and integrate it with other tools for deeper analysis, helping to inform the organization’s overall security posture as it moves to define the nature of potential future attacks. The comprehensive data from an EDR can also enable retrospective threat-hunting and analysis.
Perhaps one of the greatest benefits of an advanced EDR is the ability to take this data, contextualize it on the device, and mitigate the threat without human intervention. Not all EDRs are capable of this, however, as many rely on transmitting EDR data to the cloud for remote (and, therefore, delayed) analysis.
How EDR Compliments Antivirus
Despite their limitations when deployed alone or as part of an EPP solution, Antivirus engines can be useful compliments to EDR solutions, and most EDRs will contain some element of signature and hash-based blocking as part of a “defense-in-depth” strategy.
By incorporating Antivirus engines within a more effective EDR solution, enterprise security teams can reap the benefits of simple blocking of known malware and combine it with the advanced features that EDRs have to offer.
Avoiding Alert Fatigue with Active EDR
As we noted earlier, EDRs offer enterprise security and IT teams deep visibility into all the endpoints across the organization’s network, and this in turn allows for a number of advantages. However, despite these advantages, many EDR solutions are failing to have the impact enterprise security teams had hoped for because they demand a great deal of human resources to manage: resources that are often unavailable due to staffing or budget restrictions or unobtainable due to the cybersecurity skills shortage.
Instead of enjoying greater security and less work for their IT and security teams, many organizations that have invested in EDR have simply found themselves reallocating resources from one security task to another: away from triaging infected devices to triaging a mountain of EDR alerts.
And yet it doesn’t need to be like that. Perhaps the most valuable potential of EDR is its ability to autonomously mitigate threats without the need for human intervention at all. By harnessing the power of machine learning and Artificial Intelligence, Active EDR takes the burden off the SOC team and is able to autonomously mitigate events on the endpoint without relying on cloud resources.
What Active EDR Means For Your Team
Consider this typical scenario: A user opens a tab in Google Chrome, downloads a file they believe to be safe and executes it. The program leverages PowerShell to delete the local backups and then starts encrypting all data on the disk.
The work of a security analyst using passive EDR solutions can be hard. Swamped with alerts, the analyst needs to assemble the data into a meaningful story. With Active EDR, this work is instead done by the agent on the endpoint. Active EDR knows the full story, so it will mitigate this threat at run time, before encryption begins.
When the story is mitigated, all the elements in that story will be taken care of, all the way to the Chrome tab the user opened in the browser. It works by giving each of the elements in the story the same TrueContext ID. These stories are then sent to the management console, allowing visibility and easy threat hunting for security analysts and IT administrators.
Upgrading Your Security with EDR
Once we see the clear advantages of an EDR system over Antivirus, what is the next step? Choosing the right EDR requires understanding the needs of your organization and the capabilities of the product being offered.
It’s also important to conduct tests, but to make sure those tests have real-world application. How will this product be used by your team in day-to-day operations? How easy is it to learn? Will it still protect your company when any cloud-services it relies on are offline or unreachable?
It’s important to consider deployment and rollout, also. Can you automate deployment across your fleet? What about platform compatibility? Does your chosen vendor give equal importance to Windows, Linux and macOS? Every endpoint needs to be protected; the ones that get left behind can provide a backdoor into your network.
Next, think about integration. Most organizations have a complex software stack. Does your vendor offer powerful but simple integration for other services you rely on?
For a more comprehensive guide on how to choose the right EDR, see the free ebook The Secrets of Evaluating Security Products.
Beyond EDR | XDR For Maximum Visibility & Integration
While Active EDR is the next step for organizations that have yet to move past Antivirus, enterprises that need maximum visibility and integration across their entire estate should be thinking about Extended Detection and Response, or XDR.
XDR takes EDR to the next level by integrating all visibility and security controls into a full holistic view of what happens in your environment. With a single pool of raw data comprising information from across the entire ecosystem, XDR allows faster, deeper and more effective threat detection and response than EDR, collecting and collating data from a wider range of sources.
Threat actors have long moved beyond Antivirus and EPP and organizations need to consider that such products are no match for the threats that are active today. Even a cursory look at the headlines shows how large, unprepared organizations are being caught out by modern attacks like ransomware even though they have invested in security controls. The onus is on us, as defenders, to ensure that our security software is not only fit for yesterday’s attacks, but today’s and tomorrow’s.