
EDR Dependency: Ensuring Uninterrupted and Comprehensive Security Coverage Through Service Outages

Posted by Brad LaPorte on July 29, 2024

The CrowdStrike and Windows outage highlighted a new reality for all companies: IT systems are critical infrastructure.


One faulty system update from a service provider resulted in days of lost revenue, customer frustration and fatigue for IT teams responsible for manually bringing company devices back online.  

In the wake of the recovery, IT and security professionals, company management and boards alike are acutely aware of how easily a mass outage can happen. As a result, all of them are examining their company’s IT infrastructure for single points of failure.

Much like big tech, in recent years the cybersecurity market has been dominated by large players across respective technology categories. Various factors have driven this trend, including trust and convenience.  

More recently, tech stack bloat and the idea of tools consolidation has in many cases funneled businesses to large providers who offer a wider breadth of services and capabilities than point solution providers. 

But as is often the case with good intentions, banking on a single provider, or consolidating services with one, can create downstream risk — a hard lesson learned through the CrowdStrike and Windows outage event. Now, some IT and security professionals are seeking CrowdStrike alternatives.


Systems outage highlights security risk 

Endpoint Detection and Response (EDR) technology plays an important role in critical IT infrastructure. Many companies depend on a single provider such as the EDR industry leaders CrowdStrike, Microsoft Defender or SentinelOne. However, the recent IT outage has raised new concerns around operational stability and security gaps, and leadership teams are increasingly raising the question of vendor diversification.

Counter to the tech consolidation theme in business environments, government agencies rely on vendor diversification for network and security redundancy to ensure continuous coverage and availability in the event of an outage.   

This approach is particularly important for a security technology like EDR that is deployed as a single layer, because an outage or service failure of that layer creates a security gap. While security coverage is degraded, systems are at greater risk of malware attacks, and impersonation attacks driven by phishing campaigns are a popular tactic during outages as well.
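The security gap described above is only visible if someone measures it. As an added example (not code from the original post or from any EDR vendor), the following script checks agent heartbeat telemetry against an asset inventory and reports every endpoint whose agent has gone silent or never reported. The log format, host names, inventory and the ten-minute threshold are all constructed assumptions for the illustration.

```python
"""Detect endpoints whose EDR agent has stopped reporting (a coverage gap).

Constructed example: the key=value log format, the host names and the
staleness threshold are assumptions, not the telemetry of any real product.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry: one line per agent check-in or agent event.
SAMPLE_LOG = """\
2024-07-19T04:00:00Z host=fin-ws-01 agent=edr-primary event=heartbeat
2024-07-19T04:00:00Z host=fin-ws-02 agent=edr-primary event=heartbeat
2024-07-19T04:00:00Z host=hr-ws-07 agent=edr-primary event=heartbeat
2024-07-19T04:05:00Z host=fin-ws-01 agent=edr-primary event=heartbeat
2024-07-19T04:09:00Z host=fin-ws-01 agent=edr-primary event=agent_stopped
2024-07-19T04:10:00Z host=fin-ws-02 agent=edr-primary event=heartbeat
2024-07-19T04:15:00Z host=fin-ws-02 agent=edr-primary event=heartbeat
"""

# Constructed asset inventory: every host that is supposed to run the agent.
# ops-srv-03 appears here but never in the log, which is itself a finding.
INVENTORY = {"fin-ws-01", "fin-ws-02", "hr-ws-07", "ops-srv-03"}


def parse_line(line):
    """Return (timestamp, fields) for one 'ISO-8601 key=value ...' line."""
    ts_text, _, rest = line.partition(" ")
    # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def last_heartbeats(log_text):
    """Map each host to the timestamp of its most recent heartbeat."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        if fields.get("event") == "heartbeat":
            host = fields["host"]
            if host not in seen or ts > seen[host]:
                seen[host] = ts
    return seen


def coverage_gaps(log_text, inventory, now, max_silence):
    """Return {host: reason} for every inventoried host lacking fresh coverage.

    reason is 'never_reported' when no heartbeat exists at all, otherwise
    'stale:<seconds>' with the age of the newest heartbeat.
    """
    seen = last_heartbeats(log_text)
    gaps = {}
    for host in sorted(inventory):
        if host not in seen:
            gaps[host] = "never_reported"
            continue
        age = now - seen[host]
        if age > max_silence:
            gaps[host] = f"stale:{int(age.total_seconds())}"
    return gaps


def demo_gaps():
    """Run the check over the constructed data at a fixed 'now' of 04:20 UTC."""
    now = datetime(2024, 7, 19, 4, 20, tzinfo=timezone.utc)
    return coverage_gaps(SAMPLE_LOG, INVENTORY, now, timedelta(minutes=10))


if __name__ == "__main__":
    for host, reason in demo_gaps().items():
        print(f"{host}: {reason}")
```

Hosts that are merely quiet and hosts that were never enrolled are reported separately, because the remediation differs: the first needs the agent restarted or a secondary control activated, the second is an inventory problem. In production the same logic would run against the EDR console's export or SIEM feed rather than an embedded string.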


EDR is not enough 

Relying on EDR as the sole layer of protection carries risks: it relies on traditional detection methods, which in turn rely heavily on updates. EDR and extended detection and response (XDR) leverage signature- and behavior-based detection to guard effectively against known attacks. However, these tools face challenges when dealing with advanced and unknown threats.

To counteract sophisticated fileless, in-memory, zero-day, and other advanced attacks often used to deploy ransomware, EDR and XDR solutions need to be set to their highest alert levels. This setting can negatively impact system performance and generate high volumes of false positives. 

Moreover, managing these solutions demands a dedicated team of professionals to monitor and respond around the clock. Even with a high level of vigilance, some threats may slip through or only be detected after an attacker has gained a foothold within the network.  

Enhancing EDR/XDR solutions with a multi-layer defense-in-depth strategy supports operational resiliency and comprehensive security coverage that hardens the attack surface.

Morphisec’s pioneering Automated Moving Target Defense (AMTD) technology provides another layer that elevates EDR and XDR solutions’ ability to defend against advanced attacks. 


Figure: Gartner Endpoint Security Logical Architecture. Source: Gartner, Guide to Endpoint Security Concepts, 29 May 2024, ID G00811632.


What is Automated Moving Target Defense?

AMTD technology is built on a military premise that a moving target is harder to hit than a static one. It dynamically alters the runtime memory environment to create a constantly evolving and unpredictable attack surface. This ensures that even if a threat actor manages to locate their target once, they cannot reuse that attack on another device or later on the same device.  

By employing techniques like those used by attackers—such as polymorphism, deception, and evasion—AMTD randomizes application memory runtime, preventing threat actors from accurately identifying their targets. 
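The claim in the two paragraphs above is probabilistic: once the location of a target is randomized per device and per run, an address learned on one instance is of little use on the next. The following added simulation (not Morphisec's code, and a deliberately simplified model rather than a description of how AMTD works internally) places a handful of named memory regions in an address space either statically or at randomized positions, records where the "target" region landed in one instance, and then measures how often replaying that recorded address hits the target in fresh instances. The region names, slot count and trial count are constructed assumptions.

```python
"""Toy model of moving-target randomization: does a recorded address transfer?

Constructed example: REGION_NAMES and SLOTS are assumptions chosen to make
the effect visible; the model is not any product's actual memory layout.
"""
import random

# Named regions that an attack might need to find, and the number of distinct
# positions (slots) each region can occupy in this simplified address space.
REGION_NAMES = ("loader", "crypto", "network", "parser", "target")
SLOTS = 256


class Layout:
    """One process instance: a mapping from region name to its slot."""

    def __init__(self, randomize, rng):
        if randomize:
            # Each instance gets a fresh, distinct random slot per region.
            slots = rng.sample(range(SLOTS), len(REGION_NAMES))
        else:
            # Static layout: every instance places regions identically.
            slots = list(range(len(REGION_NAMES)))
        self.positions = dict(zip(REGION_NAMES, slots))
        self.by_slot = {slot: name for name, slot in self.positions.items()}

    def locate(self, name):
        """Where a region sits in this instance (what a first probe would learn)."""
        return self.positions[name]

    def region_at(self, slot):
        """What a blind access to a remembered slot actually touches, or None."""
        return self.by_slot.get(slot)


def replay_success_rate(randomize, trials, seed=7):
    """Fraction of fresh instances where a once-recorded target address still hits.

    The address is learned from one instance and then replayed unchanged
    against `trials` new instances, mirroring reuse across devices or runs.
    """
    rng = random.Random(seed)
    recorded = Layout(randomize, rng).locate("target")
    hits = sum(
        Layout(randomize, rng).region_at(recorded) == "target"
        for _ in range(trials)
    )
    return hits / trials


def expected_random_rate():
    """Theoretical reuse probability with a uniformly random target slot."""
    return 1.0 / SLOTS


if __name__ == "__main__":
    print("static layout, replay hit rate:    ", replay_success_rate(False, 2000))
    print("randomized layout, replay hit rate:", replay_success_rate(True, 2000))
    print("theoretical rate for randomized:   ", expected_random_rate())
```

With a static layout every replay succeeds, which is the "locate once, reuse everywhere" property the post warns about. With per-instance randomization the empirical rate falls to roughly 1/SLOTS, and raising SLOTS (more entropy) lowers it further; the other regions also move, so an attack that chains several locations fares worse still. Real runtime randomization additionally has to keep legitimate code working while the layout changes, which this toy does not model.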

AMTD doesn’t replace technology like EDR; instead, it enhances technology already in place with a defense-in-depth strategy and seamless integration into existing technology stacks to catch missed threats and reduce false positive alert volumes. This augmentation is crucial for stopping in-memory, fileless, zero-day, supply chain, and other advanced threats.  

AMTD prevents the 30% of attacks that traditional security misses.

Reducing EDR dependency 

Morphisec AMTD provides protection that requires no prior knowledge of a threat, proactively preventing execution rather than relying on analysis-based, reactive detection. Additionally, it is fully autonomous and does not require connectivity to the cloud for prevention. Its ability to work offline or online provides reliability and redundancy assurance in the event of a larger systems outage.

For teams weighing their options (e.g. staying with their current provider but augmenting security, or vendor diversification), the CrowdStrike and Windows outage underscores the rationale for adopting future-proofed and prevention-first solutions like Morphisec AMTD.

Moving forward, EDR and endpoint protection platform vendors may exercise greater caution and delay in rolling out security updates. Consequently, security and IT teams will likely conduct more rigorous testing before deployment, widening the gap between the evolving nature of attacks and the defense mechanisms in place. 

Stability assurance will be paramount, as will an enhanced defense-in-depth strategy for robust and resilient protection even if updates are less frequent.

Preparing for future outages isn’t about reducing EDR dependency — it’s about diversifying detection and response strategy with a prevention-first approach that ensures blast radius resiliency in the face of any cyber event.  

Schedule a demo today to see how Morphisec can ensure uninterrupted and comprehensive cybersecurity coverage through future outage events. 
