Antivirus protection is a baseline cost of doing business for the modern organization. At first, companies and governments only needed signature-based antivirus that tracked known malware. As fileless malware and exploits accelerated, next-gen antivirus that leveraged AI and behavioral analysis came on the scene to respond.
This leads to organizations having their traditional AV and their next-gen AV often working in tandem to block most attacks. Then endpoint detection and response (EDR) solutions were developed, and billed as the next step in defending the organization from cyberattacks. With the rich data collection and monitoring capabilities, the theory goes, EDR solutions allow organizations to detect and remediate advanced threats before they can cause any significant damage.
The idea that EDR is the next step is, however, fundamentally untrue. If it were, then it’s very likely that more than 36 percent of organizations would have an EDR solution deployed (Ponemon Institute); especially because EDR has been around for the past decade. The reality is that EDR solutions are both too much for most organizations and simultaneously not enough to protect them from advanced threats. Part of knowing why both of those statements are true is understanding what EDR tools are supposed to do.
Understanding Endpoint Detection and Response
Traditional antivirus solutions do one thing very, very well: block malware that has a known signature. In fact, every traditional antivirus solution does this so well that it’s basically become table stakes for the solution class. What these AV solutions don’t do as well is block in-memory attacks or fileless malware; if there isn’t a signature associated with it, traditional AV will often be circumvented. Next-gen AV that leverages AI-driven behavioral analysis is meant to close this gap with traditional AV. NGAV often doesn’t do that very well, but that’s a topic for a different article.
EDR solutions are designed to allow security professionals to detect attacks on endpoints and, in some cases, respond to them. They do this through continuous monitoring of endpoints, as well as recording all activity at the endpoint. Beyond that, the solution class is architected to enable proactive threat hunting for indicators of attack and remediate the changes that external attacks cause.
In that respect, EDR solutions provide an extra layer of security against advanced threats. They empower security teams and SOC analysts with new insights and new tools to respond to them via the added context of rich endpoint data. The problem, though, is that EDR tools don’t actually reduce risk enough to be beneficial unless they are staffed by large and experienced teams of analysts working around the clock that can manually investigate the more than 10,000 alerts per day that these products generate.
Endpoint Detection and Response Is Not Enough
The underlying concept behind EDR is a good idea. Detecting and responding to malware is definitely something that security professionals want to be able to do; they also would like to do proactive threat hunting to determine what kinds of attacks might be entering their system. The problem is that EDR solutions, although good in theory, are not enough to actually protect your organization from the kinds of advanced cyber-attacks that threaten your organization every day.
The market agrees too. Sixty-five (65) percent of the companies who lack an endpoint detection and response solution, according to Ponemon, said they don’t have one because it’s not effective against new or unknown threats. Consider that AV-TEST has collected more than 1 billion distinct types of malware and potentially unwanted applications as of January 9, 2020. There is no real way that any solution can detect every possible variant with any reliability.
In this way, EDR isn’t enough to protect you from cyberthreats. More than the sheer scale of malware though, is the fact that most organizations haven’t taken the basic steps of improving their security processes and baseline IT hygiene. Without that work, EDR isn’t enough to protect you from advanced threats—no matter how good the detection and remediation capabilities are.
Beyond effectiveness, an additional problem is time. EDR tools require an alert to trigger their capabilities, which it does frequently. Although most of these alerts are false positives, each one requires staff time to investigate, determine what happened, and how to deal with the problem. There is no realistic way that most organizations can investigate and remediate each one of these alerts in a timely manner. The only groups who can are the ones with the budget to hire multiple L3 analysts and have eyes on glass 24 hours a day/seven days a week.
Endpoint Detection and Response Is Too Much
At the same time, the data collection that EDR performs results in far too many signals to realistically analyze. Some of this can be automated, but the fundamental truth is that endpoint detection and response solutions require the input of skilled humans to make judgement calls on which alerts to take action on. Given the propensity of EDR to throw false positives, even with automation, this is a massive undertaking for even well-resourced IT departments.
Cost is another major barrier. The cost of EDR per endpoint is higher than most budgets allow; it’s high because EDR constantly needs to ingest and store huge amounts of data, which creates a high cost of goods sold for the vendor that then trickles down to the user. More than that, it also has a high cost because it requires humans to operate. This can be either an in-house security operations center or with a managed services provider; an MSP adds additional services cost on top of the per endpoint cost though.
It’s because of the high cost that one of the few types of companies with the skills to truly benefit from EDR are those with the budget to fully staff a security operations center. And by that, I mean large multinational corporations with an entire floor of a skyscraper devoted expressly to IT security. Yes, managed services providers with EDR capabilities exist and are good for companies who think they need the solutions … but the reality is still that there is a significant human component to gaining value from these solutions.
This doesn’t even get into proactive threat hunting, which is one of the key benefits of EDR. Only 39 percent of companies with an EDR solution, according to Ponemon, use it to proactively hunt for threats on their network. There is simply too much data for almost any organization to realistically go through in order to proactively hunt for cyberthreats.
Moving Target Defense: The Next Step in Protecting Your Enterprise
EDR is great for the organizations who have the budget to either staff an internal team or hire a managed services provider. When you consider that EDR agents are very costly on a per-agent basis, despite dropping in price by 35 percent (Gartner), and services are expensive because they involve putting eyes on glass, it’s clear that EDR isn’t feasible for a majority of organizations.
Since endpoint detection and response isn’t viable for most organizations, andto be honest is only effective for a small number anyway, now we need to consider alternatives. After all, traditional AV has clear gaps around protecting you from fileless malware and the behavioral analysis of NGAV has the potential to be tricked. You need something to fill in that gap, and I propose the answer is moving target defense technology.
Why moving target defense? Imagine, if you will, two signs at a fork in the road. One road leads to a fancy mansion (your organization) filled with rare jewels and tons of money. The other leads off a dangerous cliff. Where traditional security thinking focuses on walls and security cameras around the mansion, moving target defense flips the road signs so attackers go off the dangerous cliff instead of even finding your mansion in the first place.
Moving target defense does the same thing for your application memory. It deterministically blocks threat actors first, and then tells you what attacked your system. There’s nothing to detect because it’s already blocked. It’s far cheaper than EDR on the whole, and often doesn’t require the same level of eyes on glass as those technologies.
Deploying an EDR solution doesn’t, by that act, mean that the organization reduces its intrusion risk in any appreciable way. Especially not if basic hygiene measures are ignored, and the EDR solution is leveraged without the additional investment in personnel. Companies who continue to believe that EDR is some sort of panacea will leave themselves open to intrusion risk over the long term, unless they begin to consider a moving target defense platform that solves the problems EDR was meant to conquer.