Let’s start off by acknowledging that 10 years ago, the EDR brought a major paradigm change in the world of cyber security. It strengthened organizations and their ability to identify, react and recover from an attack faster than the AV and other tools ever could.
The change was built under the assumption that an attack will occur and given the proper tools and information, defenders would be able to identify the attack and recover in a manner of days/weeks and not months.
Back in 2013, when the term EDR was coined, the total amount of malware discovered was around 120M. Today, the total amount is estimated at over 5B samples (yes, that’s a B) and rising, leaving defenders in a losing battle against threat actors.
A new breed of security but with a baggage
- EDR blocks post-execution, it’s [usually] not meant for pre-execution use
- The “Assume Breach” mentality is flawed
- EDR is a reactive and not proactive approach
- EDRs rely on AI/ML which is prone to errors and biased information, and also can be ingested with bad data
- EDRs produce high false positives rates
- EDRs implementation can be exploited or evaded
- EDRs are resource intensive since every action is recorded
So we already know that threat actors are winning, let’s understand why
First, numerous security researchers have stated their ability to find weaknesses in EDR products and bypass their defenses, allowing full control of the endpoint and subsequently the ability to attack it with malware, uninterrupted! Here are a few examples of EDR evasion/exploitation:
Turning EDRs to malicious wipers using 0-day exploits
Blindside: A New Technique for EDR Evasion with Hardware Breakpoints – Cymulate
In addition, through different research, we can understand that in order to provide full defense, defenders need to man the EDR 24/7 and provide constant monitoring, triage, and response in order for it to work more effectively.
Some key points that should alarm us as security professionals:
- An additional 11% of MSPs plan on investing in EDR in the next 12 months, which means EDR adoption could be set to reach nearly two-thirds of MSPs in 2020.
- Maybe no surprise then that only 5% of MSPs said they have a person dedicated to managing EDR.
- 27% said there is no coverage on nights or weekends.
- According to a report from the IDC, 70% of successful breaches start on endpoint devices.
- 42% of the respondents claimed the business changed the staffing, hiring additional security professionals.
The conclusion, EDR has proven to be a needed tool in the fight against threat actors, but lacks the ability to independently prevent attacks making it insufficient enough for organizations and even MSPs & MSSPs to adopt and utilize it to its fullest.
Does this mean I need to drop my EDR?
No, security is a complicated issue and no one should drop their defenses at a moment’s notice just because they’re not bulletproof (FYI, nothing is). EDRs may be needed in regulated environments and bring certain capabilities that will enhance your security team & visibility of the environment in case of a successful attack.
What are the alternatives?
Deceptive Bytes shifts the paradigm again in cyber security with its prevention-first approach, using evasion techniques against the malware itself and reducing the dwell time to identify the attack & mitigating it to zero, giving defenders much needed time to focus on other security aspects of the organization.
Also, when malware tries to identify and evade your current EDR solution on the endpoint, it will provide Deceptive Bytes a high-fidelity warning of a malicious actor inside the endpoint and it will be instantly blocked.
Embracing a multi-layered approach!
Different solutions in the organization can stop threats in different systems, even prior to them reaching the endpoint. Whether it’s a gateway solution, email protection, sandbox environment, network, etc., and if a threat has reached the endpoint, AV has a ~20% chance of identifying it, EDR has a better chance than the AV but it can’t guarantee 100% identification. And when all else has failed (and at some point they will), Deceptive Bytes’ malware prevention rate is over 99.9% which strengthen the security posture of the organization while reducing their operational burden, costs & time to prevention.
Conclusion:
EDR, despite its limitations, plays a role in the fight against threat actors, especially in regulated environments. However, organizations must acknowledge its shortcomings and implement a multi-layered security strategy that integrates additional solutions to create a robust defense posture. By doing so, organizations can enhance their security, mitigate risks, and stay ahead of evolving threats in an increasingly challenging cyber landscape.