EDRs, the new Sherlock of cybersecurity
Cybersecurity calls on a whole range of tools to deal with the diversity of sources, vectors and types of cyber attack. Like the layers of an onion, organizations stack different specialized tools to provide the broadest possible functional coverage for their cyber defense strategy.
What began with anti-virus and firewalls in the 80s, has diversified into a dozen or so types of tools and acronyms, evolving regularly in line with technical and marketing innovations, to end up in a landscape where it's not always easy to find your way around.
The aim of this series of articles is to shed light on the latest acronyms in cyber security, combining feedback from the field and industry experts to provide a clear, practical and "0-bullsh.t" vision.
In this first issue, we explore EDRs, or Endpoint Detection and Response, the latest solution for protecting workstations and servers.
This article is also a summary of our podcast with HarfangLab, one of the first EDR solutions in France, available here.
Definition of BDUs
Endpoint Detection & Response solutions specialize, as the name suggests, in detecting and mitigating threats to endpoints (computers, servers and, in some cases, mobile devices).
Theorized in 2015 by Gartner, EDRs are an evolution, if not a revolution, of antivirus software, helping to protect workstations (but also servers).
Since antivirus products are based mainly on file signature analysis, they were quickly overtaken by malware that modified its source code on the fly (polymorphism). Similarly, the emergence of "fileless" malware, i.e. malware that writes directly to the computer's memory without creating any files, has rendered antivirus software totally useless.
EDRs are the answer to detecting next-generation malware
Unlike antivirus software, which mainly looks at file signatures, EDRs take a much broader, systemic approach. These days, the EDR is an agent that runs on different machines (PC, server etc.) and will focus on 3 elements:
- user or system behavior: a process that starts or writes to places where it's not supposed to. A user making dozens of connection attempts at unusual times. In short, any suspicious behavior outside the computer is likely to generate alerts on the administrator's side.
- indicators of compromise: these are IP addresses, domains identified as malicious, suspicious traffic sources, unusual protocols, etc. the EDR uses threat databases or known threat sources (YARA databases, IP/URLs known to be malicious, etc.) to raise flags when it finds occurrences.
- signatures: much like antivirus software, the EDR is on the lookout for unsigned software binaries or files with known dangerous signatures, to attract the attention of administrators.
An architecture that requires SOC or MSSP teams
EDR, by definition, analyzes a large volume of data to identify unusual or suspicious signals: log files in particular. The agent will subscribe to various sources of information on endpoints, such as audit logs, security logs, application logs, OS activity logs (Windows, Mac, Linux), to search for suspicious types of behavior.
Multiply that by the number of machines to be analyzed and you get a huge volume of data that the user can't interpret.
An EDR therefore needs a dashboard or administrator's console that will bring together all the telemetry and alerts reported by the various agents running on the machines, and enable a human operator to investigate the alerts, classify them (false positive or true danger) and take appropriate action. The dashboard will run on an independent server, either within the customer's own IS infrastructure, or in the cloud, and operated by an MSSP if the customer does not have in-house expertise. Unlike antivirus or EPP, EDR is a managed solution.
How does it differ from antivirus or EPP?
In addition to focusing mainly on file signatures, antivirus/EPP do not allow for investigation or forensics. Similarly, remediation (file deletion, quarantine, process shutdown) is also automatic.
Modern attacks are more subtle and difficult to detect than in the antivirus era. It is therefore essential to offer a human operator the possibility of investigating, classifying and documenting alerts before making a remediation decision. An EDR puts the SOC operator in charge of deciding what action to take. Nevertheless, depending on the rules, types or criticality of the alerts or configuration, it remains possible to take immediate action without waiting for human intervention.
Are BDUs magic?
Although essential, EDRs are neither sufficient nor infallible. Increasingly intelligent malware, or threat databases that aren't necessarily up to date in time for attacks, mean that several additional layers of protection are needed to cope with the onslaught of cyber threats we face today.
Filtering solutions, such as Olfeo Saas, help block threats before they reach workstations, and are a powerful complement to EDRs for ensuring employee security.
Who are the major French BDU players?
- Tehtris:
Tehtris offers a complete cybersecurity solution that includes an Endpoint Detection and Response (EDR) platform. Their approach focuses on detecting and responding to advanced threats. The Tehtris EDR solution offers real-time monitoring of endpoint activity, behavioral detection, and automated response capabilities to counter sophisticated attacks. The integration of artificial intelligence and machine learning helps strengthen threat detection capabilities.
- HarfangLab:
HarfangLab offers a complete security solution for enterprises, and their offering includes an EDR solution for endpoint incident detection and response. HarfangLab's EDR solution focuses on early detection of threats using behavioral detection mechanisms and advanced analysis techniques. It aims to provide in-depth visibility of endpoint activity to enable rapid response to security incidents.
- Stormshield:
Stormshield offers a range of cybersecurity solutions, including an EDR solution called Stormshield Endpoint Security. This solution aims to protect endpoints against a wide range of threats, including targeted attacks. It integrates behavioral detection, exploit prevention and incident response capabilities. Stormshield also focuses on endpoint activity visibility to help organizations better understand and counter threats.