Why EDR?

Companies today know that compromise is inevitable. An endpoint protection platform (EPP), such as a traditional antivirus (AV) or next-generation antivirus (NGAV), is the first step for stopping threats at the door. But given the sophistication of today's threats, an EPP does not and cannot prevent every threat from reaching the endpoint.

This is where Endpoint Detection and Response (EDR) fits in. The goal of EDR, as its name implies, is to detect a threat that has already gotten past prevention and respond to it, reducing the threat's dwell time: find it once it is inside the corporate network and remediate it as fast as possible. Combining EPP and EDR provides several benefits:

Prevention

Prevention against malware, exploits, malicious scripts and macros, including previously unseen (zero-day) samples.

Detection

Commodity hacking tools such as Mimikatz, PowerSploit and others leave in-memory and behavioural patterns that are readily detectable.

Investigation

The endpoint agent continuously monitors and records logon activities, internal and external communications and process executions, providing rich investigation context.

Operation

EDR can replace the existing AV outright, since all AV functionality is a small subset of the EPP/EDR offering.
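To make the Detection and Investigation benefits above concrete, here is an added example (not code from the original page or from the whitepaper) of the kind of logic an endpoint agent applies to the telemetry it records. It runs two credential-theft checks over a constructed batch of events whose field names are modelled on Sysmon's process-create and process-access records (Image, CommandLine, SourceImage, TargetImage, GrantedAccess); the hosts, paths, PIDs and the LSASS reader allowlist are assumptions for the example. One check matches Mimikatz module names in a command line, which survives renaming the binary; the other flags any non-allowlisted process that opens lsass.exe with PROCESS_VM_READ. Each alert carries the process chain back to its root so an investigator gets context, not just a hit.

```python
import re

# Constructed sample telemetry (Sysmon-like field names; paths and PIDs invented).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1200, "ppid": 0,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"type": "process_create", "pid": 4000, "ppid": 1200,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Mimikatz renamed to look like an updater; the module names still appear.
    {"type": "process_create", "pid": 4100, "ppid": 4000,
     "Image": r"C:\Users\bob\Downloads\svc_update.exe",
     "CommandLine": 'svc_update.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    # 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010)
    {"type": "process_access", "SourceProcessId": 4100,
     "SourceImage": r"C:\Users\bob\Downloads\svc_update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: query-only access from a system process, no VM_READ bit.
    {"type": "process_access", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Mimikatz module prefixes (module::command syntax) that survive renaming the binary.
MIMIKATZ_MODULES = re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos|crypto)::", re.IGNORECASE)
PROCESS_VM_READ = 0x0010
# Assumed allowlist of processes expected to read LSASS memory on this host.
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
}


def process_chain(pid, procs):
    """Walk parent links from pid to the root, returning image file names."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["Image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return a list of alerts, each with the rule, offending PID and process chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create" and MIMIKATZ_MODULES.search(e["CommandLine"]):
            alerts.append({"rule": "mimikatz_cmdline", "pid": e["pid"],
                           "chain": process_chain(e["pid"], procs)})
        elif e["type"] == "process_access" and e["TargetImage"].lower().endswith("\\lsass.exe"):
            access = int(e["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and e["SourceImage"].lower() not in LSASS_READER_ALLOWLIST:
                alerts.append({"rule": "lsass_read", "pid": e["SourceProcessId"],
                               "chain": process_chain(e["SourceProcessId"], procs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["chain"]))
```

Both alerts point at PID 4100 with the chain svc_update.exe <- cmd.exe <- explorer.exe, while the svchost.exe access is ignored because its granted-access mask lacks PROCESS_VM_READ. A real agent also has to handle tools that avoid the command line entirely (reflective loading, direct syscalls), which is why vendors pair these rules with the in-memory pattern matching mentioned above.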

According to Gartner, an EDR is defined as having four main capabilities:

  • Detect endpoint threats
  • Contain the threat at the endpoint
  • Investigate security incidents
  • Remediate the endpoint

“By the end of 2023, more than 50% of enterprises will have replaced older antivirus products with combined EPP and EDR solutions that supplement prevention with detection and response capabilities.”

While EDR has a lot of promise, it also has several shortcomings. As a CISO you need to be aware of these gaps before implementing an EDR solution so you can plan how to close them. It is important to understand that each company is unique, and the EDR that suits one company's environment is not necessarily the best one for another. This is even more true for companies with small security teams, which typically have a greater variety of security tools already installed and fewer resources to address the operational issues an EDR solution brings.

To read the full analysis, download the whitepaper:

The Dark Side of EDR
