CMI #6 - Endpoint Detection and Response (EDR)

Few frontiers in cybersecurity are as highly attacked and as highly defended as the computers and mobile devices we use in everyday life (like the one you’re on now). Let’s unpack the Endpoint Detection and Response (EDR) space and all it entails.

Mike P
Mike P

Table of Contents

Terms You Might Hear

Problem Statement

  • Most compromises happen at the endpoint. Someone clicks a malicious link or opens a malicious attachment in an email, someone is served malware from a compromised ad network on a legitimate site, etc. The endpoint is the jump-off point for lateral movement, escalation of privileges, and subsequent attacks leading to further compromises.
  • Endpoints are fluid and can come on and off your corporate network. As such, keeping tabs on your corporate endpoint footprint from a security and operational standpoint is a huge challenge. The bigger or more distributed the workforce, the more fluid and complex this becomes.
  • Traditional endpoint security tools like anti-virus (Anti-virus has long been dead) and "next-gen" malware protection only give you a small piece of the puzzle regarding the overall state, health, and security of an endpoint. Companies have to use a host of other tools (often managed by non-security teams) to cobble together a complete picture of what's happening, making detection, response, and containment a significant challenge on security teams.

Market Solutions

Enter the Endpoint Detection and Response (EDR) product market space.

  • EDR products combine both endpoint malware protection, file and integrity monitoring, and endpoint management solutions. They continuously or periodically scan or query, detect, inspect, or act on suspicious or malicious activity on endpoints. They focus on the devices employees use every day – think laptops, servers, and critical business devices.
  • EDR products give a real-time view of an environment and take remediation or proactive actions on endpoints. EDR products can give visibility into both the operational and security health of an endpoint.
  • EDR tools are excellent for cross-checking other security or manageability tools on systems and can often perform maintenance or health checks if there are breakdowns anywhere in the endpoint security stack.
  • EDR products let you take a more active and comprehensive approach to security. You can actively and passively scour your endpoints for Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTP) and take necessary actions.

We can’t talk about EDR without talking about Managed Detection and Response (MDR) in the same breath.

  • MDR sounds like just a managed version of EDR, but MDR is not a technology itself – it's a service, a service focused on threat detection, remediation, and response. An MDR service will continuously monitor your network and endpoints to detect and respond to cybersecurity threats.
  • MDR is a collection of technologies (SIEM, IDS/IPS, Network Traffic Analysis, etc.) combined with people and technology to monitor and respond to alerts. Each vendor will have a slightly different set of capabilities similar to what the Managed Security Services Provider (MSSP) concept has promised.
  • Some vendors will offer a cloud-hosted and managed version of their EDR products, effectively making them "Managed Endpoint Detection and Response (MEDR)" players. See how complicated this product space can be?

Where does Extended Detection and Response (XDR) fit in?

  • XDR is an EDR or MDR platform that collects data from network security sources and correlates threat indicators. Think across email platforms and firewall or IDS/IPS devices to give you more accurate context and reduce the responding teams' burden.
  • XDR platforms are built on large, cloud-based data warehouses that store and correlate data from different sources to surface threats.

Players in the Space

EDR

MDR

XDR

Product Space Predictions

  • XDR capabilities will become a standard part of EDR platforms. Most EDR products already integrate with a few network security controls out of the box via API connectors, so extending these capabilities is an easy step. Deeper partnerships and alliances in the industry amongst network security players and endpoint security players will make acquisitions more likely.
  • Internet of Things (IoT) and EDR combinations will win out. It's not just the managed endpoints you need to protect; it's everything else on your smart/connected network that you need to worry about too. Armis is already doing this.
  • That's Dr. EDR to you. There will be a rise in medical/hospital applications in this space specializing in defending IoMT (Internet of Medical Things) devices. The IoMT space is expected to reach $72.02 billion in 2021, at a compound annual growth rate of 26.2%. The devices are different, the use cases are complex, and the implications of failure can be dire.
  • Cloud Service Providers (CSPs) have the strongest hand when it comes to XDR. XDR promises correlations at the network and cloud workload level. Do you know who is good at cloud things? You guessed it. Microsoft has the edge over the other CSPs as they have a dominant foothold in endpoint computing, collaboration, and Infrastructure-as-a-Service (IaaS) domains. If you are already a heavy Microsoft shop on the previous fronts, this is a no-brainer if you're looking to upgrade your security posture.

Product Space Opportunities

  • Combine EDR with anti-phishing workflows. Where do the two most impactful threat vectors originate? That's right, on the endpoint and via email. Think of it as a lightweight SOAR platform without all the investment of time, money, and people needed to stand up and operate a SOAR platform. PhishBarrel comes to mind as a potential integration target.
  • Get rid of agent bloat and be more lightweight. Run agentless like Ansible and have less client impact. The fewer agents that go on and endpoint, the easier to troubleshoot and operate for tool administrators.
  • Integrate or extend EDR with Mobile Device Management (MDM) platforms. MDM platforms are moving to provide more threat intelligence data, and the number of threats targeting mobile devices has only skyrocketed. Bring these separate houses together and check out the MITRE ATT&CK Framework for Mobile if you want a deep dive.
  • Move from MDR to a Cybersecurity-Program-as-a-Service model. As a business owner or someone working at a small business or startup, It's not hard to imagine paying a flat monthly fee for an entirely managed cybersecurity program. Don't just manage my endpoints but manage my Cloud Service Provider (CSP) configurations, track vulnerabilities, track patching, and track compliance requirements. And while you're at it, give me a SaaS dashboard to view all of this myself. Cyvatar is already trying to do this.
  • Combine with automated security and compliance platforms like Vanta. For the cloud-first, digital-native startups of the world looking to get SOC2 compliant and go a bit further on security. Having an EDR platform that can help you monitor and enforce compliance and security practices can bring tremendous benefits beyond traditional anti-virus.

Key Insights

  • In Issue #3, we talked about how remote work is here to stay and how that has added additional burden to Security Operations Center (SOC) teams—having a mostly or fully remote workforce that once has complicated the endpoint detection, response, containment, and remediation process. Combine this with how COVID-19 brought about changes in cybercriminal activities, and you can't afford to not have an EDR/MDR solution in place.
  • This is the land of giants. Looking at the players in the market, you can see that most are very late stage in the EDR space, leaving little room for new entrants into the market. The MDR space has the potential for disruption still in the race to capture the largely underserved mid-market, however, many EDR players are starting to offer MDR options as well.
  • The XDR concept is a new marketing spin on an existing capability set within EDR platforms in an attempt to stand out. Remember how crowded this market space is? This is an attempt to "extend" coverage to the network security side of the house. It triggers action on the network when there are endpoint events and vice versa.
  • Managing Agent Drift. Any technology that relies on an endpoint agent installed will always have drift and saturation coverage issues with deployment. You can't detect and respond if you can't see the endpoint, so you need upstream installation and downstream monitoring and remediation workflows for systems without agents. Unchecked drift is one of the most common and fundamental failings of endpoint security implementations, and you cannot underestimate the operational toll this requires.

Pro Positions

What type/size/stage company should leverage these platforms?

  • Startups - this technology isn't the first purchase you should make. You'll be better off doing other basics like enforcing SSO with your identity provider wherever possible, enabling multi-factor authentication (MFA), and focusing on employee education around phishing. This should be be fast follow here.
  • Small and Medium-sized Businesses (SMBs) - your best bet is getting an MDR solution to take advantage of the force multiplier. Having a service that monitors, detects, and responds for you will give your smaller IT staff more leverage.
  • Larger Companies - you will get the most out of an EDR platform that is a tool in the toolbox for your security operators and analysts. You'll need centralized logging and monitoring platforms and detailed procedures to make the most use of this threat intelligence data. If you purchase an enterprise-class EDR platform, the chances are that you'll have XDR capabilities already with other security products in your environment.

What makes one of these platforms “good?”

EDR

  • Look for platforms that can sunset other disparate technologies but avoid retrofits that require reconfiguring or upgrading an enterprise-sized security posture. Go for the platforms that can integrate into your current environment the best.
  • Is the interface complex? You want to make sure that you can generate quick reports on historic data and not hours at a time because nobody has any time these days.
  • Look for what it can do outside of a pure security space. How can it lead to collaboration and help with security-adjacent functions like patching and IT operations? How can it help security and keep the lights on for the business?
  • Pay special attention to how it works in a cloud environment versus just working well with traditional VMs or on-premise servers.

MDR

  • Differentiating factors here include having a sledgehammer coverage as opposed to a scalpel. Scalpel products mean I need other products to compensate for what one product can't do, and these should be used sparingly in an enterprise environment. I need the highest degree of integration without having to change my entire technology stack.

Out of the Players listed, who are the top to consider?

References

  • EDR - and what you need to know about it.
  • MITRE - and the ATT&CK Framework for Mobile.
  • Mobile Device Attacks - and how much they have risen over the years.
  • Cybercrime - and its evolution during COVID times.
category-report