Legacy EDR. Yes, it’s a thing

Sponsored Thirty years ago, the industry birthed networked antivirus (NAV), which later morphed into endpoint protection (EP), managed using endpoint protection platforms (EPPs). More recently, this era has faded as endpoint protection and response (EDR) and managed detection and response (MDR) services become the industry standard.

Now, in 2021 the dial has turned yet again and enhanced EDR has arrived, closely followed by extended detection and response (XDR), which adds network and cloud monitoring to the mix.

Each generation is bigger and better than the last, taking in more types of endpoints with more integration and visibility between the different layers in the security hierarchy. Having trouble keeping up? Nobody could accuse the security industry of lacking creativity when it comes to inventing initialisms that promise to stop the rot afflicting endpoints, a category that now includes an expanding family of connected and mobile devices and not only PCs and servers.

Many organisations find themselves using more than one of these security generations at the same time, which might include several versions of EDR alone. But as the evolution of endpoint security has quickened in the last decade so the risk of confusion has grown. What’s especially mystifying is that despite all this verbal and technical ingenuity successful attacks keep coming with no slowdown looking likely.

It remains an uncomfortable fact that a large percentage of successful cyberattacks start or pivot by exploiting weaknesses in endpoint security. In the past, endpoints were a sitting target. This remains true despite successive generations of expensive detection and response. The issue for customers is how to assess the state of their own EDR implementation and where its blind spots and inefficiencies might lie.

What’s influenced each tweak to EDR is the extraordinary evolution of malware from chunks of code that could compromise Windows computers one at a time to modular platforms that can undermine entire wide area networks and the businesses, critical infrastructure, and even governments that depend on them. The industry measures this damage by counting threats, grouping them by type (fileless malware, ransomware, keyloggers, etc.) delivery mechanism (phishing attacks, attachments), and motivation (nation state, extortion).

An alternative and arguably more relevant measure is to look at the outcome and scope of attacks. On that score, something is clearly wrong, acknowledges Patrick Grillo, Senior Director, Solutions Marketing at Fortinet, a company betting big on the idea that the limitations of first-generation EDR systems can be soothed by migrating to enhanced EDR.

“There is no one technology,” he says before slating what he calls the silver bullet theory of network and endpoint defence. “By itself, an EDR system will do its job but stop at the limits of doing its job.”

The limits of EDR

The fundamental struggle has always been to define what malicious software is when the possibilities are infinite, and many threats today hijack legitimate applications and credentials to spread further. The NAV industry started more than 30 years ago with the concept of looking for patterns of code which could be turned into signatures. Polymorphism quickly undermined that even though companies such as Fortinet developed heuristics that could detect variations on the same theme. Pretty quickly, however, the complexity and volume of attacks overwhelmed even this, so EPP platforms emerged to monitor endpoints within their environment by correlating behaviours (process injection, modified registry keys, attempts to disable AV) with unusual network communication.

Eventually, next generation anti-virus (NGAV) appeared as a feature inside firewalls to impose lateral control between network segments. Some of this detection worked well enough but the principles were largely static ones such as application and file allowlisting/blocklisting, sandboxing, and perhaps behavioural analysis.

An obvious drawback was response and investigation; even when threats were detected affecting endpoints, the next problem was reacting to them quicky enough and working out if other endpoints were part of the same attack. EDR stepped into this breach, where it remains today. It’s not always easy to explain the difference between each generation, given that many earlier techniques remain in use, but the selling point for EDR systems is that they can put a single detection in a wider context that gives defenders an idea of how deep an attack has travelled.

This approach is probably correct. Detections are rarely isolated and quickly spread, which means that multiple endpoints will be involved. The kill chain of any attack involves multiple steps, each one of which will leave traces - so long as defenders have the tools to uncover them. EDR, the argument goes, is a way of giving security operations centre (SoC) teams that visibility.

And yet, “by itself, any amount of first generation EDR telemetry will not stop ransomware from getting into your network,” points out Grillo, aware that the depressing stats are on successful attacks against apparently well-resourced companies back him up. That’s because many earlier EDR systems solve one set of problems by creating a new more demanding set, namely alert overload and complexity.

“Some EDR systems are susceptible to raising alarms on false positives but would drive security managers crazy trying to figure out what an alert meant.” That’s why, says Grillo, Fortinet uses the well-regarded UEBA (user and behaviour analytics) tech acquired with ZoneFox in 2018 across its entire platform to weed out detection from background noise.

Vanilla EDR, then, solves the problem of visibility by creating more data. But the more data you can see, the more data you must analyse, which means not only adding machine learning to make sense of it all, but more security people to make decisions based on those findings. In theory, some of this can be automated out of existence with clever rulesets but a complaint with many first-generation EDR has been that this eats engineering time and skills.

Tweaks to the model appeared, for example adding threat intelligence and better remediation capabilities but none of these could overcome the reality that even in a well-resourced organisation the complexity of EDR systems often means they can be difficult to implement. According to a 2020 study by analysts Enterprise Strategy Group cited by Fortinet, 83 per cent of enterprise respondents agreed that using EDR effectively requires advanced security skills while 78 per cent agreed that their EDR projects had been more complex to implement than anticipated.

Another biggest grinch is that basic EDR is too slow. It can tell defenders what went wrong if they have hours or even days to conduct a breach investigation. Of all the failures that catch out victims, it is probably this one that does the most damage. Extra data, threat models, and fancy analysis is no good if it is applied minutes or hours behind the compromise it was deployed to detect and contain.

Salvaging EDR

EDR marketing often struggles to fully explain how second-generation EDR is better than the systems already in use but really it comes down to the fact that vendors have finally tweaked the architecture to counter how modern cyberattacks unfold as opposed to the vague and idealised concept of a ‘threat’.

At the heart of this evolution is the ‘playbook’, a set of procedures that organisations can use to design how their EDR should respond in an automated way when it thinks it has detected something worthy of further investigation. Although security orchestration, automation, and response (SOAR) platforms appear to achieve the same thing, those are about higher-level analysis and automation rather than immediate reaction. It is the EDR system that will act as the tripwire telling defenders that there’s a problem.

Ironically, after years when traditional anti-virus came to be seen as ineffective, this still rests on the capabilities of a vendor’s detection endpoint client. “Effective EDR works at the kernel level, it’s signatureless, and it uses machine learning. It has the capability to react on its own,” says Grillo. This allows it to terminate a suspicious process, delete files or isolate that device within a second of a detection, something that traditional EPP and even some earlier EDR would not do without SoC investigation first.

In theory, this runs the risk that false positives turn into an inadvertent denial of service if too many machines are isolated at once, but unlike first-generation EDR the second generation should also be able to conduct rapid clean-up or rollback to get a machine up and running again without disconnecting it. Alternatively, this is where third-party MDR services come into their own, allowing remote human investigation without distracting the core SoC people.

“Fortinet uses machine learning to shorten the decision making process but never to the point of letting the machines take over the entire operation, “comments Grillo.

Increasingly, endpoint security has become only one part of a much larger system, which in Fortinet’s case is the company’s Fortinet Security Fabric, a broader architecture that integrates endpoint security and EDR with other areas of security such as the cloud, firewalls and switches, authentication, SIEM, and wireless access. This type of system isn’t the proprietary security architectures of old that swamped customers with a one size fits all approach a decade ago and ideally should be able to integrate with equipment from other vendors.

The mistake made with EP and EPP was to see protecting endpoints in isolation, something that could be contained as a special case. Surely, if defenders have learned one thing it’s that the security silo approach never worked. Defenders must see the whole network and every event that happens on it in its context regardless of which device, service or application generated it. This will be the test by which enhanced EDR must be assessed: does it mark the moment when networks become a complete security space and not simply a series of leaky domains?

Sponsored by Fortinet