I get it. This sounds like another sales pitch for the latest buzzword in the IT industry. But let me show you why Endpoint Detection and Response (EDR) is the next generation of anti-malware solutions, and why all businesses will be carving out a section of their annual budget for it if they haven’t already.
To better understand EDR, why it exists, and how it’s an important element of your overall cyber security strategy, we’ll first examine how anti-malware solutions have evolved over the years.
In the beginning
During the late 80s and throughout the 90s, antivirus (AV) applications started coming onto the market from providers well-known today, such as McAfee and Norton. The AV solutions of this time were primarily based on signature-based scanning and detection.
Signature-based AV involved the AV vendor having a team dedicated to detecting and investigating the latest computer viruses. Once identified, they’d create a unique signature which corresponded to that virus. Signatures were usually made up of hash values of files or known unique strings of characters found within a malicious file (more information about hashing can be found here: https://www.sentinelone.com/cybersecurity-101/hashing/).
The AV applications would receive updates from the AV vendor, usually daily or weekly, containing the signatures of the latest known computer viruses. The AV applications were usually configured to run a scan of the computer’s files at periodic intervals or after certain events like computer startup, file execution and when removable media was connected. During a scan, files on the computer would be compared to the entries in the signature database, and if there were a match, the AV application would usually act to quarantine or delete the suspicious file.
But there were two main downsides to the signature-based approach. First, it only operated on known malicious files, meaning the malicious files were usually already in circulation before an AV vendor found them, built a signature, and then deployed the signature to their AV applications. Second, it was relatively straightforward to evade detection. Utilising encryption, obfuscation, and other techniques, the content of the file could be changed enough to prevent a successful match with an entry in the signature database. Signature-based scanning is now deemed too weak on its own to protect endpoints from today’s cyber-attacks, but it is still often used as part of a multi-layered approach.
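To make the two downsides concrete, here is a small signature scanner written for this post (it is an added illustration, not code from any AV vendor). It implements the two classic signature types described above, whole-file hashes and unique byte strings, and runs them over constructed sample "files" that contain no real malware. The names "Demo.Trojan.A" and the marker string are invented for the example. Altering a single padding byte is enough to defeat the hash signature while the string signature still fires, which is exactly why vendors layered several signature types and why altering the strings themselves (via obfuscation or encryption) defeats the approach altogether.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" for the demonstration only; these are not real binaries.
MALICIOUS_SAMPLE = b"MZ\x90\x00" + b"EVIL_MARKER_STRING_v1" + b"\x00" * 16
BENIGN_SAMPLE = b"MZ\x90\x00" + b"hello, world" + b"\x00" * 16
# The same sample with one padding byte altered: the hash changes, the marker string does not.
MODIFIED_SAMPLE = MALICIOUS_SAMPLE[:-1] + b"\x01"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the simplest kind of AV signature."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SignatureDatabase:
    """Two classic signature types: whole-file hashes and unique byte strings."""
    hashes: dict = field(default_factory=dict)   # sha256 hex digest -> signature name
    strings: dict = field(default_factory=dict)  # byte pattern -> signature name

    def add_hash(self, data: bytes, name: str) -> None:
        self.hashes[sha256_hex(data)] = name

    def add_string(self, pattern: bytes, name: str) -> None:
        self.strings[pattern] = name


def scan(data: bytes, db: SignatureDatabase) -> list[str]:
    """Return the names of matching signatures, each prefixed with the signature type that hit."""
    hits = []
    digest = sha256_hex(data)
    if digest in db.hashes:
        hits.append(f"hash:{db.hashes[digest]}")
    for pattern, name in db.strings.items():
        if pattern in data:
            hits.append(f"string:{name}")
    return hits


def build_demo_db() -> SignatureDatabase:
    """Signature database containing both signature types for the constructed sample."""
    db = SignatureDatabase()
    db.add_hash(MALICIOUS_SAMPLE, "Demo.Trojan.A")
    db.add_string(b"EVIL_MARKER_STRING_v1", "Demo.Trojan.A")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for label, sample in [("original", MALICIOUS_SAMPLE),
                          ("modified", MODIFIED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(f"{label:9s} -> {scan(sample, db) or ['clean']}")
```

Running it shows the original sample matched by both signature types, the modified copy matched only by the string signature, and the benign file reported clean. Note that nothing here can flag a file the vendor has never seen, which is the first downside in action.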
Responding to the evolving cybersecurity landscape
AV vendors realised that with signature-based detection techniques, cyber criminals were always one step ahead. So, to help reduce that gap and sometimes be ahead of the cyber criminals, new methods started to gain traction, such as heuristic-based scanning and detection.
Heuristic-based methods were designed to identify potentially malicious files without requiring a signature database. They examined a file’s properties and functions using algorithms and known cyber-attack patterns to determine whether the file or software was doing something suspicious. If a suspicious file was identified on the endpoint, the AV application would usually flag the file and notify the user or administrator, prompting them to investigate further or to choose from a list of actions, such as ignore (false positive), quarantine, or delete the file.
Whilst heuristic-based methods are still widely used today and can detect some unknown malicious files, they still rely on knowledge of known cyber-attacks and how they function. This means newly developed cyber-attacks that use unknown methods of operation evade detection. It also relies on the detection engines being finely tuned, as they can sometimes flag a legitimate or trusted file as potentially suspicious, wasting time and resources on investigation.
Where we are today
Unfortunately, we often see attacks that can evade a traditional AV solution today. Examples of these types of attacks include:
- Fileless malware – malware that can operate without leaving traditional files on the system.
- Advanced Persistent Threats (APTs) – these are usually targeted, long-term attacks that can use custom-built malware and often remain undetected for an extended period.
- Ransomware – malware that usually blocks access to computer systems or data in exchange for a ransom.
- Insider threats – threats which originate with authorised employees who intentionally or accidentally misuse their access.
- Data Exfiltration – unauthorised data transfer, usually from one authorised computer system to a remote unauthorised computer system.
- Polymorphic malware – malware that continually changes its code but maintains its malicious outcome.
This is where EDR solutions step in and help prevent attacks like these from successfully achieving their goals. EDRs typically use behaviour-based detection methods, looking at the overall behaviour of one or more endpoints to help identify attacks.
Taking the same list of examples, here is how an EDR solution can help detect these attacks:
- Fileless malware – EDR solutions can detect suspicious behaviour like unauthorised code injection into legitimate processes or abnormal memory usage associated with fileless attacks.
- Advanced Persistent Threats (APTs) – EDR solutions can detect the behavioural patterns of APTs, such as lateral movement within a network.
- Ransomware – EDR solutions can detect the rapid encryption of files across the network.
- Insider threats – EDR solutions can identify unusual behaviour, such as employees accessing sensitive data they wouldn’t usually access.
- Data Exfiltration – EDR solutions can detect large or unusual data transfers.
- Polymorphic malware – EDR solutions can detect malicious behaviour patterns even if the malware code keeps changing.
So how does EDR work?
At a high level, EDRs typically work in the following way:
- Data collection – EDRs operate in real time, collecting a wide range of data from their endpoints such as network activity, process activity, authentication attempts, file/folder changes, and much more, and sending it to a secure, centralised location, usually hosted in the cloud.
- Data analysis – With the continuous feed of data from the endpoint devices, the EDR solution can establish a baseline of activity to help identify any future anomalies in behaviour. Leveraging the vast number of endpoints and data EDR solutions consume, they also utilise Artificial Intelligence and Machine Learning techniques to identify suspicious patterns or cyber-attacks, even before they’ve had a chance to establish themselves and cause disruption.
- Response – Once a potential attack has been detected or flagged, IT teams are notified and can set about investigating the issue, following recommended guidelines or investigation techniques, and even utilising advanced actions such as remotely isolating all affected endpoints to prevent the attack from spreading.
EDRs are also not brand-new technology solutions. They’re at that sweet spot in time where they’ve got through the initial years of testing and development to where they are today: proven and effective tools for detecting and responding to the more advanced and unknown cyber-attacks. So now really is the time to start planning your implementation of EDR.
At bzb IT, we recommend Microsoft’s EDR solution, Microsoft Defender for Endpoint. This can be licensed in several ways:
- Microsoft Defender for Endpoint Plan 2 – Not the best in terms of value, but it does get you access to Microsoft’s EDR solution.
- Microsoft Defender for Business – Only available for SMBs (up to 300 users) but provides much greater value. You get access to Microsoft Defender for Endpoint for a lower price than ‘Plan 2’ above and you also get other solutions bundled in, such as threat and vulnerability management, and next-generation antivirus protection.
- Microsoft 365 Business Premium – This is the license bzb recommends for most organisations, as the value provided in this license is incredible. We could easily write another blog post about what this license includes, but some key features include Azure Active Directory Premium P1 (advanced identity management), Intune (Mobile Device Management), Defender for Business (as listed above), Defender for Office 365 (advanced email protection), Office applications (Word, Excel, SharePoint, OneDrive, etc.) and more!
So, speak with us today to find out how we can get started implementing and managing your EDR solution.