EDR: The Security Camera of the Enterprise Network

David Feldman, CEO of CYBONET

The concept of Endpoint Detection and Response (EDR) has become central to the global cyber and information security world in recent years. For example, in June 2017, Gartner Inc. included EDR as one of the top ten information security capabilities in 2017 and estimated that, by 2020, 80% of large organizations and 25% of mid-sized organizations would invest in these capabilities.

EDR is the generic name for a class of tools and solutions that focus on detecting, investigating and responding to suspicious activity and information security problems on the host computers and endpoints of an enterprise network. As a set of solutions that provide continuous threat detection and handling, it fulfils a function parallel to the combination of a security camera, which identifies threats, and the security guard who neutralizes them, as found at banks, supermarkets and other businesses.

In the case of digital threats, the work of EDR solutions is more challenging than that of a security camera. There is growing evidence that advanced attackers may dwell inside enterprise networks for up to 250 days before they are detected. Like a security camera, EDR solutions create a searchable record of the actions taken on endpoints and critical servers, such as process launches, file changes and network connections. Even if the attackers damage the endpoint or delete their local tracks, EDR solutions preserve the chain of events for later investigation, provided the telemetry is forwarded off the host as it is generated rather than stored only on the machine the attacker controls.

The critical question is: what is the functional and technological difference between a cyber defense array with EDR and one without it? There are numerous differences, but for illustrative purposes we will focus on three critical areas.

In overview, EDR comprises technologies that enable the fastest automatic detection of cyber threats and thorough investigation in both directions: forward, from an initial foothold to the present state of the network, and backward, from a detected event to its origin. To illustrate, strong EDR solutions can, within seconds, locate an event or indicator across a network of tens of thousands of workstations.

With the help of visualization tools, sandboxing and other means, EDR diagnoses the root cause of a cyber event. Firstly, the EDR solution can determine whether the source of the event lies in an application, the operating system, the user's actions, the crash of another application, an unauthorized USB flash drive that ran a malicious file, or another cause.

Secondly, EDR solutions take a much wider range of vectors and causes into account than usual when deciding how to handle a cyber threat. One technological expression of this is the ability to correlate external events at the network level, such as outbound connections, with internal events that take place within each computer, such as which process, launched by which parent, opened a given connection. By linking these two dimensions, EDR differs from many current solutions, which operate only at the host level or only at the network level.

Thirdly, EDR solutions are able to deal with one of the main enemies of every security team: false positives. They do this by maximizing the number of vectors and elements taken into account when deciding what the real threat is. A false positive is like a car left on the street with its alarm sounding because of a malfunction; bystanders learn to disregard it as background noise. Since the defense sector is characterized by very high vigilance in general, and cyber vigilance in particular, false positives are liable to divert security resources away from real incidents. When an EDR solution receives a warning about unexplained communication to a destination, it can determine whether the alert is a false positive and prevent a false alarm. This ability rests on behavioral analysis: observed activity is compared with the behavioral profiles of known problematic users and processes, and with the baseline of normal activity for that user and host, to determine whether the activity falls 'within' a problematic profile.
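The host/network correlation of the previous paragraph and the baseline-based suppression of this one can be shown together in a small amount of code. The following is an added example written for this article; it is not CYBONET's product code or any vendor's. All telemetry (hosts, pids, process images, timestamps, destinations) and the learned baseline are constructed for illustration, and the IP addresses come from documentation ranges. It joins each outbound connection to the process that opened it, walks the parent chain back to its origin (the "present to past" investigation), and then rates the event: suspicious lineage raises an alert regardless of destination, a destination not in the baseline is queued for review, and a destination the same process image has contacted before is suppressed.

```python
"""Correlate host process telemetry with network connection events.

Added example, not CYBONET's code. All events below are constructed sample
data; IP addresses are from the documentation ranges (192.0.2/24, 198.51.100/24,
203.0.113/24).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:          # "internal" event: a process started on a host
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetEvent:              # "external" event: a process opened an outbound connection
    ts: datetime
    host: str
    pid: int
    dst: str                 # "ip:port"


# An Office application spawning a script host is a classic macro-delivery lineage.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

T0 = datetime(2024, 1, 15, 9, 0, 0)
PROCESS_EVENTS = [  # constructed host telemetry
    ProcessEvent(T0, "ws-17", 400, 1, "explorer.exe"),
    ProcessEvent(T0 + timedelta(minutes=1), "ws-17", 812, 400, "outlook.exe"),
    ProcessEvent(T0 + timedelta(minutes=2), "ws-17", 950, 400, "chrome.exe"),
    ProcessEvent(T0 + timedelta(minutes=3), "ws-17", 1301, 812, "winword.exe"),
    ProcessEvent(T0 + timedelta(minutes=3, seconds=20), "ws-17", 1340, 1301, "powershell.exe"),
]
NET_EVENTS = [  # constructed network telemetry
    NetEvent(T0 + timedelta(minutes=1, seconds=30), "ws-17", 812, "198.51.100.10:443"),
    NetEvent(T0 + timedelta(minutes=2, seconds=5), "ws-17", 950, "192.0.2.25:443"),
    NetEvent(T0 + timedelta(minutes=2, seconds=9), "ws-17", 950, "192.0.2.77:443"),
    NetEvent(T0 + timedelta(minutes=3, seconds=25), "ws-17", 1340, "203.0.113.45:8443"),
    NetEvent(T0 + timedelta(minutes=4), "ws-17", 2222, "203.0.113.9:443"),
]
# Destinations each (host, image) contacted during a learning window (constructed).
BASELINE = {
    ("ws-17", "outlook.exe"): {"198.51.100.10:443"},
    ("ws-17", "chrome.exe"): {"192.0.2.25:443"},
}


def build_process_index(events):
    """(host, pid) -> process records sorted by start time; pids get reused, so keep all."""
    idx = {}
    for e in sorted(events, key=lambda e: e.ts):
        idx.setdefault((e.host, e.pid), []).append(e)
    return idx


def resolve_process(idx, host, pid, ts):
    """The process record for (host, pid) that was current at time ts, or None."""
    started_before = [e for e in idx.get((host, pid), []) if e.ts <= ts]
    return started_before[-1] if started_before else None


def ancestry(idx, proc, max_depth=16):
    """Walk parent links back in time: the chain from the observed process to its origin."""
    chain = [proc]
    while len(chain) <= max_depth:
        parent = resolve_process(idx, chain[-1].host, chain[-1].ppid, chain[-1].ts)
        if parent is None:
            break
        chain.append(parent)
    return chain


def correlate(process_events, net_events, baseline):
    """Join each network event to its process lineage and rate it."""
    idx = build_process_index(process_events)
    findings = []
    for n in sorted(net_events, key=lambda n: n.ts):
        proc = resolve_process(idx, n.host, n.pid, n.ts)
        if proc is None:  # the network saw a connection the host sensor never attributed
            findings.append({"dst": n.dst, "chain": [], "verdict": "review",
                             "reasons": ["no process record for pid %d" % n.pid]})
            continue
        chain = [p.image for p in ancestry(idx, proc)]
        reasons = []
        for child, parent in zip(chain, chain[1:]):
            if parent in OFFICE and child in SCRIPT_HOSTS:
                reasons.append(f"{parent} spawned {child}")
        new_dst = n.dst not in baseline.get((n.host, proc.image), set())
        if new_dst:
            reasons.append(f"first contact with {n.dst} by {proc.image}")
        if any("spawned" in r for r in reasons):
            verdict = "alert"            # suspicious lineage: raise regardless of destination
        elif new_dst:
            verdict = "review"           # a new destination alone is weak evidence
        else:
            verdict = "suppressed"       # matches the baseline: do not wake the analyst
        findings.append({"dst": n.dst, "chain": chain, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, NET_EVENTS, BASELINE):
        print(f["verdict"].upper(), f["dst"], " <- ".join(f["chain"]), "; ".join(f["reasons"]))
```

Run as a script, the example suppresses the two baseline connections, queues the browser's new destination and the unattributed pid 2222 connection for review, and raises one alert for the powershell.exe connection whose lineage reads powershell.exe <- winword.exe <- outlook.exe <- explorer.exe. The unattributed case is the one to watch in practice: a connection with no matching process record usually means a host sensor gap, not a clean host.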

These three areas of differentiation, together with other factors not discussed here, are highly relevant to a key pain point of defense organizations. The defense sector constantly employs professionals, including cyber analysts, who monitor data traffic around the clock. However, the number of analysts is limited, and a Security Operations Center (SOC) may therefore respond to alerts too slowly.

Furthermore, the defense sector uses far-reaching means to protect information, such as physically separated networks and continuous human monitoring of all data traffic. Nonetheless, new methods of overcoming network separation and human monitoring are discovered every day. Even the best-protected layer against cyber threats has loopholes, and additional solutions at the forefront of technology are critical for strengthening the weakest link.

In response to these challenges, the technologies on which EDR solutions rely are characterized by speed, automation and precision in identifying and handling cyber events. These features set EDR solutions apart, saving many hours of expensive analyst time and making it easier for organizations in general, and defense organizations in particular, to respond to a cyber incident as effectively and rapidly as possible.
