Why Do Companies Need Endpoint Detection & Response (EDR) Solutions?
Phishing emails carrying sophisticated malware undetectable by standard antiviruses more and more often serve as the main infection vector for data breaches and various cyber-scams. Protection against such threats requires a more advanced solution — a system for detecting attacks on endpoints, aka EDR (Endpoint Detection & Response). This article reveals how EDR identifies sophisticated attacks and whether it is worth installing it yourself or choosing EDR-as-a-service.
Professional cybercriminals are drifting from a quick monetization of an attack to a persistent, covert stay in the victim’s infrastructure. Persistence facilitates access to classified commercial information and allows the development of an attack inside the corporate network that eventually leads to its total compromise and enables destructive actions (for example, launching ransomware, quitting certain critical technological processes).
Threat tackling typically applies infrastructure monitoring and data security suites. However, identifying advanced, sophisticated scams with these tools is getting more difficult.
The effectiveness of using standard monitoring mechanisms decreases for a number of reasons:
- Indicators of compromise (IP addresses, hashes, and domain names) are often used one time only. Attackers can modify these in a breeze, especially in the case of APT.
- Attackers in their campaigns use legitimate executables, standard OS tools, etc.
- As stolen credentials are becoming widely used to circulate malicious code through the network, initial penetration is no longer depends on exploits only.
- Occurrences of malware that neither antivirus nor network signatures can recognize are getting ever more common.
- As infrastructure grows, keeping all signatures and licenses up to date becomes a serious challenge.
Implementation of a range of routines for bypassing classical security tools, multi-stage obfuscation, steganography, and deep environment scanning ensures the malicious code introduction into the endpoints of the company.
Monitoring the toolkits used by cybercriminals, experts reveal an increase in the number of malware installers applying chains of calls to popular utilities (wmic.exe, rgsvr32.exe, hh.exe, etc.) already installed on the host and executing code that was sent to them through the command line directly or as an Internet link or a file.
This approach distributes the malware installation process among the calls to benign utilities. As a result, automatic detection tools cannot combine these split processes into a single chain of malicious object installation. As malware counteraction experts apply tech-powered incident investigation (forensics), they often find signs indicating that it is the above technology that the hackers evade whitelists with.
How to monitor hosts?
To effectively combat such threats and minimize the consequences of an attack, you need additional detection and response tools, for example, Endpoint Detection & Response (EDR) designed for detecting complex attacks on end hosts. Why EDR and not Windows Event Viewer or Sysmon?
The key advantages of EDR solutions:
- Extended set of logged events. Yes, it all depends on the specific product. For example, there are cases when clients log all interactive input to the command line that enables detecting malicious techniques that neither Windows audit nor Sysmon would spot.
- Centralized management and configuration. Centralized monitoring and control of agent settings are critical for large infrastructure. Lack of these features delays response to attacks for hours or even days. A centralized system also effectively searches for indicators of compromise and traces of attacker activities in the infrastructure.
- Active response. Responding to an incident involves actions to be taken simultaneously on multiple systems. This almost always becomes a problem. EDR allows you to work with files and the registry in a convenient interactive way, block network connections, terminate processes, scan using YARA rules, collect artifacts for further analysis, and much more.
In general, EDR significantly reduces the malicious activity detection time, enables timely response and mitigates the impacts of unfolding attacks. Besides, EDR expands the scope of events covered by the security operation center (SOC) as it also deals with the analysis of event logs collected from various systems, including workstations and servers. EDR provides extended event logging features and extra context, including data on processes spawned on hosts, services, etc. This allows the SOC to more efficiently detect and isolate compromised workstations minimizing the spread of infection across the infrastructure.
EDR: integrated system or service?
The company has two options for using the EDR system on endpoints: buying an on-premises solution or subscribing to a service provided by a commercial SOC.
The service offers two options for its implementation. In a cloud model, the contractor provides both licenses and services to manage and investigate incidents. In a hybrid model, the client buys licenses, and the contractor runs management and investigation routines. Each option has its inherent features.
The key advantage of such a project is that all the data processed by EDR remains within the organization. There is no way for the crooks to intercept the information flowing into the service provider’s cloud. Besides, no malicious insiders operating on the cloud side can view your data. The urge to keep information safe is understandable. Meanwhile, the companies using on-premises EDR face some critical challenges.
First, this requires diverse qualifications of the staff. Implementation of such systems often encounters difficulties with rules to be drafted, analysis of collected events to be conducted, and IT incidents to be detected.
EDR can detect anomalies in OS events, process performance, directories, and RAM. Implications of each specific incident are not always clear. Besides, it is not always clear if the revealed anomaly should be attributed to viruses as it may result from a legitimate application running on the host. Therefore, correct interpretation of threats flagged by EDR as well as lookup and development of compromise indicators, require highly skilled professionals who are experts in computer forensics.
For example, identifying hidden processes in RAM requires in-depth analytics. The same goes for the anti-APT solution, which looks for traffic anomalies. When analyzing transport protocols such as SMB, which Windows OS widely applies, anti-APT can detect many modern techniques used by attackers, for example, DCSync. At the same time, this technique hardly helps when it comes to distinguishing a real attack from regular routines, which again brings us back to the point of employing highly qualified experts, and that is extremely difficult given the existing staff shortage in the industry.
Using the incident response functionality also requires versatile expertise. In particular, the skills should enable the refinement of applicable attack detection workflows in order to reduce the number of false positives. Experts with such skills are not available in every company. Consequently, the EDR response features will be wasted, or incorrect configuration can disrupt business processes (for example, if it terminates an allegedly suspicious process that your regular app has spawned).
In EDR-as-a-service, it is the contractor’s staff who operates the system, including investigation of the incidents. The client does not need to hire extra staff and expand the existing IT department. The service model does not diminish the importance of full-time security personnel, though, since the provider does not always have the necessary privileges when responding to an incident. Decision-making, internal investigation, and penalties for critical non-compliance typically remain within the domain of the client’s IT unit.
In addition, a contractor contributes additional information sourced from threat intelligence (TI) database, commercial subscriptions to information on current threats, as well as insights provided by supplementary services such as NTA (Network Traffic Analysis).
The content for EDR provided by the provider is constantly updated based on information about current threats from various additional sources, including from other customers. Thus, using EDR-as-a-service does not require purchasing additional subscriptions to feeds and threat intelligence.
Provider’s infrastructure that is big enough lets you be flexible in scaling the service. EDR is readily available for covering new infrastructure components, additional offices, servers, or workstations.
At the same time, the service model raises concerns among some business owners and security professionals. First, it is the access by a third-party organization to valuable corporate information. Second, EDR-as-a-service only notifies the client of the threats it detects and does not provide access to critical data stored on the workstation or server. Ensure the rules for EDR observe critical points as misconfiguration may quit important business processes unexpectedly. Staff members can also make such mistakes, but when it comes to the service model, some clients have the feeling that the outsourcer may fail to understand the client’s processes well enough and may be unaware of certain workflow requirements. To exclude any disputes, your contract should cover the entire scope of the service provider’s liability and the SLA.
The cost it takes
From an economic point of view, the service model avoids high initial expenditures and evenly distributes your money over the long term as the service is provided.
If the service builds upon the hybrid model, you first need to pay for the license and the system deployment. The services of the provider’s experts in setting the rules, monitoring, and response are to be covered by the subscription plan.
Again, a company using EDR-as-a-service does not need to sustain too many highly paid experts. This reduces labor costs.
Modern threats and the growing skills of cyber criminals force organizations and IT service providers to create new information security tools. Workstations serve as the most common rooting and attack deployment environment for intruders. So, their security move to the fore. To effectively combat such threats, a standard set of tools such as SIEM or antivirus software is no longer enough. Many attacks require a deeper audit to identify hacker activities no matter how well they are disguised. And we know malefactors are using legitimate OS processes more and more now. EDR accelerates primary evidence collection, reducing the overall response time from hours to a few minutes.
However, processing this data and competently responding to incidents involves a professional team of analysts. A company would need a dedicated IT crew, which is extremely difficult given the staff shortage and the high cost of hiring such professionals. Contracting a third-party service provider is a viable option. Your service provider will take care of the maintenance and analytics. High expertise, access to TI databases, subscriptions, and the industry regulator data enable the contractor’s experts to contribute additional details to the incidents recorded by EDR and improve the performance of the investigations.