1 Introduction
Endpoint Detection & Response (EDR) solutions have become increasingly popular in just the last few years as a means to help security analysts determine if other security mechanisms such as Endpoint Protection (EPP) have failed, if their systems have been attacked and compromised, and if valuable data has been exfiltrated. Surveys show that 11% of cybersecurity breaches are targeted attacks, and 13% are acts of corporate espionage, designed to steal state or trade secrets. Malware and account takeovers are involved in 48% and 14% of attacks respectively. Almost every industry and every level of government agency are under attack. Organizations are justified in looking for additional security tools to discover and thwart such attempts. A main goal of EDR is often reducing the Mean Time to Detect (MTTD) and Mean Time To Respond (MTTR) to security incidents, given that many reports show that attackers can spend months inside organizations before being detected.
EPP began as antivirus and grew steadily in importance and effectiveness from the late 1980s through the early 2000s. Though the advent and usage of ML techniques may have led to some additional marketing buzz around EPP in the early 2010s, anti-malware technologies have never been over-hyped. Today EPP is widespread and mature, and that's a good thing, as attacks involving malware are frequent and still increasing. EPP products are designed to determine if code is malicious and, if so, prevent it from executing. EPP products have accumulated numerous other security functions, such as serving as endpoint firewalls, performing URL filtering, and controlling which applications are allowed to run on endpoints.
EDR solutions look for evidence and effects of malware or other malicious activities that may have slipped past EPP products and other security tools, such as email/web gateways. Security professionals refer to such data points as Indicators of Compromise (IoCs). Examples of IoC types include:
- MD5 file hashes
- Known bad IPs and URLs
- File/process name mismatches
- Unusual application and network port usage
- Unusual process injections
- Module load point modifications
- Registry changes
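As an added example, not taken from the paper or from Nucleon's product, the following Python scans a few constructed endpoint telemetry events for four of the IoC types in the list above: known-bad file hashes, known-bad IPs, file/process name mismatches, and unusual port usage. All hashes, IPs, paths and the expected-location tables are constructed sample values, not real threat intelligence.

```python
from dataclasses import dataclass

# Constructed indicator sets (placeholders, not real threat intelligence).
KNOWN_BAD_MD5 = {"0123456789abcdef0123456789abcdef"}
KNOWN_BAD_IPS = {"203.0.113.7"}  # TEST-NET-3 documentation range
# Where a well-known process image is expected to live (constructed baseline).
EXPECTED_PATHS = {"svchost.exe": "c:\\windows\\system32\\"}
# Remote ports a process is expected to use; anything else is "unusual".
# An empty set means the process should not be making outbound connections.
EXPECTED_PORTS = {"winword.exe": set()}


@dataclass
class Event:
    """One process/network telemetry record as an EDR agent might emit it."""
    process: str            # image name
    path: str               # full image path on disk
    md5: str                # MD5 of the image file
    remote_ip: str = ""     # empty when no network activity was observed
    remote_port: int = 0


def find_iocs(events):
    """Return (event index, IoC type) pairs for every indicator that matches."""
    hits = []
    for i, ev in enumerate(events):
        name = ev.process.lower()
        if ev.md5.lower() in KNOWN_BAD_MD5:
            hits.append((i, "known_bad_hash"))
        if ev.remote_ip in KNOWN_BAD_IPS:
            hits.append((i, "known_bad_ip"))
        expected_dir = EXPECTED_PATHS.get(name)
        if expected_dir and not ev.path.lower().startswith(expected_dir):
            hits.append((i, "name_path_mismatch"))   # right name, wrong location
        allowed = EXPECTED_PORTS.get(name)
        if allowed is not None and ev.remote_port and ev.remote_port not in allowed:
            hits.append((i, "unusual_port_usage"))
    return hits


# Constructed sample telemetry: one benign event followed by three suspicious ones.
SAMPLE_EVENTS = [
    Event("svchost.exe", "C:\\Windows\\System32\\svchost.exe", "0" * 32),
    Event("svchost.exe", "C:\\Users\\Public\\svchost.exe", "0" * 32),
    Event("winword.exe", "C:\\Program Files\\Office\\winword.exe", "1" * 32,
          remote_ip="203.0.113.7", remote_port=4444),
    Event("setup.exe", "C:\\Temp\\setup.exe", "0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    for idx, kind in find_iocs(SAMPLE_EVENTS):
        print(f"event {idx}: {kind}")
```

A real EDR agent would feed these matches into the central console described below rather than printing them, and would source its indicator sets from threat intelligence feeds.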
EDR solutions log activities centrally, allow administrators to examine endpoints remotely, and generate reports often complete with attribution theories and confidence levels. EDR tools are host-based agents for detecting malware infection, command and control (C2) traffic, reconnaissance and lateral movement of bad actors, and signs of data exfiltration attempts. Additionally, as part of the detection process, EDR tools can also perform evaluation of threat intelligence information, event correlation, interactive querying, live memory analysis, and activity recording and playback. Using Machine Learning (ML) and Deep Learning (DL) algorithms can help produce normal activity baselines for comparisons, discover and classify anomalies, and reduce false positives.
EDR solutions have a management console for collecting and analyzing information from deployed agents, producing alerts, and facilitating incident response, threat hunting, and forensic investigations.
One of the advantages that EDR offers is the ability to automate investigations and responses. Playbooks often ship with EDR tools and can be configured on consoles and executed by agents. Responses can include actions such as case creation, forensic evidence collection, termination of processes, file removal, quarantine, memory analysis, and full endpoint restoration.
EDR systems typically output event information to Security Information and Event Management (SIEM) platforms for centralized storage and analysis.
EDR solutions can provide additional insights into possible nefarious activities in your enterprise and can serve as a complement to other security tools. EDR is not a substitute for EPP, but rather a complement to EPP, email/web gateways, Network Detection & Response (NDR), and Distributed Deception Platforms (DDPs) as important components of modern security architectures.
EDR solutions require a specialized skill set not only to implement and operate but also to derive value from. The inclusion of ML technology does not obviate the need for trained security analysts. Most organizations that successfully deploy EDR have a well-defined IT security organization and one or more SOCs (Security Operations Centers), staffed by knowledgeable security analysts. Such organizations would be categorized as at least Level 1 or 2 in the Hunting Maturity Model.
A few years ago, EDR was mostly used by these kinds of larger enterprises with dedicated security analysts. Today, however, EDR capabilities are sought after by a wider variety of organizations including smaller companies without EDR specialists. Managed Security Service Providers (MSSPs) and SOC-as-a-Service (SOCaaS) providers are offering expert managed detection and response services utilizing commercial EDR products.
Nucleon Security was launched in 2015 in France by a team of cybersecurity consultants who wanted to bring a Zero Trust approach to endpoint security. Nucleon Smart Endpoint was first made available in 2018. The company is a mid-stage startup that is actively growing and has customers in multiple countries across the EU, Africa, and the Middle East.