EDR: The richest data in your SOC

Endpoint detection and response solutions – EDR as it’s more commonly known – act as enterprise surveillance and thus deliver a rich dataset to security professionals. But as with all advances in security, this rich data wasn’t always available in a speedy and cost-effective way. Yet, as a security professional in today’s always-on world, one of your key responsibilities is to efficiently leverage incoming data from every endpoint across your organization.

Before EDR: how we monitored threats

Historically, if a breach or a significant event on the endpoint occurred, your SecOps team would conduct forensics. This entailed seizing the machine to recover the information on its hard drive. Seems simple enough, right? Well, once threats began executing in memory – as opposed to on the file system itself – the moment SecOps seized the machine and unplugged it from power, all the valuable forensic data in volatile memory was lost. This realization was a critical moment that helped drive the development of EDR solutions as we know them. I was there, and played a role in creating one of the industry’s first EDRs.

At the same time, another turning point for EDR was the move away from dependence on network-based threat monitoring. During this time, firewalls, intrusion detection systems, proxies, and more were each logging and generating alerts as part of a broader threat detection capability. However, there was no easy way to validate whether a threat had actually reached its target. This is the major gap EDR fills, and it is why it’s such a critical part of security operations today.

Today’s Endpoint Detection and Response

Today, EDRs record all activity taking place on the endpoint and stream it in real time to a local repository, empowering your SOC to enrich the data with rules and intelligence for stronger threat detection and response processes. If, for example, an employee visits a known bad site, the “response” part of EDR can immediately act on a rule such as “Isolate the endpoint,” preventing any further communication until the threat is resolved.

The EDR solution can also enable you to automate your validations: if your network-based threat detection tool triggers an alert, the alert data can be sent to the EDR to confirm the event on the endpoint. If the EDR does not confirm the event after receiving the data, it’s possible the threat was blocked by spam filters or other antivirus software before it reached the host. If the EDR does confirm the event, you can invoke automated response workflows such as “kill the process that is linked to the file seen in the network transmission.”
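The two workflows above (a watchlist rule that isolates an endpoint, and validating a network alert against endpoint telemetry before choosing a response) can be sketched as a small correlation playbook. The following is an added example written for this article; it is not Devo’s code or any vendor’s EDR API. The event schema (`EdrEvent`, `NetworkAlert`), the host names, the watchlist domain, the hash value and the ten-minute correlation window are all constructed assumptions.

```python
"""Constructed example: correlate a network-sensor alert with EDR telemetry
and pick an automated response. Schema, names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed watchlist of known-bad domains (an assumption, not a real feed).
KNOWN_BAD_DOMAINS = frozenset({"malicious-downloads.example"})


@dataclass(frozen=True)
class EdrEvent:
    """One endpoint telemetry record (assumed schema)."""
    host: str
    ts: datetime
    kind: str                      # "net_connect", "file_write" or "process_start"
    pid: int
    image: str                     # executable that generated the event
    target: str = ""               # domain for net_connect, file path otherwise
    sha256: Optional[str] = None   # hash of the written or executed file


@dataclass(frozen=True)
class NetworkAlert:
    """Alert from a network sensor about a file seen in a transmission."""
    host: str
    ts: datetime
    domain: str
    file_sha256: str


def web_watchlist_rule(events, watchlist=KNOWN_BAD_DOMAINS):
    """Rule: a connection to a known-bad site isolates the endpoint."""
    return [("isolate_host", e.host, e.target)
            for e in events
            if e.kind == "net_connect" and e.target in watchlist]


def validate_network_alert(alert, events, window=timedelta(minutes=10)):
    """Confirm a network alert against endpoint telemetry and choose a response.

    Returns ("confirmed", action) when the file seen on the wire shows up on the
    host within the window, or ("unconfirmed", reason) when the endpoint has no
    trace of it, which usually means something upstream blocked it.
    """
    deadline = alert.ts + window
    trace = [e for e in events
             if e.host == alert.host and alert.ts <= e.ts <= deadline
             and e.sha256 == alert.file_sha256]
    executed = next((e for e in trace if e.kind == "process_start"), None)
    if executed:
        return ("confirmed", ("kill_process", executed.host, executed.pid, executed.image))
    written = next((e for e in trace if e.kind == "file_write"), None)
    if written:
        return ("confirmed", ("quarantine_file", written.host, written.target))
    return ("unconfirmed", "no endpoint trace of the file; likely blocked upstream")


# Constructed sample telemetry: one host that downloaded and ran the file,
# one host the sensor flagged but that shows no trace of it.
T0 = datetime(2024, 1, 15, 9, 0, 0)
HASH = "sha256:constructed-ab12"
SAMPLE_EVENTS = [
    EdrEvent("sales-laptop-07", T0, "net_connect", 4120, "chrome.exe",
             "malicious-downloads.example"),
    EdrEvent("sales-laptop-07", T0 + timedelta(seconds=20), "file_write", 4120,
             "chrome.exe", r"C:\Users\sales\Downloads\invoice.exe", HASH),
    EdrEvent("sales-laptop-07", T0 + timedelta(minutes=1), "process_start", 5008,
             "invoice.exe", r"C:\Users\sales\Downloads\invoice.exe", HASH),
    EdrEvent("hq-desktop-22", T0, "net_connect", 880, "outlook.exe", "mail.example.com"),
]
SAMPLE_ALERTS = [
    NetworkAlert("sales-laptop-07", T0, "malicious-downloads.example", HASH),
    NetworkAlert("hq-desktop-22", T0, "malicious-downloads.example", HASH),
]


def run_playbook(alerts=SAMPLE_ALERTS, events=SAMPLE_EVENTS):
    """Run both rules over the telemetry and return the proposed actions."""
    return {"isolations": web_watchlist_rule(events),
            "validations": {a.host: validate_network_alert(a, events) for a in alerts}}


if __name__ == "__main__":
    for name, result in run_playbook().items():
        print(name, result)
```

The design point is that the response is chosen from what the endpoint actually shows, not from the network alert alone: a matching process start justifies killing the process, a file that only landed on disk gets quarantined, and an alert with no endpoint trace is left for an analyst rather than triggering a response on a host that was never affected.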

Another example – one that’s particularly relevant in the increasingly mobile workforce – is the ability of EDR solutions to track endpoint activity from one WiFi network to the next. Picture this: a salesperson works from his or her corporate office on a Monday morning, but works from a hotel in a different city visiting customer prospects on Monday night. If malware is able to creep onto the laptop in the hotel through an unsecured WiFi network, it can spread to the corporate office as soon as that salesperson is back in the office and connected to the company’s network. EDR solutions can detect this right away through automation and response capabilities.

In these ways, EDR has completely changed how we monitor and manage security threats, both on and off corporate networks, by giving full visibility into endpoint activity.

What are the drawbacks?

Let’s face it, every technology has an argument to be made against it. In EDR’s case, the main challenge associated with it is cost. It can be incredibly expensive to retain the information from recorded endpoint data – it’s a lot of information. Today, many companies are only retaining their endpoint data for a month or two at most.

With Devo’s compression, ingestion and search capabilities, our customers can keep a year’s worth of data without worrying about the cost. This is an incredibly powerful capability, one that can be business-changing for companies that have experienced a breach. With Devo, they can easily go back into historical endpoint data and pinpoint the issue.

How will EDR change in the future?

As adversaries grow smarter and stronger, we’ll always need to stay on our toes and evolve our tools along with the newest threats of the moment. One of the ways we’re doing that is through machine learning and artificial intelligence; these technologies are becoming an important part of a good security solution. EDRs have already begun to shift toward anomaly detection and behavioral analytics to combat adversaries. An important thing to remember is that static indicators alone are no longer enough for SecOps; we must use every tool available to keep company data safe. Endpoint data is an information-rich resource, and EDR solutions are evolving to help take advantage of it, so we must use it to its full potential.

Read more about how Devo can help you evolve your SOC.