Lots of new cyber vendors are starting up all the time. Crunchbase’s list of top cybersecurity startups is 1,089 businesses long. What you find is that everyone is specialized in their own particular segment; their own slice of technology to remedy a specific cybersecurity need.
Which brings us to EDR (endpoint detection and response), a much talked-about segment of cybersecurity that has grown on the back of two trends:
- The explosion in IP endpoints, with ubiquitous 4G/5G, Wi-Fi and huge adoption of smart devices, sensors and IoT/OT applications.
- The failure of legacy, signature-based endpoint antivirus/anti-malware (AV) solutions to protect organizations and their users from sophisticated attacks and zero-day exploits.
What EDR has to do with threat intelligence
Endpoint security has always fed off intelligence: creating signatures in response to known viruses, trojans and the like. But this intelligence was always reactive, and unable to work quickly enough to stop new exploits – especially as attackers evolved. Endpoint AV steadily became just one line of defense in a defense-in-depth strategy, filtering out ‘easy’ threats and leaving unknown, complex attacks to other weapons in the security arsenal.
EDR is significantly more sophisticated, enabling leading vendors to capture huge swathes of the enterprise market by replacing legacy solutions with a better alternative.
EDR client software is typically lightweight whereas legacy AV agents consume so much processing power that users are often tempted to disable it. This is because EDR solutions are only partly reliant upon signatures, and use algorithms and (increasingly) AI engines to isolate and remediate behaviors they deem potentially unsafe, with impressively low instances of false positives.
How else EDR delivers compelling business value
EDR is undoubtedly an effective way of collecting and applying threat intelligence to combat endpoint threats. It is also proven to deliver additional business value by enhancing incident response processes and even threat hunting capabilities:
- Incident Response: EDR can capture images of an endpoint at any point in time and rollback to a safe pre-attack state. It can also interpret raw endpoint telemetry to help determine attack patterns and mitigations, and be used to shut down further spread across an organization.
- Threat Hunting: EDR matches files and other artefacts for known malware parameters and can store endpoint data for immediate or future analysis. But EDR’s role as a primary threat hunting tool should not be overestimated; it is a baseline technology as former Gartner analyst Anton Chuvakin states, “threat hunters need EDR data or other rich endpoint telemetry as it’s the mainstay for both beginner and advanced hunting operations.”
Naturally, EDR solutions integrate well with SIEMs and other SOC platforms to provide real-time visibility of the risks to the organization’s endpoint estate and also enable admins to manage endpoints via a single pane of glass.
The other clever aspect of EDR is its capacity to enable an organization to protect all of its endpoints when only one of them comes under attack. Thanks to EDR, the endpoint estate becomes a source of threat intelligence as well as the means through which threat intelligence can be acted upon. EDR vendors go one stage further and extend this intelligence gathering capability to all their customers by aggregating endpoint threat intelligence in the cloud.
How EDR and threat intelligence complement each other
EDR is not able to detect everything. Indeed, it is effectively an internally facing tool that delivers its value when threats are ‘inside the wall’ as a crucial line of defense to prevent further spread. Threat intelligence is much more far-sighted, delivering its value further upstream in a proactive way i.e. external facing. For example, EDR cannot detect threats like credential leaks or fake mobile apps in real time like threat intelligence can. Nor infected POS for stealing credit cards.
By using the two together, threat intelligence supports the goal of EDR by identifying threats that could end up leveraging infecting endpoints. The two also combine well when threats have bypassed external detection methods and been ‘discovered’ by the EDR, with threat intelligence providing essential insights to help mitigate the impact of any attack. For example, if credentials have been leaked without detection before the EDR picks up anomalous activity, threat intelligence can rapidly validate if the attack relates to a new or known threat actor, whether it is part of a wider attack in preparation on the dark web, etc.
Many EDR vendors recognize the criticality of threat intelligence by building their own in-house capability or acquiring the expertise. In such cases, individual customer organizations can employ EDR sandboxing to conduct deeper analysis and investigations into campaigns and IOCs, supported by the EDR vendor’s own internal threat intelligence team.
Why EDR is not complete threat intelligence
While EDR is an essential contributor to full spectrum threat intelligence, it is only one of many potential sources that security teams should call upon. Other internal sources are important, such as SIEM logs. Externally, there are a huge variety of sources on the open, deep and dark web, as well as closed and private forums which threat intelligence analysts should gain access to.
Relying upon EDR as a window on the world of potential threats targeting your organizations will inevitably create blind spots and lose the all-important contextual understanding of how attacks affect your business operations – from protecting your brand against social media misuse and IP theft, to tracking down stolen credentials on underground forums. EDR is helpful for tactical and operational purposes; less so for strategic imperatives.
This is because threat intelligence is more than just data. It enables decision makers to take a comprehensive view (as well as granular), allocate resources and put in place appropriate defense measures; it helps executives make long-term business decisions based on intelligence, and take necessary risks based on the reward and ROI.
When applied well, threat intelligence can help CISOs and their organizations defend against an increasingly difficult threat landscape before, during and after attack. By using threat intelligence to study adversaries and understand their strategies and objectives, you can build more effective, more refined and more robust cyber defenses.