EDR. (2022, January 13). [Photograph]. Https://Cristianthous.Com/Que-Es-Un-Edr-Por-Que-Es-Diferente-de-Un-Antivirus. https://cristianthous.com/que-es-un-edr-por-que-es-diferente-de-un-antivirus
"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change" - Professor Leon C. Megginson
The reason we kick off tis blog with a quote, one albeit wrongly attributed to Darwin, is due to how currently defines the mindset that everyone in the cybersecurity industry should have when approaching security on their systems and how the tools we used to protect our systems should be, ever-changing and always improving.
In this article, I will try to briefly expose what EDR, and XDR are and how they are helping to keep the tools we use in a constant state of adaptability with a little help from emerging technologies such as machine learning and artificial intelligence.
The Birth of EDR & XDR
Endpoint Detection and Response (EDR) is a term coined by Anton Chuvakin, born from the need to move away to a more robust and better system that could help protect from the rapid increase and complexity of attacks; because the tools we used to rely on, like Signature-based security detection, weren’t making the cut and the way attacks and malicious software could change themselves to sneak pass this tools meant that we couldn’t rely purely on these old methods.
This also meant that to properly protect our systems, we had to look past just the software and look at what was happening at the endpoints and change from a static to a behavior base method.
EDR is the name used to describe all these tools that focused on detecting and investigating suspicious activities on host/endpoints to gather the data necessary for the investigation and prevention of malicious agents that may damage or compromise an organization or individual.
Extended Detection and Response (XDR) is the name given to the new generation of tools whose goal is the same as that of EDRs, but its protection and scope are more robust taking into consideration not only what is happening on the endpoint side but many more agents and devices, and unlike EDR must of the times the whole process is carried from just one tool and not from multiple as it’s the case with most EDR systems.
One tool to protect them all
EDR brought many new features to help identify possible threads like data/telemetry collection (details on files, filesystems, process, memory, network, etc.), exploratory data analysis (being able to interact with the data), and response capabilities just to mention a few examples; however, the real cherry on top is how EDR and XDR are improving and making more efficient these tasks by implementing Machine Learning (ML) and Artificial Intelligence (AI) and before continuing to explain how these technologies are helping keep up with the latest attacks.
First, we need to have a little understanding on the differences between EDR and XDR. Both tools collect, centralize and analyze data and activities, and provide a rule-based response to threats, but the scope in which these tools operated is not the same, while EDR is more concerned with the data generated by host/endpoints XDR broadens the scope across not just endpoints but servers, networks, cloud workloads, SIEM and much more and the environment in which these tools are better deploy is not the same.
While EDR may work just fine on small to medium organizations, for big to very large organization XDR is the way to go because of the extend visibility it has on the organization environment.
ML and AI are helping these tools by enhancing the finding of common features from payloads (attack component responsible for executing an activity to harm the target) and detecting and blocking malicious agents or suspicious activities, it also aids the security researchers by performing analysis of data and performing more sophisticated anomaly detection and in most cases does this automatically without the need of a human.
Not all that glitters is gold
But these tools don’t come without their complications and one of the biggest problems with these instruments is how much data they can end up generating and collecting.
To help understand how so much data can hurt we can consider the following; the visibility that the data facilitates helps the security team to mitigate and recognize possible attacks but it can also hinder this task when there are hundreds of devices in an environment all generating information at the same time, it then becomes a monumental task to filter and recognizes the true attacks from the false positives. We can use of course ML and AI to help mitigate these problems, but even with these technologies in place we have to consider that their implementation and the need of capable resources make these tools inacccesible for some companies.
Adding to this is that EDR and XDR are made to cover a large number of scenarios, as such the need of customization is a concern. As what might work for one company may not work for another, which means that companies must not only consider the budget for the tool but also for the resources to configure, managed and maintain it.
Regardless of the tool, one thing remains true, in order to survive the security game we must continue to adapt to the constant threats and attacks and as these attacks keep evolving so must our tools keep adapting, otherwise, we run into the risk of staying behind and losing more than a few excel sheet along the way.
Author
Jacobo Arzaga
Junior Security Engineer