The modern enterprise is plagued by security threats such as zero-day malware and advanced persistent threats, in which an attacker quietly lurks within a compromised system for an extended period of time, working toward a specific goal. Unfortunately, legacy endpoint security tools are ill-equipped to deal with these and other modern security threats. Security professionals should consider upgrading their endpoint defenses through the adoption of an endpoint detection and response system.
Shortcomings of traditional endpoint security tools
Traditional endpoint security suffers from a number of different shortcomings. For starters, security is often treated as a piecemeal solution. An organization might, for instance, use one product for malware prevention and a different product for intrusion detection. The problem with this approach is that it creates security silos, and threats can slip between the cracks.
A second shortcoming of traditional endpoint security tools is that such products can sometimes be dependent on the end user. If an endpoint detects a malware infection, for example, the user may receive a pop-up message requiring some sort of response. A user could conceivably ignore the message or choose the wrong course of action.
A third shortcoming is that of inaccuracy. Some of the earlier detection products — especially those used for malware detection — relied primarily on the use of attack or malware signatures. The problem with this approach, of course, is that such products are only able to detect attacks that match a known signature. Because signature-based detection is completely ineffective against unrecognized attacks, security products now use heuristics in an effort to detect attacks that might go unnoticed by a signature-based detection engine. However, heuristics-based detection engines tend to produce a lot of false positives.
Why EDR has a leg up on legacy endpoint security tools
Endpoint detection and response (EDR) products are designed to monitor network endpoints and respond to any security events that are detected.
One of the things that sets an EDR product apart from other types of endpoint security tools is that EDR products are designed to watch for, and respond to, a variety of security threats, not just a specific class of threat, such as malware. But it is important to note that all EDR products are not created equally. EDR products can vary widely in terms of scope and capability.
Most EDR products work by installing an agent onto network endpoints. The agent’s job is to continuously monitor the endpoint’s health, detect security incidents and report back to an EDR server. As such, an organization must work diligently to protect the EDR agent on the endpoints. If an attacker is able to overwhelm the agent through a denial-of-service attack, or disable the agent, then the EDR system can effectively be circumvented.
As an organization evaluates its EDR product options, it is important to consider the steps that the vendor has taken to ensure accurate detection of security events. Some of the newer EDR products, for example, are beginning to use AI as a tool for greatly reducing the rate of false positives. This is especially important since false positives can cause alert fatigue, while also potentially camouflaging real security events.