Should I be doing EDR? Why isn’t anti-virus enough anymore?

By: David Strom

Detecting virus signatures is so last year. Creating a virus with a unique signature or hash is quite literally child’s play, and most anti-virus products catch just a few percent of the malware that is active these days. You need better tools, called endpoint detection and response (EDR), such as those that integrate with SIEMs, that can recognize errant behavior and remediate endpoints quickly.

The issue is that hackers are getting better at covering their tracks, and leaving very few footprints of their dastardly deeds.

I like to think about EDR products in terms of hunting and gathering. Most traditional endpoint products that come from the anti-malware heritage are gatherers: they are used to collect malware that they can identify, based on some known patterns. That works well in the era when writing malware was a black art that had specialized skills and tools. Now there are ready-made exploit kits, such as Angler and tools called packers and crypters. These have made it so easy to produce custom malware that the average teen can do it with a Web browser and little programming knowledge.

But gathering is just one part of the ideal EDR product: they also need to be hunters too. They should be able to find that proverbial needle in the haystack, especially when you don’t even know what a needle looks like, except that it is sharp and can hurt you. The ideal hunter should be able to track down malware based on a series of unfortunate events, by observing behaviors such as making changes to the Windows registry, dropping a command shell remotely or from within a browser session, or by inserting an infected PDF document. While some “normal” apps exhibit these activities, most don’t. For example, some EDR products can track privilege escalation and credential spoofing, common activities of many hackers today that like to gain access to your network from a formerly trusted endpoint and use it as a base of operations to collect and export confidential data. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.

Part of the hunting experience is also being able to record what is happening to your network so you can go to the “videotape” playback function and see when something entered your environment and what endpoints it has infected. From there you should be able to isolate and remediate your PCs and return them to an uninfected state. Some EDR products offer a special kind of isolation feature that basically turns their network connection off, except for communicating back to the central monitoring console. That is a pretty nifty feature.

Finally, an EDR product should be able to use big data techniques to visualize trends and block potential attacks. Another aspect of this is to integrate with a variety of security event feeds and intelligence from Internet sources such as You might as well leverage what researchers around the world already know and have already seen in the wild. Microsoft has jumped into this arena with their Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be slowly rolled out to all Windows 10 users (whether they want it or not) thanks to Windows Update.  Basically what Microsoft is doing is turning every Windows 10 endpoint into a sensor with this tool, and sending this information to its cloud-based detection service called Security Graph. Other EDR vendors do similar things with their endpoint agents.

When you go shopping for an EDR product, ask your vendor these questions:

  • Do you need agents or agentless? There are advantages to both methods, depending on the mix of endpoint OS’s and what you are trying to accomplish and protect.
  • What does the user see on their protected desktop? Some tools will obscure any listing in the Control Panel Programs or toolbar icons to make them stealthier.
  • Does the product offer real-time protection? This may be important, depending on your needs. Some products aren’t designed for this kind of response time and need to take a longer view of trends and behaviors.
  • How is the product configured, managed and priced? Some install quickly, some take consulting contracts to set up. Some are priced per endpoint or per server, others by purchasing a physical appliance.

EventTracker offers EDR functionality within its SIEM platform. You can learn more about it here.

Highlights of the Month