A Brief History of EDR Security

By Gilad David Maayan (DZone Core) · Apr. 07, 20 · Analysis

Endpoint Detection and Response (EDR) solutions were developed to fill security gaps left by other tools. The need for EDR can be traced to the early 2010s, but the term EDR was officially coined in 2013. In this article, you’ll learn about the threats that led to the development of EDR tools, past incarnations of EDR solutions, and what EDR security will look like in the future.

2010: Threats Leading to the Development of EDR

In the early 2010s, attackers began developing methods for running malicious code without having to install malware. These attacks enabled them to bypass traditional security measures, which relied on identifying malicious executables. Below are some of the methods attackers developed and continue to refine.

1. Document-Based Malware

Most users understand the potential threat of downloading or running applications from unknown sources. However, many users do not understand that document files are capable of running similar malicious processes. This makes users much more likely to accept or open Excel, PDF, Word, or PowerPoint files. Attackers can take advantage of this misunderstanding by hiding malicious scripts in such files, downloadable from sites, or delivered in phishing campaigns.

Attackers often hide malicious content in macros, scripted instructions for particular tasks. While macros are designed to help users automate tasks and to increase efficiency, these tools can easily be harnessed for attacks. 

One security solution is to simply block macros from ever running. However, this does not account for the fact that macros are now vital to many business processes. These tools are used to extract data, standardize formatting, and automate calculations. Macros cannot simply be blocked without causing significant impacts on productivity. Alternative methods for detecting and blocking suspicious macros needed to be developed.

2. Fileless Attacks

Fileless attacks execute processes in memory or take advantage of trusted system processes to execute code. These attacks do not require files to be stored and so can bypass traditional, signature-based security tools. 

In part, these types of attacks grew in popularity due to a leak of NSA infiltration tools. These tools were designed to exploit vulnerabilities in operating system protocols and to allow attackers to move laterally through systems. 

One well-known example of these attacks is EternalBlue. EternalBlue attacks exploit the Server Message Block (SMB) network file sharing protocol. WannaCry, NotPetya, and Retefe (a banking trojan) are all malware that made use of this exploit. 

Like macros, SMB is a vital part of the network communications of most organizations and cannot simply be blocked. Unfortunately, traditional tools could not reliably distinguish between valid and malicious SMB communications. To block these attacks, you must employ methods such as behavioral analysis.

3. Limitations of Antivirus

To detect attacks, traditional antivirus solutions use signatures to identify malware and malicious processes. Signatures are strings of characters, bits of code, or binary files associated with known malware. The use of signatures restricts antivirus solutions to only being able to identify previously seen malware or similar attacks. In practice, this ends up being only around 57% of total attacks.

Another issue is that traditional antivirus tools can only detect malware once it has been encountered by or downloaded onto a system. Unless tools are set up to scan files before installation, files may sit on a system undetected until the next scheduled scan. This increases the chances that users will unknowingly run malicious programs.

To address this issue, new tools, such as next-generation antivirus (NGAV), were developed. These tools incorporate behavior analysis, machine learning, and AI in addition to signature-based detection. These additional capabilities were designed to enable security teams to identify issues regardless of whether threats had been previously encountered.
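The three sections above make one point from three angles: a signature engine can only name what it has hashed before, while macro-launched script hosts and memory-only code leave no file worth hashing. The following Python is an added illustration written for this article, not code from the author or from any EDR product; the process events, the "known-bad" hash, the rule names and the two behavioural rules are constructed sample data, deliberately minimal so the gap between the two approaches is visible.

```python
"""Signature-based versus behavioural detection over constructed process events.

Added illustration, not code from the article. The events, hashes, rule names
and the pairing rules below are constructed sample data and are deliberately
minimal.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed "known-bad" list: a signature engine only knows hashes it has seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-sample-A").hexdigest()}

# Process families used by the behavioural rules (real Windows binary names;
# the pairing rule itself is a simplification of what an EDR agent evaluates).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str         # executable name; "" when the code has no image on disk
    parent: str        # parent process name
    file_bytes: bytes  # backing file contents; b"" for memory-only code


def signature_verdict(ev: ProcessEvent) -> bool:
    """True only when the backing file hashes to a previously seen sample."""
    if not ev.file_bytes:
        return False  # nothing on disk to hash: fileless code is invisible here
    return hashlib.sha256(ev.file_bytes).hexdigest() in KNOWN_BAD_SHA256


def behaviour_verdict(ev: ProcessEvent) -> list[str]:
    """Names of the behavioural rules the event trips, independent of any signature."""
    hits = []
    # Document-based malware: an Office application launching a script host.
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        hits.append("office-app-spawned-script-host")
    # Fileless execution: code running with no backing file on disk.
    if not ev.file_bytes:
        hits.append("no-backing-file-on-disk")
    return hits


def triage(events: list[ProcessEvent]) -> dict[int, dict]:
    """Run both engines over every event and keep both verdicts side by side."""
    return {
        ev.pid: {"signature": signature_verdict(ev), "behaviour": behaviour_verdict(ev)}
        for ev in events
    }


def behaviour_only_detections(events: list[ProcessEvent]) -> list[int]:
    """PIDs the signature engine misses but a behavioural rule catches."""
    results = triage(events)
    return [pid for pid, r in results.items() if r["behaviour"] and not r["signature"]]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Previously seen sample saved by the browser: the hash list catches it.
    ProcessEvent(101, "invoice_viewer.exe", "chrome.exe", b"constructed-malware-sample-A"),
    # Word macro launching PowerShell: the PowerShell binary itself is clean,
    # so no signature fires, but the parent/child pairing does.
    ProcessEvent(102, "powershell.exe", "winword.exe", b"constructed-clean-powershell-binary"),
    # Memory-resident payload with no file on disk under a trusted parent.
    ProcessEvent(103, "", "svchost.exe", b""),
    # Ordinary spreadsheet session: neither engine fires.
    ProcessEvent(104, "excel.exe", "explorer.exe", b"constructed-clean-excel-binary"),
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Running it shows the signature engine catching only PID 101, while PIDs 102 and 103 are caught solely by the behavioural rules; that second list is the gap NGAV and EDR were built to close. In a real agent the pairing rule would be one of hundreds and would be tuned against the organisation's own baseline, since some environments legitimately script from Office.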

2013: EDR Is Born

The term EDR was officially coined in 2013 by Anton Chuvakin from Gartner. This term encompassed a new class of tools designed to create greater visibility into systems. These tools, like NGAV, use machine learning and behavior analysis to evaluate system events and identify anomalies. 

To use these tools, you need to continuously collect and process significant amounts of data from across your systems. This requires greater security expertise and resources than traditional systems to operate effectively. These systems also produce significantly more alerts than traditional tools, which can lead to “alert overload”. These requirements could make early EDR tools more cumbersome than helpful.

Endpoint Protection Platforms (EPP) and the Need for EDR Security

Endpoint Protection Platforms (EPP) are solutions that incorporate multiple detection and protection tools for system security. These platforms often include a combination of traditional antivirus, NGAV, and EDR tools. The combination of these tools helps protect systems from a wider variety of threats and ensures a higher threat detection rate.

EPP platforms enable security teams to incorporate multiple tools in a centralized way. This enables teams to reduce some of the additional burden that can come from adopting EDR solutions. These platforms can also leverage the combined detection strategies of various tools to apply more effective and automated protections to endpoints and systems.

Advances in the efficiency of EDR automation and the incorporation of EDR into centralized platforms have made it an essential tool. These tools can significantly help teams prevent and detect attacks quickly and effectively.

2020: Future of EDR: Towards XDR and MDR

Despite being a significant advancement from traditional tools, EDR tools are not perfect. The continued development of new attack methods requires that these tools also adapt. Part of this adaptation involves extending protection and detection beyond endpoints. XDR is one example of this growth.

XDR refers to detection and response across broader systems and networks, designated by the “X”. These networks include cloud services, on-premises data centers, and Internet of Things (IoT) networks. These tools incorporate security information and event management (SIEM) systems, which correlate event data throughout your systems.

This greater centralization in combination with a broader range of system data provides greater context for events. This context enables security teams to more reliably identify threats and makes it easier to detect attacks early on.
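Two earlier points come together here: the fileless section says SMB cannot be blocked and must instead be judged by behavior, and this section says XDR gains its accuracy by correlating endpoint, network and cloud data. The Python below is an added illustration written for this article, not the author's code or any vendor's product; every host name, IP address, user, timestamp, the 15-minute window and the SMB fan-out threshold are constructed assumptions, and a real deployment would derive the threshold from each host's own baseline rather than a fixed number.

```python
"""XDR-style correlation over constructed endpoint, network and cloud telemetry.

Added illustration, not code from the article. Hosts, IP addresses, users,
timestamps, the 15-minute window and the fan-out threshold are constructed
assumptions; a real deployment would derive the threshold from each host's
own baseline.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
SMB_FANOUT_THRESHOLD = 10  # constructed: >10 distinct SMB peers per window is unusual for a workstation

# Constructed network flow records: (timestamp, source host, destination IP, destination port).
FLOWS = (
    # ws-17 reaches 12 distinct internal hosts on 445 within a few minutes.
    [(f"2020-04-07T09:0{2 + i % 5}:00", "ws-17", f"10.0.0.{10 + i}", 445) for i in range(12)]
    # ws-22 reaches 11 peers on 445 later in the day (say, a file inventory job).
    + [(f"2020-04-07T11:3{i % 10}:00", "ws-22", f"10.0.1.{10 + i}", 445) for i in range(11)]
    # Unrelated web traffic that the SMB rule must ignore.
    + [("2020-04-07T09:04:00", "ws-17", "10.0.0.5", 443)]
)

# Constructed signals already emitted by the endpoint agent and the cloud identity log.
ENDPOINT = [
    ("2020-04-07T09:00:00", "ws-17", "endpoint", "office-app-spawned-script-host"),
    ("2020-04-07T12:00:00", "ws-09", "endpoint", "office-app-spawned-script-host"),
]
CLOUD = [
    ("2020-04-07T09:05:00", "ws-17", "cloud", "sign-in-from-new-device:alice"),
]


def bucket(ts: str) -> datetime:
    """Floor a timestamp to the start of its 15-minute window."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=(t.minute // 15) * 15, second=0, microsecond=0)


def smb_fanout_signals(flows, threshold: int = SMB_FANOUT_THRESHOLD) -> list[tuple]:
    """Behavioural rule over network data: count distinct SMB peers per host per window.

    The SMB payload is never inspected; only who talks to how many peers matters.
    """
    peers = defaultdict(set)  # (host, window start) -> distinct destination IPs
    for ts, src, dst, port in flows:
        if port == 445:
            peers[(src, bucket(ts))].add(dst)
    return [
        (start.isoformat(), host, "network", f"smb-fanout:{len(dsts)}")
        for (host, start), dsts in peers.items()
        if len(dsts) > threshold
    ]


def correlate(signals, window: timedelta = WINDOW) -> dict[str, dict]:
    """Group signals per host; a cluster seen from two or more sources within the window is an incident."""
    by_host = defaultdict(list)
    for ts, host, source, signal in signals:
        by_host[host].append((datetime.fromisoformat(ts), source, signal))
    incidents = {}
    for host, items in by_host.items():
        items.sort()
        i = 0
        while i < len(items):
            start = items[i][0]
            cluster = [it for it in items[i:] if it[0] - start <= window]
            sources = {src for _, src, _ in cluster}
            if len(sources) >= 2:
                incidents[host] = {
                    "sources": sorted(sources),
                    "signals": [sig for _, _, sig in cluster],
                }
                break
            i += len(cluster)
    return incidents


def run() -> dict[str, dict]:
    """Full pipeline: derive network signals, then correlate with the other sources."""
    return correlate(ENDPOINT + CLOUD + smb_fanout_signals(FLOWS))


if __name__ == "__main__":
    for host, incident in run().items():
        print(host, incident)
```

Run alone, the SMB rule fires for both ws-17 and ws-22, and the endpoint rule fires for both ws-17 and ws-09; each of those is the kind of single-source alert that feeds "alert overload". Correlation raises only ws-17, where an Office-spawned script host, SMB fan-out and a new-device sign-in line up within fifteen minutes, while ws-22's lone fan-out (plausibly a scheduled job) and ws-09's lone macro event stay as low-priority signals for the analyst.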

Another way in which EDR is changing is the growth of managed EDR (MDR). The broader visibility achieved with XDR provides greater security but increases the burden on security teams. This is particularly problematic for small organizations and those lacking sufficient security personnel. MDR solutions provide a way for these smaller organizations to benefit from XDR in a cost-effective way.
