Philip Cao


EDR is dead! Long live XDR!


Endpoint detection and response (EDR) has been an important technology for security professionals as they attempt to find suspicious activity, or at least traces of it, on endpoints and hosts. Cybersecurity itself is as old as computers, but the EDR segment is still in its infancy with the first solutions dating back only about five years or so.

The technology works by monitoring the endpoint and then storing the data in a centralized repository where analysis can be done to detect a threat. Typically, EDR solutions require a software agent to be installed on the host system to provide the data used in monitoring and reporting.

EDR has been critical for advanced protection, as more threats are being directed at the user. In fact, one of the industry’s leading penetration testers recently told me that he can normally breach an organization within an hour by attacking the user and compromising the endpoint. Also, Windows is still the most widely used operating system in the business world, and many of its internal features are used by threat actors to breach that computer and others.

So, if EDR is so integral to threat protection and provides so much value, why am I proclaiming EDR dead? Is that crazy?

As valuable as EDR has been, it provides a very narrow view of the world. It’s akin to looking out a porthole on a ship where one sees only a slice of the horizon. To determine what the weather is like, if there are islands around or if there are passing ships, one would need to be on the bridge to get an overall view.

EDR is narrowly focused

EDR is too narrowly focused, as it provides a view of only the endpoint. It’s time for EDR to give way to XDR where X is a far broader set of data that includes endpoint, as well as cloud, threat intelligence, network data, logging information and possibly even community data. This certainly isn’t meant to be an exhaustive list of data feeds into XDR, but rather serves to highlight the point that more sources of data from more enforcement points lets the security team and technologies find more threats faster, and then block them.

It’s like being on the bridge of a ship and being able to see everything at once. The difference is that XDR brings into view all elements of an attack, not just those found on a single endpoint; it adds the analytics required to interpret data across different sources; and it makes more efficient use of security analysts’ time during investigations.

XDR sees everything

Also, because XDR solutions understand the enforcement points, they can respond and block the threat faster and across a wider range of vectors, not just the endpoint. With EDR, the endpoint may reveal a breach, but the only thing known is what occurred on that endpoint. An EDR solution can see what happened on one endpoint and then pivot to another endpoint to evaluate it, but if the source of the attack is external, EDR won’t help: the endpoint data reveals nothing about it, and EDR is blind to network data.

What’s required is visibility into the network portion of the threat and the link between the different stages of the attack: for example, evidence that administrator credentials were stolen from server A and then used to infiltrate server B.

XDR can trace threats back to their source

With XDR, the system is able to better trace the bad traffic from where it was discovered, reconstructing the attack. This helps the security team better understand what happened, determine where it happened, and respond at the best possible enforcement point (or points if there are multiple ones). Without that, all one knows is that an attack occurred and a single endpoint is involved. Using the ship metaphor, water in the bottom would indicate there was a leak. One could clean up the leak, but if the source isn’t known, the problem can’t be fixed.
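The two preceding passages describe the core of what cross-source correlation buys a defender: linking a credential-theft event seen by the endpoint agent on server A to a later logon with the same account on server B, corroborated by a network flow, and then naming the enforcement points where a response can be applied. The following Python is an added illustration, not code from this post or from any XDR product. It assumes telemetry has already been normalized into one record shape, and the event names (`lsass_memory_read`, `logon_success`, `connect`), host names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources (not real telemetry).
# Each record is normalized to the same shape so the correlation logic below can
# treat endpoint, authentication and network data uniformly.
@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # "edr", "auth" or "netflow"
    host: str        # host on which the event was observed
    action: str
    user: str = ""
    peer: str = ""   # remote host for auth/netflow events

SAMPLE_EVENTS = [
    # Endpoint agent on server-a sees a process read LSASS memory under the admin account.
    Event(datetime(2022, 5, 1, 9, 0, 5), "edr", "server-a", "lsass_memory_read", user="admin"),
    # Network sensor sees server-a open a connection to server-b shortly after.
    Event(datetime(2022, 5, 1, 9, 0, 40), "netflow", "server-a", "connect", peer="server-b"),
    # Authentication log on server-b records a successful admin logon sourced from server-a.
    Event(datetime(2022, 5, 1, 9, 0, 41), "auth", "server-b", "logon_success", user="admin", peer="server-a"),
    # Unrelated noise: a routine logon hours earlier with no preceding credential access.
    Event(datetime(2022, 5, 1, 2, 0, 0), "auth", "server-c", "logon_success", user="svc_backup", peer="jumpbox"),
]

WINDOW = timedelta(minutes=30)  # assumed maximum gap between theft and reuse


def correlate(events, window=WINDOW):
    """Link a credential-access event on one host to a later successful logon
    with the same account on another host that was sourced from the first host.
    Returns one dict per reconstructed chain, with the enforcement points at
    which a response could be applied."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for cred in (e for e in events if e.source == "edr" and e.action == "lsass_memory_read"):
        for logon in events:
            if logon.source != "auth" or logon.action != "logon_success":
                continue
            if logon.user != cred.user or logon.peer != cred.host:
                continue
            if not (cred.ts < logon.ts <= cred.ts + window):
                continue
            # Network data independently corroborates the hop between the two hosts.
            flows = [e for e in events
                     if e.source == "netflow" and e.host == cred.host
                     and e.peer == logon.host and cred.ts <= e.ts <= logon.ts]
            chains.append({
                "account": cred.user,
                "stages": [
                    ("credential_access", cred.host, cred.ts),
                    ("lateral_movement", logon.host, logon.ts),
                ],
                "network_corroboration": bool(flows),
                "response_points": [
                    f"isolate {cred.host}",
                    f"reset credentials for {cred.user}",
                    f"block {cred.host}->{logon.host}",
                ],
            })
    return chains


def endpoint_only_view(events, host):
    """What a single-endpoint view shows: only the events observed on that host."""
    return [e for e in events if e.host == host]


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print("account:", chain["account"])
        for stage, host, ts in chain["stages"]:
            print(f"  {ts:%H:%M:%S} {stage} on {host}")
        print("  corroborated by network data:", chain["network_corroboration"])
        print("  respond at:", ", ".join(chain["response_points"]))
    # Seen from server-b alone, there is just one ordinary admin logon and no context.
    print("server-b alone sees", len(endpoint_only_view(SAMPLE_EVENTS, "server-b")), "event(s)")
```

The `endpoint_only_view` helper makes the article's point concrete: an agent on server B alone records a successful administrator logon with no reason to flag it, while the correlated view ties that logon to the credential access on server A and lists three places to respond rather than one.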

One of the criticisms I’ve had of EDR is that it focuses largely on detection and often doesn’t help much with response unless you’re a specialist. With XDR, detection and response are equal parts. Think of EDR as big D and little r, and XDR as big D and big R across all potential data sources, giving the security team a much better chance at fighting the bad guys.

In its time, EDR was a breakthrough for security buyers because it provided a way to see what was happening on the endpoint, which is the biggest attack point. Now that we live in a world where literally everything is connected, it’s important that EDR evolve into XDR so security teams can see more and block more at their source. If you’re going to commit the budget and time of your security team, why restrict them to endpoint?


Copyright © 2006-2022 Philip Hung Cao. All rights reserved