Many organizations regard Endpoint Detection and Response (EDR) as their main protection against breaches. EDR, as a category, emerged in 2012 and was rapidly acknowledged as the best answer to the numerous threats that legacy AV unsuccessfully struggled to overcome – exploits, zero-day malware and fileless attacks are prominent examples.
While there is no dispute on EDR’s efficiency against a significant portion of today’s advanced threats, a new breed of “next-generation EDR” solutions are now available (learn more here) which on top of featuring all EDR capabilities, go beyond this to protect against prominent attack vectors that EDR does not cover such as those involving users and networks.
“Many people unknowingly mix two different things – endpoint protection and breach protection,” explained Eyal Gruner, co-Founder of Cynet (a next-generation EDR solution).
“It’s perfectly true that many attacks start at the endpoint and involve malicious files and processes, making EDR a perfect solution for the endpoint. However, the actual attack surface is much broader than this, and at the end of the day, it’s not the endpoints you want to protect – it’s your organization.”
Gruner, a former white-hat hacker (starting when he was 15-years-old), also founded BugSec, Israel’s largest cybersecurity consulting company. Today, he is a world-recognized expert 0n attacker tools, techniques, and practices.
“Think of it like this: by definition, each attacker’s activity generates some kind of anomaly. It only makes sense, because what we consider to be ‘normal behavior’ doesn’t include compromising resources and stealing data. These anomalies are the anchor that enable security products – or threat analysts for that matter – to identify that something bad is happening and block it.”
Gruner said that these anomalies could manifest in three core places – process execution, network traffic, or user activity. For example, ransomware generates a process execution anomaly since there is a process that attempts to interact with a large number of files.
Many types of lateral movement, on the other hand, include a network traffic anomaly in the form of unusually high SMB traffic. In a similar manner, when an attacker logs in to a critical server with compromised user account credentials, the only anomaly is in the user behavior. In both cases, it’s impossible to unveil the attack through monitoring processes alone.
“EDR is a great tool for the attacks that can be identified through process anomalies,” said Gruner. “It sits on the endpoint and monitors process behavior, so you’re fairly covered against this group of threats. But what about all the rest? There are many mainstream vectors that operate on the network traffic and user behavior without triggering the slightest process anomaly and EDR is practically blind to these threats.”
|Next Gen EDR Detecting Malicious Activity Across Endpoint, Network and Users|
To better understand the problem, let’s step into the attacker’s shoes. He has successfully compromised an endpoint and is now calculating his way onward in the environment, to access and then exfiltrate sensitive data. There are several steps necessary to accomplish this task. Let’s use one as an example – credential theft.
High privilege credentials are essential to access resources in the environment. The attacker might attempt to dump them from the compromised endpoint’s memory. An EDR would probably catch this because it would cause a process anomaly.
However, password hashes can also be harvested by intercepting internal network traffic (utilizing techniques such as ARP poisoning or DNS responder) which can be identified only through monitoring for a network traffic anomaly – and EDR would miss this altogether.
“From my experience, attackers that are good at their job usually learn quickly what defense measures are in place and act accordingly,” said Gruner. “If there’s a good EDR in place, they’ll shift their techniques to the network and user fields and operate freely under the EDR’s radar.”
“So, if you want a component in your security stack that will protect you only from process-based attacks such as malware, exploits, etc., EDR can provide coverage. If what you’re seeking is protection from breaches, you need to think much broader – this is why we created Cynet 360.”
Cynet 360 continuously monitors processes, network traffic, and user activity, providing full coverage of the attack vectors that are used in today’s advanced attacks. This means essentially all the capabilities of an EDR, expanded and integrated with User Behavior Analytics and Network Analytics, and complemented by a robust deception layer that enables operators to plant decoy data files, passwords, network shares, etc. and deceive attackers into luring their presence.
But Cynet gives much more than just incremental value. “It’s not just process-based threats plus network-based threat plus user-based threats, said Gruner. “The more advanced the attacker is, the better he is at concealing his presence and activity. So there are many attacks that are invisible if you only look at processes or traffic or user behavior.”
“It’s only by joining these signals together to form a context that you can identify that there’s something malicious going on. Cynet 360 automates the creation of this context to unveil multiple threats that are otherwise invisible.”
|Next Gen EDR delivers full visibility into all threats|
Gruner concludes, “No protection is one-hundred percent, but you must have guards across all the main roads. Can attackers bypass them? I guess the answer is yes if they are skilled, determined, and resourceful enough. But if you monitor all the main anomaly paths, it would force them to work really hard – more than most of them would want to,” Added Gruner.
“EDR is an amazing thing, and that’s why Cynet 360 includes all of its capabilities – plus more. EDR alone is not enough for sound breach protection, and that’s why we gave Cynet 360 all the rest.”