This article will help you understand the most important trend in endpoint security today – the transition from endpoint detection and response (EDR), until recently the state of the art in enterprise protection for endpoints, to extended detection and response (XDR), which builds on EDR but offers a new paradigm in holistic protection for endpoints, networks and enterprise workloads.
What is EDR?
Endpoint Detection and Response is a security solution that monitors and logs endpoint data in real time, detects suspicious behavior, and enables security analysts to gain direct access to endpoints to respond to threats. EDR solutions can store, enhance, and consolidate endpoint data to enable automated alerts and manual analysis.
Most EDR solutions have four main functions:
- Event detection – the ability to track endpoint anomalies and detect malicious activity, by analyzing all activity on the endpoint rather than just scanning for malware.
- Event containment – when a security incident occurs, EDR solutions must be able to prevent propagation of the threat via the network, by locking down and isolating endpoints.
- Event investigation – EDR enables analysts to perform comprehensive forensic investigation of incidents, by creating a consolidated database of endpoint security data.
- Response – a key function of EDR is to enable analysts to respond immediately when an incident occurs. This involves triage, identification of the threat, and taking action such as wiping and re-imaging the endpoint.
A typical EDR process for identifying and responding to an incident:
- Endpoint monitoring – continuous data collection from all endpoint devices.
- Behavioral analytics – anomalies are detected through traffic analysis. The EDR solution establishes behavior patterns for each device, detects activity that deviates from normal patterns, and identifies potential malicious activity.
- Quarantine affected endpoints – upon detection of malicious activity, EDR automatically isolates the affected endpoint and stops suspicious processes on it.
- Trace original point of entry – the EDR solution gathers data on possible entry points for an attack and provides a broader context, beyond the current endpoint activity. This can help analysts identify and respond to the threat on other endpoints.
- Provide more data about the incident – gives analysts everything they need to fully investigate and resolve the case.
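As an added example that is not part of the article, the following Python script shows the baseline-and-deviation part of that process over constructed endpoint telemetry: per-device (parent process, child process) pairs are learned from a baseline window, new pairs are flagged, the device is marked for isolation, and the parent chain is walked back toward the point of entry. Host names, process names and field names are constructed for the example.

```python
# Constructed baseline telemetry (example data, not from the article): normal launches.
BASELINE = [
    {"host": "ws-01", "pid": 1, "ppid": 0, "proc": "explorer.exe"},
    {"host": "ws-01", "pid": 2, "ppid": 1, "proc": "outlook.exe"},
    {"host": "ws-01", "pid": 5, "ppid": 2, "proc": "winword.exe"},
    {"host": "ws-02", "pid": 1, "ppid": 0, "proc": "explorer.exe"},
    {"host": "ws-02", "pid": 4, "ppid": 1, "proc": "excel.exe"},
]

# Constructed live telemetry: on ws-01 a document opened from mail spawns a shell.
LIVE = [
    {"host": "ws-01", "pid": 1, "ppid": 0, "proc": "explorer.exe"},
    {"host": "ws-01", "pid": 2, "ppid": 1, "proc": "outlook.exe"},
    {"host": "ws-01", "pid": 7, "ppid": 2, "proc": "winword.exe"},
    {"host": "ws-01", "pid": 8, "ppid": 7, "proc": "powershell.exe"},
    {"host": "ws-02", "pid": 1, "ppid": 0, "proc": "explorer.exe"},
    {"host": "ws-02", "pid": 4, "ppid": 1, "proc": "excel.exe"},
]

def lineage_pairs(events):
    """Yield (host, parent process, child process) for each launch in a window."""
    by_pid = {(e["host"], e["pid"]): e["proc"] for e in events}
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]), "<root>")
        yield e["host"], parent, e["proc"]

def build_baseline(events):
    """Per-device set of (parent, child) pairs observed during normal operation."""
    baseline = {}
    for host, parent, child in lineage_pairs(events):
        baseline.setdefault(host, set()).add((parent, child))
    return baseline

def entry_chain(events, host, pid):
    """Walk ppid links back to the root: a rough trace of the point of entry."""
    by_pid = {e["pid"]: e for e in events if e["host"] == host}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["proc"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect(events, baseline):
    """Flag launches whose (parent, child) pair is new for that device; each alert
    carries the containment action and the parent chain back to the root."""
    alerts = []
    for e, (host, parent, child) in zip(events, lineage_pairs(events)):
        if (parent, child) not in baseline.get(host, set()):
            alerts.append({"isolate_host": host, "kill_pid": e["pid"],
                           "entry_chain": entry_chain(events, host, e["pid"])})
    return alerts
```

A device with no baseline at all (an unknown host) has every launch flagged, which is the conservative choice for an agent that has just been deployed.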
Limitations of EDR
While EDR is extremely valuable, it presents several challenges for organizations:
- EDR relies heavily on data collection agents, which creates several problems. Agents need to be deployed on all endpoints, which is complex and error-prone in an enterprise setting. There is also the potential for bad actors to take control of agents, contaminate security data in the EDR system, and even use agents to compromise the endpoint.
- It is difficult or impossible to deploy EDR agents on many IoT devices. These devices are often insecure and extremely vulnerable to attacks.
- EDR adds one more tool to the already bloated tool stack used in the modern Security Operations Center (SOC). This adds complexity and overhead for security analysts, who are already stretched thin.
- EDR offers a narrow view, because it only monitors endpoints. It cannot combine endpoint data with security events occurring at the network level, or data from other security tools, which may be extremely relevant for responding to an incident.
- Modern operating systems provide fairly advanced endpoint protection tools, such as Microsoft Defender Advanced Threat Protection, which offers capabilities roughly equivalent to some commercial EDR tools. This makes it less valuable to invest in and deploy a full EDR solution.
XDR: The Future of EDR
A Lockheed Martin paper published in 2011 described the concept of the kill chain. The concept is simple – instead of setting up security controls and assuming bad actors will encounter them, the organization can analyze all the steps required for an attacker to succeed in a security breach.
In the context of an endpoint, the attacker’s goal is typically to gain access to an endpoint, compromise it, use it to perform lateral movement and access other, more sensitive assets, and finally exfiltrate the data. The kill chain model encourages the organization to place security controls at every stage of the kill chain, ensuring that attackers will hit an obstacle at every step of their campaign.
In recent years, EDR became yet another cyber defense tool in a series of defenses. Organizations deployed it so that if and when an attacker accessed an endpoint, the organization would be able to record the attacker's activity and stop them. But this misses the broader view of the entire kill chain, which goes far beyond endpoints.
XDR extends the concept of EDR. Instead of just recording what happens on an endpoint, it enables the organization to record the entire kill chain. It can provide complete visibility into all phases of the attack, enabling the organization to automatically stop the attacker, or launch a manual investigation and response, at every stage.
With XDR, security teams can monitor any change to the environment, regardless of where it originates. The IT environment is growing in complexity, with employees using smartphones and personally owned computers, a huge proliferation of cloud-based infrastructure and services, and container-based systems that launch huge distributed clusters, in which each individual container can be compromised. XDR makes it possible to pick up suspicious activity in any of these locations and “connect the dots” to other activity at the network or endpoint level.
Here is how XDR can improve operational efficiency of security teams, and by extension, help them identify and respond to incidents faster and more effectively:
- XDR implements the kill chain model in today’s complex IT environment, going beyond traditional endpoints, to combine data from all possible data sources.
- XDR is a unified platform, rather than a medley of tools that need to be integrated and operated separately. This makes it easy to deploy, update, scale, and manage.
- XDR reduces the need for in-depth training and additional certification for security teams, because it consolidates multiple security capabilities in one unified interface and workflow.
- XDR creates a broad view that allows the entire security organization to identify bad actors in real time, across multiple layers of the IT environment. It enables them to respond in an agile manner to the attacker’s current stage in the kill chain. Unlike with EDR, analysts can respond to threats before the attacker reaches an endpoint, or after they have compromised the endpoint and moved on.
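As an added example that is not part of the article, the following Python script shows the "connect the dots" idea from the XDR discussion above: constructed events from an email gateway, an endpoint agent, a network sensor and a cloud service are joined into one incident by the user and host they share, then ordered by kill chain stage, and the result is compared with what an endpoint-only view of the same host would show. Source names, field names and the per-event stage tags are assumptions for this example; the stage list follows the Lockheed Martin model.

```python
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed events (example data, not from the article); each source tags the
# entities it knows about. The last event belongs to an unrelated host.
EVENTS = [
    {"t": 100, "source": "email_gateway", "stage": "delivery",
     "user": "alice", "detail": "macro attachment allowed through"},
    {"t": 130, "source": "endpoint", "stage": "exploitation",
     "user": "alice", "host": "ws-01", "detail": "winword.exe spawned powershell.exe"},
    {"t": 135, "source": "endpoint", "stage": "installation",
     "user": "alice", "host": "ws-01", "detail": "new scheduled task created"},
    {"t": 160, "source": "network", "stage": "command_and_control",
     "host": "ws-01", "detail": "periodic beacon to a new external domain"},
    {"t": 200, "source": "cloud", "stage": "actions_on_objectives",
     "user": "alice", "detail": "bulk download from file share"},
    {"t": 205, "source": "network", "stage": "reconnaissance",
     "host": "ws-09", "detail": "port scan of internal subnet"},
]

def correlate(events, seed):
    """Grow an incident from one seed event by shared user/host, transitively,
    and return it ordered by kill chain stage (then by time)."""
    incident = [seed]
    entities = {(k, seed[k]) for k in ("user", "host") if k in seed}
    changed = True
    while changed:
        changed = False
        for e in events:
            keys = {(k, e[k]) for k in ("user", "host") if k in e}
            if e not in incident and keys & entities:
                incident.append(e)
                entities |= keys
                changed = True
    return sorted(incident, key=lambda e: (KILL_CHAIN.index(e["stage"]), e["t"]))

def edr_view(events, host):
    """What an endpoint-only tool sees for a host: its own agent's events."""
    return [e for e in events if e["source"] == "endpoint" and e.get("host") == host]

def stages_covered(incident):
    """Kill chain stages the correlated incident gives the analyst visibility into."""
    return [e["stage"] for e in incident]
```

Seeding from the endpoint alert, the correlated incident begins at the delivery stage on the email gateway, before the endpoint was touched, and ends at the cloud service after the attacker had moved on from it.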
This article discussed how EDR tools help identify and respond to threats on endpoints, but are limited because of their narrow view of the security environment. XDR can take the EDR concept one step further, giving organizations a unified view of security events across multiple layers of the IT environment, and responding to attackers wherever they are, at any stage of the kill chain. XDR also introduces operational efficiencies, because it is not yet another tool for analysts to integrate and manage separately, but a unified platform that consolidates investigation and response activity in one interface.
Author Bio: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.
Gilad is a guest blogger. All opinions are his own.