No, You Don’t Need EDR

By Daniel Petrillo , Director of Security Strategy, Morphisec

Endpoint detection and response (EDR) solutions, and their evolution — extended detection and response (XDR) platforms — are increasingly popular. To underscore that point, the market was valued at $1.81 billion in 2020, according to Mordor Intelligence, and looks to increase to $6.9 billion by 2026 for a CAGR of 25.6% over the next five years. This is huge as more companies start to look into adding EDR functionality, whether through buying software or buying managed services, into their security stack.

Vendors and industry analysts are paying attention, with Gartner expecting most endpoint protection suites to include EDR/XDR functionality in their platforms and more deals going toward blended solutions. Ultimately, the idea of detecting threats and responding quickly is now viewed as table stakes in cybersecurity. It goes along with the common idea that there’s no way to prevent a breach, so you’d better be able to quickly stop and remediate it to limit the damage.

Here’s the thing: this is no longer the case.

Most organizations cannot realize the full value of EDR solutions with their staff and budget, and the current market push among the vendor community does a disservice to resource-stretched IT and security teams. Outside of a few large companies with enough budget to staff up a security operations center, to be quite honest, EDR is even kind of useless. It also distracts from more effective and efficient ways to improve security.

Why EDR Became Important

Traditional antivirus solutions do one thing very well: block malware that has a known signature . What they don’t do is block in-memory attacks or fileless malware; if there isn’t a signature associated with it, traditional AV will be evaded. So-called “next-gen” AV that leverages machine learning is meant to close this gap, attempting to classify files as malicious or benign without the use of signatures. NGAV also doesn’t do that very well, but that’s a topic for a different article.

EDR/XDR tools are meant to add the extra layer needed to detect attacks that can’t be prevented. They do this through continuous collection and interrogation of endpoints telemetry (and more in the case of XDR). Theoretically, when the EDR solution delivers an alert, the security team can investigate and decide whether or not to respond. If a response is required, the idea is that most damage can be avoided even after initial access into a network. Seems like a good idea, right?

With that idea in mind, the market grabbed hold of EDR/XDR as a solution class and began pushing it as a critical need in the corporate security stack. The problem is that EDR doesn’t actually make your organization safer on its own; if anything, all it does is add more work for IT teams that are already overwhelmed and under-resourced.

Why EDR Won’t Make You Safer

EDR solutions are not enough to actually defend against the kinds of advanced cyber-attacks that threaten your organization every day. The market agrees too. Sixty-five (65) percent of the companies who lack an endpoint detection and response solution, according to Ponemon, said they don’t have one because it’s not effective against new or unknown threats. Consider that AV-TEST has collected more than 1 billion distinct types of malware and potentially unwanted applications as of early 2021. There is no way that any solution can detect every possible variant with any reliability.

Beyond that though, is the substantial time-investment required to make EDR work. The average EDR/XDR solution generates 11,000 alerts every day. Each of those alerts can take upwards of 10 minutes to investigate and determine whether it’s a false positive or not. Basic back-of-the-envelope math means that you’d need to hire 229 L3 analysts to work 8 hour shifts each day just to clear all those alerts.

EDR vendors recognize this, which is why managed detection and response (MDR) is now becoming more prominent. It’s also a large enough issue that separate product categories, like security orchestration automation and response (SOAR) are often added to the stack, as a means of dealing with an overwhelming number of alerts. Not every company that wants to access EDR capabilities has the budget to pay for the software and then staff up a security operations center of highly paid analysts to investigate alerts all day. So they hire a managed service provider.

This doesn’t do anything with the volume of alerts though. It’s still 11,000 alerts to sift through and determine which of them are real attacks and which are false positives. This creates security alert fatigue, a growing problem when 70% of IT leaders have seen the volume of security alerts they receive more than double since 2015.

There is no way to sift through all of those alerts to find the attacks that are real, and in fact threat actors are likely banking on that problem. It’s incredibly easy to confuse even the best machine learning algorithms, and even so-called “predictive” analytics software still needs to be updated with signals from existing attacks. A true zero day is likely to bypass these detection-centric tools just as much as it sails past traditional signature-based antivirus programs based on file scanning.

What to Do Instead of EDR

EDR is a great idea, but honestly most companies don’t need one. They don’t have the budget to fully staff up a SOC, or even hire dedicated security staff, and MDR services are pricey to access and offer limited value. What then is a company with limited budget for security — e.g., everyone outside the Fortune 500 — to do when they must protect themselves from fileless attacks, exploits, supply chain, and other living off the land attacks that regularly bypass antivirus?

What most companies need to do first is focus on the basics of IT hygiene: deploying patches on all their critical software, applying the principles of least privilege, leveraging native OS tools to secure their endpoints, and ensuring that they’re training employees on security awareness.

A strong patch/vulnerability management program can mitigate 14 techniques in the MITRE ATT&CK framework, spread throughout phases like Initial Access, Defense Evasion, and Lateral Movement. This is more than double the six techniques mitigated by NGAV/AV technologies, and more effective by far than trying to detect attacks in progress — especially when most modern attacks include a defense evasion component.

It’s also a common pathway for attackers. A study from 2019 found that in 60% of the attacks examined, adversaries took advantage of a vulnerability that could have been patched … but wasn’t. There are a lot of reasons why companies don’t patch as frequently as they should; the reality is that getting better at patching still improves your security far more than any detection tool.

More interesting though is that 30 techniques in the MITRE framework are mitigated solely by applying the principles of least privilege. Estimates suggest that nearly 80% of all attacks use privilege escalation in some capacity. What this means in practice is that you could put substantial barriers in the way of a high number of cyberattacks just by ensuring that admin privileges are suitably limited within the organization.

But reduced risk of privilege escalation isn’t the only benefit of careful privileged account management. Using MITRE’s free ATT&CK Navigator, privileged account management can mitigate dozens of techniques across most tactics, including initial access, execution, persistence, and more. The best part about this is that privileged account management is a free action that every company can take right now.

Security awareness training and leveraging native OS tools are the other two big free actions that companies can take right now. For Windows users, Microsoft has spent $1 billion a year since 2016 improving their cybersecurity capabilities. Many of those are already built into Windows 10, and they’re as good as the third-party solutions that you pay for. They even already include behavior-based analysis and machine learning, meaning they have feature parity with other solutions too.

There are some diminishing returns in security awareness training, unfortunately, with some reports saying that 3% of your employee base will click on a phishing link no matter how much training they have. That doesn’t mean don’t do it though. You can still substantially cut down on the risk of initial access with a regular education program on how to recognize scam emails and having an informed user base.

Final Thoughts

EDR/XDR platforms are great tools for the companies with enough budget to staff them correctly or hire someone else to do it for them. They’re not a silver bullet — nothing in cyber is, really — and in most cases they’re not even necessary for better protection. Honestly, buying an EDR tool without having the resources to properly use it is like purchasing a yacht when you don’t have the money to hire a crew for it.

Sure you own a yacht now, but without a skilled crew it’s not doing anything other than sitting in drydock. What most companies need is to go back to basics and ensure they’ve done the fundamentals. Then and only then can they go for the next phase and seek out protection from evasive modern attacks through extending their zero trust strategy fully to the endpoint (a topic for another article).

About the Author

Dan Petrillo is the Director of Security Strategy for Morphisec. Dan’s years of experience in cybersecurity strategy began when he was the Product Manager for an Industrial IoT company that needed to figure out a way to secure the IoT devices and software that remotely controlled the lighting and machinery for manufacturing facilities. This eventually led him to work for Cybereason just before taking his current position with Morphisec. Dan attended Northeastern University for his bachelor of science degree in Electrical Engineering. Dan can be reached on LinkedIn and at our company website www.morphisec.com