Traditional EDR won't cut it: why you need zero trust endpoint security
The early days of the internet, when antivirus software was the only protection from online threats, are long gone. Tools like Endpoint Detection and Response (EDR) were developed to fill the gap as antivirus became unable to keep up with newer forms of malware and the attacks that use it.
But even traditional EDR has its weaknesses — most notably that it only registers threats once they have penetrated your system. Your organization needs a zero trust endpoint security solution that stops threats before they execute in your environment.
From antivirus to endpoint detection and response
The development of EDR tools was the next step in cyber resiliency after antivirus began falling behind in its ability to stop malware.
The struggle began when the rate at which new malware was created and distributed far outpaced the rate at which new samples could be catalogued and blocked. The logical next step was a cybersecurity tool that could identify malware by the actions it takes, not just by its code.
Cybersecurity experts are continuously working to improve EDR tools to better detect and respond to threats faster and more accurately, introducing strategies including, but not limited to:
- Artificial intelligence (AI): The recent boom of AI has helped cybersecurity tools identify malware more frequently and with fewer false positives or negatives.
- Automated incident response: Most traditional EDRs have automations in place to take action as soon as the EDR notices a potential threat.
- Managed detection and response: Organizations can outsource the management of EDR tools to a product vendor. Vendors delegate an internal team to oversee alerts and take additional actions after any automated responses while also notifying the client.
The problem with traditional EDRs
Using malware obfuscation, threat actors can bypass both kinds of EDR identification technique: behavioral analysis, by scripting the malware to act like an end user, and signature matching, by altering the characteristics that would match known malware.
Additionally, cybercriminals are now using AI to streamline their malware generation process, creating malware at faster speeds and improving its ability to run without detection.
Another crucial problem with traditional EDRs and other detection-based tools is that they do not act until the malware is already running in the environment, so they can miss a cyberattack until it is already too late.
This means that malware could cause immense damage before traditional EDR tools notice and act, if they notice at all, and that the best they can do is reduce the amount of damage incurred.
Detection tools are not the future of endpoint security
The next step in cyber resilience is "zero trust" controls that enforce least privilege across applications, user access, data access, and network traffic.
Take, for example, application blocklisting versus application allowlisting. Blocklisting aligns with antivirus strategies in that it makes a list of what is known to be bad, blocks everything on that list from running, and allows everything else.
With application allowlisting, you create a list of the applications and software you trust and need and block everything else from running. Allowlisting is a zero trust method of application control that prevents known and unknown threats from running on your devices, preventing cyberattacks, like ransomware, from detonating.
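The contrast between the two policies is easiest to see on a concrete decision. The following is an added example, not ThreatLocker code: a hash-based blocklist and allowlist evaluated against three constructed executables (a trusted editor, a known-bad sample, and a never-seen-before binary) plus an updated build of the trusted editor. All paths, byte contents and list membership are invented for the example.

```python
"""Added example: default-allow (blocklist) vs default-deny (allowlist) application control."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes  # constructed stand-in for the file's bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed sample executables (hypothetical paths and contents).
TRUSTED_EDITOR = Executable(r"C:\Program Files\Editor\editor.exe", b"editor-build-4.2")
UPDATED_EDITOR = Executable(r"C:\Program Files\Editor\editor.exe", b"editor-build-4.3")
KNOWN_BAD = Executable(r"C:\Users\j.doe\Downloads\invoice.exe", b"catalogued-ransomware-family")
NEVER_SEEN = Executable(r"C:\Users\j.doe\AppData\Local\Temp\ad.exe", b"fresh-variant-no-signature-yet")

# Blocklist: what is known to be bad. Allowlist: what is known to be needed.
BLOCKLIST = {KNOWN_BAD.sha256()}
ALLOWLIST = {TRUSTED_EDITOR.sha256()}


def blocklist_decision(exe: Executable, blocklist=BLOCKLIST) -> str:
    """Antivirus-style policy: deny only catalogued hashes, allow everything else."""
    return "deny" if exe.sha256() in blocklist else "allow"


def allowlist_decision(exe: Executable, allowlist=ALLOWLIST) -> str:
    """Zero trust policy: allow only pre-approved hashes, deny everything else."""
    return "allow" if exe.sha256() in allowlist else "deny"


def compare(exes) -> dict:
    """Map each path to its (blocklist, allowlist) decision pair."""
    return {exe.path: (blocklist_decision(exe), allowlist_decision(exe)) for exe in exes}


if __name__ == "__main__":
    for path, (bl, al) in compare([TRUSTED_EDITOR, KNOWN_BAD, NEVER_SEEN]).items():
        print(f"{path}\n  blocklist: {bl}\n  allowlist: {al}")
    # The updated editor has a new hash and is denied until the allowlist is refreshed.
    print("updated editor under allowlist:", allowlist_decision(UPDATED_EDITOR))
```

The never-seen binary is the case that matters: the blocklist lets it run because nothing is known about it yet, while the allowlist denies it for exactly the same reason. The updated editor shows the operational cost of pure hash allowlisting: every legitimate update changes the hash and is denied until the list is refreshed, which is why allowlisting products typically also support rules based on publisher certificate or path, and a learning period before enforcement.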
How ThreatLocker fills security holes left by EDR
ThreatLocker is a zero trust endpoint protection platform that uses proactive controls to mitigate known and unknown cyber threats. The solutions that make up the ThreatLocker platform play a critical role in preventing cyberattacks from happening before an EDR can detect them:
- Allowlisting: Allows only the software you need to run and blocks everything else.
- Ringfencing: Places restrictions on what your allowed software can do, preventing the weaponization of trusted applications.
- Elevation Control: Removes all local admin privileges from the end user. Admin privileges can be delegated automatically to applications through ThreatLocker policies.
- Storage Control: Protects your data from unauthorized access or theft by setting granular policies over your storage devices.
- Network Control: Gives you complete visibility and control over all network traffic, including dynamic ACLs that can automatically open and close ports on your server to ensure that only trusted devices access your network resources.
- ThreatLocker Detect: Alerts you of indicators of compromise blocked by modules, such as when Allowlisting repeatedly blocks unknown software from running on your corporate device(s).
Case study: ThreatLocker protects hospital from ransomware gang
On January 15, 2024, an unnamed hospital was protected by ThreatLocker from a ransomware attack that would go on to devastate a second hospital, which was still connected to the initial hospital's network due to technological constraints.
The attack began when the threat actor breached the hospital’s site with stolen domain admin credentials purchased on the dark web and entered the network through the corporate VPN. At the time, the hospital did not have two-factor authentication enabled for VPN connections into the network due to a lack of budget.
Upon accessing the network, the ransomware gang attempted to install and run AnyDesk, a remote desktop application, which was immediately denied and blocked by default due to ThreatLocker application allowlisting. Understanding that they would not be able to run any malware in the environment, the threat actors moved laterally to attack the second hospital on the same network that was not protected by ThreatLocker.
ARK Technology Consultants, the hospital’s Managed Service Provider (MSP) and a ThreatLocker partner, discovered that there was an attempted cyberattack when they identified that someone had tried to clear event logs. ARK was able to observe the threat actor’s attempted activities via the ThreatLocker allowlisting and Storage Control modules’ event logs recorded in the unified audit.
The ransomware gang left behind a note claiming to have stolen terabytes of data from the first hospital, but the unified audit, with event logs from the Storage Control module, said otherwise. In reality, ThreatLocker Storage Control had blocked them from being able to read, write, or move the critical data, leaving the gang unable to steal anything of importance from the first hospital.
In the end, despite the ransomware gang having stolen domain admin credentials and VPN access to the hospital's network, they could not carry out their cyberattack: ThreatLocker's application allowlisting blocked AnyDesk from running, and Storage Control prevented them from exfiltrating or altering the files in the database.
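Two signals in this story are worth turning into detection logic: the Detect module's alert on repeated allowlist denials of unknown software on one device, and the MSP's discovery of the intrusion through an attempt to clear event logs. The following is an added example, not ThreatLocker code or the MSP's tooling: a small parser and alerting pass over constructed audit lines whose format is invented here. The Windows Security log clearing event is real (Event ID 1102), but the host names, paths and timestamps are made up.

```python
"""Added example: alert on repeated allowlist denials per host and on event-log clearing."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Invented line format for this example: ts host= module= action= detail=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) module=(?P<module>\S+) "
    r"action=(?P<action>\S+) detail=(?P<detail>.*)$"
)

# Constructed sample audit lines (not a real product's log format).
SAMPLE_LOG = """\
2024-01-15T02:10:01Z host=HOSP-WS07 module=Allowlisting action=deny detail=C:\\Users\\j.doe\\Downloads\\AnyDesk.exe
2024-01-15T02:10:44Z host=HOSP-WS07 module=Allowlisting action=deny detail=C:\\Users\\j.doe\\AppData\\Local\\Temp\\ad.exe
2024-01-15T02:11:30Z host=HOSP-WS07 module=Allowlisting action=deny detail=C:\\ProgramData\\svc\\update.exe
2024-01-15T02:12:05Z host=HOSP-WS07 module=StorageControl action=deny detail=read \\\\FS01\\PatientRecords
2024-01-15T02:14:20Z host=HOSP-WS07 module=Windows action=log_cleared detail=Security EventID=1102
2024-01-15T09:00:00Z host=HOSP-WS12 module=Allowlisting action=deny detail=C:\\Users\\a.lee\\Downloads\\zoominstall.exe
"""


def parse(log_text: str) -> list:
    """Parse matching lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Return (host, alert_type, detail) tuples.

    - repeated_allowlist_denials: `threshold` or more denials on one host within `window`
      (fires once per host so a noisy host does not flood the queue).
    - event_log_cleared: any log-clearing event, which is rarely benign on an endpoint.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent denials
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["module"] == "Allowlisting" and ev["action"] == "deny":
            q = recent[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and host not in fired:
                fired.add(host)
                alerts.append((host, "repeated_allowlist_denials", len(q)))
        elif ev["action"] == "log_cleared":
            alerts.append((host, "event_log_cleared", ev["detail"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The sliding window is the design choice that matters: a single denied download on HOSP-WS12 is normal user behaviour and produces nothing, whereas three denials within minutes on HOSP-WS07 followed by a cleared Security log is the pattern of someone who already holds credentials and is trying to establish tooling. Because the controls denied the executions, the alert is a post-containment signal for the investigator rather than the thing that stopped the attack, which is the relationship between Detect and the other modules the article describes.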
Zero trust endpoint protection for the future
A full security strategy still calls for detection tools like EDR and antivirus so that all bases are covered. These tools act as your last line of defense against cyber threats. But traditional EDR and other detection tools can no longer be relied on as a complete security strategy.
ThreatLocker provides proactive security controls to prevent cyberattacks in the first place, not react to them after they are already happening. ThreatLocker places controls over applications, data, and user privilege, then alerts you of indicators of compromise via ThreatLocker Detect.
ThreatLocker Detect is different from traditional EDR, which is typically an organization's first line of defense. ThreatLocker Detect, by contrast, is the last line of defense, because the other ThreatLocker modules will already have prevented most endpoint-based cyberattacks.
On top of this, ThreatLocker Cyber Hero MDR combines ThreatLocker Detect’s capabilities with 24/7/365 managed response service, giving you expert support to investigate and respond to threats as they emerge.
To learn more about how you can implement a proactive approach to securing your environment, book a demo with ThreatLocker today.