Today, Endpoint Detection and Response (EDR) is approached as an essential part of EPP. Central to EDR is the detection of attackers that evaded the prevention layer of an EPP solution and are active in the target environment.
In this article, we’ll provide an overview of the endpoint security market and offer insight into EDR security capabilities. We’ll also address 6 top EDR tools, covering their solution scope, delivery, and EDR features.
The Endpoint Security Market
According to Gartner:
“An Endpoint Protection Platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts.”
In 2018, the endpoint security market was valued at $11.18 billion, and it is predicted to reach a value of $19.69 billion by 2024. The market is characterized by:
- Enterprise adoption of SaaS-based or cloud-delivered endpoint security solutions is growing—benefits attracting companies, including computing scalability, reduced costs, and low maintenance demands.
- More endpoints with more sensitive data—the number of enterprise endpoints is growing, and with increased connectivity, collaboration and data sharing, there are much higher changes an endpoint will contain sensitive organizational data.
- Endpoints are a gateway for attackers—in the past two decades organizations invested major resources in safeguarding the network perimeter. Attackers have found it is much easier to penetrate organizations by sidestepping network defenses and directly penetrating endpoints.
- Endpoint agent consolidation—while in the past, multiple security tools were installed on endpoints, today the trend is towards consolidation, where one platform with a single software footprint is installed on an endpoint, providing multiple security solutions, and enabling central management of security functions.
- Consolidation of EPP and EDR—Endpoint Protection Platforms (EPP) and Endpint Detection and Response (EDR) tools are no longer considered two separate systems, but are not offered together. The term Endpoint Protection Platform has been expanded to include EDR as well.
EDR Security Capabilities
Endpoint Detection and Response (EDR) is today considered an essential part of EPP. EDR focuses on detecting attackers that evaded the prevention layer of an EPP solution—legacy antivirus and Next-Generation Antivirus—and are now active in the target environment.
EDR can detect an attack has taken place, take immediate action on the endpoint to prevent the attack from spreading, and provide real-time forensic information to help investigate and respond to the attack.
EDR tools have three key mechanisms:
- Endpoint data collection—aggregates data from endpoints including process execution, communication, and user logins.
- Detection engine—uses behavioral analytics to understand what represents normal endpoint activity, discover anomalies, and determine if they are severe enough to represent a security incident or attack.
- Data recording—provides security teams with real-time forensic data about security incidents on endpoints, which they can use to investigate and respond to an incident. EDR tools also provide a central management console which lets security teams see information about endpoints and threats across the enterprise.
Top 6 EDR Tools
Below is a quick review of our top 6 endpoint protection tools that include an EDR component: FireEye, Symantec, RSA, CrowdStrike, Cybereason, and our own Cynet Security Platform. For each vendor we explain the context of the EDR module within the broader security solution, and list EDR features as described by the vendors.
1. Cynet 360 Security Platform
Solution scope: The 360 Security Platform is an integrated security solution that goes beyond endpoint protection, offering NGAV, EDR, UEBA, deception, network monitoring and protection.
Delivery: On-premise, cloud, hybrid
- Correlation—leverages the integrated security platform, provides visibility into network traffic and user activity, together with endpoint-specific activity
- Validation—correlation of all activity signals enables strict validation on any suspicious behavior, reducing false positive
- Alert—provides full context for rapid and efficient triage, prioritization and onward steps on a single screen
- Deep investigation—instant access to data from all endpoints, with granular search filters to go beyond the local detected event and view all related malicious activity
- Remediation—enables control at the host, file and process level—from complete host isolation to surgical actions like scheduled task deletion
- Automation—enables custom remediation workflows that are applied automatically when a similar incident recurs
- Threat hunting—provides validated IOCs remediation actions, enabling analysis to hunt for threats across the environment and uncover hidden attack instances
The Need for a Holistic Cybersecurity Solution
EDR solutions exclusively pay attention to the process behavior that prompts alerts. Organizations can use EDR tools in response to specific parts of common Tactics, Techniques, and Procedures (TTP) attackers use. However, EDR products are blind to other forms of attacks.
Let’s consider the example of credential theft. The default method used by attackers involves dumping password hashes from memory using customized tools or an open source tool. The attack method includes anomalous behavior, thus an EDR tool should recognize these types of attacks. However, an attacker can obtain the same hashes by scraping the network traffic between two hosts, a process that doesn’t involve anomalous activity.
Another example involves the attack technique of lateral movement. In this scenario, the attacker may manage to compromise many user account credentials and logs, related to many hosts in the network. In this example, the anomaly is the user activity and not the process behavior. The EDR would thus not detect the attack at all or would see the attack but without sufficient context, thus triggering false positives. Therefore, process data is essential, but organizations cannot rely on it as the only source of their security data.
Another limitation of EDR tools is that they are limited to endpoints and cannot help mitigate attacks or restore operations at the network or user level.
Cynet 360 holistic cybersecurity solution
Cynet 360 platform is a comprehensive cyber solution that is created to run in the entire environment of an organization and not only its endpoints. To do so, Cynet 360 safeguards all attack surfaces by tracking the three planes; network traffic, process behavior, and user activity. Attackers often manifest themselves on one or several of these three planes.
Continuous monitoring to detect and stop threats across this triad offers increased threat visibility. Organizations can have the chance to monitor more stages in the attack’s lifecycle so they can more effectively identify and block threats.
Cynet 360 threat protection is not restricted to attack detection and prevention. Using Cynet organizations can proactively monitor their internal environment, including endpoints, files, network, and hosts. This can help them reduce the attack surface and the possibility of multiple attacks. The response of an organization to active attacks must work to enclose the capabilities of the attacker to eradicate the presence of the attacker entirely. This involves deleting malicious processes and files, disabling compromised users, isolating infected hosts and blocking traffic controlled by the attacker.
2. Symantec Endpoint Protection
Solution scope: Symantec’s endpoint solution includes legacy antivirus, NGAV with emulator for detecting hidden packages, memory exploit prevention, deception technology, device network firewall and intrusion prevention, and EDR.
Delivery: Virtual or physical appliance
- Targeted Attack Analytics (TAA)—combines local and global telemetry, artificial intelligence, and threat intelligence to expose attacks
- Enables searching, identifying, and containing impacted endpoints
- Allows analysts to investigating threats using on-premises and cloud-based sandboxes
- Rapidly fixes endpoints when malicious activity is detected
- Integrates with existing security tools and public APIs
3. RSA NetWitness Endpoint
Solution scope: RSA NetWitness Endpoint is a solution focused on EDR capabilities. Malware protection, network monitoring, log analysis and other capabilities are offered as part of the broader NetWitness Platform.
Delivery: Physical or virtual appliance
- Continuous Endpoint Monitoring—visibility into processes, executables, events and user behavior
- Rapid Data Collection—creates endpoint inventories and profiles in minutes, using a lightweight agent
- Scalable and Efficient—scales easily to hundreds of thousands of endpoints, storing data in a central database
- Behavioral Detection with UEBA—baselines “normal” endpoint behavior, detects deviations, and prioritizes incidents based on potential threat level
- Analyzes root cause and full attack scope
4. CrowdStrike Falcon Insight
Solution scope: Falcon Insight is an EDR module as part of the Falcon Endpoint Protection Enterprise solution, which also includes NGAV, threat intelligence, USB device protection, and threat hunting.
- Automatically uncovers stealthy attackers—applies behavioral analytics to detect traces of suspicious behavior.
- Integrates with threat intelligence—faster detection of the activities, tactics, techniques and procedures identified as malicious
- Real-time and historical visibility—hundreds of security-related events such as process creation, drivers loading, registry modifications, disk access, memory access, network
- Fast remediation and real-time response—isolates an endpoint under attack from the network; provides built-in remote execution commands including deleting a fill, killing a process, running a script, restart/shutdown
- Information collectors—enable analysts to explore file system, list running processes, retrieve Windows event lots, extract process memory, collect environment variables, etc.
- Remediation actions enable teams to take action to contain or remediate a threat with speed and decisiveness including:
5. Cybereason Endpoint Detection and Response
Solution scope: A module within the Cybereason Defense Platform, which also includes NGAV and Managed Detection and Response (MDR).
Delivery: Cloud or on-premises
- Threat examination—shows entire process tree, timeline, and all malicious activity across machines for each process
- Third party alerts—combines EDR data with alerts from firewall and SIEM tools
- Attack full scope—see all related attack elements, including root cause, affected machines and users, incoming and outgoing communications, attack timeline
- Customization—custom rules and behavioral whitelisting
- Guided remediation—execute commands from a complete remediation toolbox on the endpoint, enables access to remote shell
- Enterprise-wide remediation—responds to threats affecting many machines, by executing remediation actions on all affected machines in one step
6. FireEye Endpoint Security
Solution scope: Endpoint solution including an agent with four detection engines, NGAV capabilities, and EDR.
Delivery: Appliance or cloud
- Triage Viewer and Audit Viewer—enables analysis of threat indicators
- Enterprise Security Search—helps analysts find and contain threats
- Data Acquisition—in-depth endpoint inspection and analysis
- Exploit Guard—detects and alerts on endpoint exploit processes
Source: Top 6 EDR Tools Compared