How Should We Think About Endpoint Security? Along with promoting Zero Trust Architecture for , I see more and more discussion about EDR, MDR, and XDR. But before going into details about the pros and cons, I want to set the common field and introduce the basics about their differences. cybersecurity In May, the US government released that requires federal agencies to deploy endpoint detection and response (EDR) tools. Apart from that, on the 8th of October, the Office of Management and Budget (OMB) from the Whitehouse that clarifies how agencies should move forward on deploying EDR tools. an executive order issued a memo The memo was not just beneficial for federal agencies. It also helps organizations to assess their current endpoint capabilities. Then, as agencies adopt EDR, we could use them as a reference for other industries and explore the possibility and necessity of extending the EDR to XDR. But, first, let’s go through the basics — The definition of EDR, MDR, and XDR. What is EPP — Endpoint Protection Platform? According to a on McAfee Enterprise, a long-term endpoint solution provider, post “An endpoint protection platform provides a framework for data sharing between endpoint protection technologies. This provides a more effective approach than a collection of siloed security products that lack the ability to communicate.” Endpoint protection platforms aim to prevent traditional threats like known malware and advanced threats like fileless attacks, ransomware, and zero-day vulnerabilities. An EPP detects malicious activity using several techniques: — detecting threats using known malware signatures Signature — analyzing binaries and searching for malicious characteristics before execution using machine learning algorithms (also known as “ ”) Static analysis pre-execution analysis — EPP solutions can determine the baseline of endpoint behavior and identify behavioral anomalies, although there is no known threat signature (also known as “ ”) Behavioral analysis post-execution analysis — blocking access or only permitting access to specific IP addresses, URLs, applications, and processes. Allowlisting and blocklisting — testing for malicious behavior of files by executing them in a virtual environment before allowing them to run Sandbox EPPs typically provide employing the following tools: passive endpoint protection Data encryption, potentially with some data loss prevention capabilities Antivirus and Next-Generation Antivirus (NGAV) Host-based firewall protecting the endpoint Extra: Desirable EPP Characteristics According to , robust EPP solutions are allowing the continuous monitoring and collection of activity data, along with the , whether the endpoint is on the corporate network or outside of the office. Gartner primarily cloud-managed, ability to take remote remediation actions In addition, these solutions are cloud-data-assisted, meaning the endpoint agent but can check a cloud resource to find the latest verdicts on objects that it cannot classify. does not have to maintain a local database of all known IOCs What is EDR — Endpoint Detection and Response? Anton Chuvakin suggested the term “EDR” at to describe emerging security solutions that detect and investigate suspicious activities on hosts and endpoints, using a high degree of automation to enable security teams to quickly identify and respond to threats. Gartner This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and tools’ primary usage for both detection and incident response. While some may argue that “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long). Also, according to the , EDR platforms combine: OMB memo “ (for example, networked computing devices such as workstations, mobile phones, servers) ” real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The primary functions of an EDR platform are: Continuous monitor and collect activity data from endpoints that could indicate a threat, Analyze this data to identify threat patterns, Automatically respond to identified threats to remove or contain them, Notify security team or SOC team when threat is recognized, and Act as a forensics and analysis tool to research identified threats and search for suspicious activities. With that in design, EDR provides increased visibility compared with traditional cybersecurity solutions and responds to advanced forms of cyber-threats, such as: Polymorphic malware, Fileless Attack, Advanced persistent threats (APTs), and Phishing or Social Engineering Attack. Extra: New Capabilities of EDR EDR is also recognized as an “essential component” for transitioning to . “No blindspot” is one of the reasons organizations deploy EDR to ensure they can monitor activities running inside workloads. zero-trust architecture Additionally, new investigative capabilities in some EDR solutions can in an investigative process. These new capabilities can learn an organization’s baseline behaviors and use this information with various other threat intelligence sources to interpret findings. leverage AI and machine learning to automate the steps Another type of threat intelligence is . It is a knowledge base and framework built on the study of millions of real-world cyberattacks. An EDR can correlate these common behaviors to identify threats that may have been altered in other ways. the MITRE ATT&CK framework Comparing EPP and EDR Solutions Traditional EPP tools provide essential security capabilities like anti-malware scanning, while EDR tools implement more advanced security incident detection and investigation features. However, EDR requires active investigation and analysis by security experts to respond to threats appropriately. In contrast, EPP software runs with minimal supervision needed after its initial installation and configuration. EDR does not make EPP an unnecessary tool, although people may think EDR is more powerful. Instead, organizations that need robust endpoint security measures should take a holistic approach covering traditional and advanced security threats. Nowadays, the endpoint protection market has become somewhat problematic. For example, EPP vendors add EDR capabilities to their products and vice versa. Those products’ offering blurs the line and makes it the customer more challenging to distinguish between them. Luckily, we now have the to help organizations map product capabilities into a MITRE D3FEND Framework common language of “countermeasure techniques.” EPP and EDR require characters of each other to be considered a holistic endpoint security solution. These two types of endpoint protection systems complement and do not replace each other. Organizations should combine both in their cybersecurity strategy. What is MDR — Managed Detection and Response? EDR platform provides excellent insights and visibility to the security team to actively monitor what’s happening inside their infrastructure. However, security teams often spend too much time watching and validating alerts, limiting their ability to address other security needs. Even more concerning, when attacks happen, security analysts are limited by the tools and data available for analysis in their environment. Thus, adding a managed component to EDR, makes the captured data more robust. MDR — managed detection and response , ideally by a team of security experts. As notes on its website, MDR provides: extend a human component that augments EDR platforms VMware Carbon Black “24x7x365 continuous threat monitoring, detection and response activities — security experts proactively validate alerts and send email notifications, helping to assure that your team doesn’t miss the alerts that matter.” Although there are different types of MDR service offerings, some key capabilities should be in place, such as: Resource augmentation aids SecOps teams in tasks that require specialized skill sets, such as t hreat hunting, forensic investigations, and incident response Increased security maturity to proactive and available 24x7 threat management Faster time to value delivers a curated technology stack, security experts, and operational best practices to reduce detection and response times to days, not years Reduced mean time to detect (MTTD) and mean time to respond (MTTR) guarantee inside a fixed, time-based service level agreement (SLA) faster detection of and response to advanced threats XDR — Extended Detection and Response As the name hints, XDR tools represent Palo Alto Networks CTO, in 2018, XDR aims to break down conventional security silos and . an extension of traditional EDR platforms. Coined by Nir Zuk, deliver detection and response across all data sources As such, according to : Palo Alto Networks “XDR provides a far more robust view across networks, cloud workloads, servers, and endpoints. One of the limitations that we see with focusing solely on EDR (endpoints) versus XDR (endpoints, cloud, networks, etc.) is that it requires the security team to do the work manually that XDR automates.” While its competitor, defined XDR in on its website: Checkpoint, a post “XDR solutions integrate security visibility across an organization’s entire infrastructure, including endpoints, cloud infrastructure, mobile devices, and more,” “This simplifies security management and enforcement of consistent security policies across the enterprise.” single pane of glass visibility and management Palo Alto Networks and Checkpoint described XDR as an extension of EDR in an integrated operation. Interestingly, analytic firms look at XDR from another angle; described XDR as: Gartner “a SaaS-based, vendor-specific, security threat detection and incident response tool that ” natively integrates multiple security products into a cohesive security operations system. While described XDR as a more extensive way: Forrester Research XDR , such as NAV, email security, identity and access management (IAM), cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. unifies security-relevant endpoint detections with telemetry from security and business tools All in all, XDR tools focus on security integration and aggregating data from across organizations to provide the context needed to detect sophisticated and distributed attacks. Still, XDR products are limited today on the capabilities they can deliver. Most of the solutions can extend their endpoint capabilities to varying extents, but in most cases, they cannot wholly replace security analytics platforms (SIEM or SOAR). That said, XDR is on a journey, and soon we will see XDR and analytics platforms collide. Final Words Endpoint security will exist as long as we use computers. But the definition would change — from EPP and EDR to a more hybrid and comprehensive set of capabilities to counter the constantly evolving cyber-threats. EDR was designed to provide improved the traditional method as it provided coverage for a primary component in an attack: endpoints. The result was proactive endpoint protection that covered many security gaps and blind spots from EPP. perimeter-wide protection for a system, However, effective use of EDR still requires collaboration with other tools and processes. It cannot protect your system on its own. It also cannot provide complete visibility of your system. Instead, it can provide limited visibility into what actions attackers are taking on your endpoints. If you want to know what happened throughout the attack, you need to bring in other monitoring and detection tools, such as network threat analysis (NTA) or network detection and response (NDR). This integration of detection systems helps us determine a more accurate picture of past attacks as well as attacks in progress which is especially critical as networks become more distributed and more external services are incorporated and provide system access. Therefore, the cybersecurity industries are looking into XDR, which was designed to fill this information gap. Unlike EDR, it can provide visibility into every phase of an attack, from the endpoint to the payload. By integrating XDR into your security platform, you can examine the information from across your systems. Thank you for reading. May InfoSec be with you🖖. Previously published behind a paywall here .

Identity and Access Management - IGA, IAM, and PAM Explained

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

2021 - HackerNoon Contributor of the Year - CULTURE

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

CTA: Download the FREE AI Productivity Shift report

Defining the Difference Between EPP, EDR, MDR & XDR

Defining the Difference Between EPP, EDR, MDR & XDR

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Agentic AI Are Cybersecurity Nightmare You Can't Ignore

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Agentic AI Are Cybersecurity Nightmare You Can't Ignore

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps