EDR, or Endpoint Detection and Response, is a modern replacement for Antivirus security suites. For decades, organisations and businesses have invested in Antivirus suites in the hope of solving the challenges of enterprise security. But as the sophistication and prevalence of malware threats has grown over the last ten years, so the shortcomings of what is now referred to as “legacy” Antivirus have become all too apparent.
In response, some vendors rethought the challenges of enterprise security and came up with new solutions to the failures of Antivirus. How does EDR differ from Antivirus? How and why is EDR more effective than AV? And what is involved in replacing your AV with an advanced EDR? You’ll find the answers to all these questions and more in this post.
What Makes EDR Different from Antivirus?
In order to adequately protect your business or organisation against threats, it is important to understand the difference between EDR and traditional or “legacy” Antivirus. These two approaches to security are fundamentally different, and only one is appropriate for dealing with modern threats.
Features of Antivirus
Back in the days when the number of new malware threats per day could comfortably be counted in a spreadsheet document, Antivirus offered enterprises a means of blocking known malware by examining – or scanning – files as they were written to disk on a computer device. If the file was ‘known’ to the AV scanner’s database of malicious files, the software would prevent the malware file from executing.
The traditional Antivirus database consists of a set of signatures. These signatures may contain hashes of a malware file and/or rules that contain a set of characteristics the file must match. Such characteristics typically include things like human-readable strings or sequences of bytes found inside the malware executable, file type, file size and other kinds of file metadata.
Some antivirus engines can also perform primitive heuristic analysis on running processes and check the integrity of important system files. These “after-the-fact” or post-infection checks were added to many AV products after the flood of new malware samples on a daily basis began to outstrip AV vendors’ ability to keep their databases up-to-date.
In light of growing threats and the declining efficacy of the Antivirus approach, some legacy vendors have tried to supplement Antivirus with other services such as firewall control, data encryption, process allow and block lists and other AV “suite” tools. Generically known as “EPP” or Endpoint Protection Platforms, such solutions remain based at heart on a signature approach.
Features of EDR
While the focus of all AV solutions is on the (potentially malicious) files that are being introduced to the system, an EDR, in contrast, focuses on collecting data from the endpoint and examining that data for malicious or anomalous patterns in real time. As the name implies, the idea of an EDR system is to detect an infection and initiate a response. The faster an EDR can do this without human intervention, the more effective it will be.
A good EDR will also include capabilities to block malicious files, but importantly EDRs recognise that not all modern attacks are file-based. Moreover, proactive EDRs offer security teams critical features not found in Antivirus, including automated response and deep visibility into what file modifications, process creations and network connections have occurred on the endpoint: vital for threat hunting, incident response and digital forensics.
Pitfalls of Antivirus
There are many reasons why Antivirus solutions cannot keep up with the threats facing enterprises today. First, as indicated above, more new malware samples appear each day than any human team of signature writers can keep up with.
Secondly, detection via Antivirus signatures can often be easily bypassed by threat actors even without rewriting their malware. Since signatures only focus on a few file characteristics, malware authors have learned how to create malware that has changing characteristics, also known as polymorphic malware. File hashes, for example, are among the easiest of a file’s characteristics to change, but internal strings can also be randomised, obfuscated and encrypted differently with each build of the malware.
Thirdly, financially motivated threat actors such as ransomware operators have moved beyond simple file-based malware attacks. In-memory or fileless attacks have become common, and human-operated ransomware attacks like Hive, along with “double-extortion” attacks such as Maze, Ryuk and others, may begin with compromised or brute-forced credentials or with exploitation of RCE (remote code execution) vulnerabilities. These can lead to a compromise and loss of intellectual property through data exfiltration without ever triggering an Antivirus signature-based detection.
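To make the signature model concrete (and to show why the hash and string characteristics described above are so easy to slip past), here is a toy scanner in the spirit of a legacy AV engine. It is an added example for this post, not any vendor’s code; the three “builds” are constructed byte strings, not real malware, and the signature names, size bound and strings are all made up for illustration.

```python
import hashlib

# Constructed stand-ins for three builds of the same program. They are not real
# malware, just byte strings shaped like a DOS/PE header plus an embedded message.
HEADER = b"MZ\x90\x00"
BUILD_A = HEADER + b"PAYLOAD_v1 connects to c2.example.invalid" + b"\x00" * 8
BUILD_B = BUILD_A + b"\x00"          # one padding byte appended: new hash, same strings
BUILD_C = HEADER + b"P4YL04D_v2 connects to c2.example.invalid" + b"\x00" * 8  # string changed

# A toy signature database with the two entry kinds the text describes:
# a hash of a known-bad file, and a rule made of file characteristics.
SIGNATURES = {
    "hashes": {hashlib.sha256(BUILD_A).hexdigest(): "Trojan.Constructed.A"},
    "rules": [
        {
            "name": "Trojan.Constructed.Rule",
            "magic": b"MZ",               # file type: must start with the DOS header
            "max_size": 64,               # file size bound (hypothetical)
            "strings": [b"PAYLOAD_v1"],   # human-readable strings that must all be present
        }
    ],
}


def scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature the file matches, hash entries first."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures["hashes"]:
        hits.append(signatures["hashes"][digest])
    for rule in signatures["rules"]:
        # Cheap metadata checks first, then the byte/string search.
        if not data.startswith(rule["magic"]) or len(data) > rule["max_size"]:
            continue
        if all(s in data for s in rule["strings"]):
            hits.append(rule["name"])
    return hits


if __name__ == "__main__":
    for name, build in (("A", BUILD_A), ("B", BUILD_B), ("C", BUILD_C)):
        print(name, scan(build) or "no match")
```

Build A matches both the hash entry and the rule. Build B, which differs by a single appended byte, already evades the hash and is caught only by the string rule. Build C, where the embedded string has been rewritten, evades both, even though every one of the three builds would behave identically when run. Detection that keys on what the file *is* rather than what it *does* is only as good as the last build the signature writer saw.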
Benefits of EDR
With its focus on providing visibility to enterprise security teams, along with automated detection responses, EDR is much better equipped to cope with today’s threat actors and the security challenges that they present.
By focusing on the detection of unusual activity and providing a response, EDR is not limited to only detecting known, file-based threats. On the contrary, the primary value of the EDR proposition is that the threat does not need to be precisely defined in the way that it does for Antivirus solutions. An EDR solution can look for patterns of activity that are unexpected, unusual, and unwanted and issue an alert for a security analyst to investigate.
Moreover, because EDRs work by collecting a vast range of data from all protected endpoints, they offer security teams the opportunity to visualise that data in one convenient, centralised interface. IT teams can take that data and integrate it with other tools for deeper analysis, helping to inform the organisation’s overall security posture as it moves to define the nature of potential future attacks. The comprehensive data from an EDR can also enable retrospective threat-hunting and analysis.
Perhaps one of the greatest benefits of an advanced EDR is the ability to take this data, contextualise it on the device, and mitigate the threat without human intervention. Not all EDRs are capable of this, however, as many rely on transmitting EDR data to the cloud for remote (and, therefore, delayed) analysis.
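The following is an added example, not code from this post or from any EDR product, showing what the approach described in the last three paragraphs looks like in practice: rules that run over endpoint telemetry (process creations, file modifications, network connections) rather than over file contents, and an on-device response that fires without an analyst. The telemetry, process names, paths, thresholds and the two rules are all constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since boot (constructed clock)
    pid: int
    proc: str      # image name of the acting process
    kind: str      # "process_create", "file_modify" or "net_connect"
    detail: str    # parent image, file path or remote socket


# Constructed telemetry for one endpoint: ordinary document editing by winword.exe,
# then a child process that rewrites many documents in a burst and calls out.
TELEMETRY = [
    Event(100.0, 4242, "winword.exe", "process_create", "parent=explorer.exe"),
    Event(100.5, 4242, "winword.exe", "file_modify", r"C:\Users\a\Documents\q1.docx"),
    Event(101.0, 4242, "winword.exe", "net_connect", "203.0.113.10:443"),
    Event(200.0, 5150, "updater.exe", "process_create", "parent=winword.exe"),
] + [
    Event(200.0 + 0.3 * i, 5150, "updater.exe", "file_modify",
          rf"C:\Users\a\Documents\doc{i}.docx.locked")
    for i in range(8)
] + [
    Event(203.0, 5150, "updater.exe", "net_connect", "198.51.100.7:8443"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
MIN_FILES = 5     # distinct files one process must touch ...
WINDOW = 10.0     # ... within this many seconds to count as a burst (hypothetical values)


def office_spawns_child(events):
    """Process-creation rule: an Office application launching another process."""
    return [
        ("office_child_process", e.pid, e.proc)
        for e in events
        if e.kind == "process_create"
        and e.detail.removeprefix("parent=") in OFFICE_APPS
    ]


def mass_modify_then_connect(events):
    """Correlation rule: one process modifies MIN_FILES distinct files inside
    WINDOW seconds and opens an outbound connection in that same window."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        mods = [e for e in evs if e.kind == "file_modify"]
        for i, first in enumerate(mods):
            end = first.ts + WINDOW
            touched = {e.detail for e in mods[i:] if e.ts <= end}
            called_out = any(e.kind == "net_connect" and first.ts <= e.ts <= end for e in evs)
            if len(touched) >= MIN_FILES and called_out:
                alerts.append(("mass_modify_then_connect", pid, evs[0].proc))
                break   # one alert per process is enough to act on
    return alerts


def respond(alerts):
    """Automated on-device response: one action per offending pid, no analyst in the loop."""
    actions = {}
    for rule, pid, proc in alerts:
        entry = actions.setdefault(pid, {"proc": proc, "rules": [], "action": "kill_process"})
        entry["rules"].append(rule)
        if rule == "mass_modify_then_connect":
            entry["action"] = "kill_process_and_isolate_host"
    return actions


def run(events=TELEMETRY):
    alerts = office_spawns_child(events) + mass_modify_then_connect(events)
    return alerts, respond(alerts)


if __name__ == "__main__":
    found, taken = run()
    for a in found:
        print("alert:", a)
    for pid, act in taken.items():
        print(f"response for pid {pid} ({act['proc']}): {act['action']}")
```

Nothing here inspects the contents of updater.exe, so renaming it, repacking it or changing its hash would not change the outcome; what gets it flagged is the sequence of things it did. The same rules would fire on a script or an in-memory payload doing the same work, which is the gap the post describes between file-centric AV and behaviour-centric EDR. The response step is deliberately local to the device: it needs none of the telemetry to leave the endpoint first.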
Upgrading Your Security with EDR
Once we see the clear advantages of an EDR system over Antivirus, what is the next step? Choosing the right EDR requires understanding the needs of your organisation and the capabilities of the product being offered.
It’s also important to conduct tests, and to make sure those tests reflect real-world use. How will this product be used by your team in day-to-day operations? How easy is it to learn? Will it still protect your company when any cloud services it relies on are offline or unreachable?
Deployment and rollout also need consideration. Can you automate deployment across your fleet? What about platform compatibility? Does your chosen vendor give equal importance to Windows, Linux and macOS? Every endpoint needs to be protected; the ones that get left behind can provide a backdoor into your network.
Next, think about integration. Most organisations have a complex software stack. Does your vendor offer powerful but simple integration for other services you rely on?
Threat actors have long since moved beyond Antivirus and EPP, and organisations need to recognise that such products are no match for the threats that are active today. Even a cursory look at the headlines shows how large, unprepared organisations are being caught out by modern attacks like ransomware even though they have invested in security controls. The onus is on us, as defenders, to ensure that our security software is fit not only for yesterday’s attacks, but for today’s and tomorrow’s.
If you would like to learn more about how Edge7 Networks can provide advanced protection for your organisation, contact us today and request a free demo or consultation call with our security analysts.