EDR : Beyond the hype

Gone are the days when CISOs could rely solely on traditional IDS/IPS systems. Today they must navigate complex technical and regulatory environments to select more advanced and effective cybersecurity solutions.

Florian Thebault
September 27, 2022

The landscape of cybersecurity is rapidly evolving, facing increasing demands and stringent requirements. This change is driven by various factors such as the prevalence of sophisticated cyber threats (like DDoS attacks and ransomware), advancements in technology standards (25/50/100 Gbit/s), and the need to comply with evolving legislation (such as NIS2 and the Cyber Resilience Act).

This has had an impact on the solutions market. Once a driver of major innovation, it has become bogged down in fads and rearguard battles, and has allowed press releases and paid articles to outweigh the reality of slowing technological progress.

Each year the media ecosystem looks for its new champion, and over time the focus has shifted from IDS to IPS, then from UTM to SIEM. Recently, development efforts have focused on the endpoint and on end users (UBA, User Behavior Analytics). EDRs, and more recently XDRs, have thus been put under the spotlight by the commercial narrative. Those who seek to see more clearly are confronted with a plethora of comparative articles that attempt to separate the best players on the market through a very fine analysis grid, even though their technological principles are identical.

The common feature of these products, all of which are excellent, is that they have significantly enhanced threat detection and endpoint protection through the deployment of software agents. However, this machine-centric approach to cybersecurity provides only partial protection, still has large grey areas and, in any case, only works against known threats and on an identified pool of machines capable of supporting an agent.

Agents as champions of cyber security solutions?

Agent deployment is so widespread because it addresses a growing need for improved visibility across all endpoints. EDR solutions are also well suited to detecting and protecting your IT assets against some of the advanced forms of threat (malware, APTs, phishing attempts, etc.) that have become more prevalent than ever since teleworking became widespread.

However, to carry out their mission, agents constantly request privileged access to your resources and systems. Some may, for example, send the contents of your email databases unencrypted to a cloud over which you have no visibility; others do so in order to apply NLP (Natural Language Processing) algorithms. Some periodically scan the RAM of your machines and your entire file system in order to fight threats that are becoming increasingly sophisticated at evading EDR detection techniques.

The changing nature of threats requires increased resources to counter them. However, deploying agents across a fleet of machines is a commitment. In some cases, agents can become privileged access points to all of your information systems (cf. SolarWinds).

Once an EDR/XDR is subverted or a NIDS bypassed, the ability to be notified that a network is being invaded and that data may be being exfiltrated is significantly reduced. Furthermore, while EDRs work well on machines running traditional operating systems (Mac OS, Windows, Linux), their effectiveness is questionable in more exotic environments such as IoT, industrial equipment (SCADA) or BYOD.

Why is EDR still the big favorite of CISOs?

If agent deployments continue to multiply exponentially, it is both because the model is simple (one machine, one agent) and because the intensity of the sales pitch can give the illusion that this is enough to protect the whole IT infrastructure.

This is compounded by the inability of known network security players to provide technically powerful and affordable solutions that offer granular visibility into the network.

Solutions such as NDR (Network Detection and Response) exist but are unable to keep up with network changes. Indeed, to hide their obsolescence, they mostly rely on technical shortcuts that are incompatible with a Zero Trust approach (packet slicing, packet sampling, analysis exclusively over IP, FPGA, etc.), while having a very high physical footprint and financial cost.

The traditional approach to network analysis has not been able to cope with several important developments:

  • Continuous increase in speeds (25 Gbit/s, 50 Gbit/s and now the widespread deployment of 100 Gbit/s);
  • Diversification of uses (BYOD, IoT, etc.);
  • Increasing complexity of networks (encryption, increasing virtualisation, GSM over Ethernet, etc.);
  • Hybridisation: core to edge, edge to cloud, edge to edge.

This is how EDRs naturally became, both technically and commercially, THE solution; in other words, the only solution. Technically, because they allow the difficulties to be circumvented by shifting the responsibility for security to the endpoint, to the users, so to speak. And commercially, because selling many subscriptions at a low unit price is easier than convincing a company to invest in equipment that is more expensive per unit but which will give it the full visibility it needs.

In a Zero Trust approach to cyber security, the EDR is of course still relevant, but it is only one brick in a larger architecture. It cannot therefore be the alpha and omega of the security policy of an information system. No cybersecurity solution can or should claim to be...

EDR is a necessary tool, but it is not the whole package...

An NDR yes! But in Zero Trust mode!

As mentioned above, network analysis and security solutions are already trying to solve certain cyber challenges that could form part of a Zero Trust approach, whose premise is to trust nothing outright: everything is checked, from infrastructure to usage, at all times, not just access rights.

Yet network security solutions are generally all undermined by hardware and software shortcuts that require them to place total trust in elements they do not control (such as settling for visibility only on certain protocols over IP), or to use statistical "tricks" to compensate for their inefficiency (sampling, slicing, etc.).

The mirage of statistics is a striking example. Some marketed solutions apply Machine Learning (ML) processes for detection. The problem is that it is inaccurate and risky to base ML on statistical values that are themselves derived from uncontrolled sampling, not to mention the toll that high false positive rates take on SOC teams. In any case, it is not possible to comply with a framework inspired by Zero Trust (a term that is itself increasingly abused for marketing reasons).
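As an added illustration (not code from the original post or its vendor) of why statistics derived from packet sampling leave blind spots: a constructed traffic mix of one noisy bulk transfer and one sparse, low-volume beacon flow is inspected packet by packet and with 1-in-1000 sampling. Flow labels, addresses and sizes are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow: str   # constructed flow label: "<role>:<src>-><dst>:<port>"
    size: int   # bytes on the wire


def build_traffic(bulk_packets, beacon_packets, beacon_every):
    """Constructed traffic mix: one noisy bulk transfer (1400-byte packets)
    and one sparse beacon flow to an external host, with one beacon packet
    slipped in after every `beacon_every`-th bulk packet."""
    pkts, beacons_left = [], beacon_packets
    for i in range(bulk_packets):
        pkts.append(Packet("bulk:10.0.0.5->10.0.0.9:445", 1400))
        if beacons_left and (i + 1) % beacon_every == 0:
            pkts.append(Packet("beacon:10.0.0.7->198.51.100.23:443", 120))
            beacons_left -= 1
    return pkts


def full_flow_bytes(pkts):
    """Per-packet inspection: every packet contributes its true size."""
    counts = Counter()
    for p in pkts:
        counts[p.flow] += p.size
    return counts


def sampled_flow_bytes(pkts, n):
    """1-in-n deterministic packet sampling, the shortcut the post criticises:
    only every n-th packet is inspected and its size is scaled up by n."""
    counts = Counter()
    for i, p in enumerate(pkts):
        if i % n == 0:
            counts[p.flow] += p.size * n
    return counts


def blind_spots(pkts, n):
    """Flows present in the traffic that sampling never sees at all."""
    return sorted(set(full_flow_bytes(pkts)) - set(sampled_flow_bytes(pkts, n)))


if __name__ == "__main__":
    traffic = build_traffic(bulk_packets=10_000, beacon_packets=5, beacon_every=997)
    print("true bytes per flow:", dict(full_flow_bytes(traffic)))
    print("1-in-1000 estimate: ", dict(sampled_flow_bytes(traffic, 1000)))
    print("flows invisible to sampling:", blind_spots(traffic, 1000))
```

The bulk flow's byte count is over-estimated by a tenth while the beacon flow disappears entirely, so any detection model trained on the sampled figures never learns that the beacon exists.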

The use of Machine Learning to reinforce advanced detection and alerting, and to warn the user of complex anomalies linked to the misuse of applications and processes, is conceptually satisfactory, but only if its limitations are known. Based on fragmented data, it cannot claim to be exhaustive or to observe networks completely. The same is true if one confines oneself to network analysis over IP flows, or even only over TCP!

If observability is not complete, it is like analysing an iceberg by looking only at the emerged part: the submerged part remains in the shadows. By giving up this capacity, we allow network blind spots to persist, and they are constantly multiplying with the generalisation of virtualisation, Shadow IT, BYOD, etc.

In addition, even with very high-performance NDRs (such as Extrahop or VectraAi), the obligation to use specific hardware makes them, by definition, not very scalable and locks them into a very restrictive usage framework.

Unfortunately, the software versions of their application suites, because of their poor performance (ratio of resources required to flows processed), cause an explosion in hosting costs. This very limited performance pushes them further and further away from the Zero Trust they claim to embody.

What should a CISO do to increase protection and to reduce and control the attack surface?

Obviously, add an NDR to your suite to complement your EDR. But an NDR capable of Zero Trust Traffic Analysis (Z2TA), i.e. a complete analysis of each packet on all layers, capable of extracting all the necessary metadata (which excludes sampling-based technologies).

Z2TA forces us to start from a blank page in order to respond to all of the problems outlined above, and allows us to offer CISOs uncompromising visibility, i.e. visibility without conceptual bias, into their networks. Z2TA is the solution of the future, making it possible to counter a set of threats that EDRs are unable to see, and of which they are sometimes the vector.

Zero Trust Traffic Analysis is an indispensable tool in the CISO's toolbox to meet the highest cyber security requirements.
