Endpoint detection & response (EDR) security has been hailed by analysts and the industry alike as the "next big thing" in malware detection. In many enterprise networks, EDR has effectively replaced archaic anti-virus solutions, providing enterprises with improved visibility and better malware detection.
As a result of massive marketing hype, many organizations have implemented EDR solutions, making endpoint malware detection one of the fastest growing categories in cybersecurity. However, despite their superiority to legacy anti-virus and similar solutions, EDRs are far from flawless. In fact, the core malware-detection capability that made EDR a success is now being questioned.
EDR was supposed to offer a deterministic mechanism for detecting malicious files that find their way onto enterprise endpoints. As such, EDRs were expected to greatly reduce the threat of common cyberattacks such as ransomware and of advanced, stealthy cyberattacks such as APTs. However, threat actors have witnessed the rapid adoption of EDR solutions and have not sat idle. They have incorporated new mechanisms into their malicious operations, often avoiding detection by EDR solutions.
Types of Malware that EDR Misses
The first of these mechanisms is file-less malware. The Ponemon Institute found that file-less malware attacks accounted for approximately 35 percent of all attacks in 2018, and are up to 10 times more likely to succeed than traditional file-based malware attacks. This is because file-less malware does not write any part of its activity to the computer's hard drive, which makes it harder to detect.
Similar in nature to file-less malware, living-off-the-land (LotL) attacks leverage pre-installed software, with no additional binary executables installed on the system by the attacker. Many legitimate processes, such as Windows software updates, use the same mechanisms, and so LotL activity becomes impossible to block and detect for the same reason: no files are left on the local computer's hard drive.
Another type of malware that EDRs cannot detect is malware that lives in the endpoint's Basic Input/Output System (BIOS). It leverages several tactics to download the actual piece of code and install it through seemingly legitimate channels, such as a firmware update. This "imposter" then replaces the existing firmware with an infected version that is nearly impossible to find or remove.
Devices Left Vulnerable to Malware Attacks
An additional challenge for EDRs relates to the fact that they only run on traditional IT endpoints (laptops, desktops, servers). As such, they completely neglect all the commonly connected "non-IT" assets that today's enterprise houses, such as printers, security cameras, access control panels and many more. Typically, these devices are connected to the enterprise network without EDR agents installed on them, exposing the network to external threats.
Similarly, a "smart" connected device such as a smartphone or an Alexa, left to charge over a USB cable or connected to the local WiFi network, can expose the entire network to external threats. Making matters worse, these devices are often not even known to the cybersecurity personnel.
Securing EDR's Gaps
Therefore, the solution for detecting all of these stealthy threats can only be based on network analysis. Continuous analysis of the communication between infected machines and the outside world, driven by sophisticated cluster-based machine-learning algorithms, accurately identifies a seemingly innocent process, such as a software update download, as an attempt to download malware.
Another advantage of network-based detection is that it does not rely on software agents, thereby compensating for EDR "gaps". These gaps occur when new endpoints are connected to the network without proper EDR agents installed, or when a "rogue" device, which by definition is unknown to the IT department, remains unprotected.
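The agent-coverage gaps described above can be surfaced from the network side by reconciling what the network sees against what the EDR console knows. As an added example that is not part of the original article, the following Python script compares constructed DHCP lease records with a constructed EDR inventory export and lists hosts that have no agent at all, plus hosts whose agent has stopped checking in; the lease-line format, the CSV columns and the seven-day silence threshold are assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample of DHCP lease records: every device that took an address,
# including "non-IT" assets that never get an EDR agent (printer, camera, phone).
DHCP_LEASES = """\
2019-03-04T08:01:12 lease 10.0.1.21 mac 00:11:22:33:44:01 host LAPTOP-ALICE
2019-03-04T08:02:40 lease 10.0.1.22 mac 00:11:22:33:44:02 host SRV-FILE01
2019-03-04T08:05:03 lease 10.0.1.40 mac 00:11:22:33:44:03 host PRINTER-2F
2019-03-04T08:06:19 lease 10.0.1.41 mac 00:11:22:33:44:04 host CAM-LOBBY
2019-03-04T08:09:55 lease 10.0.1.60 mac 00:11:22:33:44:05 host android-7f3a
"""
# Constructed sample of an EDR console export: hosts with an agent installed.
EDR_INVENTORY = """\
hostname,agent_version,last_checkin
LAPTOP-ALICE,4.2.1,2019-03-04T07:55:00
SRV-FILE01,4.2.1,2019-02-01T10:00:00
"""
LEASE_RE = re.compile(r"^(\S+) lease (\S+) mac (\S+) host (\S+)$")

def parse_leases(text):
    """Return {HOSTNAME: (ip, mac)} for each lease line that matches the assumed format."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            _ts, ip, mac, host = m.groups()
            seen[host.upper()] = (ip, mac.lower())
    return seen

def parse_inventory(text):
    """Return {HOSTNAME: last_checkin datetime} from the EDR CSV export."""
    return {row["hostname"].upper(): datetime.fromisoformat(row["last_checkin"])
            for row in csv.DictReader(io.StringIO(text))}

def coverage_gaps(leases, agents, now_iso, max_silence_days=7):
    """Split network-visible hosts into (no agent at all, agent silent too long).
    Both are blind spots for EDR and are only observable from the network side."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_silence_days)
    unmanaged = sorted(h for h in leases if h not in agents)
    stale = sorted(h for h in leases if h in agents and agents[h] < cutoff)
    return unmanaged, stale

if __name__ == "__main__":
    gaps = coverage_gaps(parse_leases(DHCP_LEASES), parse_inventory(EDR_INVENTORY), "2019-03-04T09:00:00")
    print("no EDR agent:", gaps[0], "| stale EDR agent:", gaps[1])
```

In a real deployment the two inputs would come from the DHCP server or a passive network sensor and from the EDR vendor's inventory API, and a host appearing in the first list for more than a few hours is exactly the kind of device the article says EDR alone cannot cover.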
EDR is a welcome technology and a great leap forward from legacy signature-based detection mechanisms. However, it is far from bulletproof, and it requires additional means to ensure maximal detection of malicious activity, namely the addition of network analysis, detection and response.