
February 04, 2021

CMI #6 - Endpoint Detection and Response (EDR)

Few frontiers in cybersecurity are as highly attacked and as highly defended as the computers and mobile devices we use in everyday life (like the one you’re on now). As a result, the cybersecurity product industry is a battlefield for the endpoint and a potential nightmare for buyers and investors. Let’s unpack the Endpoint Detection and Response (EDR) space and all it entails.

Terms You Might Hear

Problem Statement

  • Most compromises happen at the endpoint. Someone clicks a malicious link or opens a malicious attachment in an email, someone is served malware from a compromised ad network on a legitimate site, etc. The endpoint is the jump-off point for lateral movement, escalation of privileges, and subsequent attacks leading to further compromises.
  • Endpoints are fluid and can come on and off your corporate network. As such, keeping tabs on your corporate endpoint footprint from a security and operational standpoint is a huge challenge. The bigger or more distributed the workforce, the more fluid and complex this becomes.
  • Traditional endpoint security tools like anti-virus (anti-virus has long been dead) and “next-gen” malware protection only give you a small piece of the puzzle regarding the overall state, health, and security of an endpoint. Companies have to use a host of other tools (often managed by non-security teams) to cobble together a complete picture of what’s happening, which makes detection, response, and containment a significant challenge for security teams.

Market Solutions

Enter the Endpoint Detection and Response (EDR) product market space.

  • EDR products combine endpoint malware protection, file integrity monitoring, and endpoint management in one solution. They continuously or periodically scan or query endpoints, and detect, inspect, or act on suspicious or malicious activity found there. They focus on the devices employees use every day – think laptops, servers, and critical business devices.
  • EDR products give a real-time view of an environment and take remediation or proactive actions on endpoints. EDR products can give visibility into both the operational and security health of an endpoint.
  • EDR tools are excellent for cross-checking other security or manageability tools on systems and can often perform maintenance or health checks if there are breakdowns anywhere in the endpoint security stack.
  • EDR products let you take a more active and comprehensive approach to security. You can actively and passively scour your endpoints for Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTP) and take necessary actions.

We can’t talk about EDR without talking about Managed Detection and Response (MDR) in the same breath.

  • MDR sounds like just a managed version of EDR, but MDR is not a technology itself – it’s a service, a service focused on threat detection, remediation, and response. An MDR service will continuously monitor your network and endpoints to detect and respond to cybersecurity threats.

What if I told you

  • MDR is a collection of technologies (SIEM, IDS/IPS, Network Traffic Analysis, etc.) combined with people who monitor and respond to alerts. Each vendor will have a slightly different set of capabilities, similar to what the Managed Security Services Provider (MSSP) concept has promised.
  • Some vendors will offer a cloud-hosted and managed version of their EDR products, effectively making them “Managed Endpoint Detection and Response (MEDR)” players. See how complicated this product space can be?

Where does Extended Detection and Response (XDR) fit in?

  • XDR is an EDR or MDR platform that also collects data from network security sources and correlates threat indicators across them. Think email platforms and firewall or IDS/IPS devices, correlated with endpoint telemetry to give you more accurate context and reduce the responding team’s burden.
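To make the XDR idea concrete, here is an added example (written for this rewrite, not code from the newsletter or from any vendor) of the correlation step: an EDR-style TTP check on endpoint process telemetry, joined with firewall events from the same host inside a short time window, so the responder sees the network context alongside the endpoint alert. All host names, timestamps, and addresses below are constructed sample data.

```python
# Added example: minimal XDR-style correlation of endpoint and network events.
# Event data is constructed for illustration; field names are hypothetical.
from datetime import datetime, timedelta

# EDR-style TTP: an Office application spawning a command shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

# Constructed endpoint telemetry (what an EDR agent might report).
ENDPOINT_EVENTS = [
    {"ts": "2021-02-04T09:15:02", "host": "LAPTOP-17",
     "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": "2021-02-04T09:20:00", "host": "LAPTOP-22",
     "parent": "explorer.exe", "image": "cmd.exe"},
]

# Constructed firewall log (what a perimeter device might export).
FIREWALL_EVENTS = [
    {"ts": "2021-02-04T09:15:09", "src_host": "LAPTOP-17",
     "dst": "203.0.113.5", "dport": 443, "action": "allow"},
    {"ts": "2021-02-04T09:40:00", "src_host": "LAPTOP-22",
     "dst": "198.51.100.7", "dport": 8080, "action": "allow"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def endpoint_suspicious(event):
    """Endpoint-only detection: Office app as parent of a shell process."""
    return event["parent"] in OFFICE_APPS and event["image"] in SHELLS


def correlate(endpoint_events, firewall_events, window=timedelta(seconds=60)):
    """For each suspicious endpoint event, attach firewall events from the
    same host seen within `window` after the process start, and raise the
    severity (and recommended response) when network activity is present."""
    alerts = []
    for event in endpoint_events:
        if not endpoint_suspicious(event):
            continue
        start = parse_ts(event["ts"])
        network = [fw for fw in firewall_events
                   if fw["src_host"] == event["host"]
                   and start <= parse_ts(fw["ts"]) <= start + window]
        alerts.append({"host": event["host"], "image": event["image"],
                       "severity": "high" if network else "medium",
                       "network": network,
                       "response": "isolate_host" if network else "review"})
    return alerts
```

Running `correlate(ENDPOINT_EVENTS, FIREWALL_EVENTS)` yields one high-severity alert for LAPTOP-17 with its outbound connection attached, while the explorer.exe-launched cmd.exe on LAPTOP-22 is not flagged at all.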

Players in the Space

EDR

MDR

XDR

Product Space Predictions

  • XDR capabilities will become a standard part of EDR platforms. Most EDR products already integrate with a few network security controls out of the box via API connectors, so extending these capabilities is an easy step. Deeper partnerships and alliances in the industry amongst network security players and endpoint security players will make acquisitions more likely.
  • Internet of Things (IoT) and EDR combinations will win out. It’s not just the managed endpoints you need to protect; it’s everything else on your smart/connected network that you need to worry about too. Armis is already doing this.

In the Pro version of the section above, we cover healthcare use cases, who has the best chance of winning in the XDR space, and more!

Product Space Opportunities

  • Combine EDR with anti-phishing workflows. Where do the two most impactful threat vectors originate? That’s right, on the endpoint and via email. Think of it as a lightweight SOAR platform without all the investment of time, money, and people needed to stand up and operate a SOAR platform. PhishBarrel comes to mind as a potential integration target.
  • Get rid of agent bloat and be more lightweight. Run agentless, like Ansible, and have less client impact. The fewer agents that go on an endpoint, the easier it is for tool administrators to troubleshoot and operate.

Say Small Footprint Again

  • Integrate or extend EDR with Mobile Device Management (MDM) platforms. MDM platforms are moving to provide more threat intelligence data, and the number of threats targeting mobile devices has only skyrocketed. Bring these separate houses together and check out the MITRE ATT&CK Framework for Mobile if you want a deep dive.

In the Pro version of the section above, we cover the evolution of MDR and more!

Key Insights

  • In Issue #3, we talked about how remote work is here to stay and how that has added additional burden to Security Operations Center (SOC) teams: having a mostly or fully remote workforce all at once has complicated the endpoint detection, response, containment, and remediation process. Combine this with how COVID-19 brought about changes in cybercriminal activities, and you can’t afford not to have an EDR/MDR solution in place.
  • This is the land of giants. Looking at the players in the market, you can see that most are very late stage in the EDR space, leaving little room for new entrants. The MDR space still has the potential for disruption in the race to capture the largely underserved mid-market; however, many EDR players are starting to offer MDR options as well.
  • The XDR concept is a new marketing spin on an existing capability set within EDR platforms in an attempt to stand out. Remember how crowded this market space is? This is an attempt to “extend” coverage to the network security side of the house. It triggers action on the network when there are endpoint events and vice versa.

Free Real Estate

In the Pro version of the section above, we cover one of the biggest implementation failures with endpoint products and more!

Pro subscribers also get an additional section covering who these products are right for, what makes a platform “good,” and more!

Extra Bits

The Cyber Plumber’s Handbook: The definitive guide to SSH tunneling, port redirection, and bending traffic like a boss. Newsletter subscribers get 75% off!

The CyberLite Newsletter: The most impactful news from the world of cybersecurity. Made quick, simple, and accessible.

References

  • EDR - and what you need to know about it.
  • MITRE - and the ATT&CK Framework for Mobile.
  • Mobile Device Attacks - and how much they have risen over the years.
  • Cybercrime - and its evolution during COVID times.

Want More?

Looking for more insights and analysis? Check out the Pro version of this newsletter, where you’ll find:

  • 4 Predictions for the product space (100% more)
  • 5 Opportunities for the market to capitalize on (67% more)
  • 5 Key Insights for players and buyers to win (67% more)

When you subscribe to the Pro version, you’ll get access to the pro version of this issue and all past and future issues.