I am feeling adventurous, so let’s have an EDR mud fight [pillow fight?] – kernel or userland agent?
| | Top Pros | Top Cons |
|---|---|---|
| Kernel mode EDR agent | | |
| User mode EDR agent | | |
As a quick side note, some EDR vendors’ agents include both kernel and userland components. While this helps with some of the cons of the “pure” kernel agent, it does not really mitigate the higher chance of stability problems that comes with running code in the kernel.
To summarize, this is (IMHO) a fight between “Higher chance of system stability problems” vs “Higher chance of being subverted or avoided by the attacker.”
Add your own? Debate? Throw mud or a pillow?
Blog posts related to our current EDR research:
- Using EDR For Remediation?
- EDR Research Commencing: Call To Action!
- Where Does EDR End and “NG AV” Begin?
- Reality Check on EDR / ETDR
- My Paper on Endpoint Tools Publishes (2013)
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.