How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, but for many organizations it is NOT exciting at all.
Look, it is hard for me to write this since personally I am super-excited about EDR / ETDR [hey, I came up with the original name]. Also, given the open source EDR-like options (GRR, MIG, El Jefe and the new one, Lima Charlie [updated Jan 2016]), the level of excitement is clearly high enough for some organizations to write and open-source their own. Also, there are now dozens (!) of vendors that promise EDR tools, EDR-like functionality, etc. [some are new, some are “intruding” on the security domain from the system management domain; even some SIEM tools that have flexible collection agents can sometimes be used in a pinch as a “toy EDR”].
Still, despite all this e-x-c-i-t-e-m-e-n-t, I see a lot of snoozing faces in the crowd … and why is that?
What are some of the EDR / ETDR headwinds:
- Agent-based approach of most EDR tools: while we are seeing a bit of a revival of the agents, a lot of organizations hate security-focused agents with such passion that nothing (literally – not metaphorically, BTW!) will make them deploy yet another agent. You may have the smallest, safest, “effective-est” EDR in the galaxy … yet your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …
- Woeful immaturity of monitoring and IR practices at many organizations: given the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…
- It seems like there are more skilled network security analysts than – eh … see, there isn’t even a name for it – “endpoint security analysts”: lots of people can say “this packet looks weird”, but far fewer can credibly say “this process looks weird” [I dunno…this one may be a stretch. What do you think?]
As I said to somebody “focus on the endpoint” may be a trend, but it does not mean it is operationally feasible for a lot of companies.
Finally, what about the stinking elephant in the room? The ANTI-VIRUS. My recent EDR-related client calls (and there are, BTW, very few of those) seem to be all about the blocking/prevention/mitigation features of the EDR tools, so the clients were not looking for endpoint visibility and better situational awareness, but for a less-abominable AV.
To me, that is nice, but entirely separate, and (IMHO) we need both:
- Better AV, “NG AV” that focuses on better prevention (e.g. see this excellent GTP document), but also …
- Better endpoint visibility, “EDR proper” that focuses on knowing what the hell is happening on your endpoints.
Yes, there will be some cross-over and hybridization, but the needs ARE separate. If you deploy an EDR tool while secretly hoping for a “better AV” tool, you are going to FAIL TWICE.
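To make “EDR proper” concrete: the visibility side is not about blocking anything, it is about being able to ask “what is running on all my machines, and which of it looks weird?” The snippet below is an added illustration, not code from this post or from any EDR product. It runs the classic “stacking” (least-frequency) analysis over a fleet-wide process inventory: images seen on only one host, images whose path is shared but whose binary hash differs somewhere, and processes spawned by a parent nobody else has. The inventory, the host names, the hashes and the field names (`image`, `sha256`, `parent`) are all constructed sample data and assumed schema, not any vendor’s format.

```python
"""
Fleet-wide process stacking over an EDR-style endpoint inventory.
Added illustration; SAMPLE_INVENTORY is constructed data and the
field names are an assumed schema, not a real agent's output.
"""
from collections import defaultdict

# Constructed sample: one process snapshot per host, as an agent
# (or a scheduled remote query) might return it. Hashes are placeholders.
SAMPLE_INVENTORY = {
    "ws-001": [
        {"image": r"C:\Windows\System32\svchost.exe", "sha256": "aaa111", "parent": "services.exe"},
        {"image": r"C:\Windows\explorer.exe", "sha256": "bbb222", "parent": "userinit.exe"},
        {"image": r"C:\Program Files\Office\EXCEL.EXE", "sha256": "ccc333", "parent": "explorer.exe"},
    ],
    "ws-002": [
        {"image": r"C:\Windows\System32\svchost.exe", "sha256": "aaa111", "parent": "services.exe"},
        {"image": r"C:\Windows\explorer.exe", "sha256": "bbb222", "parent": "userinit.exe"},
    ],
    "ws-003": [
        {"image": r"C:\Windows\System32\svchost.exe", "sha256": "aaa111", "parent": "services.exe"},
        # same path as the real svchost, different binary, spawned by Excel
        {"image": r"C:\Windows\System32\svchost.exe", "sha256": "zzz999", "parent": "EXCEL.EXE"},
        {"image": r"C:\Windows\explorer.exe", "sha256": "bbb222", "parent": "userinit.exe"},
        {"image": r"C:\Program Files\Office\EXCEL.EXE", "sha256": "ccc333", "parent": "explorer.exe"},
    ],
    "ws-004": [
        {"image": r"C:\Windows\System32\svchost.exe", "sha256": "aaa111", "parent": "services.exe"},
        {"image": r"C:\Windows\explorer.exe", "sha256": "bbb222", "parent": "userinit.exe"},
        # an executable nobody else in the fleet is running
        {"image": r"C:\Users\Public\update.exe", "sha256": "ddd444", "parent": "explorer.exe"},
    ],
}


def stack_by_image(inventory):
    """Map each image path to the set of hosts on which it was observed."""
    hosts_by_image = defaultdict(set)
    for host, procs in inventory.items():
        for p in procs:
            hosts_by_image[p["image"]].add(host)
    return hosts_by_image


def rare_images(inventory, max_hosts=1):
    """Images running on at most `max_hosts` hosts: the basic stacking cut."""
    return sorted(
        (image, sorted(hosts))
        for image, hosts in stack_by_image(inventory).items()
        if len(hosts) <= max_hosts
    )


def hash_mismatches(inventory):
    """Images whose path is shared fleet-wide but whose binary differs on some host."""
    hashes_by_image = defaultdict(lambda: defaultdict(set))
    for host, procs in inventory.items():
        for p in procs:
            hashes_by_image[p["image"]][p["sha256"]].add(host)
    return {
        image: {h: sorted(hosts) for h, hosts in by_hash.items()}
        for image, by_hash in hashes_by_image.items()
        if len(by_hash) > 1
    }


def unusual_parents(inventory):
    """(host, image, parent) triples where an image that has a common parent
    elsewhere in the fleet was started by a parent seen on exactly one host."""
    parents_by_image = defaultdict(lambda: defaultdict(set))
    for host, procs in inventory.items():
        for p in procs:
            parents_by_image[p["image"]][p["parent"]].add(host)
    findings = []
    for image, by_parent in parents_by_image.items():
        if len(by_parent) < 2:
            continue  # only one parent ever seen; nothing to compare against
        for parent, hosts in by_parent.items():
            if len(hosts) == 1:
                findings.append((next(iter(hosts)), image, parent))
    return sorted(findings)


def triage_report(inventory):
    """Bundle the three cuts into one structure an analyst can page through."""
    return {
        "rare_images": rare_images(inventory),
        "hash_mismatches": hash_mismatches(inventory),
        "unusual_parents": unusual_parents(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(SAMPLE_INVENTORY), indent=2))
```

Nothing here blocks or quarantines anything; on the sample data it surfaces the lone `update.exe`, the second `svchost.exe` binary on ws-003, and the fact that it was spawned by Excel. Turning those three findings into a decision is exactly the “endpoint security analyst” work the post says is in short supply, and it is also why a team with no one to read such a report will get little out of the tool that produces it.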
- Competitive Landscape: Endpoint Detection and Response Tools, 2014
- Market Guide for Endpoint Detection and Response Solutions
- Endpoint Threat Detection and Response Tools and Practices
Possibly related posts on EDR / ETDR:
- The Future Is Here … And It Is … Network? Endpoint?
- My Paper on Endpoint Tools Publishes
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint