Endpoint Detection & Response (EDR) is the main mode of cybersecurity utilized by many organizations. Already recognized in 2012 as its own category, EDR was pushed as the ideal response to the rapidly changing threatscape that until then had been dealt with (though not so successfully) primarily through AV solutions. These threats included exploits, zero-day malware and fileless attacks.
Today, even as EDR is recognized as quite efficient against many of the advanced threats security professionals encounter, there exists a new and improved category of “Next-Gen EDR” solutions (learn more here). In addition to the usual EDR capabilities, these next-gen-type offerings include an added layer of security against major attack vectors (such as users and networks) that EDR does not.
“Frequently we see security professionals mixing two different things – endpoint protection and breach protection,” said Eyal Gruner, cofounder of the Cynet next gen EDR solution. “We know that the endpoint is the entry point for many attacks, and malicious files and process play a role, which means that traditional EDR is an ideal solution for those issues. But you have to remember that the attack surface is actually very wide, and securing your organization means protecting more than only your endpoints.”
Gruner, a world-recognized expert on attacker tools and techniques, got his start as a 15-year-old white hat hacker. He is also a founder of the largest cybersecurity consulting company in Israel, BugSec. “What we need to remember is that any time an attacker is active, there is an anomaly generated. This is the basic assumption we need to understand because the activities involved in compromising data and resources are not your run-of-the-mill activities. Being able to identify these activities is what enables security products – and threat analysts to do their job. They know something bad is taking pace and they know how to block it.”
According to Gruner, these anomalies take place in three main locations: process execution, network traffic or user activity. In one example, we can look at ransomware, which creates a process execution anomaly as it interacts with a large amount of files.
Then there is lateral movement, which can frequently include a network traffic anomaly visible as unusually high SMB traffic. Another example would be login to a critical server with compromised user account credentials, where a user behavior anomaly is visible. But in both of these cases, monitoring processes alone are not enough to detect the attacks.
“When it comes to process anomaly detection, EDR does a great job, because it is located on the endpoint and monitors process behavior. This means the organization gets pretty good coverage against these types of threats. But there is still a gap,” explained Gruner. “Network traffic and user behavior are also critical areas, and mainstream vectors can operate there without causing any signs of anomaly. EDR is almost totally blind to these types of threats.”
As we attempt to understand this issue, let’s try to play the attacker. After compromising an endpoint, he plans how he will gain further access into our environment, to identify, access and exfiltrate sensitive data. One way he can do this is through credential theft.
In order to access resources throughout the organizational environment, the attacker needs high privilege credentials. He might try to use a compromised endpoint’s memory to dump them. In this case, EDR would most likely catch it, because of the process anomaly it would create. But password hashes can be harvested also by utilizing techniques like ARP poisoning or DNS responder to intercept internal network traffic. This could only be detected if you were monitoring network traffic to pick up anomalies. Which means that EDR would miss this completely.
“Most attackers get better with time, and one of the things they pick up on is what defense measures are in place, and hot to react to them, Gruner said. “Say there is a decent EDR in place, the attacker will then shift their efforts to the network or user fields, getting in under the EDR detection. EDR is great if you want to protect your organization from process-based attacks like malware, exploits and the like. But if you want to be secured against breaches, you need to work broader, which is why we introduced Cynet 360.”
The Cynet 360 platform provides continual monitoring of processes, network traffic and user activity, which translates into full coverage of potential advanced attack vectors. The Cynet platform provides the capabilities of an EDR, together with User Behavior Analytics, Network Analytics and even Deception – allowing security professionals to plant decoy files, passwords, network shares, etc. tricking attackers into showing their presence.
If you ask Gruner, the big value of Cynet is its ability to detect the advanced attacks that other solutions miss. “It’s much more than just process-based threats and user-based threats and network-based threats,” explained Gruner. “Because advanced attackers are so skilled at hiding their activity, many attacks are essentially invisible if you only examine processes, traffic or user behavior. You have to integrate all of these into one picture in order to truly get a context that allows you to definitively say, ‘yes, there is something malicious going on.’ Cynet 360 allows the security team to automate the creation of this context, detecting the advanced threats that otherwise get through.”
Said Gruner, “No solution can promise one-hundred percent. But as a security practitioner, you need to secure all the main access points. Can attackers still get through? Probably, if they have the skills and determination. But by covering the main anomaly access points, you make them work harder – more than they usually want to.” Added Gruner, “As a security practitioner, EDR is a must-have. That is why it is part of the Cynet 360 offering. But we’ve known for a while that EDR alone is not enough. To truly achieve breach protection, it takes EDR – and more. That’s why Cynet 360 includes all the others.”