Security

A Short History of EDR

By SentinelOne
30 June, 2020

Endpoint detection and response (EDR) was born to compensate for the inability of endpoint protection platforms (EPP) and legacy antivirus (AV) solutions to prevent every attack. In this post, you’ll learn about the kinds of threats that triggered the birth of EDR, how it came to be, what problems it faces today, and where its future lies.

The threat landscape evolved

During the early 2010s, both defensive security teams and offensive operators realized that malicious code could be run without installing any software or dropping an executable, which let attackers evade both network and legacy antivirus controls. There are a few common ways to execute code without bringing anything defenders can scan onto the infected system. Let’s take a look at two pervasive threats that led to the need for EDR.

1. Malicious Documents: Phishing Heaven

Many users believe an application can execute code but a document such as a Microsoft Word, Excel, PowerPoint, or PDF file can’t—it can only be read or written. This isn’t exactly true, but because of the misunderstanding, most users are willing to open a Word document sent by a well-crafted phishing campaign. Convincing a user to open what they expect to be a harmless document is much easier than getting someone to double-click an executable they know will run code (although this does happen, too).

Given the widespread perception of document files as harmless containers of content, malware authors soon found easy ways to infect targets through these kinds of files. The most well-known way to run code from documents is by using macros, which were built to automate frequent tasks in documents but are now often weaponized to compromise an end user’s system.

Many security-minded people might say, “So, what’s the problem? Just don’t allow macros and you’re safe!” Technically, that’s correct. However, it overlooks two important realities about the way modern enterprises work and how security fits into the business model.

Macro-based malware files are still out there and are successful, in part, because enterprises still use macros to get their work done. They were invented to increase productivity and they do a good job at it. As a result, for many users and businesses, disabling macros is a productivity sacrifice they’re not willing to make. From VBA macros in Excel (used to extract data from other systems or automate calculations) to Word macros (used for inserting a letterhead or creating custom styles and formats), macros have become essential time-saving tools. It’s simply unrealistic for many businesses to block them.
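If blocking macros outright is off the table, the practical middle ground is to know which incoming documents actually carry a VBA project so they can be sandboxed, quarantined or at least logged before a user opens them. The following is an added example (not code from the original post, SolarWinds or SentinelOne) showing how that check works at the file-format level: an Office Open XML document is a ZIP package, the macro code lives in a part named `vbaProject.bin`, and the package manifest `[Content_Types].xml` declares that part’s content type. The two documents it inspects are constructed in memory and are not real Office files.

```python
"""Flag macro-enabled Office Open XML documents before a user opens them.

Added example, not code from the original post or from SolarWinds/SentinelOne.
An OOXML file (.docx, .docm, .xlsm, .pptm, ...) is a ZIP archive; VBA macro code
is stored in a part named vbaProject.bin, and [Content_Types].xml declares its
content type. The "documents" built by build_sample() are constructed in memory
and are not real Office files."""
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Usual locations of the VBA project part (lower-cased for case-insensitive matching).
VBA_PART_NAMES = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def inspect_ooxml(data: bytes) -> dict:
    """Describe a document: is it an OOXML package, which macro parts does it
    carry, and does its content-types manifest declare a VBA project?"""
    result = {"is_ooxml": False, "macro_parts": [], "declares_vba": False, "has_macros": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if CONTENT_TYPES_PART not in names:
                return result  # a zip, but not an OOXML package
            result["is_ooxml"] = True
            # Look for vbaProject.bin anywhere, not only in the usual folders:
            # a relocated part is still loaded if the manifest points at it.
            for name in names:
                lowered = name.lower()
                if lowered in VBA_PART_NAMES or lowered.endswith("/vbaproject.bin"):
                    result["macro_parts"].append(name)
            manifest = zf.read(CONTENT_TYPES_PART).decode("utf-8", errors="replace")
            result["declares_vba"] = VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return result  # not a zip at all (legacy .doc/.xls OLE files land here)
    result["has_macros"] = bool(result["macro_parts"]) or result["declares_vba"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macro:
            manifest.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        manifest.append("</Types>")
        zf.writestr(CONTENT_TYPES_PART, "\n".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_ooxml(blob))
```

Two caveats for anyone adapting this: it only understands the OOXML container, so the legacy binary formats (`.doc`, `.xls`) need an OLE parser such as oletools’ `olevba` instead, and a detected macro is a fact about the file, not a verdict. The point of the check is to route macro-bearing documents to the people and controls that can judge them, which is exactly the productivity-versus-risk trade-off the paragraph above describes.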

The second reason infected documents are still out there is that it’s easier for attackers to get them onto devices than, say, a malicious binary or application that a security solution could scan. With just a small amount of personalization, the chances of getting a recipient to open a document from a phishing email increase dramatically. Send someone a CV, payment request, or invoice, and if it reaches the appropriate person, such as a recruiter or someone in accounts payable, the chances of getting the “click” can be fairly high (especially compared to sending an executable file).

2. EternalBlue: lateral movement comes to play

Lateral movement techniques are the ways attackers spread an attack across a network. They are not new to most sysadmins, but thanks to a leak of NSA hacking tools, it turned out that some operating system protocols had carried vulnerabilities for many years that allow attackers to move laterally with little noise. One notable example is what we now know as “EternalBlue.”

EternalBlue exploits a flaw in the Server Message Block (SMB) protocol used for file sharing over the network, and that ubiquity makes the protocol highly attractive to adversaries. EternalBlue was leaked by the Shadow Brokers hacker group in 2017 and was used in both the WannaCry ransomware attack and the NotPetya cyberattack that same year. Neither AV nor next-generation EPPs could effectively prevent exploitation using EternalBlue at the time.
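When prevention at the endpoint fails, as the post says it did for EternalBlue, the remaining signal is the shape of the traffic: a single host opening SMB (TCP/445) sessions to many distinct internal hosts in a short window, which is what worm-style lateral movement and share enumeration both look like. The following is an added example (not code from the original post or from any SolarWinds product) of that detection over connection logs. The log lines and their five-field format are constructed for illustration; real firewall, NetFlow or Zeek records would need their own parser.

```python
"""Spot SMB fan-out in connection logs: one host opening TCP/445 sessions to
many distinct internal hosts in a short window, the network-level shape of
EternalBlue-style lateral movement (and of plain share enumeration).

Added example, not code from the original post or from any SolarWinds product.
The log lines and the five-field line format are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp source destination destination-port outcome.
# 10.0.1.15 sweeps six hosts in five seconds; 10.0.1.40 talks to one file
# server repeatedly; 10.0.1.50 touches three hosts spread over ten minutes.
SAMPLE_LOG = """\
2017-05-12T10:00:01Z 10.0.1.15 10.0.1.20 445 ok
2017-05-12T10:00:02Z 10.0.1.15 10.0.1.21 445 ok
2017-05-12T10:00:02Z 10.0.1.15 10.0.1.22 445 refused
2017-05-12T10:00:03Z 10.0.1.15 10.0.1.23 445 ok
2017-05-12T10:00:04Z 10.0.1.15 10.0.1.24 445 ok
2017-05-12T10:00:05Z 10.0.1.15 10.0.1.25 445 ok
2017-05-12T10:00:06Z 10.0.1.15 10.0.1.26 80 ok
2017-05-12T10:01:00Z 10.0.1.40 10.0.1.5 445 ok
2017-05-12T10:01:30Z 10.0.1.40 10.0.1.5 445 ok
2017-05-12T10:02:00Z 10.0.1.40 10.0.1.5 445 ok
2017-05-12T10:00:00Z 10.0.1.50 10.0.1.60 445 ok
2017-05-12T10:05:00Z 10.0.1.50 10.0.1.61 445 ok
2017-05-12T10:10:00Z 10.0.1.50 10.0.1.62 445 ok
"""


def parse_log(text):
    """Turn the constructed five-field lines into (ts, src, dst, dport, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), outcome))
    return events


def find_smb_fanout(events, window_seconds=60, min_targets=5):
    """Return {src: (window_start, sorted targets)} for every source that reached
    at least `min_targets` distinct hosts on TCP/445 inside any window of
    `window_seconds`. Refused connections count too: a sweep of hosts that are
    down is still a sweep. Repeated sessions to one server never add up."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, _outcome in sorted(events):
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        best, left = None, 0
        for right in range(len(conns)):
            # Slide the left edge forward until the window fits.
            while conns[right][0] - conns[left][0] > window:
                left += 1
            targets = {dst for _, dst in conns[left:right + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best[1])):
                best = (conns[left][0], sorted(targets))
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (start, targets) in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"[fan-out] {src} reached {len(targets)} hosts on 445 from {start.isoformat()}: {targets}")
```

The thresholds are the tuning knobs: a vulnerability scanner or a backup server will legitimately trip this rule, so in practice those sources go on an allow list and the window and target count are set from a baseline of the network’s normal SMB behaviour rather than guessed.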

Fileless malware and system vulnerabilities are just two ways attackers can bypass traditional AV (and also more than a few “next-gen” endpoint solutions). So if your company reputation is on the line and you can’t guarantee protection, what can you do? You find ways to make sure you’re aware of what’s going on with your assets—the new name of the game is detection.

From prevention to detection: EDR is born


Back in the day (and to some extent even today), companies hired incident response teams to come in and investigate security breaches. In 2013, the most reliable of these was Mandiant, which offered security professionals who were always ready to jump in and find out what happened. And they were not cheap.

In parallel, more technically mature enterprises began to invest in visibility tools such as Facebook’s osquery and other ways to see into their networks. That opened a new category in the overcrowded cybersecurity market, and many new solutions were created as a result. These often fell under the umbrella term “EDR” (originally endpoint threat detection and response).

With that revolution, the inherent problems of EDR solutions started to show. You needed a highly skilled crew to manage these tools because they produced so much data, most of which lacked any context. Enterprises found themselves hiring more and more bodies to solve this problem, yet the past couple of years have seen barely a month go by without a news headline about yet another high-profile data breach.

The other critical problem with EDR revolved around “dwell time,” the time between infection and discovery of the malicious activity. The 2019 Ponemon Cost of a Data Breach Report found the average time to identify a breach was 206 days. In some cases, even 10 seconds is too long—attackers can run their code, execute their attack, wrap up, and clean up in a matter of seconds. Any solution that can’t detect in real time is too late in the game.

Cybersecurity firms have tried to solve this problem in several ways.

1. Create a hunt chat bot

To simplify the life of the security analyst, one strategy has the professionally trained security operations center (SOC) analyst converse with a chat bot. Getting a chat bot to understand exactly what you mean can often be more challenging than simply writing the SQL query you write every day, particularly for an experienced threat hunter.

2. Rely on a custom SOC

If you have a SOC, it lets you see more and do more to maintain business security. With that said, throwing more uncorrelated data at your team without true context creates alert fatigue and an unhappy team. SOC analysts have advanced skills and should be doing the advanced work. Instead of laboriously piecing the picture together, they should work from already contextualized data that gives them the attack storyline to begin with—so they can use their skills to decide on additional action beyond merely stopping the attack.
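The “attack storyline” the paragraph asks for is, concretely, correlation over raw telemetry: one event per process creation is noise, while the parent/child chain that leads from a document-handling application to a script interpreter is a story an analyst can act on (and the macro case from earlier in the post is the classic instance of it). The following is an added example, not code from the original post, SolarWinds EDR or SentinelOne, that builds such storylines from constructed process-creation records; the field names `pid`, `ppid`, `image` and `cmd` are an assumption, not any product’s real schema.

```python
"""Turn raw process-creation telemetry into an attack storyline: instead of one
alert per event, walk the parent/child chain and report Office -> interpreter
lineages as a single, contextualized story.

Added example, not code from the original post or from SolarWinds EDR/SentinelOne.
The events below are constructed, and the field names (pid, ppid, image, cmd)
are an assumption, not any product's real schema."""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry: explorer launches Word and a benign admin PowerShell;
# Word (opened on a .docm) spawns cmd, which spawns PowerShell; Excel opens a plain .xlsx.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE", "cmd": '"WINWORD.EXE" invoice.docm'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmd": "cmd.exe /c placeholder.bat"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -File placeholder.ps1"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -File nightly-backup.ps1"},
    {"pid": 600, "ppid": 100, "image": "EXCEL.EXE", "cmd": '"EXCEL.EXE" budget.xlsx'},
]


def ancestry(events, pid):
    """Return the process chain for pid, child first, stopping at an unknown
    parent or a pid cycle (pid reuse can make parent links loop)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def office_to_interpreter(events):
    """Find every interpreter process with an Office application somewhere in
    its ancestry. Returns one record per leaf with the path from the Office
    process down to it."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in INTERPRETERS:
            continue
        chain = ancestry(events, ev["pid"])
        for depth, anc in enumerate(chain[1:], start=1):
            if anc["image"].lower() in OFFICE_APPS:
                path = [p["image"] for p in reversed(chain[: depth + 1])]
                findings.append({"office_pid": anc["pid"], "leaf_pid": ev["pid"],
                                 "path": path, "leaf_cmd": ev["cmd"]})
                break
    return findings


def storylines(events):
    """Group findings by their Office root so the analyst gets one story per
    document, not one alert per child process."""
    by_pid = {e["pid"]: e for e in events}
    by_root = defaultdict(list)
    for finding in office_to_interpreter(events):
        by_root[finding["office_pid"]].append(finding)
    stories = []
    for root_pid, items in by_root.items():
        longest = max(items, key=lambda f: len(f["path"]))
        stories.append({
            "root_pid": root_pid,
            "root_cmd": by_pid[root_pid]["cmd"],
            "chain": " -> ".join(longest["path"]),
            "children": sorted(f["leaf_pid"] for f in items),
        })
    return stories


if __name__ == "__main__":
    for story in storylines(SAMPLE_EVENTS):
        print(f"[story] {story['chain']}  (root pid {story['root_pid']}: {story['root_cmd']})")
```

On the constructed events this yields a single story, `WINWORD.EXE -> cmd.exe -> powershell.exe`, while the administrator’s PowerShell launched from Explorer and the plain Excel workbook produce nothing. That is the difference between context and volume: the same four process events, read one at a time, would be four alerts or none.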

3. Provide a service on top of the technology

This is becoming popular, and it’s a good, sometimes necessary, move—many enterprises don’t have staff with the skills to hunt and understand the data seen on their own network. Valuable as these services can be, there are still aspects of their work you should automate, such as real-time response, because waiting for a service powered by people may take too long. If you have technology that can see everything happening in real time and an on-device AI that can immediately take the necessary remediation action, then the problem of dwell time is significantly reduced. There’s simply real-time detection and response.

SolarWinds EDR

Imagine if you had a SOC analyst on each endpoint, transforming massive amounts of data into attack stories and raising high-quality, prioritized alerts when threat behavior is observed. That’s the goal of SolarWinds® Endpoint Detection and Response, powered by SentinelOne. At machine speed, SolarWinds EDR can help prevent, detect, and respond to advanced attacks regardless of delivery vectors, whether the endpoint is connected to the cloud or not. The solution can help teams gain the context to not only understand what is found, but to autonomously block attacks in real time.

Learn more about SolarWinds EDR and how it can help your MSP business by visiting the site today.

Note: This article has been reprinted and slightly modified with permission from SentinelOne.

 
