A Short History of EDR

By SentinelOne

30 June, 2020

Endpoint detection and response (EDR) was born to compensate for the lack of ability in endpoint protection platforms (EPP) and legacy antivirus (AV) security solutions to prevent every attack. In this post, you’ll learn about the kinds of threats that triggered the birth of EDR, how it came to be, what problems it faces today, and where its future lies.

The threat landscape evolved

During the early 2010s, both defensive security and offensive operations realized how to run malicious code without installing any software—by using an executable to evade both network and legacy antivirus software. There are a few common ways to achieve execution of code without bringing anything that defenders can scan into the infected system. Let’s take a look at two pervasive threats that led to the need for EDR.

1. Malicious Documents: Phishing Heaven

Many users believe an application can execute code but a file like Microsoft Word, Excel, PowerPoint, or a PDF can’t—it can only be read or written. This isn’t exactly true, but because of the misunderstanding, most users are willing to open a Word document sent by a well-architected phishing campaign. Convincing a user to open what they expect to be a harmless document is much easier than getting someone to double-click an executable they know will run code (although this does happen, too).

Given the widespread perception of document files as harmless containers of content, malware authors soon found easy ways to infect targets through these kinds of files. The most well-known way to run code from documents is by using macros, which were built to automate frequent tasks in documents but are now often weaponized to compromise an end-user’s system.

Many security-minded people might say, “So, what’s the problem? Just don’t allow macros and you’re safe!” Technically, that’s correct. However, it overlooks two important realities about the way modern enterprises work and how security fits into the business model.

Macro-based malware files are still out there and are successful, in part, because enterprises still use macros to get their work done. They were invented to increase productivity and they do a good job at it. As a result, for many users and businesses, disabling macros is a productivity sacrifice they’re not willing to make. From VBA macros in Excel (used to extract data from other systems or automate calculations) to Word macros (used for inserting a letterhead or creating custom styles and formats), macros have become essential time-saving tools. It’s simply unrealistic for many businesses to block them.

The second reason why infected documents are still out there is because it’s easier for attackers to place them onto devices than, say, a malicious binary or application that could be scanned by a security solution. With just a small amount of personalization, the chances of getting a recipient to open a document from a phishing email increases exponentially. Send someone a CV, payment request, or an invoice, and if you hit the appropriate person such as a recruiter or someone in accounts payable, your chances of getting the “click” might be fairly high (especially compared to sending an executable file).

2. EternalBlue: lateral movement comes to play

Lateral movement techniques are ways attackers spread attacks across a network. These are not new to most sysadmins, but thanks to a leak of NSA hacking tools, it turns out some operating system protocols have had vulnerabilities in them for many years that allow attackers to achieve stealthy lateral movement. One notable example is what we now know as “EternalBlue.”

EternalBlue exploits the server message block (SMB) protocol used for file sharing over the network. This makes the protocol highly attractive to adversaries. EternalBlue was leaked by the Shadow Brokers hacker group in 2017 and was used as part of the WannaCry ransomware attack and NotPetya cyberattack in the same year. Neither AV nor next-generation EPPs could effectively prevent exploitation using EternalBlue at the time.

Fileless malware and system vulnerabilities are just two ways attackers can bypass traditional AV (and also more than a few “next-gen” endpoint solutions). So if your company reputation is on the line and you can’t guarantee protection, what can you do? You find ways to make sure you’re aware of what’s going on with your assets—the new name of the game is detection.

From prevention to detection: EDR is born

Back in the day (and to some extent even today), companies hired incident response teams to come in and investigate security breaches. In 2013, the most reliable among these was Mandiant. They offered security professionals that were always ready to jump in and find out what happened. And they were not cheap.

In parallel, some more technical enterprises began to invest in visibility tools like Facebook’s osquery and other ways to see into networks. That opened a new category for the overcrowded market of cybersecurity, and many new solutions were created as a result. These often fell under the umbrella term “EDR” (originally endpoint threat detection and response).

With that revolution, the inherent problems of EDR solutions started to show. You needed a highly skilled crew to manage these solutions as they provide so much data (most of which lacked any context). Enterprises found themselves hiring more and more bodies to solve this problem, but the past couple of years have seen barely a month go by without the news headline of yet another high-profile data breach.

The other critical problem of EDR revolved around “dwell time.” Dwell time represents the time between infection and discovery of the malicious activity. The 2019 Ponemon Cost of a Data Breach Report found the average time to identify a breach was 206 days. In some cases, even 10 seconds is too long—attackers can run their code, execute their attack, wrap up, and clean up in a matter of a few seconds. Any solution that can’t detect in real time is too late in the game.

Cybersecurity firms have tried to solve this problem in several ways.

1. Create a hunt chat bot

To simplify the life of the security analyst, one strategy includes having the professionally-trained security operations center (SOC) analyst to converse with a chat bot. Getting a chat bot to understand exactly what you mean can often be more challenging than simply writing a SQL query that you do every day, particularly for an experienced threat hunter.

2. Rely on a custom SOC

If you have a SOC, it will allow you to see more and do more to maintain business security. With that said, throwing more uncorrelated data at your team without true context creates alert fatigue and an unhappy team. SOC analysts have advanced skills and should be doing the advanced work. Instead of laboriously trying to piece together the pieces of the picture, they should work from already contextualized data that gives them the attack storyline to begin with—so they can use their skills to decide on additional action beyond merely stopping the attack.

3. Provide a service on top of the technology

This is becoming popular and it’s a good, sometimes necessary, move—many enterprises don’t have the staff with the necessary skillset to hunt and understand the data seen on their own network. Even as valuable as these services can be, there are still aspects of their work you should automate, like real-time response—because waiting for a service powered by people may take too long if you don’t. If you have a technology that can see everything that’s happening in real time and an on-device AI that can immediately take the necessary remediation action, then the problem of dwell time significantly reduces. There’s simply real-time detection and response.

SolarWinds EDR

Imagine if you had a SOC analyst on each endpoint, transforming massive amounts of data into attack stories and raising high-quality, prioritized alerts when threat behavior is observed. That’s the goal of SolarWinds^® Endpoint Detection and Response, powered by SentinelOne. At machine speed, SolarWinds EDR can help prevent, detect, and respond to advanced attacks regardless of delivery vectors, whether the endpoint is connected to the cloud or not. The solution can help teams gain the context to not only understand what is found, but to autonomously block attacks in real time.

Learn more about SolarWinds EDR and how it can help your MSP business today by visiting the site today.

Note: This article has been reprinted and slightly modified with permission from SentinelOne.