Endpoint devices such as desktop computers, laptops, and mobile phones enable users to connect to corporate networks and use their resources for day-to-day work. However, they also widen the attack surface and make the organization vulnerable to malicious cyber attacks and data breaches.
Why modern organizations need EDR
According to the Ponemon Institute’s 2020 Global Risk Report, smartphones, laptops, mobile devices and desktop computers are some of the most vulnerable entry points that allow threat actors to compromise corporate networks. Security teams must assess and address the security risks created by these devices before they can harm the organization. And for this they require Endpoint Detection & Response (EDR).
EDR solutions provide real-time visibility into endpoints and detect threats such as malware and ransomware. By continuously monitoring endpoints, they enable security teams to uncover malicious activity, investigate threats, and initiate appropriate responses to protect the organization.
The limitations of EDR
Modern enterprise networks are complex webs of users, endpoints, applications and data streams distributed across on-premises and multi-cloud environments. As EDR solutions only provide endpoint visibility, many security holes and challenges remain, significantly increasing the risk of cyber attacks going unnoticed.
- Malware that disables/abuses EDR agents: The rise of sophisticated hacker groups like Lapsus$ is another risk that EDR tools cannot handle. In late 2021, Lapsus$ broke into several large companies by compromising remote endpoints and disabling their EDR tools. They were thus able to hide their malicious behavior on the infected endpoints and achieve their goal of stealing sensitive corporate data. Another problem is that threat actors can abuse the “hooking” technique that EDRs use to monitor running processes. Hooking lets the EDR observe programs, detect suspicious activity, and collect data for behavioral analysis, but the same mechanism can be abused by attackers to access a remote endpoint and introduce malware unnoticed.
- BYOD: In recent years, many organizations have moved to remote work models that allow employees and third-party users to access corporate resources via external networks and unsecured mobile devices. These devices are beyond the control of security teams and their EDR tools. Consequently, their security solutions cannot keep up with all these endpoints, much less protect them or the corporate network from malicious attacks.
- Unsupported devices: Also, not all connected endpoints may support EDR agents. This applies to legacy endpoints such as routers and switches, as well as newer IoT devices. Furthermore, with connected supervisory control and data acquisition (SCADA) and industrial control system (ICS) environments, some endpoints may be outside the organization’s control and thus outside the EDR’s security perimeter. Consequently, these endpoints and systems remain vulnerable to threats such as malware, DDoS attacks, and cryptomining.
- Maintaining/distributing EDR: Finally, with agent-based EDR products, installing and maintaining agents on every endpoint across the enterprise network can be a huge burden for security teams.
Closing EDR’s security holes with network visibility and NDR
One of the most effective ways to close the security holes highlighted above is by adding Network Detection and Response (NDR) to your company’s cybersecurity stack for the following reasons:
- Unable to disable NDR: Since a log-based NDR like ExeonTrace collects data from several different data sources in the network (and does not depend on specific devices), its detection algorithms cannot be bypassed. Therefore, even if an EDR agent is disabled by malware, the NDR will still detect the malware's activity on the network.
- Identification of shadow IT: An NDR solution not only makes it possible to monitor network traffic between known network devices, but also to identify and monitor devices and networks that are not yet known. Endpoints without EDR agents, such as BYOD devices, are of course also included in the network analysis.
- Misconfigured firewalls and gateways: Improperly configured firewalls and gateways can serve as entry points for attackers; an NDR allows such misconfigurations to be detected before they are exploited.
- Secure data collection: Network-based data collection is harder to tamper with than agent-based collection, which makes it well suited to the digital forensic investigations regulators require.
- Complete visibility of the entire network: Since no agents are required, an NDR solution like ExeonTrace provides full visibility of all network connections and data flows. It thus provides greater visibility across the entire corporate network and of the threats moving across it.
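One way to implement two of the cross-checks the list above describes, finding active endpoints that carry no EDR agent and managed hosts whose agent has fallen silent, from network flow data alone. This is an added example written for this page, not ExeonTrace's own code; the agent inventory, the flow records and the one-hour silence threshold are all constructed assumptions.

```python
# Added example (not ExeonTrace code): cross-check network flow records against
# an EDR agent inventory to surface hosts with no agent (shadow IT / BYOD) and
# managed hosts still active on the wire while their agent has gone silent.
# Every host, flow and timestamp below is constructed for the demonstration.
from datetime import datetime, timedelta

# Constructed EDR inventory: host IP -> last agent heartbeat (UTC).
EDR_INVENTORY = {
    "10.0.1.10": datetime(2024, 5, 1, 12, 0),
    "10.0.1.11": datetime(2024, 5, 1, 9, 0),   # agent quiet for hours
    "10.0.1.12": datetime(2024, 5, 1, 12, 5),
}

# Constructed flow records in a NetFlow-like "ts src dst dport bytes" layout.
FLOW_LOG = """\
2024-05-01T12:10:00 10.0.1.10 10.0.5.20 443 18200
2024-05-01T12:11:00 10.0.1.11 10.0.5.20 445 5300
2024-05-01T12:11:30 10.0.1.11 203.0.113.9 443 90100
2024-05-01T12:12:00 10.0.1.77 10.0.5.20 445 2200
2024-05-01T12:12:30 10.0.1.12 10.0.5.21 443 800
"""

def parse_flows(text):
    """Parse flow lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_gaps(flows, inventory, max_silence=timedelta(hours=1)):
    """Return (unmanaged, silent): source IPs with no EDR agent, and managed
    IPs whose latest flow is more than max_silence after the last heartbeat."""
    last_seen = {}
    for f in flows:  # latest time each source host was active on the network
        last_seen[f["src"]] = max(last_seen.get(f["src"], f["ts"]), f["ts"])
    unmanaged = sorted(ip for ip in last_seen if ip not in inventory)
    silent = sorted(ip for ip, ts in last_seen.items()
                    if ip in inventory and ts - inventory[ip] > max_silence)
    return unmanaged, silent

if __name__ == "__main__":
    unmanaged, silent = find_gaps(parse_flows(FLOW_LOG), EDR_INVENTORY)
    print("Active hosts without an EDR agent:", unmanaged)
    print("Managed hosts active while agent silent:", silent)
```

In a real deployment the inventory would come from the EDR console's agent-status export and the flows from the NDR's collectors; the point is that the network evidence exists regardless of what happens to the agent on the host.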
As organizations become increasingly complex and add more end-user devices to their networks, they require a reliable monitoring solution to protect their endpoints from potential threats. However, Endpoint Detection and Response (EDR) provides such endpoint protection only to a certain extent. There are many drawbacks to EDR that allow sophisticated cybercriminals to bypass its security perimeter and exploit network vulnerabilities.
Figure: ExeonTrace Platform, screenshot of the dashboard.
To fill the security gaps left by EDR solutions, organizations must strengthen their security defenses. Network Detection and Response (NDR) solutions such as ExeonTrace are a reliable and proven way to monitor network traffic and thus complement your company’s cybersecurity stack. As EDR and NDR solutions are complementary, their combined detection capabilities can effectively protect organizations against sophisticated cyber attacks.
Order a free demo to find out how ExeonTrace can help you tackle your security challenges and make your organization more cyber-resilient.