EDR, why Endpoint Detection and Response is not enough anymore

Risks are hidden everywhere, among desktops, laptops, and smartphones. The devices used in the workplace, increasingly in hybrid mode between home and office, represent the first critical line of defense when it comes to IT security. According to a study conducted by the Ponemon Institute, 68 % of companies experienced one or more endpoint attacks that compromised the company's data and IT infrastructure.

The same percentage of respondents reports a growth in attacks directed specifically at endpoints and increasingly difficult detection. More than half of the organizations admit that detecting threats has become a problem today, as the endpoint protection solutions they adopted are not sufficient to detect advanced attacks in time.

On the other hand, between phishing, social engineering and software misconfigurations, attackers have multiple choices when it comes to finding a way into corporate systems. With the increase in remote working, the spread of Internet of Things (IoT)-based devices, and the multiplication of network-connected devices available to employees and customers, the number of endpoints has grown by leaps and bounds, and with it the number of vulnerabilities to be remediated and threats to be repelled.

EDR, advantages and disadvantages

To protect endpoints, companies rely on antivirus and patch management, and increasingly on Endpoint Detection and Response (EDR) solutions to detect the first signs of attack and block them. These solutions are designed to detect threats directed at endpoints through continuous endpoint monitoring: they log all device activity via agents and, in some cases, are able to provide internal analysts within the organization with the information they need to respond to the threat.

In particular, an EDR can detect unknown threats through tools capable of detecting anomalous behaviour and, against such advanced threats, offer security teams and SOC analysts context-enriched information and data for remediation.

However, EDR solutions provide security teams with a necessarily partial view. In dynamic, resource-intensive cloud environments, this kind of coverage becomes less and less effective. By focusing their efforts on prevention strategies, many companies have lost all visibility into attacks perpetrated through the network, because they are unable to detect lateral movements and unknown threats.

EDR limitations

One of the major limitations of endpoint security concerns the amount of data to be managed. Even EDR solutions that proactively search for threats face challenges in managing and analysing huge amounts of data. The result is a high number of false positives, which increases the detection difficulties for the analysts in the Security Operation Centre (SOC), who have to juggle continuous alerts in search of a real signal of an attack to be averted.

This leads to the other critical issue: costs. They accrue for each individual endpoint, for the tool itself, for the equipment required to process the enormous amount of data and, of course, for the labor costs of the many security staff to be employed. Even if an MSP provided the service, the final cost for the company requiring its services would be further increased.

Last but not least, EDR does not provide network visibility, which matters because threats that creep onto an endpoint can move laterally through the network. Through covert contacts with a remote command-and-control (C&C) server, they can reach other portions of the infrastructure undetected and unrestrained. Nor can EDR enforce basic cyber hygiene measures, which are typically left to staff and their behavior.
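The network-visibility gap described above can be made concrete. The script below is an added example, not part of the original article or of any vendor's product: it embeds two constructed telemetry sources (endpoint process events, as an EDR agent might log them, and network flow records, as a firewall or NetFlow sensor might log them), applies two network-side heuristics that an endpoint-only view cannot compute (recurring connections to the same external destination at near-constant intervals, and one internal host fanning out to several peers on administrative ports), and then joins the flagged addresses back to the endpoint telemetry. All hosts, addresses, process names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed endpoint telemetry, roughly what an EDR agent records per host.
# Taken on their own, none of these process events look suspicious.
ENDPOINT_EVENTS = [
    {"host": "wkstn-05", "ip": "10.0.0.5", "process": "explorer.exe", "parent": "userinit.exe"},
    {"host": "wkstn-05", "ip": "10.0.0.5", "process": "updater.exe", "parent": "explorer.exe"},
    {"host": "wkstn-06", "ip": "10.0.0.6", "process": "explorer.exe", "parent": "userinit.exe"},
    {"host": "wkstn-06", "ip": "10.0.0.6", "process": "outlook.exe", "parent": "explorer.exe"},
]

# Constructed flow records: (seconds since start, source IP, destination IP, destination port).
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443),     # wkstn-05 reaches one external host
    (61, "10.0.0.5", "203.0.113.10", 443),    # roughly every 60 seconds
    (119, "10.0.0.5", "203.0.113.10", 443),
    (180, "10.0.0.5", "203.0.113.10", 443),
    (241, "10.0.0.5", "203.0.113.10", 443),
    (90, "10.0.0.5", "10.0.0.7", 445),        # and fans out to three internal peers
    (95, "10.0.0.5", "10.0.0.8", 445),
    (130, "10.0.0.5", "10.0.0.9", 3389),
    (5, "10.0.0.6", "198.51.100.20", 443),    # wkstn-06: irregular, user-driven traffic
    (12, "10.0.0.6", "198.51.100.20", 443),
    (300, "10.0.0.6", "198.51.100.20", 443),
    (301, "10.0.0.6", "198.51.100.20", 443),
    (900, "10.0.0.6", "198.51.100.20", 443),
    (400, "10.0.0.6", "10.0.0.7", 445),       # a single file-share access is normal
]

INTERNAL = ip_network("10.0.0.0/8")          # assumed corporate address range
ADMIN_PORTS = {445, 3389, 5985}              # SMB, RDP, WinRM (assumed watch list)


def beaconing_flows(flows, min_flows=4, max_cv=0.2):
    """Return {(src, dst, port): mean interval} for external connections that recur
    at near-constant intervals (coefficient of variation of the gaps <= max_cv)."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        if ip_address(dst) not in INTERNAL:
            times[(src, dst, port)].append(t)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = avg
    return found


def lateral_fanout(flows, min_peers=2):
    """Return {src: set of internal peers} for internal hosts that reach at least
    min_peers distinct internal destinations on administrative ports."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port in ADMIN_PORTS and ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            peers[src].add(dst)
    return {src: dsts for src, dsts in peers.items() if len(dsts) >= min_peers}


def correlate(flows, events):
    """Join the network findings to endpoint telemetry so an analyst gets the host
    name and the processes that were active there, i.e. the context for a response."""
    suspects = {src for src, _, _ in beaconing_flows(flows)} | set(lateral_fanout(flows))
    report = {}
    for ip in sorted(suspects):
        host_events = [e for e in events if e["ip"] == ip]
        report[ip] = {
            "host": host_events[0]["host"] if host_events else None,
            "processes": sorted({e["process"] for e in host_events}),
        }
    return report


if __name__ == "__main__":
    print("beaconing:", beaconing_flows(FLOWS))
    print("fan-out:", lateral_fanout(FLOWS))
    print("correlated:", correlate(FLOWS, ENDPOINT_EVENTS))
```

Run stand-alone, the script flags only wkstn-05: its external connection recurs every 60 seconds with almost no jitter, and it touches three internal peers on administrative ports, while wkstn-06's irregular browsing and single share access stay below both thresholds. The point is that neither signal exists in the endpoint event list; they only appear once network telemetry is collected and joined to it, which is the coverage the article argues a detection-centred service must add.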

Also, according to the Ponemon Institute study, over the past two years more than half of all companies have replaced their endpoint security solution as it was deemed inadequate or too complex. 64 % of companies consider EDR to be ineffective against new or unknown threats, and 61 % admit that they do not have the necessary personnel to support such solutions. EDR, in short, needs to evolve to keep up with new business priorities.

The role of Managed Detection and Response (MDR)

Today, traditional IT perimeters are expanding and becoming more and more permeable. Threat detection has become essential to ensure the security of organizations. This is why the cybersecurity paradigm is shifting from a prevention-based model to a detection-based model, capable of ensuring a rapid and automatic response should an attack succeed. We are talking about a necessary transition from an EDR-based model to Managed Detection and Response (MDR), a holistic approach by a provider that takes care of the entire cybersecurity of the client company.

When an attack is underway, it is not enough just to put up barricades in front of the front doors. A modern protection system cannot be limited to endpoint security alone, but must rely on detection and response solutions extended to all areas and levels of the infrastructure, preferably with Artificial Intelligence.

Choosing an MDR service allows you to protect not only devices, but also applications, databases, storage, networks and workloads in the cloud, thanks to a competent team available 24 hours a day, supported by the latest technology. This is the only way to overcome the limitations of traditional endpoint protection and project the organization into a future where cyber attacks are no longer a threat, or rather: no longer scary.
