It seems that half a year has already flown by since my last article. The frequency of my articles might suggest that I don’t work as much anymore. However, the opposite is true. This past year has been busier than ever. We’ve been helping rescue encrypted companies, investigating “unfinished” attacks, and also conducting audits.
In particular, there have been many audits. Initially, I perceived them as a diversion from office work and a form of excursion. Eventually, it became a non-stop rush and stress to get everything done. I want to discuss audits in the next article. I would like to share our insights and recommendations on what to check in your network. Hopefully, this will help as many interested people as possible, and also free up some time for me. 😊
Now, back to today’s topic. That is “Endpoint Detection and Response”, or EDR.
What is EDR?
It is an application that runs on an endpoint device (“Endpoint”) and collects information about its activities. It monitors which programs are launched and with which parameters, what network connections they make, what subprocesses they launch, how they communicate with other processes, which files and registry keys they access, and what system calls they use.
In the collected information, it looks for signs of malicious behavior (“Detection”) and allows the administrator to intervene (“Response”). For instance, isolating the device from the network, terminating a process, or blocking an application.
Essentially, it is a “sibling” of antivirus. EDR collects and stores information about the system’s activities. It detects malicious activities based on suspicious behavior in the collected information. It does not try to understand the programs (their code) running on the device (it observes them from outside).
In contrast, antivirus does not collect and store much information. Its goal is to check the data accessed by the endpoint device and the code it is about to execute (it checks programs from inside). The result of its detection is the discovery of malicious code (malware, i.e. programs intended to cause harm).
Obviously, both applications (EDR and Antivirus) are related, and some of their functionalities overlap. Hence, antivirus companies commonly develop both antivirus and EDR. The combination of these two “functionalities” in one product yields the best results – thanks to their mutual correlation (evaluating harmful behavior based on a larger amount of data leads to better results).
Is EDR just another buzzword?
If you attend partner events or sponsored webinars, you must have encountered the acronym EDR. It is another technology where everyone feels it could be an additional source of 💵.
And we, the administrators, wonder… Is this technology sensible? Or a trap? Will it bring little while its operation costs a lot of experienced people’s time? We had this debate in our company as well. 😁
Recently popular technologies like SIEM or sandboxing didn’t excite me much. Not because they are bad, but because they are expensive (acquisition and operation) and suitable only for large companies (at least several hundred devices). I’ve written more about this in “Exaggerated Expectations from Security Technologies”.
However, EDR is a different story. It is a technology that significantly improves security with small acquisition costs and minimal maintenance costs. Basically, once a company has someone who looks into the antivirus console, the operation doesn’t change. It is suitable for all companies, from a few computers upwards.
Why I believe in EDR
Those who know me are aware that I usually hack without using malware (see my YouTube channel). This is so I don’t have to deal with whether my hacking is detected by antivirus or not. Instead of malware, I use tools that are standard parts of the operating system (i.e. “Living off the Land” – LotL) or behave like a “normal” administrator. Similar behavior is observed in attackers.
Both I and attackers (and many others 😊) deliberately hack out of the “sight” of regular antivirus.
And EDR is the way to detect hackers like me and others. EDR adds “visibility” where there was darkness 🔦. Antivirus along with EDR greatly increases the likelihood of detecting an attacker in the network.
Additionally, when an incident occurs, you have significantly more information about what happened and how. Thanks to EDR, you know when and from where the backdoor/malware came, which servers it communicated with, and what commands/applications it launched on the compromised device. All this from the information that EDR collects. In other words, EDR partly also substitutes for “log management”.
Choosing the right EDR
That is a million-dollar question! Over the past few months, I’ve had the opportunity to work with several EDRs while investigating real incidents that we handled at the attacked companies. We have also been using ESET’s EDR, ESET Inspect, in our internal network for several years.
Every EDR has its strengths and weaknesses. Below you will find my experiences and thoughts regarding the individual products. It is a somewhat specific case, as I am looking for a solution that we could deploy to all our customers. My experience with the products is rather brief. I haven’t had years of experience or a large number of investigated incidents with any of them.
Which EDR is the right and best one? I have no idea. 🤔 Yet, for several months, I have been trying to choose a solution that we could deploy for all our customers to enhance security.
I would be very pleased if you also shared your experiences. It will help me choose our company’s EDR.
Regardless, I believe that whichever of the well-known EDR systems is chosen, it will always be a step forward.
ESET – ESET Inspect
We have been long-term partners of ESET and have their antivirus solution deployed to all customers (as part of our standardization principle). Therefore, it would make sense to also use their EDR.
ESET’s EDR product was initially called ESET Enterprise Inspector (EEI). As the name suggests, it was primarily intended for large organizations. In 2022, they renamed it to ESET Inspect, probably to show that it is also suitable for “smaller” companies.
ESET offers it in both cloud and on-prem versions. If you decide to deploy it, you will need another reasonably powerful server (where the server part of ESET Inspect will be deployed) and install another application (ESET Inspect Agent) on all clients. Personally, I would prefer to use the cloud version (where ESET Protect and ESET Inspect are hosted by ESET).
We swear by ESET Antivirus. We have been very satisfied with it over the years – detection coverage, minimum false positives, stability, performance requirements. However, ESET Inspect did not impress me much. The clarity of the interface is a generation behind compared to Bitdefender or Microsoft Defender.
Another thing is the way events are evaluated. ESET Inspect relies on rules that are evaluated independently (they do not correlate with each other, with a few exceptions). So, you will have thousands of “events” in the console each day. Tuning the rules will therefore require days of work. In the end, you still have a product that will require a lot of time and manual work every day.
Bitdefender and Microsoft cluster events into incidents and evaluate them accordingly (as a whole). Thus, it does not happen that one separate rule, which means nothing by itself, causes an “event”. Every day, you get one or two incidents (events). You can immediately see (without further searching) much more information about them. It is thus easier to decide whether it is a problem that requires your attention or has been automatically resolved (or was a false positive).
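To make the difference between the two evaluation styles concrete, here is an added example in Python (not code from the original post or from any of the vendors): a handful of constructed process-creation records of the kind described in the “What is EDR” section, three independent rules evaluated rule-by-rule as described for ESET Inspect, and the same rules grouped per host and process tree into scored incidents as described for Bitdefender and Microsoft. Rule names, weights, the threshold and all telemetry values are assumptions for illustration only.

```python
from collections import defaultdict

# Constructed process-creation telemetry for two hosts (illustrative values, not real EDR data):
# host, pid, parent pid, image, parent image, and whether the process opened a network connection.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1, "image": "winword.exe", "parent": "explorer.exe", "net": False},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": "cmd.exe", "parent": "winword.exe", "net": False},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": "wscript.exe", "parent": "cmd.exe", "net": True},
    {"host": "ws02", "pid": 400, "ppid": 1, "image": "cmd.exe", "parent": "explorer.exe", "net": False},
]

OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hypothetical rules: (name, weight, predicate). "shell_started" alone means nothing; an admin does it daily.
RULES = [
    ("shell_started", 1, lambda e: e["image"] in SHELLS),
    ("office_spawned_shell", 4, lambda e: e["image"] in SHELLS and e["parent"] in OFFICE),
    ("script_host_network", 4, lambda e: e["image"] in SCRIPT_HOSTS and e["net"]),
]

def evaluate_rules(events):
    """Rule-per-event evaluation: every match becomes its own console entry, with no correlation."""
    return [(name, e["host"], e["pid"]) for e in events for name, _, pred in RULES if pred(e)]

def root_pid(procs, pid):
    """Follow the parent chain to the top-most process we have telemetry for on this host."""
    while procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid

def cluster_incidents(events, threshold=5):
    """Group rule matches by host and process tree; surface only trees whose summed weight reaches the threshold."""
    procs = defaultdict(dict)
    for e in events:
        procs[e["host"]][e["pid"]] = e
    incidents = defaultdict(lambda: {"score": 0, "alerts": []})
    for e in events:
        key = (e["host"], root_pid(procs[e["host"]], e["pid"]))
        for name, weight, pred in RULES:
            if pred(e):
                incidents[key]["score"] += weight
                incidents[key]["alerts"].append((name, e["pid"]))
    return {k: v for k, v in incidents.items() if v["score"] >= threshold}

if __name__ == "__main__":
    print(len(evaluate_rules(EVENTS)), "separate alerts vs", len(cluster_incidents(EVENTS)), "incident(s)")
```

The lone shell on ws02 produces a console entry under rule-by-rule evaluation but never reaches the incident threshold when clustered, while the three related matches on ws01 collapse into one incident that already carries the whole process chain.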
On the other hand, it is true that for a professional SOC team full of dedicated specialists, ESET Inspect may be a better choice. It allows them to write their own rules and exceptions, and to freely access all collected events (threat hunting).
The last thing I want to mention is that I miss some vision at ESET (subjective opinion). In recent years, they have not come up with any real innovation. New major versions of the antivirus seem more like service packs (no added functionality). Many partners and customers are leaving them for competitors (ESET reportedly doesn’t even care why 😔). It feels like ESET is resting on the laurels of its past successes, and I am genuinely sorry about it.
Bitdefender – GravityZone Business Security Enterprise
If we were founding the company now and hadn’t selected (deployed) any product yet, I would probably decide on Bitdefender. I like how Bitdefender is advancing and the simplicity of its management. It seems like the developers understand how we, administrators, work and try to make our job easier.
The product consists of only one application, which is installed on the device. Depending on the type of license and configuration, the required security modules are installed. The product updates are then managed by the cloud console itself. The console looks clear, modern, and is pleasant to work with.
I really like the “Risk Management” module, which shows misconfigurations, vulnerabilities, and risky user behavior. Security is not just about catching hackers and detecting malware but making the network resilient to prevent any breaches. This, in my opinion, is the path AVs should follow (I believe that AV that only catches malware is an outdated concept).
Regarding detections, Bitdefender seems quite aggressive to me. Compared to ESET, we notice many false-positive detections, especially with software/scripts it hasn’t seen before. This can be a particular problem for development companies.
When a false positive occurs, the ability to create exceptions is not as powerful as with ESET. However, Bitdefender’s support is helpful and can reclassify things within global definitions (it just takes a bit more effort and time).
For smaller MSP companies (companies that look after other companies’ IT), this aggressiveness can be an advantage, although it sometimes stops legitimate applications, which then needs to be addressed. But there is a much higher chance that it will stop an actual hacker attack on its own (I don’t have any statistics, just impressions and experiences from investigating incidents).
Bitdefender strives to be straightforward, revealing what it deems relevant information in the event of an incident. The drawback is that it’s not possible to access what it considers non-relevant, which complicates incident investigations.
Bitdefender is currently working on XDR. They have a connector to Azure Active Directory and the option of network probes. They also correlate data from individual endpoints and can show incidents spanning multiple devices (Microsoft Defender can do this as well).
Microsoft Defender for Endpoint P2
If I were an internal administrator and our company had an M365 Business Premium license, this would likely be my choice. Within the aforementioned license, Microsoft Defender with EDR functionality is included in the price (you probably just need to purchase additional licenses for server OS).
Again, I really like the interface of this product, the amount of information that can be extracted while resolving an incident, and the ability to do threat hunting.
Being a Microsoft product, there is also great integration with MS Azure, MS Office 365, and the on-prem environment (I would guess it’s probably the biggest there can be).
Since Microsoft Defender (the AV in its current form) is a standard part of Windows Server 2016+ and Windows 10, I do not expect its use to cause complications (false positives, breaking applications).
For us, as MSPs (managing multiple companies), multitenancy is lacking (seeing what’s happening with all clients through one console without the need to switch between their environments) and the higher price is a deterrent if we wanted to convert all customers to it (currently Defender for endpoint plan 2 costs $5.20 per user/month). On the other hand, we see increasing adoption of O365 among customers, who are willing to pay extra for features.
Fortinet – FortiEDR
We considered this EDR because Fortinet is also one of our partners, from whom we already use a variety of products. Centrally, we have FortiEMS and FortiAnalyzer. In individual networks, we then deploy FortiGate, FortiSwitches, and FortiAP. Logically, it would make sense to use their product.
Fortinet also has tremendous vision and drive. What they plan makes sense. However, based on experiences with some products (especially FortiClient and FortiEMS), I feel that not everything is always “production ready.” Nevertheless, everything is progressing and improving.
Another disadvantage may be (if still valid) that FortiEDR has a minimum purchase of 500 licenses. So it’s not possible to cover smaller companies (unless included in some MSSP program).
I haven’t had experience with this product yet, but I read online that it is supposed to be top-notch. 😊 I included it in this list of potential candidates because we can acquire licenses as part of our N-able RMM monitoring system (formerly SolarWinds).
If anyone has practical experience with it, I would really appreciate their sharing.
The future is XDR
While EDR significantly expands the space where we can detect attackers, there are still blind spots. For example, last month, we dealt with a customer whose NAS was hacked and turned into a “proxy”, through which other devices in the network were attacked.
So, for our EDR system, it would be useful to add information from other network devices such as switches, routers, Wi-Fi APs, cameras, printers, VoIP phones, NAS devices, and mobile phones. And since many companies also use cloud services, logs from these services would also be useful (certainly at least Azure Active Directory).
This brings us to the term XDR (eXtended Detection and Response). This technology will most likely be the successor to EDR and again will enable us to have a better overview of our environment.
Some manufacturers are already introducing XDR technology. In my opinion, it’s more about vision and direction (some functionality is there, but most of the journey is still ahead of them). I’m certainly curious about the future. 🤗
For many companies, EDR means an opportunity to enhance security levels inexpensively, simply, and quickly. Usually, it will be enough just to purchase a higher edition of their AV product (that includes EDR) and reinstall the agent on end devices. The management, supervision, and maintenance of AV then remain the same.
What do you think? And what are your experiences with EDR solutions?
May your networks stay secure,