Today’s sophisticated cyberthreats require new, advanced approaches to prevention and defence. Endpoint Detection and Response (EDR) is one such tool which is helping to keep organisations secure. Here, Bogdan Carlescu, Acting Cybersecurity Professional and Product Marketing Director at Bitdefender, highlights how CISOs can make EDR a key component of their overall cybersecurity strategy, as well as why they should prioritise this.
Tell us about the level of sophistication we see in today’s threat landscape, particularly when it comes to the endpoint?
If we look at the early reports of 2021, or review the key incidents, there are a few key words that will quickly surface: ransomware, phishing attacks, Business Email Compromise (BEC), supply chain attacks, data breaches or data exfiltration.
We can group these attacks into two key categories: fast-evolving attacks and slow and stealthy attacks. Both can be very aggressive, both can be targeted and both can cause massive impact for any organisation in the world.
Without minimising the importance of fighting off ransomware and other aggressive fast-evolving attacks, I will focus on the slow and stealthy type of attacks. Here we include the likes of supply chain attacks, phishing for company or state secrets and exfiltration of entire databases during months of undetected malicious activity.
The prevalence of these complex threats increased dramatically over the last few years and a question worth asking at this point is – who is affected by this class of attacks? You might think that it only applies to large organisations. These are the notorious cases that make it to the media. But this couldn’t be further from the truth.
Smaller organisations are increasingly facing advanced cyberthreats, either to become a gateway towards a larger target during a supply chain attack or by being a collateral victim in a larger attack. The advanced attack techniques are so prevalent today that no organisation should consider itself safe.
Let’s talk Endpoint Detection and Response (EDR) – how has this historically been used as part of advanced threat prevention?
Historically, cyberdefences relied mostly on the prevention capabilities that are built into endpoint protection platforms and this approach provided acceptable results for many years.
As the attacks increased in sophistication, the security paradigm had to evolve. Security experts realised that 100% prevention is not possible. By acknowledging the real possibility of being breached, many organisations adopted EDR solutions to complement prevention capabilities and to increase the resilience of organisations faced with advanced cyberattacks.
EDR relies on continuous monitoring of endpoint events across the entire infrastructure, providing extended threat detection, incident investigation and effective response.
Why, given the changes to the working environment we have seen over the last year, has EDR become an even more important cybersecurity tool?
The global pandemic had a very strong influence on cybersecurity through significant changes both in the threat landscape and in the attack surface.
We discussed the increased sophistication and volume of attacks and, to a large extent, this was fuelled by the forced ‘work from home’ setups. In the early days, most organisations rushed into working from home and the attack surface available to various attackers in the world increased significantly.
With endpoints leaving the relative safety of corporate networks and being scattered across employees’ homes, security teams required more advanced threat detection capabilities and, more importantly, better visibility to avoid costly cyberbreaches.
EDR is the perfect instrument in this setup as it’s focused on the endpoint and the location of the device is less relevant.
How does EDR bridge the cyberskills gap?
EDR is an interactive solution but to some degree security analysts are needed for an effective EDR ecosystem. By itself, EDR will not do too much good to an organisation – a high volume of alerts, fragmented visibility and false positives are increasing the pressure on security teams. This isn’t helping to cope with the skills gap.
So, when looking to adopt EDR, an organisation should consider a few things. First is the ability to detect complex threats, as well as ease of use, accuracy, context information and guided response. But secondly, organisations should also look for built-in automation capabilities.
To help customers reduce the challenges due to the cybersecurity skills gap, Bitdefender focused on providing an EDR that has proven industry-leading detection capabilities but is also easy to use and accessible to a wide range of organisations.
We also developed an MDR service that moves all the weight of security operations to highly-skilled Bitdefender SOC team analysts.
Why is it so important that CISOs and their teams have access to highly detailed reports and analytics, and how does a good EDR solution enable this?
I think it is hard to over-emphasise the importance of incident reporting and security analytics for security teams. Although there are quite a few reasons for having access to detailed reporting and analytics, I will focus on three key use cases: incident investigation, forensics and compliance.
Effective incident investigation relies on two principles: knowing (in good time) that something is happening and understanding quickly what is happening. Forensics is similar, with the difference that time is not as critical as in the case of incident investigation. Here the most important thing is to have access to untampered and accurate information. Compliance also relies on being able to provide authorities with detailed, reliable information on security incidents. Detailed reporting and security analytics are key to all three use cases.
With its detailed information on security incidents and rich context, EDR is an exceptional instrument to serve these use cases. It collects detailed event data from all endpoints in the network and stores it for extended periods of time.
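The answer above, together with the earlier description of EDR as continuous monitoring of endpoint events that feeds detection, investigation and response, can be illustrated with a small, self-contained pipeline. The block below is an added example, not Bitdefender code or any description of how its product works: it ingests constructed process-creation telemetry from hypothetical hosts, keeps each event in an append-only store whose records are hash-chained (so forensic analysts can check the stored data has not been altered), runs two common detection rules over the events, and correlates the resulting alerts per endpoint so an investigator sees one incident with context rather than scattered alerts. Host names, user names and command lines are all constructed.

```python
"""Toy EDR pipeline: tamper-evident event store, detection rules, per-host correlation.
Added example for illustration only; every event below is constructed."""
import hashlib
import json
from collections import defaultdict

# Constructed process-creation telemetry from hypothetical endpoints.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-01", "user": "alice", "parent": "outlook.exe",  "image": "winword.exe",    "cmd": "winword.exe invoice.docm"},
    {"ts": 2, "host": "ws-01", "user": "alice", "parent": "winword.exe",  "image": "powershell.exe", "cmd": "powershell.exe -enc SQBFAFgA..."},
    {"ts": 3, "host": "ws-02", "user": "bob",   "parent": "explorer.exe", "image": "chrome.exe",     "cmd": "chrome.exe"},
    {"ts": 4, "host": "ws-02", "user": "bob",   "parent": "winword.exe",  "image": "cmd.exe",        "cmd": "cmd.exe /c whoami"},
    {"ts": 5, "host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
GENESIS = "0" * 64


class EventStore:
    """Append-only log; each record stores the hash of the previous record plus
    its own event, so any later edit of stored telemetry breaks the chain."""

    def __init__(self):
        self.records = []
        self.last_hash = GENESIS

    def append(self, event):
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self.last_hash + body).encode()).hexdigest()
        self.records.append({"prev": self.last_hash, "event": event, "hash": digest})
        self.last_hash = digest

    def verify(self):
        """Recompute the chain from the genesis value; False means tampering."""
        prev = GENESIS
        for rec in self.records:
            body = json.dumps(rec["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def rule_office_spawns_shell(ev):
    """An Office application launching a shell is a classic macro-abuse signal."""
    if ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
        return "office_app_spawned_shell"
    return None


def rule_encoded_powershell(ev):
    """PowerShell started with an encoded command line is worth an analyst's look."""
    if ev["image"] == "powershell.exe" and "-enc" in ev["cmd"].lower().split():
        return "encoded_powershell"
    return None


RULES = [rule_office_spawns_shell, rule_encoded_powershell]


def detect(events):
    """Apply every rule to every event; each hit becomes an alert with context."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "host": ev["host"], "user": ev["user"],
                               "ts": ev["ts"], "cmd": ev["cmd"]})
    return alerts


def correlate(alerts):
    """Collapse alerts into one incident per host listing the distinct rules that fired."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert["rule"])
    return {host: sorted(set(rules)) for host, rules in by_host.items()}


def run(events=SAMPLE_EVENTS):
    """Ingest, detect and correlate; also report whether the stored log is intact."""
    store = EventStore()
    for ev in events:
        store.append(ev)
    alerts = detect(events)
    return {"alerts": alerts, "incidents": correlate(alerts), "log_intact": store.verify()}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running the block yields three alerts (two on ws-01 for the same event, one on ws-02), two correlated incidents and an intact log; changing any stored event afterwards makes `verify()` return False, which is the property the forensics use case above depends on.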
How can organisations make EDR a key component of their overall cybersecurity strategy?
A sound security architecture must cover all phases of the cybersecurity framework, which are identify, protect, detect, respond and recover. EDR (and XDR as an evolution of EDR) is instrumental for detecting and responding to advanced cyberthreats.
Depending on the availability of skilled security personnel in-house, an organisation can integrate EDR in their security architecture in two ways: as a product (EDR solution) or as a service (Managed Detection and Response).
Choosing the MDR service, an organisation moves from acquiring security technology (which is an excellent option for customers with an in-house security team) to directly acquiring security outcomes, allowing the IT organisation to focus on other key initiatives.
Making detection and response part of the security architecture is a must in 2021 and enterprises can choose between EDR as a product or MDR depending on what suits them better.
How does Bitdefender set itself apart from others in the EDR market?
One of our core aims at Bitdefender is to bring more benefits to customers while reducing adoption challenges.
Bitdefender has at least three differentiation points:
- Market-leading threat detection proven by independent tests like MITRE evaluations
- Integrated extended detection and response capabilities that allow customers to enjoy enhanced detection of advanced threats that are affecting a larger portion of the organisation and unified visibility on security incidents. This enhancement of EDR was named eXtended Endpoint Detection and Response
- Integration with the other security capabilities offered by Bitdefender (risk analytics, hardening, prevention) into one single unified endpoint security solution that promotes both ease of use and operational efficiency