Endpoint detection and response (EDR/XDR): the new normal
Endpoint antivirus or antimalware has long been considered a default. Microsoft Windows, for one, has included its Defender detection capabilities for many years. Simply put, both business and home users have come to expect detection as a basic part of the "service" (your Windows or Apple operating system is now a service, remember).
A decade or so ago, it became clear that the traditional pattern-based approach to detecting malware is not effective: malicious actors can produce so many malware variants that any attempt to detect them via known detection patterns is bound to fail. The malware market has matured so much that actors can now deliver state-of-the-art attack infrastructure, from DDoS to sophisticated attacks based on the latest rootkits and vulnerabilities - enter malware-as-a-service.
Antimalware vendors have responded to this malware proliferation in many ways - from behavior monitoring to near real-time checks against a cloud-based security service.
However, even this near real-time approach is now obsolete in at least two important ways.
First, getting warned about detections in files does not give any context: has this detection occurred across several other endpoints? If yes, which endpoints? Is the detection accompanied by known attack methods and techniques (for example, modifying registry settings, dropping additional files, etc.)? Has the detection been preceded by email delivery of a certain type (a download link) to a set of users? Are those users also affected? And the list of questions continues... To answer them, IT administrators are typically left manually searching multiple log sources, perhaps with custom-made scripting tools (PowerShell scripts, etc.). It is easy to see how this approach does not scale when managing tens, hundreds or thousands of endpoints.
Second, if the IT administrator finally concludes this is a valid malicious attack against the organization, it is crucial to thwart it quickly by responding remotely across a wide range of affected endpoints. This includes actions such as isolating the device by blocking all network connections, restoring a particular file, reverting registry entries, and so on. Again, all of this can be done with remote administration tools (Active Directory-managed endpoints allow for all of it), but it quickly becomes burdensome and requires considerable skill to deploy properly across the endpoint population. Skills and time are scarce resources in organizations when it comes to IT.
Antimalware detection is the default commodity service one should probably expect to be built into the endpoint operating system. Having operational visibility into how risky each detection really is, and then being able to respond quickly - that is what organizations need to focus on, as malicious actors try to stay hidden in the environment and move both vertically and laterally across the organization's IT assets.
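The triage questions above (which other endpoints saw the same detection, whether known techniques such as registry changes or dropped files accompanied it, and whether a delivery email with a download link preceded it) are exactly what an EDR console correlates for the administrator. The following is an added example, not code from the original post, that runs that correlation over a handful of constructed, already-normalised events from three log sources (mail gateway, antimalware detections, registry and file audit); the event schema and technique names are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry), normalised from several
# log sources. Timestamps are ISO-like strings so they sort lexically.
EVENTS = [
    {"ts": "09:00", "host": "ws-01", "user": "alice", "type": "email",
     "detail": "download-link"},
    {"ts": "09:05", "host": "ws-02", "user": "bob", "type": "email",
     "detail": "download-link"},
    {"ts": "09:07", "host": "ws-03", "user": "carol", "type": "email",
     "detail": "download-link"},
    {"ts": "09:10", "host": "ws-01", "user": "alice", "type": "detection",
     "detail": "Trojan.Sample"},
    {"ts": "09:11", "host": "ws-01", "user": "alice", "type": "registry",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "09:12", "host": "ws-01", "user": "alice", "type": "file_drop",
     "detail": r"C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"ts": "09:40", "host": "ws-02", "user": "bob", "type": "detection",
     "detail": "Trojan.Sample"},
]

# Event types we treat as known attack techniques accompanying a detection.
KNOWN_TECHNIQUES = {"registry", "file_drop"}

def detection_context(events, name):
    """Answer the triage questions for one detection name across all hosts."""
    events = sorted(events, key=lambda e: e["ts"])
    first_seen = {}                 # host -> first detection timestamp
    for e in events:
        if e["type"] == "detection" and e["detail"] == name:
            first_seen.setdefault(e["host"], e["ts"])
    techniques = defaultdict(set)   # host -> technique events on detected hosts
    emailed = {}                    # user -> first delivery mail with a link
    for e in events:
        if e["type"] in KNOWN_TECHNIQUES and e["host"] in first_seen:
            techniques[e["host"]].add(e["type"])
        if e["type"] == "email" and e["detail"] == "download-link":
            emailed.setdefault(e["user"], e["ts"])
    detected = {e["user"]: e["ts"] for e in events
                if e["type"] == "detection" and e["detail"] == name}
    preceded = {u for u, ts in detected.items() if emailed.get(u, "~") < ts}
    return {
        "hosts": sorted(first_seen),
        "techniques": {h: sorted(t) for h, t in techniques.items()},
        "preceded_by_email": sorted(preceded),
        # recipients of the same mail with no detection yet: check them first
        "emailed_not_yet_detected": sorted(set(emailed) - set(detected)),
    }
```

The last field is the one a manual log search tends to miss: users who received the same download link but have no detection yet are the endpoints to isolate or inspect before the attacker gets there.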
Fortunately, the solutions on the market are now firmly established as Endpoint Detection and Response or Extended Detection and Response