We’ve said it before, and we will say it again: as technology becomes more and more advanced, so do the people trying to exploit you and your business. Which brings me to my next point: antivirus software isn’t holding up as well as it used to, and it’s time to level up. Endpoint Detection and Response (EDR) is the next evolution of antivirus software, and we field a lot of questions about it, like:
- What is EDR anyway?
- Where did it come from?
- Why do I need it?
- Why is it so much more expensive than antivirus?
- Is it worth the extra money?
The TL;DR here is: yes, EDR is worth it, and it’s critical. If we had to choose between an antivirus package and an EDR package, we would recommend EDR. Unless you have a dedicated security team with people watching for alarms 24x7 and the ability and authority to respond instantly to threats, you should have a monitored solution. Does this seem a bit excessive to you? Then you’ll want to read the rest of this blog.
What is EDR & Where Did It Come From?
For this history to make more sense, I am using the term “virus” in its most generic IT sense: any automated program that executes a malicious task. A malicious task is any action performed without the owner’s permission, where the creator’s intent was to destroy or steal data to make money, or to disrupt an organization’s operations.
Antivirus software has a definition file of known viruses. Those definitions started coming out several times per day as research organizations got better and faster at finding threats and neutralizing them. This meant that the hackers had to get better too, and they found the most success by avoiding definition-based detection altogether: they started using standard tools that are legitimately used for IT monitoring and management. Antivirus platforms tried to adapt with a feature called heuristics, which looks for specific commands or actions instead of the properties of the entire file. The problem is that as systems became more sophisticated, the commands available by default also became more powerful, which made it easier for hackers to build viruses because the actions they were executing were “normal” and “legitimate” commands.
Experts finally realized the key was to look at behaviors. At first, behavior analytics were focused almost entirely on programs and gave rise to a family of products called “Next Generation Antivirus” (NGAV). While this was an improvement, the focus eventually shifted to the user. This is where Endpoint Detection and Response (EDR) comes in. There is still a blurry line between NGAV and EDR, but the common element is behavior analytics. Most commonly right now, antivirus is still definition-based; NGAV adds program-behavior analytics to catch programs performing “non-normal” actions that might be malicious; EDR is all of that, plus user-behavior analytics to catch actions being run as the user that are “not normal” for that specific user.
Like many things in our world, trying to set rules based on what is “normal” is difficult, and there are false positives and false negatives. Antivirus was very good at catching everything known and rarely had a false positive. Unfortunately, it missed a lot. In the new security landscape, based on behavior pattern matching, there are a lot more false positives; however, a lot more viruses are caught than would have been otherwise. All these new alerts raise a new challenge. You need people to look at these alerts, research them, and flag them as good or bad. You need a Security Operations Center (SOC) that can understand what the alerts mean and what to do about them. Someone needs to decide if the alert coming in is always good, good in that context, or bad. If it is bad, what actions should be taken, and can the action be taken, or are additional permissions required?
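To make the three layers described above concrete, here is an added illustration (not code from this post or from any product it mentions) that runs definition matching, a program-behavior rule, and a per-user behavior baseline over constructed endpoint events; every program name, user, hash and rule is an assumption made up for the example.

```python
import hashlib
from collections import Counter

# Layer 1 (antivirus): a definition file, here a set of known-bad SHA-256 hashes (constructed).
BAD_SAMPLE = hashlib.sha256(b"constructed malware sample").hexdigest()
TOOL_HASH = hashlib.sha256(b"constructed legitimate admin tool").hexdigest()
KNOWN_BAD = {BAD_SAMPLE}

# Layer 2 (NGAV): a program-behavior rule. A document viewer or mail client
# spawning an administration tool is "not normal" for the program, whatever its hash.
ADMIN_TOOLS = {"remote-admin.exe", "script-host.exe"}
DOC_VIEWERS = {"docviewer.exe", "mail-client.exe"}

def build_baseline(history):
    """Layer 3 (EDR) input: which programs each user normally runs (constructed history)."""
    baseline = {}
    for user, program in history:
        baseline.setdefault(user, set()).add(program)
    return baseline

def classify(event, baseline):
    """Return the first layer that flags the process event, or 'clean'."""
    if event["sha256"] in KNOWN_BAD:
        return "definition"
    if event["parent"] in DOC_VIEWERS and event["program"] in ADMIN_TOOLS:
        return "program-behavior"
    # user-behavior: an admin tool that this particular user has never run before
    if event["program"] in ADMIN_TOOLS and event["program"] not in baseline.get(event["user"], set()):
        return "user-behavior"
    return "clean"

def triage(events, baseline):
    """Count verdicts per layer; everything except 'clean' lands in the SOC queue."""
    return Counter(classify(e, baseline) for e in events)

# Constructed history: the admin runs the remote tool daily, the accountant never has.
HISTORY = [("admin", "remote-admin.exe")] * 3 + [("accountant", "docviewer.exe")] * 3
EVENTS = [
    # copy of a known sample under a new name: only the definition layer catches it
    {"user": "accountant", "parent": "explorer.exe", "program": "report.exe", "sha256": BAD_SAMPLE},
    # legitimate admin tool launched from a document viewer: program-behavior layer
    {"user": "admin", "parent": "docviewer.exe", "program": "remote-admin.exe", "sha256": TOOL_HASH},
    # same tool run by the accountant, who has never used it: user-behavior layer
    {"user": "accountant", "parent": "explorer.exe", "program": "remote-admin.exe", "sha256": TOOL_HASH},
    # same tool run by the admin from the desktop: normal for this user, no alert
    {"user": "admin", "parent": "explorer.exe", "program": "remote-admin.exe", "sha256": TOOL_HASH},
]

if __name__ == "__main__":
    print(triage(EVENTS, build_baseline(HISTORY)))
```

The last event is the one an antivirus-only stack never sees and a behavior-only stack without a baseline would flag; the baseline is what keeps it out of the SOC queue.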
The Bottom Line Is…
You need EDR and you need a SOC. What about your antivirus software? Do you need that anymore? The answer is both “it depends” and “no.” Most antivirus software these days is packaged into bundles called Endpoint Protection Packages (EPP). These bundles usually include other security software such as a firewall, a DNS filter, and web content filters that integrate into the web browser. So, while you no longer need the antivirus software itself, you may still need the other security software that is usually bundled with it. Many antivirus vendors are now adding EDR to their packages, and you can simply “upgrade” to that package. Others don’t offer EDR at all, and you might find yourself changing vendors, moving to a multi-vendor stack of products, or a combination of both.
So, What EDR Product Do We Recommend?
Vista IT Group partners with one of the industry leaders and pioneers of the EDR space, SentinelOne, and we proudly use SentinelOne internally as well.
It’s not just Vista that says SentinelOne is a leader: multiple Gartner Magic Quadrant reviews and MITRE Engenuity share the same opinion. There are also over a thousand reviews on Gartner Peer Insights from organizations ranging from under $50M per year to over $10B per year, in both the private and public sectors.
Need help identifying exactly what combination of products and services is right for your organization? We're here to help!