
Reality Check on EDR / ETDR

By Anton Chuvakin | July 23, 2015 | 6 Comments

Tags: security monitoring, malware, ETDR, endpoint

How exciting is Endpoint Detection and Response (EDR) technology? — Sorry to piss on your parade, but for many organizations it is NOT exciting at all.

Look, it is hard for me to write this since personally I am super-excited about EDR / ETDR [hey, I came up with the original name]. Also, given the open source EDR-like options (GRR, MIG, El Jefe and the new one, Lima Charlie [updated Jan 2016]), the level of excitement is clearly high enough for some organizations to write and open-source their own. Also, there are now dozens (!) of vendors that promise EDR tools, EDR-like functionality, etc. [some are new, some are “intruding” on the security domain from the system management domain; even some SIEM tools that have flexible collection agents can sometimes be used in a pinch as a “toy EDR”].

Still, despite all this e-x-c-i-t-e-m-e-n-t, I see a lot of snoozing faces in the crowd … and why is that?

What are some of the EDR / ETDR headwinds?

  • Agent-based approach of most EDR tools: while we are seeing a bit of a revival of the agents, a lot of organizations hate security-focused agents with such passion that nothing (literally – not metaphorically, BTW!) will make them deploy yet another agent. You may have the smallest, safest, “effective-est” EDR in the galaxy … yet your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …
  • Woeful immaturity of monitoring and IR practices at many organizations: given the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…
  • It seems like there are more skilled network security analysts than – eh … see, there isn’t even a name for it – “endpoint security analysts”: lots of people can say “this packet looks weird”, but much fewer can credibly say “this process looks weird” [I dunno…this one may be a stretch. What do you think?]

As I said to somebody, “focus on the endpoint” may be a trend, but that does not mean it is operationally feasible for a lot of companies.

Finally, what about the stinking elephant in the room? The ANTI-VIRUS. My recent EDR-related client calls (and there are, BTW, very few of those) seem to be all about the blocking/prevention/mitigation features of the EDR tools, so the clients were not looking for endpoint visibility and better situational awareness, but for a less-abominable AV.

To me, that is nice, but entirely separate, and (IMHO) we need both:

  • Better AV, “NG AV” that focuses on better prevention (e.g. see this excellent GTP document), but also …
  • Better endpoint visibility, “EDR proper” that focuses on knowing what the hell is happening on your endpoints.

Yes, there will be some cross-over and hybridization, but the needs ARE separate. If you deploy an EDR tool while secretly hoping for a “better AV” tool, you are going to FAIL TWICE.
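To make the “EDR proper” side of that split concrete, here is an added example (written for this page, not code from the post or from any vendor’s or open-source EDR product) of the kind of fleet-wide question endpoint visibility answers and prevention does not: given a process inventory collected from every machine, which process/parent/path combinations are rare across the fleet, and which well-known system processes have a parent they should not have? The hosts, users, paths and the small table of expected parents are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical hosts, users and paths): the process
# inventory an EDR agent, or a tool such as GRR or osquery, would return from
# each endpoint. Each tuple is (process name, parent process name, image path).
SNAPSHOTS = {
    "ws-01": [
        ("explorer.exe", "userinit.exe", r"C:\Windows\explorer.exe"),
        ("outlook.exe", "explorer.exe", r"C:\Program Files\Office\outlook.exe"),
        ("svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
    ],
    "ws-02": [
        ("explorer.exe", "userinit.exe", r"C:\Windows\explorer.exe"),
        ("outlook.exe", "explorer.exe", r"C:\Program Files\Office\outlook.exe"),
        ("svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
    ],
    "ws-03": [
        ("explorer.exe", "userinit.exe", r"C:\Windows\explorer.exe"),
        ("outlook.exe", "explorer.exe", r"C:\Program Files\Office\outlook.exe"),
        ("svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
        # Same name as a system binary, but spawned by Outlook from a temp dir:
        # exactly the "this process looks weird" case an analyst needs to see.
        ("svchost.exe", "outlook.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    ],
    "ws-04": [
        ("explorer.exe", "userinit.exe", r"C:\Windows\explorer.exe"),
        ("svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
    ],
}

# Expected parent for a few Windows system processes. These are the usual
# defaults; treat the table as an assumption to validate against your own fleet.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe"},
}


def stack_processes(snapshots):
    """Group identical (name, parent, path) entries and record which hosts run each."""
    seen = defaultdict(set)
    for host, procs in snapshots.items():
        for entry in procs:
            seen[entry].add(host)
    return seen


def rare_processes(snapshots, max_hosts=1):
    """Entries present on at most max_hosts hosts: the long tail a human should review.

    Returns a sorted list of (entry, sorted host list).
    """
    stacked = stack_processes(snapshots)
    return sorted(
        (entry, sorted(hosts))
        for entry, hosts in stacked.items()
        if len(hosts) <= max_hosts
    )


def unexpected_parents(snapshots, expected=EXPECTED_PARENT):
    """Entries whose parent is not an expected one for that process name.

    Returns a list of (host, name, parent, path), ordered by host.
    """
    findings = []
    for host, procs in sorted(snapshots.items()):
        for name, parent, path in procs:
            if name in expected and parent not in expected[name]:
                findings.append((host, name, parent, path))
    return findings


if __name__ == "__main__":
    for entry, hosts in rare_processes(SNAPSHOTS):
        print("rare across fleet:", entry, "on", hosts)
    for finding in unexpected_parents(SNAPSHOTS):
        print("unexpected parent:", finding)
```

Neither check blocks anything; both only surface what is already running so that someone can look at it, which is the visibility/AV distinction the post draws. Both also presuppose exactly what the headwinds above describe: an agent (or equivalent collection path) on every endpoint, and a person whose job it is to read the resulting short list.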

FYI, all Gartner papers on EDR / ETDR are listed below [2 require Gartner access and 1 requires Gartner GTP access]:

Enjoy!

Possibly related posts on EDR / ETDR:


6 Comments

  • Glenn says:

    Anton,

    Glad to see you tackle this, as the time has arrived.

    Some major clients make heavy investments in state of the art (AV) if there is such a thing, however they have made the same level of investments in EDR as they need to rely on both as neither one will do all.

  • Matthew Gardiner says:

    The sweet-spot buyers of ETDR from RSA (ECAT) are organizations with IR practices (SOC/CIRC) that they need to make more efficient. Usually led by the malware analyst (or the guy that usually handles the malware-related investigations) that would really like most investigations to not come to him and be resolved by lower-level analysts. But agreed, if organizations are still stuck in a purely preventive security mindset, the value of better detective and investigative capabilities will be lost on them.

    • Thanks a lot for your comment, Matthew. Indeed, the enlightened orgs do know what to do with their EDR / ETDR tools, but the interesting question is how low towards the mainstream can it spread?

  • Neil MacDonald says:

    er, some amount of disillusionment is normal as new technologies move through Gartner Hype Cycle… reflects relative immaturity of the technology, don’t mistake that for irrelevance or failure. Most go on to the “plateau of productivity”

    • Thanks a lot for the comment, Neil. Indeed, EDR is new and “fresh”, and we need to figure out [eventually] how far down into the mainstream it can/will go…

      No need to mention irrelevance – if people write their own, it is definitely relevant for some 🙂