Endpoint detection and response or antivirus?

EDR vs Antivirus

What is the best option to protect your infrastructure?

With bad actors developing and conducting attacks at an alarming rate, companies are constantly strategizing about the best way to protect their organization. Before that can be decided, however, we must first understand the differences between EDR and AV software.

How Anti-Virus Works

Antivirus software scans the file system (and, in many products, process memory) for known malware such as trojans, worms, and ransomware. Once a file matches a known signature, the software quarantines or removes it from the infected device.

How does antivirus software detect malware? AV software compares files against known signatures, performs heuristic analysis of code for suspicious properties, and checks whether detected malware has tampered with existing files on the machine. This approach works well against well-known attacks that vendors have already identified and shipped signature updates for. It is not suited to zero-day attacks, which can leave an organization exposed at a moment's notice, and newer attack types may be invisible to it entirely: fileless attacks that execute in memory without writing a binary to disk cannot be stopped by many antivirus programs.

The limits of antivirus malware detection. Signature-based detection is routinely bypassed by threat actors without rewriting their malware. Typical signatures focus on a few file characteristics, and malware authors have learned to produce builds whose characteristics change with every release, known as polymorphic malware. File hashes are the easiest to change (a single byte of padding yields a new hash), but internal strings can also be altered, obfuscated, or encrypted differently with each build. As threat actors have become financially motivated, they have also moved beyond file-based malware. Fileless attacks have become more prominent, along with brute-force credential attacks, which have led to compromises and loss of intellectual property without ever triggering a signature-based antivirus detection.
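To make the point concrete, here is an added example (not code from the original post) that simulates a file scanner with one hash signature and one string signature, then rebuilds the sample the way a polymorphic builder would: padding it to change the hash and XOR-encoding the C2 string. The sample bytes, the XOR key and the signatures are all constructed for the demonstration; a real builder would randomize the key per build. The last function shows what an in-memory scan sees once the running code has decoded the string, which is where EDR-style memory inspection regains the visibility a file scan has lost.

```python
import hashlib

# Constructed stand-in for a malware sample (not a real binary): a fake header,
# filler, an embedded C2 URL in plaintext, and a fake payload blob.
C2_STRING = b"http://c2.example.invalid/beacon"
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + C2_STRING + b"\xcc" * 8

# A signature database the way a file scanner typically ships it: full-file
# SHA-256 hashes plus plaintext byte strings found in known samples.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}
STRING_SIGNATURES = [b"c2.example.invalid"]

XOR_KEY = 0x5A  # assumed per-build key; a real builder randomizes it each release


def scan(blob: bytes) -> dict:
    """Static scan of a byte blob against both signature types."""
    digest = hashlib.sha256(blob).hexdigest()
    return {
        "hash": digest in HASH_SIGNATURES,
        "string": any(sig in blob for sig in STRING_SIGNATURES),
    }


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rebuild_variant(sample: bytes) -> bytes:
    """Simulate a polymorphic rebuild: same behaviour, different bytes.
    The C2 string is stored XOR-encoded (the malware decodes it at runtime)
    and junk padding is appended, which alone is enough to change the hash."""
    variant = sample.replace(C2_STRING, xor(C2_STRING, XOR_KEY))
    return variant + b"\x00" * 3


def runtime_memory_view(variant: bytes) -> bytes:
    """What a memory scanner sees after the running code has decoded its C2
    string in place: locate the encoded region and reverse the XOR."""
    encoded = xor(C2_STRING, XOR_KEY)
    start = variant.find(encoded)
    if start < 0:
        return variant  # nothing to decode
    end = start + len(encoded)
    return variant[:start] + xor(variant[start:end], XOR_KEY) + variant[end:]


if __name__ == "__main__":
    variant = rebuild_variant(ORIGINAL_SAMPLE)
    print("original file:  ", scan(ORIGINAL_SAMPLE))               # hash and string both match
    print("rebuilt file:   ", scan(variant))                       # neither signature matches
    print("rebuilt, in RAM:", scan(runtime_memory_view(variant)))  # string matches again
```

The rebuilt file defeats both signatures without a single change to what the code does; only the decoded view in memory, which a file-based scan never examines, still carries the indicator.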

How EDR Works

EDR software goes beyond scanning for known malware and signatures. Its agents record process, file, registry, and network activity on each endpoint and apply real-time analytics to it, flagging behaviors and patterns that match no pre-configured rule or signature. Forensic data is also readily available for threat hunting and for post-incident analysis of an attack. Automated response is what most sharply sets EDR apart from antivirus: options include killing the offending processes, quarantining the device from the network, rebooting, and rolling files back to their pre-attack state. Pre-configured rules can recognize when endpoint telemetry indicates a known type of breach and trigger such a response automatically.

Efficiencies in EDR vs AV

Now that we have a basic understanding of the differences between EDR and AV solutions, let's look at how organizations can protect their environment while remaining efficient with an EDR solution rather than a traditional AV solution.

  1. Whitelisting and Blacklisting:  Every environment has a process, file, or application that looks malicious to one organization but is regarded as benign by another. Whitelisting, or allowing the applications your business needs to operate, is essential to remaining efficient. At the other end of the spectrum, blacklisting, or blocking specific applications, hashes, or paths, lets an organization get ahead of known-bad files and processes. Traditional AV offers at most simple scan exclusions; otherwise it relies on an active scan to recognize malicious signatures or hashes.
  2. Firewall Management:  Host firewall rules can also be managed from within EDR solutions. Clients and MSPs can create custom rules that block or allow traffic based on known malicious ports or addresses. Threat files can also be downloaded from the console and run in a sandbox environment to further triage a potential attack (treat such downloads as live malware and never open them outside the sandbox). The resulting report shows what kind of trojan or worm was downloaded, which DNS requests it made, and which ports the attack used. Remote shell commands can also be sent to endpoints, allowing software deployment and other tedious tasks to be handled from the console.
  3. AI to Manage Alerts:  With the abundance of settings and features in modern EDR solutions, it is important to review how your SOC team will use these tools. Teams can become alert-fatigued by a mismanaged EDR deployment. The key to avoiding this fatigue is identifying which alerts have already been autonomously mitigated and do not require human intervention. Taking full advantage of the machine learning and artificial intelligence built into the product to group and rank alerts further reduces the problem.

Choosing an EDR Solution

Discovering which EDR solution best suits your organization is similar to deciding what car is best for your family.

  • What are the needs of the organization?
  • Are our users equipped to manage the EDR, or do we need an MSSP?
  • Does this EDR solution give our company the best security while not limiting business production?

These are all questions that need to be addressed when choosing an EDR solution. It is also important to test candidates against real-world applications and workloads. How the software will be deployed, based on the operating systems and endpoint types in use, should be considered as well.

I have EDR, now what? How does it work? What can I expect during an incident?

Great questions, and ones that can keep an organization up late at night. Consider this typical scenario: a user opens a tab in Google Chrome, downloads a file they deem safe, and executes it. The program turns out to be malicious; it deletes local backups and begins encrypting data on disk. Active EDR captures the event in real time and kills all processes associated with the attack within seconds (files encrypted before the kill stay encrypted unless the product can roll them back, which is why the rollback feature matters). Based on the severity of the attack, the affected endpoint is then automatically quarantined, the specified users are notified, and a course of action is provided. Depending on the EDR solution, the event will list the specific steps that need to be performed on the endpoint before it is reconnected to the network, and the SOC team is notified of the attack as well.
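As an added illustration of the behavioral detection described under How EDR Works and in the scenario above (example code written for this page, not any vendor's engine), the following rule runs over a constructed stream of endpoint telemetry. It chains two indicators that signature scanning never sees: a child process deleting volume shadow copies with vssadmin (the usual way ransomware removes local backups) and a burst of file renames that change the extension. Only the combination produces the ransomware verdict with automated response; a mass rename alone (here, a benign sync client finalizing .tmp files) is surfaced as a lower-severity alert for a human, which is the kind of tiering that keeps a SOC from drowning in alerts. Thresholds, process IDs, paths and command lines are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Two indicators that a file signature never sees. Thresholds are assumptions
# chosen for this example, not values from any product.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),  # classic local-backup wipe
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
RENAME_THRESHOLD = 20   # extension-changing renames by one process tree ...
RENAME_WINDOW = 10.0    # ... within this many seconds


@dataclass
class Event:
    ts: float      # seconds since trace start
    pid: int
    ppid: int
    kind: str      # "process_start" | "file_rename"
    detail: str    # command line, or "src -> dst" for renames


# Constructed telemetry (not captured from a real host). pid 4242 is the downloaded
# program from the scenario; it spawns vssadmin and then encrypts documents. pid 900
# is a benign sync client that renames many .tmp files to their final names.
EVENTS = [
    Event(0.0, 4242, 3100, "process_start", r"C:\Users\alice\Downloads\invoice_viewer.exe"),
    Event(0.4, 4243, 4242, "process_start", "vssadmin.exe delete shadows /all /quiet"),
    Event(0.5, 900, 1, "process_start", r"C:\Program Files\SyncClient\sync.exe"),
]
EVENTS += [Event(1.0 + i * 0.05, 4242, 3100, "file_rename",
                 rf"C:\Users\alice\Documents\report{i}.docx -> C:\Users\alice\Documents\report{i}.docx.locked")
           for i in range(40)]
EVENTS += [Event(1.0 + i * 0.1, 900, 1, "file_rename",
                 rf"C:\Users\alice\Sync\photo{i}.jpg.tmp -> C:\Users\alice\Sync\photo{i}.jpg")
           for i in range(40)]


def ext(path: str) -> str:
    """Extension of a Windows or POSIX path, lower-cased, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any window-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(events):
    """Return a verdict, response actions and member pids per process tree root."""
    parent_of = {e.pid: e.ppid for e in events if e.kind == "process_start"}

    def root(pid):
        # Walk ppid links up to the topmost process that started inside the trace,
        # so a child vssadmin is attributed to the program that launched it.
        while parent_of.get(pid) in parent_of:
            pid = parent_of[pid]
        return pid

    trees = defaultdict(set)          # root pid -> every pid in that tree
    shadow_deleters = set()           # roots whose tree wiped shadow copies
    rename_times = defaultdict(list)  # root pid -> timestamps of extension-changing renames

    for e in events:
        r = root(e.pid)
        trees[r].add(e.pid)
        if e.kind == "process_start" and any(p.search(e.detail) for p in SHADOW_DELETE_PATTERNS):
            shadow_deleters.add(r)
        elif e.kind == "file_rename":
            src, dst = (s.strip() for s in e.detail.split("->", 1))
            if ext(src) != ext(dst):
                rename_times[r].append(e.ts)

    verdicts = {}
    for r, pids in trees.items():
        mass_rename = max_in_window(rename_times[r], RENAME_WINDOW) >= RENAME_THRESHOLD
        if mass_rename and r in shadow_deleters:
            # High confidence: backup wipe plus encryption-like renames. Respond automatically.
            verdict, actions = "ransomware", ["kill_tree", "quarantine_host", "notify_soc"]
        elif mass_rename:
            # Could be ransomware without the wipe, or a sync/backup tool. Let a human decide.
            verdict, actions = "suspicious_mass_rename", ["notify_soc"]
        else:
            verdict, actions = "clean", []
        verdicts[r] = {"verdict": verdict, "actions": actions, "tree": sorted(pids)}
    return verdicts


if __name__ == "__main__":
    for r, v in analyze(EVENTS).items():
        print(r, v)
```

Note that the rule attributes the vssadmin child back to the program that launched it; killing only the child would leave the encryptor running, so the "tree" list is what the kill action has to cover.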

EDR - The clear choice to enhance your security posture.

In conclusion, threat actors have fully developed techniques that quietly bypass even the most up-to-date antivirus solutions. While no EDR is foolproof, active EDR solutions specialize in giving your organization the best playbook to derail attacks. Most importantly, if an attack does succeed, EDR is equipped to limit the damage and keep business downtime to a minimum. Give your organization the best fighting chance: EDR is fit for yesterday's attacks, today's, and tomorrow's.
