Back in the day, companies would hire incident response teams to investigate security breaches for them. In parallel, some more technical enterprises had begun to invest in visibility tools like Facebook’s osquery and other ways to see into networks.
That opened up a new category of tools that could detect and respond to threats through the endpoint, adding to an already overcrowded cybersecurity market and spawning many new solutions. Gartner named the sector “EDR”; its analyst Anton Chuvakin used the term to describe this family of new tools focused on visibility, shifting the emphasis on the endpoint from prevention to detection.
With that revolution, the inherent problems of EDR started raising their heads. You needed a highly skilled crew to manage these solutions, because they produce so much data and most of it lacks context. Enterprises hired more bodies to solve this problem, yet despite the investment in technology and the success of EDR as a sector, barely a month goes by without yet another high-profile data breach.
The other critical problem was “dwell time”, the time from the infection to the discovery of the malicious activity. Even ten seconds is much too long: attackers can run their code, execute their attack, and clean themselves out in a matter of just a few seconds. Any solution that is not detecting in real time is too late in the game.
The threat of malicious phishing documents and lateral movement techniques such as EternalBlue led to the need for EDR; however, dwell time remains a huge and ongoing problem in detecting threats. With such slow response times, data breaches are all too common. Cybersecurity firms have tried to solve this problem in several ways:
1. Create a Hunt Chat Bot
In an attempt to simplify the life of the security analyst, one strategy has the professionally trained SOC analyst converse with a chat bot. Getting a chat bot to understand exactly what you mean can often be more challenging than simply writing the SQL query you already write every day, particularly for an experienced threat hunter.
2. Rely On a Custom SOC
If you have a SOC, that’s great! It will allow you to see more and do more to maintain business security. Instead of laboriously piecing the picture together, SOC analysts should be working from already-contextualized data that gives them the attack storyline from the start, so they can use their skills to decide on additional action beyond merely stopping the attack.
3. Provide a Service on Top of the Technology
If you had a technology that could see everything happening in real time, an on-device AI that could immediately take the needed remediation action, then the problem of dwell time would cease to exist: there would be only real-time detection and response.
So what’s the future? By using an on-device AI that can immediately take the needed remediation action against threats, organizations can eliminate dreaded dwell times and improve their overall management of EDR, so that threats are thwarted more quickly.
Next steps
EDR, as it is known today, requires cloud connectivity, and as such will always be late in protecting endpoints. If the solution is not on the device, there will inevitably be some dwell time. As organizations play a cat-and-mouse game with attackers, EDR technology needs to adapt to respond faster to threats in order to lessen the burden on already overstretched IT security teams.
In light of this, the future of EDR lies in an automated response that relies on AI to take the burden off the SOC team. It should allow security teams to quickly understand the story and root cause behind a threat. The technology must autonomously attribute each event on the endpoint to its root cause without any reliance on cloud resources.
Such capability will revolutionize enterprise security. It can be used by businesses regardless of resources, from advanced SOC analysts to novice security teams, providing them with the ability to automatically remediate threats and defend against advanced attacks. The automated response defends regardless of delivery vectors and whether the endpoint is connected to the cloud or not, meaning that defenders may at last have a winning edge.