There are two main reasons why the Endpoint Detection and Response market is growing so rapidly. First, enterprises have come to understand that the conventional lines of defense they have implemented since the birth of the firewall and antivirus are not adequate. The second is that despite best efforts to fight sophisticated attacks at the gateway, endpoints are the largest attack surface and the most vulnerable.
The latest EDR solutions record detailed endpoint activity and centrally store the data for deep detection, analysis, investigation and forensics. Analytic technologies are used to continually identify suspicious activity and ongoing attacks, and to support automated containment and remediation.
The early adopters of these solutions report that one of the most important features of EDR is collection of endpoint activity data. Good quality endpoint data is the foundation for effective analysis. Automated detection, investigation and remediation are all important – but without enough data, and without the correct data, none of those other features can be delivered effectively.
For first responders, EDR solutions can significantly reduce the cost, complexity and time of both internal and regulatory investigations. At the same time, they can accelerate the identification of root causes and attack vectors of data breaches. For hunters, they can provide valuable leads by identifying suspicious activities and validating alerts from the SIEM. All of these capabilities depend on detailed endpoint activity.
In a recent post, we talked about what data is needed to provide real visibility. Today’s exploits are sophisticated. They hide within innocent host processes. They erase their tracks. They come and go. And they are always changing. So to hunt for attackers or investigate an alert, you must have a very detailed picture of the OS-level events that took place on every endpoint and server on your network, not just now, but over the course of at least a few months. That’s a tremendous amount of data – so you also need technology that can help you construct a meaningful forensic timeline.
To collect thread-level events, an endpoint agent is essential. While it’s tempting to think that an agentless solution could deliver effective EDR, the reality is that the only way to capture low-level OS events is to deploy an agent. While concerns about performance and conflicts are historically justified, new technologies have been proven to scale.
The SECDO agent proactively records all endpoint events necessary to recreate the attack chain, down to thread-level resolution. Since at least 70% of advanced malware injects code rather than spawning a process, this resolution is essential. The technology is optimized for performance with a very lightweight agent/driver and data harvesting technology that processes, transfers and stores the information efficiently for over 100 days.
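To make the thread-level point concrete, here is an added Python example (not SECDO's code, and not from the original post) run over a constructed set of endpoint events with assumed field names: a process-only view shows nothing unusual, while thread-level records expose a thread created by one process inside another and let later activity on that thread be attributed back to the process that planted it.

```python
from datetime import datetime

# Constructed sample telemetry (not real agent output). Field names are assumptions
# for this example. A "thread_create" record carries the creating process (pid) and
# the process the thread lands in (target_pid); when they differ, code started
# running inside a process it did not spawn, which a process-level view cannot see.
EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "type": "process_start", "pid": 400, "ppid": 1, "image": "explorer.exe"},
    {"ts": "2024-03-01T09:05:10Z", "type": "process_start", "pid": 512, "ppid": 400, "image": "winword.exe"},
    {"ts": "2024-03-01T09:05:12Z", "type": "thread_create", "pid": 512, "target_pid": 512, "tid": 9001},
    {"ts": "2024-03-01T09:05:14Z", "type": "thread_create", "pid": 512, "target_pid": 400, "tid": 9002},
    {"ts": "2024-03-01T09:05:20Z", "type": "network_connect", "pid": 400, "tid": 9002, "dest": "203.0.113.7:443"},
    {"ts": "2024-03-01T09:06:00Z", "type": "file_delete", "pid": 512, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_timeline(events):
    """Order events by timestamp and render one line per event for a forensic timeline."""
    lines = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        detail = " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "type"))
        lines.append(f'{e["ts"]} {e["type"]} {detail}')
    return lines

def process_level_view(events):
    """What a collector that only records process creation would see: nothing odd here."""
    return [(e["pid"], e["image"]) for e in events if e["type"] == "process_start"]

def find_cross_process_threads(events):
    """Threads created by one process inside another: the injection pattern the post describes."""
    return [(e["pid"], e["target_pid"], e["tid"]) for e in events
            if e["type"] == "thread_create" and e["pid"] != e["target_pid"]]

def attribute_thread_activity(events):
    """Map later activity on an injected thread back to the process that created the thread.
    Returns (event type, process the activity appears under, process that actually planted it)."""
    owner = {(e["target_pid"], e["tid"]): e["pid"] for e in events if e["type"] == "thread_create"}
    hits = []
    for e in events:
        if e["type"] == "thread_create" or "tid" not in e:
            continue
        creator = owner.get((e["pid"], e["tid"]), e["pid"])
        if creator != e["pid"]:
            hits.append((e["type"], e["pid"], creator))
    return hits
```

In the sample, the outbound connection appears under explorer.exe, but thread-level records show it ran on a thread that winword.exe created there.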