"The era of Anti-Virus is over!" was probably the most common sentence uttered in the security world at the beginning of this decade. At the time you couldn’t get away from terms like “APT” and “0-day”, which were applied to almost every security issue, often completely out of context: every piece of commodity malware became an “APT 0-day cyber-attack”.
Security professionals understood that signature-based detection was simply not going to keep up with the exponential growth in new samples, with polymorphism, with environment-aware malware that changes its behaviour when it detects analysis, or with the new infection methods attackers were using to get in and cause damage.
Vendors then started offering "signature-less", "next-gen", "2.0/3.0" detection methods that promised to reveal hidden threats and the attacks which the old Anti-Virus solutions failed to detect. This ushered in the Endpoint Detection and Response (EDR) era.
Many companies tested EDR solutions against one another with a "who can catch more threats" approach. While some vendors did a pretty good job, many threats remained undetected, and in many cases these new detection methods left parts of the infection on the endpoints. A proof of concept that ends with threats still undetected and still resident on the endpoints is a pointless exercise for the company running it.
CISOs and SOC managers should not spend a hefty part of their budget on expensive, “next-gen” EDR solutions, especially when the IT team does not want to deploy yet another agent on already agent-packed endpoints.
The problem of detection isn’t a technical issue; the problem is the security professionals’ state of mind.
The game has changed, yet we are still playing by the old rules. We want a solution that detects, prevents and mitigates without troubling us, and we ignore the fact that something, at some point, will get past our defenses: we cannot get in front of every new threat before it has been created.
When something does get past our defenses, we are left speechless, unable to understand what transpired: we cannot scope the breach to fully assess the damage, we cannot identify the root cause, and we cannot provide answers to management.
Companies already have too many security tools generating alerts, and most of those alerts are ignored because the analysts responsible for investigating them cannot review them fast enough. EDR solutions simply add more alerts to the existing queues.
EDR solutions are like treating cancer with Aspirin: the patient may feel a bit better today, but in the long term the patient won't survive. One day we will look back at EDR the way we now look at Anti-Virus solutions: antiquated and irrelevant to today’s threat landscape.
Time to shift focus towards Incident Response
What security teams lack today is the ability to truly investigate and validate the existing security alerts, because doing so requires full visibility into activity on every endpoint and server.
Proper incident response (IR) rests on scoping breaches quickly, having the relevant data accessible, and responding efficiently and thoroughly. Next-gen IR platforms let security teams investigate any lead or alert from any source: they continuously collect endpoint activity, visualize the attack chain as a timeline, and let analysts trace every alert back to its root cause. Once a real compromise is confirmed, the team can contain, remediate and eradicate in real time with minimal user impact.
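As an added illustration of the investigation step described above (this is example code written for this page, not code from the original article or from any IR product), the Python below models the core of an alert investigation over continuously collected process telemetry: it walks from the alerted process back up its parent chain to find the root cause, flags the entry point, and lists the subtree that would need to be contained. The events, host name, PIDs, command lines and the "Office application spawning a shell" heuristic are all constructed assumptions for the example.

```python
"""Trace an endpoint alert back to its root cause and scope the compromise.

Added example, not from the original article. All telemetry below is
constructed sample data for a single workstation "ws01".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    ts: int        # seconds since epoch (constructed values)
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry: an emailed macro document spawns cmd.exe, which
# launches an encoded PowerShell command that installs persistence.
# "SQBFAFgA" is base64 of "IEX" in UTF-16LE, used as a stand-in payload.
EVENTS = [
    ProcessEvent(1000, "ws01", 400, 1,   "explorer.exe",   "explorer.exe"),
    ProcessEvent(1010, "ws01", 512, 400, "outlook.exe",    "outlook.exe"),
    ProcessEvent(1020, "ws01", 640, 512, "winword.exe",    'winword.exe /n "invoice.docm"'),
    ProcessEvent(1025, "ws01", 700, 640, "cmd.exe",        "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(1026, "ws01", 900, 700, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(1030, "ws01", 910, 900, "reg.exe",        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\upd.exe"),
    ProcessEvent(1031, "ws01", 920, 900, "schtasks.exe",   r"schtasks /create /tn upd /tr C:\Users\Public\upd.exe /sc minute"),
    ProcessEvent(1040, "ws01", 950, 400, "chrome.exe",     "chrome.exe"),  # unrelated user activity
]

# Assumed heuristic for the entry point: a document/mail application
# spawning a scripting host or shell. A real platform would use many rules.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def index_events(events):
    """Build pid -> event and ppid -> [child events] maps, keyed per host."""
    by_pid, children = {}, defaultdict(list)
    for e in events:
        by_pid[(e.host, e.pid)] = e
        children[(e.host, e.ppid)].append(e)
    return by_pid, children


def root_cause_chain(events, host, pid):
    """Walk parent links from the alerted process up to the oldest ancestor
    present in the telemetry. Returned root-first (oldest ancestor at index 0)."""
    by_pid, _ = index_events(events)
    chain, seen, key = [], set(), (host, pid)
    while key in by_pid and key not in seen:   # stop at unknown parent or a cycle
        seen.add(key)
        chain.append(by_pid[key])
        key = (host, by_pid[key].ppid)
    return list(reversed(chain))


def entry_point(chain):
    """First (parent, child) edge in a root-first chain where an Office app
    spawns a shell, or None if the heuristic does not match."""
    for parent, child in zip(chain, chain[1:]):
        if parent.image.lower() in OFFICE_APPS and child.image.lower() in SHELLS:
            return parent, child
    return None


def scope(events, host, pid):
    """Every process descended from the given one (inclusive), in time order.
    This is the minimum set of processes to contain on this host."""
    by_pid, children = index_events(events)
    out, seen, stack = [], set(), [(host, pid)]
    while stack:
        key = stack.pop()
        if key in seen or key not in by_pid:
            continue
        seen.add(key)
        out.append(by_pid[key])
        stack.extend((host, c.pid) for c in children[key])
    return sorted(out, key=lambda e: (e.ts, e.pid))


def timeline(events):
    """Render events as one attack-chain timeline line each."""
    return [f"{e.ts} {e.host} pid={e.pid} ppid={e.ppid} {e.image} :: {e.cmdline}" for e in events]


def investigate(events, host, alerted_pid):
    """Alert -> parent chain -> entry point -> containment scope."""
    chain = root_cause_chain(events, host, alerted_pid)
    entry = entry_point(chain)
    # If the entry point is known, scope from the first attacker-controlled
    # process (the shell); otherwise scope from the alerted process itself.
    start = entry[1].pid if entry else alerted_pid
    return {"chain": chain, "entry": entry, "scope": scope(events, host, start)}


if __name__ == "__main__":
    result = investigate(EVENTS, "ws01", 900)   # alert fired on the PowerShell process
    print("Root-cause chain:")
    print("\n".join(timeline(result["chain"])))
    print("Processes to contain:", [e.pid for e in result["scope"]])
```

Run against the constructed events, an alert on the PowerShell process (pid 900) resolves to the chain explorer.exe, outlook.exe, winword.exe, cmd.exe, powershell.exe, identifies the winword.exe to cmd.exe edge as the entry point, and scopes the containment set to cmd.exe and everything beneath it (pids 700, 900, 910, 920) while leaving the unrelated chrome.exe process alone.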