EDR vs. corporate antivirus: What's the difference?
On our own behalf
EDR, or Endpoint Detection and Response, is a modern replacement for antivirus security suites. For decades, organisations and businesses have invested in antivirus suites in the hope of solving enterprise security challenges. But with the increasing sophistication and proliferation of malware threats over the past decade, the shortcomings of so-called "legacy" antivirus solutions have become all too clear.
In response, some vendors have rethought the challenges of enterprise security and developed new solutions to the shortcomings of antivirus. How is EDR different from antivirus? How and why is EDR more effective than AV? And what should you consider when replacing your AV with an advanced EDR? You will find the answers to all these questions and more in this article.
How does EDR differ from antivirus?
To adequately protect your business or organisation from threats, it is important to understand the difference between EDR and traditional or 'old' antivirus. These two security approaches are fundamentally different, and only one of them is suitable for dealing with modern threats.
Antivirus features
In the days when the number of new malware threats per day could be conveniently counted in a spreadsheet, antivirus offered companies a way to block known malware by examining - or scanning - files as they were written to a computing device's hard drive. If the file was "known" in the AV scanner's malicious file database, the software prevented the malware file from running.
The traditional antivirus database consists of a series of signatures. These signatures can contain hashes of a malware file and/or rules that contain a set of characteristics that the file must match. These characteristics typically include human-readable strings or byte sequences found in the malware executable, the file type, file size and other types of file metadata.
Some antivirus programmes can also perform primitive heuristic analysis of running processes and check the integrity of important system files. These "after-the-fact" or post-infection checks were added to many AV products after the daily flood of new malware samples outstripped the ability of AV vendors to keep their databases up to date.
In the face of growing threats and the declining effectiveness of the antivirus approach, some vendors have sought to supplement antivirus with other services such as firewall control, data encryption, process allow and block lists, and other AV "suite" tools. These solutions, commonly referred to as "EPP" or Endpoint Protection Platforms, are still based on a signature approach at their core.
Features of EDR
While the focus of all AV solutions is on the (potentially malicious) files that are introduced into the system, an EDR, in contrast, focuses on collecting data from the endpoint and examining that data for malicious or anomalous patterns in real time. As the name suggests, the idea of an EDR system is to detect an infection and initiate a response. The faster an EDR system can do this without human intervention, the more effective it is.
A good EDR system also has features to block malicious files, but most importantly, EDRs recognise that not all modern attacks are file-based. In addition, proactive EDRs provide security teams with important features not found in antivirus software, such as automated responses and comprehensive visibility into file changes made on the endpoint, process creation and network connections. This is critical for threat hunting, incident response and digital forensics.
Pitfalls of antivirus
There are many reasons why antivirus solutions cannot keep up with the threats that businesses face today. First, as mentioned earlier, there are more new malware patterns every day than a human team of signature writers can handle.
Since AV solutions inevitably cannot detect many of these patterns, companies must assume that they will be confronted with a threat that the antivirus programme cannot detect.
Second, detection by antivirus signatures can often be easily bypassed by threat actors, even without rewriting their malware. Because signatures focus on only a few file characteristics, malware authors have learned to create malware with changing characteristics, also known as polymorphic malware. File hashes, for example, are among the easiest features of a file to change, but internal strings can also be randomised, obfuscated and encrypted differently with each build of the malware.
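To make the signature model and its weakness concrete, the following added example (not code from the original article or from any vendor's engine) implements a toy scanner with the two kinds of signature described above: a file-hash entry and a characteristics rule (file magic, embedded strings, a byte sequence, a size limit). The samples, rule names and the XOR key are all constructed for the illustration. Run against the original sample, a rebuild with one padding byte changed, and a rebuild whose internal string is obfuscated, it shows how little an author has to change to slip past each signature type.

```python
"""Toy signature scanner: a hash signature plus a characteristics rule,
run against constructed samples. Added illustration, not a vendor's engine."""
import hashlib
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the string obfuscation a malware build might apply."""
    return bytes(b ^ key for b in data)


# Constructed "executable" contents: a PE-like magic, padding, a tell-tale string
# and a tell-tale byte sequence. None of this is real malware.
MARKER_STRING = b"C:\\evil\\dropper.exe\x00"
MARKER_BYTES = b"\xde\xad\xbe\xef"

ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + MARKER_STRING + MARKER_BYTES + b"\x00" * 20
# Same program, one trailing padding byte altered: a different file hash, nothing else.
REBUILT_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"\x01"
# Same program, the embedded string XOR-obfuscated (decoded only at run time).
OBFUSCATED_SAMPLE = ORIGINAL_SAMPLE.replace(MARKER_STRING, xor_bytes(MARKER_STRING, 0x5A))
# A harmless file with the same magic and size but none of the markers.
BENIGN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"C:\\Program Files\\app.exe\x00" + b"\x00" * 24


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database, constructed: one hash entry and one characteristics rule.
HASH_SIGNATURES = {sha256_hex(ORIGINAL_SAMPLE): "Trojan.Constructed.A"}

PATTERN_RULES = [
    {
        "name": "Trojan.Constructed.A",
        "magic": b"MZ",                              # required file type marker
        "strings": [b"C:\\evil\\dropper.exe"],      # human-readable strings that must appear
        "bytes": [MARKER_BYTES],                     # raw byte sequence that must appear
        "max_size": 4096,                            # file-size characteristic
    }
]


def match_rule(data: bytes, rule: dict) -> bool:
    """A rule matches only when every listed characteristic is present."""
    if not data.startswith(rule["magic"]) or len(data) > rule["max_size"]:
        return False
    return all(s in data for s in rule["strings"]) and all(b in data for b in rule["bytes"])


def detection_method(data: bytes) -> Optional[str]:
    """Return 'hash' or 'pattern' for the first signature type that fires, else None."""
    if sha256_hex(data) in HASH_SIGNATURES:
        return "hash"
    if any(match_rule(data, rule) for rule in PATTERN_RULES):
        return "pattern"
    return None


def scan(data: bytes) -> Optional[str]:
    """Return the detection name, or None if the file is unknown to the database."""
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        return name
    for rule in PATTERN_RULES:
        if match_rule(data, rule):
            return rule["name"]
    return None


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE), ("rebuilt", REBUILT_SAMPLE),
                          ("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:10s} -> {scan(sample)!s:22s} via {detection_method(sample)}")
```

The rebuilt sample escapes the hash entry but is still caught by the characteristics rule, because the rule keys on content rather than on the whole-file digest; the obfuscated rebuild escapes both, since the string the rule depends on no longer appears in the file at rest. Each new signature closes one gap, and each rebuild opens the next, which is the treadmill the article describes.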
Third, financially motivated threat actors such as ransomware operators have moved beyond simple file-based malware attacks. Human-operated ransomware attacks such as Hive, as well as "double extortion" attacks such as Maze, Ryuk and others that begin with compromised or brute-forced credentials or the exploitation of remote code execution (RCE) vulnerabilities, can lead to compromise and loss of intellectual property through data exfiltration without ever triggering a signature-based antivirus detection.
Advantages of EDR
With its focus on providing visibility to enterprise security teams and automated detection responses, EDR is much better equipped to deal with today's threat actors and associated security challenges.
By focusing on detecting unusual activity and providing a response, EDR is not limited to detecting known file-based threats. On the contrary, the main advantage of EDR is that the threat does not need to be precisely defined, as is the case with antivirus solutions. An EDR solution can look for unexpected, unusual and unwanted patterns of activity and issue an alert that can be investigated by a security analyst.
Because EDRs collect a variety of data from all protected endpoints, they provide security teams with the ability to visualise this data in a convenient, centralised interface. IT teams can integrate this data with other tools for deeper analysis to improve the organisation's overall security posture and define the nature of potential future attacks. An EDR's comprehensive data also enables after-the-fact threat hunting and analysis.
Perhaps one of the greatest benefits of an advanced EDR is the ability to take this data, contextualise it on the device and mitigate the threat without human intervention. However, not all EDRs are able to do this, as many of them need to transmit the EDR data to the cloud for remote analysis (and thus with a delay).
How antivirus complements EDR
Despite their limitations, when used alone or as part of an EPP solution, antivirus engines can be useful complements to EDR solutions, and most EDRs include an element of signature- and hash-based blocking as part of a defence-in-depth strategy.
By integrating antivirus engines into a more effective EDR solution, enterprise security teams can take advantage of the ease of blocking known malware and combine it with the advanced capabilities that EDRs offer.
Avoid alert fatigue with Active EDR
As we mentioned earlier, EDRs provide corporate security and IT teams with comprehensive visibility into all endpoints on the corporate network, which in turn brings a number of benefits. However, despite these benefits, many EDR solutions do not have the impact that corporate security teams had hoped for, as they require a lot of human resources to manage: resources that are often unavailable because of staffing or budget constraints, or because of the general shortage of cybersecurity professionals.
Instead of enjoying more security and less work for their IT and security teams, many companies that invested in EDR simply had to reallocate resources from one security task to the next: away from dealing with infected devices to dealing with a mountain of EDR alerts.
And yet, it doesn't have to be that way. Perhaps EDR's most valuable potential lies in its ability to autonomously mitigate threats without human intervention. By harnessing the power of machine learning and artificial intelligence, Active EDR takes the burden off the SOC team and is able to autonomously mitigate events on the endpoint without relying on cloud resources.
This means threats are mitigated at machine speed - faster than any remote cloud analysis - and without human effort.
What Active EDR means for your team
Imagine the following typical scenario: A user opens a tab in Google Chrome, downloads a file they believe is safe, and runs it. The programme uses PowerShell to delete the local backups and then starts encrypting all the data on the disk.
The work of a security analyst using passive EDR solutions can be hard. They are inundated with alerts and have to compile the data into a meaningful report. With Active EDR, this work is instead done by the agent on the endpoint. Active EDR knows the whole story and mitigates the threat on the fly, before encryption begins.
Once the threat is mitigated, all elements of that threat are taken into account, right down to the Chrome tab that the user has open in the browser. This is done by assigning the same storyline ID to each element in the story. These stories are then sent to the management console so that security analysts and IT administrators can quickly identify and understand the threats.
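The scenario above, as an added example that is not part of the original article and not any vendor's agent code: a small correlator over constructed endpoint telemetry (process starts and file writes) that gives every process a storyline ID inherited from its parent, fires a behavioural rule when a process in a story deletes local backups, and returns the whole story, including the browser process that fetched the file, as the unit to act on. Process names, PIDs, paths, the backup-deletion pattern and the "launcher" boundary that starts a new story are all assumptions made for the illustration.

```python
"""Storyline correlation over constructed EDR telemetry. Added illustration;
the event schema, rule and response policy are assumptions, not a product's."""
import re
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Children of these launchers begin a new story (assumed boundary for the example).
STORY_ROOT_PARENTS = {"explorer.exe", "services.exe"}

# Constructed telemetry in arrival order: explorer starts Chrome, Chrome writes a
# download, the download runs, an unrelated notepad starts, and the downloaded
# program launches PowerShell to wipe the local backup folder.
TELEMETRY = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "chrome.exe",
     "cmdline": "chrome.exe --new-tab https://example.invalid/invoice"},
    {"type": "file_write", "pid": 200, "path": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "invoice.exe",
     "cmdline": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Remove-Item C:\\Backups\\* -Recurse -Force"},
]

# Behavioural indicator (constructed): a PowerShell Remove-Item aimed at a Backups path.
BACKUP_DELETION = re.compile(r"Remove-Item\s+\S*Backups", re.IGNORECASE)


def process_images(events: List[dict]) -> Dict[int, str]:
    """Map pid -> image name from the process-start events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process"}


def assign_storylines(events: List[dict]) -> Dict[int, str]:
    """Return pid -> storyline ID. A process inherits its parent's story unless the
    parent is unknown or a launcher, in which case a fresh story begins."""
    story_of: Dict[int, str] = {}
    images = process_images(events)
    next_id = 1
    for ev in events:
        if ev["type"] != "process":
            continue
        parent = ev["ppid"]
        if parent in story_of and images.get(parent) not in STORY_ROOT_PARENTS:
            story_of[ev["pid"]] = story_of[parent]
        else:
            story_of[ev["pid"]] = f"S{next_id}"
            next_id += 1
    return story_of


def detect(events: List[dict]) -> List[dict]:
    """Fire when a process deletes backups and its story contains a browser download
    that was later executed. The alert carries the entire story, not one event."""
    story_of = assign_storylines(events)
    images = process_images(events)
    alerts = []
    for ev in events:
        if ev["type"] != "process" or not BACKUP_DELETION.search(ev["cmdline"]):
            continue
        sid = story_of[ev["pid"]]
        story = [e for e in events if story_of.get(e["pid"]) == sid]
        downloads = {e["path"].lower() for e in story
                     if e["type"] == "file_write" and images[e["pid"]] in BROWSERS}
        executed_download = any(
            e["type"] == "process" and any(p in e["cmdline"].lower() for p in downloads)
            for e in story)
        if not executed_download:
            continue
        pids = sorted({e["pid"] for e in story})
        alerts.append({
            "storyline": sid,
            "trigger_pid": ev["pid"],
            "pids": pids,                                   # every element of the story, browser included
            "kill_pids": [p for p in pids if images[p] not in BROWSERS],  # assumed response policy
            "events": story,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(f"story {alert['storyline']} triggered by pid {alert['trigger_pid']}: "
              f"members {alert['pids']}, terminate {alert['kill_pids']}")
        for e in alert["events"]:
            print("   ", e)
```

The rule fires on the deletion command line, that is, before any encryption starts, which is the point in the scenario where an on-device agent can still act. Because the alert is keyed on the storyline rather than on the single PowerShell event, the console receives the download, the dropped executable and the originating browser process as one unit, while the unrelated notepad process, which shares the same user session but a different story, is left out.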
Improving your security with EDR
Having identified the clear advantages of an EDR system over an antivirus programme, what is the next step? Choosing the right EDR system requires that you understand the needs of your business and the capabilities of the product on offer.
It is also important to test candidate products, and to make sure those tests reflect real-world use. How will the product be used by your team in day-to-day business? How easy is it to learn? Will it still protect your business if all the cloud services it relies on are offline or inaccessible?
It is important to also consider deployment and rollout. Can you automate deployment across your fleet? What about platform compatibility? Does your chosen provider place the same value on Windows, Linux and macOS? Every endpoint needs to be protected. Those that are left behind can be a backdoor into your network.
Next, think about integration. Most companies have a complex software stack. Does your provider offer powerful but simple integration for other services you rely on?
More than EDR | XDR for maximum visibility and integration
While Active EDR is the next step for organisations that have not yet left antivirus behind, organisations that need maximum visibility and integration across their entire estate should consider Extended Detection and Response, or XDR.
XDR takes EDR to the next level by integrating all visibility and security controls into a complete, holistic view of what's happening in your environment. With a single raw data pool that includes information from across the ecosystem, XDR enables faster, deeper and more effective threat detection and response than EDR by collecting and aggregating data from a wider range of sources.
Conclusion
Threat actors have long outgrown antivirus and EPP, and businesses need to realise that such products are no match for today's threats. Even a cursory glance at the headlines shows how large, unprepared companies are caught out by modern attacks like ransomware, despite having invested in security controls. It is up to us as defenders to make sure that our security software is not only ready for yesterday's attacks, but also for those of today and tomorrow.
If you are interested in an EDR or XDR solution, we would be happy to advise you on the right solution for your business. Simply contact us by phone, email or our contact form. We look forward to receiving your enquiry.