Top 5 Endpoint Detection and Response (EDR) Platforms
In today’s ever-shifting and constantly evolving landscape of cyber threats, traditional protection tools can no longer defend enterprises against the multitude of dangers that surround them. Malicious actors and Advanced Persistent Threats (APT) have a virtually endless cache of attack vectors and methods to target you. This is the general idea behind Endpoint Detection and Response (EDR) solutions, an emerging generation of security tools that are focused on detecting, investigating and mitigating suspicious activities and possible attacks on hosts and endpoints beyond the customary signature-based approach used in older security tools. There is general consensus in the cybersecurity industry that EDRs are a necessary supplement to current security solutions used in enterprises. But differences arise where the scope and definition of EDRs are concerned. There are about 30 to 50 different vendors that classify themselves as EDR providers, and each use different technologies and approaches, based on their vision and definition of EDR.
Which solution best fits your needs depends on the size and type of your organization, and whether you’re focused on detection and prevention, or investigation and incident response.
Here are the top 5 EDR vendors:
Secdo offers a platform focused on automated alert validation, investigation and response and provides the widest set of features for incident response teams. Secdo’s “preemptive forensics” approach helps security operations teams eliminate false positives and automatically investigate those alerts which were identified as more likely to allude to security breaches. This helps security analysts investigate and respond to breaches at a much faster rate and on a broader scale.
Secdo captures endpoint events at the fine grain level of threads (each process in an operating system is constituted of one or several threads) and stores them on the Secdo server for later analysis and digestion. Data can be transferred to Secdo’s server or stored on the customer’s on premise servers. Consolidating endpoint information enables Secdo to analyze attack patterns that are better concealed and often bypass other security solutions.
Secdo also has great integration features and can import data from other security tools such as Security Information and Event Management (SIEM) systems and uses its proprietary endpoint activity monitoring and causality analysis to investigate and validate them, and to root out real threats.
One of the features of Secdo is the automatic generation of alert timelines, which enable analysts to further investigate and look into the events that led to an alert, a feat that is near-impossible when done manually. Secdo is used to prioritize alerts and point out to incidents that need immediate attention.
When threats and breaches are discovered, Secdo offers surgical and immediate remediation, including isolating the host at the kernel level, freezing execution trees in memory and providing reverse shell into the machine in question through Python and command line.
All of these features and functionalities are compiled into a set of visual tools that give you ample visibility into the attack chains and enable you to quickly trace alerts to their root cause.
Secdo is ideal for security operations and incident response teams that are flooded with alerts and need to cut incident investigation and response time, increase the team’s productivity, improve investigation quality and accuracy, reduce the amount of investigations and eliminate alert fatigue. Secdo does that with automated, continuous endpoint forensics, causality analysis, automatically investigation and remediation.
Carbon Black offers both an EDR and antimalware solution packed in one product. Whereas Secdo is focused on investigation and response, Carbon Black has centered its platform on detection and prevention.
Carbon Black uses traditional reputation-based threat detection techniques, which compares information such as attachment names, files, IPs and other information against threat intelligence sources, such as the IOC (Indicator of Compromise) database offered by VirusTotal.
The advantage of IOC-based threat detection is the wide in its array of threat intelligence that helps root out threats. But the downside is that endpoints are analyzed at the process level, which makes is less effective in handling advanced threats.
Information gathered from endpoints is stored on the Carbon Black server. Clients can use the firm’s cloud or use their own on premise servers. However, since the platform comes with little automated investigative features and historical correlation, you’ll need deep analytical experience in order to trace back threats indicators to their root.
Carbon Black offers a command line interface that enables analysts and administrators to remotely investigate, isolate and cleanup endpoints.
Given its easy integration with other security tools, Carbon Black can be a good solution if you already own several threat intelligence feeds and want to focus on threat detection and prevention.
Crowdstrike is essentially a managed, cloud-based service for endpoint protection. The platform uses a combination of techniques including IOCs, malware detection, file attribute analysis and “Indicator of Attack” behavioral analysis to protect nodes in a network against attacks and malicious activity.
However, at the containment level, the platform is a bit limited, offering little more than network isolation of infected or compromised endpoints. Remote cleanup is non-present, and visualization capabilities for manual investigation leave a lot to desire.
On the plus side, Crowdstrike does have a global threat intelligence service, which allows subscribers to share threat data and cooperate to fight back against emerging threats and patterns of attacks.
Crowdstrike might be a good option for smaller organizations that have limited internal security resources, want a simple solution, and have no problem sending their data to the cloud—since the platform doesn’t have an on premise option. However, it would be less appealing to companies with more advanced procedures and stricter security requirements.
Cybereason provides sensor applications that install on endpoints and continuously collect event information, which they subsequently send to an on premise or cloud server.
Cybereason is mainly focused on threat and compromise detection, which it accomplishes by searching for known malicious operations, and seeking out unknown threats through the detection of anomalous behavior.
While endpoint agents offered by other vendors operate as kernel-level processes, Cybereason’s agent executes at the user level, which makes it more exposed because it runs on par with resources at the disposal of potential attackers.
Cybereason’s response features include killing malicious or compromised processes, quarantining infected and suspicious files, and deleting registry keys used for malicious activities. Cybereason would be a good option for organizations that don’t have SIEM deployments and are looking for a detection solution that requires minimum involvement on their side.
The FireEye Endpoint Security Platform, dubbed the HX series, relies on a Windows agent backed by a cloud-based intelligence platform, FireEye’s own IOC database, to monitor endpoint activity and detect malicious activities and compromises.
The platform stores up to 48 hours of endpoint data on its server. This can become a bit problematic when you’re investigating long lasting compromises and persistent attacks that might span over longer periods.
All in all, the HX series is a good solution for organizations that have already invested in other FireEye products and wishes to add a basic EDR solution to the mix.