<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is EDR the new AV? in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36428#M2780</link>
    <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/136236425"&gt;@ericgeater&lt;/a&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; An interesting experience.&amp;nbsp;&amp;nbsp; Remember that Symantec has lost its integrity due to the fact it was purchased and then subsequently sold again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-symantec-enterprise-security" target="_blank"&gt;https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-symantec-enterprise-security&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Then flipped it to Accenture:&amp;nbsp; &lt;A href="https://www.scmagazine.com/home/security-news/company-news/broadcom-flips-symantec-to-accenture-security/" target="_blank"&gt;https://www.scmagazine.com/home/security-news/company-news/broadcom-flips-symantec-to-accenture-security/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;EDR or even MDR is the new AV these days, watching user behaviour and other characteristics from the cloud.&lt;/P&gt;&lt;P&gt;They do this by using all the many customers' intelligence, building up use cases and collaborating with many others to provide a universal picture of what is going on in the real world.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Especially during the world situation at the moment, this is vitally important.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Others may use Crowdstrike.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you need another on the hosts and servers? I believe so - something like TrendMicro Enterprise Security provides a good package of controls, but ensure performance configuration is worked at.&amp;nbsp;&amp;nbsp; Plus also remember the other factor now: Containers and images - look up Red Hat's 10 layers of security for Containers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The prime issue with Containers is that they are immutable; you have to create a new image for a change.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, if the attacker gains access to a Container, then all of them must be re-created - they are most probably all compromised.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is also another element: if you have lots of containers, micro-segmentation and segregation and application gateways, as to who has authorised access, and what applications they can legitimately communicate with.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
    <pubDate>Sun, 14 Jun 2020 06:30:58 GMT</pubDate>
    <dc:creator>Caute_cautim</dc:creator>
    <dc:date>2020-06-14T06:30:58Z</dc:date>
    <item>
      <title>Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33255#M2398</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I wanted to reach out to get your opinion on the above-mentioned question.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are looking for an alternative for our current endpoint protection product, which is of course more than AV alone but has multiple additional modules, which mostly seem to have been added by acquiring other vendors and their products. I recently had a short presentation by one of the interesting vendors for replacing our current solution, who seem to have developed their solution from scratch. They are officially an EDR vendor (also listed in the appropriate Gartner quadrant chart) while our current solution is in the endpoint protection Gartner quadrant. However, the EDR vendor told me that other customers have replaced their AV solution with their product. Do you think there is really a (sharp) distinction between EDR, AV and EPP at all? To me it seems it is like this:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;AV: A deprecated and old expression for securing endpoints, servers etc.&lt;/P&gt;&lt;P&gt;EDR: The modern expression for AV with extended functionality&lt;/P&gt;&lt;P&gt;EPP: Formerly known as AV, now EDR.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using these statements one has to answer the initial question with "Yes". What do you guys think?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PS. Sorry for my bad English as I'm a German native speaker.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 15:16:02 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33255#M2398</guid>
      <dc:creator>the_admin</dc:creator>
      <dc:date>2020-03-02T15:16:02Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33258#M2399</link>
      <description>&lt;P&gt;I think you are getting caught up in the name game! Forget what they are calling things and look just at what they can and cannot do. Look at what functions they offer and what you feel you need to protect against. Names change so fast lately it makes my head spin. So if you drop or hide all the names and look just at functionality and things like that, what do things look like?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Every vendor will claim their product is the best and can do it all, until you want to see it done!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 15:29:43 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33258#M2399</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-03-02T15:29:43Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33259#M2400</link>
      <description>&lt;P&gt;Thanks, John. That definitely makes sense.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 15:34:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33259#M2400</guid>
      <dc:creator>the_admin</dc:creator>
      <dc:date>2020-03-02T15:34:17Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33261#M2401</link>
      <description>&lt;P&gt;When in doubt, a "cook off" to compare finalists against one another usually provides the best answer for your organization. Generally with any A/V, EPP or EDP solution, developers are generally shown to be the most difficult internal group to please. Start there, see if they find the solution acceptable and make your final decision with regard to the effectiveness of the control.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for naming conventions? Most of us have seen plenty of product name changes, particularly with regard to marketing. Take new names with a grain of salt but evaluate based on what is most effective for your organization.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- b/eads&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 16:34:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33261#M2401</guid>
      <dc:creator>Beads</dc:creator>
      <dc:date>2020-03-02T16:34:18Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33279#M2404</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/896027927"&gt;@the_admin&lt;/a&gt;&amp;nbsp;&amp;nbsp; A very interesting topic, depending on which vendor you go to:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, famously, Microsoft will tell you that you can have Defender "free", which is AV, but if you want NGAV - New Generation AV - you have to purchase ATP, which depending on which type of organisation either comes with a steep discount for Government or a higher price for the Private Sector.&amp;nbsp;&amp;nbsp; You get what you pay for etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;AV alone is insufficient; you need the wider collaborative intelligence to ensure any chance of protecting the organisation, looking at weaponisation, priorities and focus of the perpetrators.&amp;nbsp; New AV is just another term for New Generation AV - a marketing term, as our colleagues point out - more hype than hype.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you follow the NIST cyber security framework, and the trends currently hitting organisations, EDR and EPP are no longer appropriate.&amp;nbsp; Many times the organisation has been compromised months previously without being aware it has occurred.&amp;nbsp;&amp;nbsp; So there is a swing towards MDR - Managed Detection &amp;amp; Response, which means Incident Response, Forensic Investigation and Triage processes being invoked.&amp;nbsp; Many MDR services are now cloud based; Crowdstrike and Carbon Black are good examples.&amp;nbsp;&amp;nbsp; Given that it can take up to 260-plus days before an organisation actually realises it has been compromised, and the costs of an incident reaching 8 or more times over time.&amp;nbsp;&amp;nbsp; Endpoint is a misnomer as well, given that these days it means Mobile, BYOD, Laptops, Workstations, Virtual Machines, Servers and practically anything linked with a user or privileged user.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So I definitely see the swing towards Response, to potentially reduce the impact of the inevitable.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 20:55:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33279#M2404</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2020-03-02T20:55:42Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33333#M2419</link>
      <description>Answer: yes. EDR is, quite literally, the new AV.&lt;BR /&gt;&lt;BR /&gt;Please, people, don't get caught up in whatever new marketing terms the sales&lt;BR /&gt;department comes up with to try and convince you that their "new thing" isn't&lt;BR /&gt;really just the same old stuff, repackaged.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org&lt;BR /&gt;QA Engineer walks into a bar. Orders a beer. Orders 0 beers.&lt;BR /&gt;Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders&lt;BR /&gt;a sfdeljknesv. - &lt;A href="https://twitter.com/sempf/status/514473420277694465" target="_blank"&gt;https://twitter.com/sempf/status/514473420277694465&lt;/A&gt;&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://is.gd/RotlWB" target="_blank"&gt;https://is.gd/RotlWB&lt;/A&gt;</description>
      <pubDate>Tue, 03 Mar 2020 19:41:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/33333#M2419</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-03-03T19:41:53Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36397#M2768</link>
      <description>&lt;P&gt;I came here to ask about EDR, &lt;EM&gt;et voilà!&lt;/EM&gt; The thread is already waiting for me.&amp;nbsp; Thanks, everyone!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Back to Caute's response: we just added Carbon Black as an endpoint defense, and I was curious to know if anyone in the room feels like leaving SEP and Carbon Black Defense on the same computer is overkill.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edited to add: we had an incident in February, and Symantec made us aware on several computers that a threat was found... but that was all it noticed.&amp;nbsp; Meanwhile, a second, ongoing threat which SEP never observed caused some PC data loss on the same machines.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We now have little faith in SEP, added CB Defense, and are doubling down on the backup plan which saved our bacon.&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2020 19:53:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36397#M2768</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2020-06-12T19:53:53Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36428#M2780</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/136236425"&gt;@ericgeater&lt;/a&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; An interesting experience.&amp;nbsp;&amp;nbsp; Remember that Symantec has lost its integrity due to the fact it was purchased and then subsequently sold again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-symantec-enterprise-security" target="_blank"&gt;https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-symantec-enterprise-security&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Then flipped it to Accenture:&amp;nbsp; &lt;A href="https://www.scmagazine.com/home/security-news/company-news/broadcom-flips-symantec-to-accenture-security/" target="_blank"&gt;https://www.scmagazine.com/home/security-news/company-news/broadcom-flips-symantec-to-accenture-security/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;EDR or even MDR is the new AV these days, watching user behaviour and other characteristics from the cloud.&lt;/P&gt;&lt;P&gt;They do this by using all the many customers' intelligence, building up use cases and collaborating with many others to provide a universal picture of what is going on in the real world.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Especially during the world situation at the moment, this is vitally important.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Others may use Crowdstrike.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you need another on the hosts and servers? I believe so - something like TrendMicro Enterprise Security provides a good package of controls, but ensure performance configuration is worked at.&amp;nbsp;&amp;nbsp; Plus also remember the other factor now: Containers and images - look up Red Hat's 10 layers of security for Containers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The prime issue with Containers is that they are immutable; you have to create a new image for a change.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, if the attacker gains access to a Container, then all of them must be re-created - they are most probably all compromised.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is also another element: if you have lots of containers, micro-segmentation and segregation and application gateways, as to who has authorised access, and what applications they can legitimately communicate with.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 06:30:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36428#M2780</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2020-06-14T06:30:58Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36431#M2783</link>
      <description>&lt;P&gt;I don't fully understand the concept of containers yet.&amp;nbsp; We're not currently using them in our enterprise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you suggesting that doubling up AV / EDR defense on our servers may be a good idea, as opposed to just letting the user PCs leverage only the CB services?&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 13:13:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36431#M2783</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2020-06-14T13:13:15Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36432#M2784</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/136236425"&gt;@ericgeater&lt;/a&gt;&amp;nbsp;with containers one just runs one program, and you choose what network addresses and ports the container can access, as well as storage. With static storage being held outside of the container, it allows the container to be deleted and redeployed with no impact. This makes it so that if a program in a container gets compromised it is simply deleted and a new container is deployed. There is actually software called Falco which will monitor the security of the containers, and if a change is detected from the deployed image it will automatically delete it and deploy a fresh one.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hopefully that made some sense... I need coffee!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 13:25:30 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36432#M2784</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-06-14T13:25:30Z</dc:date>
    </item>
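The redeploy-on-drift idea in John's post above, shown as an added example that is not part of the original thread and is not Falco's own code: the deployed image is the baseline, a running container whose immutable files diverge from it is treated as compromised and scheduled for replacement rather than repaired in place. The directory layout, file contents and the "volatile" path list are constructed for the demo; a real deployment would take the baseline from the image layers and the current view from the container's root filesystem.

```python
"""Image-vs-runtime drift check for a container filesystem.

Added illustration for the container discussion above; it is not code from
the forum posts or from Falco. The deployed image is the baseline, and a
running container whose immutable files diverge from that baseline is
treated as compromised and scheduled for replacement, never patched in
place. Paths, sample files and the 'volatile' list are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current, volatile=()):
    """Return (added, modified, removed) relative paths.

    Paths under any prefix in `volatile` (mounted data volumes, log
    directories) are expected to change and are ignored, so legitimate
    writes do not drown real drift in noise.
    """
    def is_volatile(rel):
        return any(rel == v or rel.startswith(v.rstrip("/") + "/") for v in volatile)

    added = sorted(p for p in current if p not in baseline and not is_volatile(p))
    removed = sorted(p for p in baseline if p not in current and not is_volatile(p))
    modified = sorted(
        p for p in baseline
        if p in current and baseline[p] != current[p] and not is_volatile(p)
    )
    return added, modified, removed


def decide(added, modified, removed):
    """Policy from the post: any drift in the immutable part of the tree
    means the container is replaced from the image, not repaired."""
    return "redeploy" if (added or modified or removed) else "ok"


def demo():
    """Constructed scenario: a baseline tree standing in for the image and a
    copy standing in for the running container, where a config file was
    altered, a binary was dropped into /tmp, and the app wrote a log file
    into a volatile path."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "image")
        runtime = Path(tmp, "runtime")
        for root in (image, runtime):
            (root / "app").mkdir(parents=True)
            (root / "app" / "server.py").write_text("print('hello')\n")
            (root / "etc").mkdir()
            (root / "etc" / "app.conf").write_text("listen=8080\n")
        baseline = build_manifest(image)

        # Changes made inside the "running container" (constructed).
        (runtime / "etc" / "app.conf").write_text("listen=8080\nproxy=attacker\n")
        (runtime / "tmp").mkdir()
        (runtime / "tmp" / "kworker").write_bytes(b"\x7fELF fake payload")
        (runtime / "var" / "log").mkdir(parents=True)
        (runtime / "var" / "log" / "app.log").write_text("started\n")

        current = build_manifest(runtime)
        added, modified, removed = diff_manifests(baseline, current, volatile=("var/log",))
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "action": decide(added, modified, removed),
        }


if __name__ == "__main__":
    print(demo())
```

The volatile list is the part that needs thought in practice: if it is too broad (say, all of /tmp) an attacker's dropped binary is ignored, as the demo's tmp/kworker would be; if it is too narrow, every log write triggers a redeploy and the control gets switched off.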
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36433#M2785</link>
      <description>&lt;P&gt;So a container is created just for one program or process?&amp;nbsp; Does a container run/operate within a VM, or in the guest RAM / processor cycles?&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 13:35:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36433#M2785</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2020-06-14T13:35:17Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36435#M2786</link>
      <description>&lt;P&gt;Think of it like this: a VM runs an operating system. A computer can run multiple VMs, but a VM can run only one operating system. Now scale it to the application level: one VM can run multiple containers. I have only run one program per container, but it is probably possible to run a few in one, though I don't think this is advisable. It would depend on how you build the image. Containers run purely in memory, which makes sense since they are processes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Imagine a web server. In the world of VMs, if you need more capacity to handle requests you would need to deploy and spin up more VMs, which can take a little time. Since the container is just the process it is lightweight and can be brought up and down very quickly compared to the VM, and in reality you only need more processes to handle your requests and not the full operating system that you get from a VM.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are so many things in an operating system that need to be updated and secured, while in the container you have one process, which is restricted to what it can access when it is deployed. It just simplifies things.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have not tried it but I did see that VMware Fusion on the Mac now supports containers, so it could be something interesting to look at. Or you can always just install Docker and manage things with Portainer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 14:47:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36435#M2786</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-06-14T14:47:27Z</dc:date>
    </item>
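John's point above that the containerised process is restricted to what it was granted at deploy time can be checked from inside the container by reading its own capability sets. The following is an added example, not code from the thread: it parses the Cap* lines of /proc/PID/status, decodes the bitmask with the kernel's capability numbering, and flags capabilities that commonly allow a process to reach outside its container. The ESCAPE_CAPS list is this example's own choice, and the two status texts are constructed samples (0xa80425fb is the mask of the 14 capabilities a typical container runtime grants by default; 0x3fffffffff is all 38 capabilities known to kernels before 5.8, which is what a "privileged" container gets there).

```python
"""Audit a process's Linux capabilities from /proc/PID/status.

Added example; not code from the forum posts. Capability numbering follows
the kernel's include/uapi/linux/capability.h. ESCAPE_CAPS and the sample
status texts are this example's own choices, not captured from real hosts.
"""
from pathlib import Path

# Index in this list == capability bit number in the kernel.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that commonly let a process reach outside its container
# (mount and namespace tricks, module loading, ptrace of other processes,
# raw device access, reading any file, eBPF). This selection is an assumption.
ESCAPE_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON",
}


def decode_caps(mask_hex):
    """Turn a hex capability mask into the list of capability names set."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) % 2 == 1]
    if mask >> len(CAP_NAMES):
        names.append("UNKNOWN_HIGH_BITS")  # newer kernel than this table
    return names


def parse_status(text):
    """Extract the Cap* fields from the text of /proc/PID/status."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit(status_text):
    """Return effective and bounding capabilities, the risky subset, a verdict.

    The bounding set matters too: a capability absent from CapEff but present
    in CapBnd can come back through a setuid or file-capability binary.
    """
    fields = parse_status(status_text)
    effective = decode_caps(fields.get("CapEff", "0"))
    bounding = decode_caps(fields.get("CapBnd", "0"))
    risky = sorted(set(effective).union(bounding).intersection(ESCAPE_CAPS))
    return {
        "effective": effective,
        "bounding": bounding,
        "risky": risky,
        "verdict": "review" if risky else "ok",
    }


def audit_self():
    """Audit the calling process (Linux only; reads /proc/self/status)."""
    return audit(Path("/proc/self/status").read_text())


# Constructed samples, not captured from real systems.
SAMPLE_DEFAULT = (
    "Name:\tserver\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
SAMPLE_PRIVILEGED = SAMPLE_DEFAULT.replace("00000000a80425fb", "0000003fffffffff")


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("privileged", SAMPLE_PRIVILEGED)):
        result = audit(sample)
        print(label, result["verdict"], result["risky"])
```

Run audit_self() inside a container during a pentest or a build-time check; a "review" verdict on a workload that only serves HTTP means the deploy-time restriction the post relies on is not actually in place.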
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36440#M2787</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/136236425"&gt;@ericgeater&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like to think of it in layers: Networks, Servers, Operating Systems in traditional systems.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Then moving to virtual systems on VMware or others: these have their own Operating Systems and applications sitting on top, with their own resources.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On VMware you are dependent on the underlying VMware environment, ESX gateways, but they are always accessible to the VMware Administrator.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Containers, as our colleague states, are the next realm. They do simplify everything, they don't use as many resources, and you can literally containerise your applications into specific areas or distribute them within Cloud environments, so you can keep control of them. You can control who has access to them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Often Containers are used for DevOps environments, where lots of software development is being done using Agile development techniques, but remember SecDevOps.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a quick explanation with graphical depiction:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://blog.netapp.com/blogs/containers-vs-vms/" target="_blank" rel="noopener"&gt;https://blog.netapp.com/blogs/containers-vs-vms/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Containers and Microservices explanation:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://searchitoperations.techtarget.com/definition/container-containerization-or-container-based-virtualization?_ga=2.96474268.263681440.1592169169-979963156.1591513038" target="_blank" rel="noopener"&gt;https://searchitoperations.techtarget.com/definition/container-containerization-or-container-based-virtualization?_ga=2.96474268.263681440.1592169169-979963156.1591513038&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Many Cloud services offer free or even open-source vulnerability tools such as JFrog and many others, so as you create a new container it is automatically scanned for vulnerabilities and rated in terms of the impact of the discovered vulnerabilities at that point in time.&amp;nbsp;&amp;nbsp; It is part of microservices: reducing environments to the smallest necessary to run them, isolating them and literally containing them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A lot of cloud architects tend to think this makes their lives easier, but they have to think through the entire SDLC lifecycle including DevOps, and now SecDevOps as well.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Servers, as my colleague states, have many aspects; go along to Cloud Internet Security (CIS) to review their benchmarks on hardening for Operating Systems, etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Often McAfee, Symantec, TrendMicro and Sophos offer services above and beyond normal AV these days for hosts, servers and operating systems - things such as host-based firewalls, host-based IDS/IPS, file integrity, web reputation, log monitoring etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Carbon Black or Crowdstrike use a different approach, monitoring endpoints i.e. servers or desktops, laptops etc., looking for user behaviour or actions which may constitute a compromise or attempt to compromise files, hosts, servers etc.&amp;nbsp;&amp;nbsp; It is far more holistic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, you still have traditional needs; these have not gone away even in cloud environments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My personal take is VMware does a great job, but I like some independence rather than depending on a single vendor, especially in shared or multi-cloud environments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like some of the Container solutions like Twistlock and Illumio.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.twistlock.com/" target="_blank" rel="noopener"&gt;https://www.twistlock.com/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only caveat I have: it is economic as long as you have hundreds of containers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.illumio.com/lp/illumio-asp-micro-segmentation-overview?gclid=CjwKCAjwlZf3BRABEiwA8Q0qq9MlANpp3vPs_vrfFQcBuNkUxDMSztSytOT3d3YSZ3M0KmKI7-lwrRoCdGEQAvD_BwE" target="_blank" rel="noopener"&gt;https://www.illumio.com/lp/illumio-asp-micro-segmentation-overview?gclid=CjwKCAjwlZf3BRABEiwA8Q0qq9MlANpp3vPs_vrfFQcBuNkUxDMSztSytOT3d3YSZ3M0KmKI7-lwrRoCdGEQAvD_BwE&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are others such as Aqua.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.aquasec.com/" target="_blank" rel="noopener"&gt;https://www.aquasec.com/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Sun, 14 Jun 2020 21:21:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36440#M2787</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2020-06-14T21:21:44Z</dc:date>
    </item>
    <item>
      <title>Re: Is EDR the new AV?</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36459#M2791</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/136236425"&gt;@ericgeater&lt;/a&gt;, with regards to containers, you're essentially packaging the application processes --- with some isolation --- thus increasing the efficiency / manageability, &amp;amp; perhaps also enhancing security to some extent.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That being said, the use of containers can't take the place of an EPP / EDR solution. As&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;had mentioned, they can be compromised. We used Docker in our organisation. &lt;A href="https://www.stackrox.com/post/2019/09/docker-security-101/#:~:text=Images%20can%20also%20contain%20vulnerabilities,an%20ever%2Dchanging%20container%20environment." target="_blank" rel="noopener"&gt;This link&lt;/A&gt; gives you some info on the security concerns with that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At the end of the day, you should have a good EPP / EDR solution to safeguard the infrastructure, &amp;amp; it should not consume too many resources either.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Providers tend to change the names of their solutions even if there's little change in the features, so it's best to check on the features &amp;amp; test the solution with a PoC to ensure you're satisfied with it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;An example: we use a Virtual Desktop Infrastructure (VDI) for which the EPP provider was asked to facilitate an agent-less mode to ensure minimal performance impact --- but went on to try to convince us to use their agent-based mode for added features. Our engineer tested an instance and found that it consumed way too many resources, after which the provider relented.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jun 2020 09:04:25 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Is-EDR-the-new-AV/m-p/36459#M2791</guid>
      <dc:creator>Shannon</dc:creator>
      <dc:date>2020-06-15T09:04:25Z</dc:date>
    </item>
  </channel>
</rss>

