cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
the_admin
Newcomer I

Is EDR the new AV?

Hi all,

 

I wanted to reach out to get your opinion on the above mentioned question.

 

We are looking for an alternative for our current endpoint protection product which is of course more than AV alone but has multiple additional modules which mostly seem to have been added by acquiring other vendors and their products. I had a short presentation by one of the interesting vendors for replacing our current solution recently who seem to have developed their solution from scratch. They are officially an EDR vendor (also listed in the appropriate Gartner quadrant chart) while our current solution is in the endpoint protection Gartner quadrant. However the EDR vendor told me that other customers have replaced their AV solution with their product. Do you think there is really a (sharp) distinction between EDR, AV and EPP at all? To me it seems it is like this:

 

AV: A deprecated and old expression for securing endpoints, servers etc.

EDR: The modern expression for AV with extended functionality

EPP: Formerly known as AV, now EDR.

 

Using these statements one has to answer the initial question with "Yes". What do you guys think?

 

PS. Sorry for my bad english as I'm a german native speaker.

13 Replies
JKWiniger
Community Champion

I think you are getting caught up in the name game! Forget what they are calling things and look just at what they can and can not do. Look at what functions they offer and what you feel you need to protect against. Names change so fast lately it makes my head spin. So if you drop or hide all the names and look just at functionality and things like that what do things look like?

 

Every vendor will claim their product is the best and can do it all, until you want to see it done!

 

John- 

the_admin
Newcomer I

Thanks, John. That definitely makes sense.

Beads
Advocate I

When in doubt a "cook off" to compare finalist against one another usually provides the best answer for your organization. Generally with any A/V, EPP or EDP solution, developers are generally shown to be the most difficult internal group to please. Start there, see if they find the solution acceptable and make your final decision with regard to the effectiveness of the control.

 

As for naming conventions? Most of us have seen plenty of product name changes, particularly with regard to marketing. Take new names with a grain of salt but evaluate based on what is most effective for your organization.

 

- b/eads

 

Caute_cautim
Community Champion

@the_admin   A very interesting topic, depending on which vendor you go to:

 

Example famously Microsoft will tell you - you can have defender "free", which is AV, but if you want NGAV - New Generation AV - you have to purchase ATP, which depending on which type of organisation either comes with a steep discount for Government or a higher price for the Private Sector.   You get what you pay for etc.  

 

AV alone is insufficient, you need the wider collaborative intelligence to ensure any chance of protecting the organisation, looking at weaponisation, priorities and focus of the perpetrators.  New AV is just another term for New Generation AV - a market terms, as our colleagues point out - more hype than hype. 

 

If you follow the NIST cyber security framework, and the trends currently hitting organisations, EDR, EPP are no longer appropriate.  Many times the organisation has been compromised months previously without being aware it has occurred.   So there is a swing towards MDR - Managed Detect & Response, which means Incident response, Forensic Investigation, Triage processes being invoked.  Many MDR services are now cloud based i.e. Crowdstrike, Carbon Black are good examples.   Given that it can take up 260 plus days before an organisation actually realises they have been compromise, and the costs of an Incident reaching 8 or more times over time.   End Point is a misnomer as well.  Given that these days it means Mobile, BYOD, Laptops, Workstations, Virtual Machines, Servers and practically anything linked with a user or privileged user.

 

So definitely see the swing towards Response, to potentially reduce the impact of the inevitable.

 

 

 

Regards

 

Caute_cautim

rslade
Influencer II

Answer: yes. EDR is, quite literally, the new AV.

Please, people, don't get caught up in whatever new marketing terms the sales
department comes up with to try and convince you that their "new thing" isn't
really just the same old, stuff, repackaged.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
QA Engineer walks into a bar. Orders a beer. Orders 0 beers.
Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders
a sfdeljknesv. - https://twitter.com/sempf/status/514473420277694465
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
ericgeater
Community Champion

I came here to ask about EDR, et voilà!  The thread is already waiting for me.  Thanks, everyone!

 

Back to Caute's response, we just added Carbon Black as an endpoint defense, and I was curious to know if anyone in the room feels like leaving SEP and Carbon Black Defense on the same computer is overkill.

 

Edited to add: we had an incident in February, and Symantec made us aware on several computers that a threat was found... but that was all it noticed.  Meanwhile, a second ongoing other threat which SEP never observed, caused some PC data loss on the same machines. 

 

We now have little faith in SEP, added CB Defense, and are doubling down on the backup plan which saved our bacon.

--
"A claim is as good as its veracity."
Caute_cautim
Community Champion

@ericgeater    An interesting experience:   Remember Symantec has lost its integrity due to the fact it was purchased and then subsequently sold again.

 

https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-sym...

 

Then flipped it to Accenture:  https://www.scmagazine.com/home/security-news/company-news/broadcom-flips-symantec-to-accenture-secu...

 

EDR or even MDR is the new AV these days, watching user behaviour and other characteristics from the cloud.

They do this by using all the many customers intelligence building up Use Cases and collaborating with many others to provide a universal picture of what is going on in the real world.

 

Especially during the world situation at the moment, this is vitally important.

 

Others may use Crowdstrike.  

 

Do you need another on the hosts, servers - I believe so - something like TrendMicro Enterprise Security - provides a good package of controls, but ensure performance configuration is worked at.   Plus also remember the other factor now :  Containers and images - look up Red Hat 10 layers of security for Containers.

 

The prime issue with Containers are that they are immutable, you have to create a new image for a change.

 

However, if the attacker gains access to a Container, then all of them must re-created - they are most probably all compromised.

 

There is also another element, if you have lots of containers, micro-segmentation and segregation and application gateways, as to who have authorised access, and what applications can legitimately communicate with.  

 

Regards

 

Caute_cautim

 

 

 

 

 

 

 

 

 

 

ericgeater
Community Champion

I don't fully understand the concept of containers yet.  We're not currently using them in our enterprise.

 

Are you suggesting that doubling up AV / EDR defense on our servers may be a good idea, as opposed to just letting the user PCs leverage only the CB services?

--
"A claim is as good as its veracity."
JKWiniger
Community Champion

@ericgeater with containers one just runs one program and you choose what network addresses and ports the container can access, as well as storage. With static storage being held outside of the container it allow the container to be deleted and redeployed with no impact. This makes it so that if a program in a container gets compromised it is simply deleted and a new contained is deployed. There is actually a software called Falco which will monitor the security of the containers and if a change is detected from the deployed image it will automatically delete it and deploy a fresh one.

 

Hopefully that made some sense... I need coffee!

 

John-