The term endpoint detection and response (EDR) was coined by Anton Chuvakin of Gartner in the early 2010s. EDR has since become one of the staples of modern cyber defenses, yet there is still a lot of room for it to grow as threats continue to evolve.
As computer and internet technology evolves, changing approaches and employing new methods to address emerging endpoint threats has become unavoidable. The growing adoption of cloud computing and IoT, in particular, has created new attack surfaces that make additional defenses necessary.
The state of EDR
Is there anything wrong with the current EDR solutions? To say that there is none would be grossly inaccurate. However, saying that current EDR technology is mostly ineffective would also be a stretch—a disservice to the cybersecurity experts who continue to develop and improve the solutions available at present.
The current state of EDR security, like cybersecurity in general, can be characterized as capable of meeting existing needs while requiring continuous improvement to keep up with the evolution of threats. The leading EDR solutions, at least, already provide improved security visibility, rapid investigations, remediation automation, and contextualized threat hunting.
EDR solutions that come with incident triaging flow, threat hunting, multiple response options, data aggregation and enrichment, and integrated response components are capable of handling all existing endpoint risks. They may also be effective in anticipating emerging threats. However, the need for constant evolution to meet more sophisticated and aggressive attacks persists. EDR technology and approaches cannot stagnate, lest more ingenious and highly-coordinated attacks overwhelm them.
Endpoint security has become even more important in the past couple of years because of the rise of online activities with businesses going online, the heightened prominence of the remote work setup, and the greater use of web-enabled devices in general. More devices connecting to the internet and communicating with each other means more possible attack surfaces. The failure to secure these devices or endpoints is a significant blow to cybersecurity.
Envisioning close-to-ideal EDR security
Forrester recently released a report called “The Future of Endpoint Management,” which offers valuable insights and practical suggestions for CISOs on securing their endpoints. These are summarized below.
The points discussed in the following list, however, presume that multifactor authentication is already being implemented. As Forrester Senior Analyst and author of the report Andrew Hewitt wrote, “the best place to start is always around enforcing multifactor authentication. This can go a long way towards ensuring that enterprise data is safe.”
Unified. Organizations are already using a multitude of devices including BYOD units. It is impossible to ensure one by one that they are secure. It is advisable to have a unified endpoint management platform for managing multiple devices and apps. It is also important that this platform supports self-healing endpoints and can scale across the devices owned by the organization and those classified as BYOD. Self-healing endpoints refer to systems that are capable of autonomously correcting themselves after confronting external threats and going through the usual software decay.
Cloud-based. Endpoint security can be provided by cloud-based solutions, and cloud-centric options appear to be preferred. This is because they are faster to implement, maintenance-free, and better suited to remote support. On-premises endpoint management solutions are more tedious to work with because they depend on several corporate images that every device must be configured with. Cloud-based options are the complete opposite: they are considerably easier to use because configuration is done through cloud APIs and devices can be conveniently drop-shipped to their users.
Self-service excellence. Self-service capabilities, as the Forrester report says, are sought after by organizations that use EDR solutions, particularly those in the IT help desk and security support teams. Endpoint security platforms are considerably easier to use if they do not require frequent communication with the technical support team. More organizations are likely to adopt EDR security platforms that excel at self-service.
Contextual awareness. Forrester says that endpoint management solutions should preferably be less device-driven and more contextually aware. Endpoint defenses work well when they are in proximity to the endpoints they are supposed to protect. However, this does not mean that they should be centered on the technical specifications of devices. Instead, they should be driven by data generated from user activity, which informs the customization and application of configurations as well as the adjustment of policies to match the specific threats and the established “regular behavior” of each endpoint.
Automated configuration and deployment. The configuration, reconfiguration, and deployment of devices take significant amounts of time. In the process, admins may commit lapses or errors that can create security vulnerabilities. It is possible to automate device configuration and deployment not only to expedite processes but also to achieve consistency and minimize the possible errors (and repetition of such errors) that can make endpoints susceptible to cyberattacks. Automation usually uses AI to know when to apply security patches and software updates as well as to enable self-healing.
Analytics-driven. Endpoints can be useful sources of telemetry data, which helps in improving user experience management. Forrester says that modern endpoint management platforms can take advantage of this data to benchmark the operational health, performance, and security of endpoints. This benchmark can then be used to detect potentially anomalous or dangerous activities. Analytics also lets endpoint security platforms depend less on known threat identities and identify potential threats from activities and behaviors instead.
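The contextual awareness and analytics-driven points above both come down to the same mechanism: learn what “regular behavior” looks like for each endpoint, then score new telemetry against that baseline rather than against a list of known threat identities. The following is an added example, not code from the Forrester report or from any EDR product. It assumes a made-up telemetry format (one JSON object per line with ts, host, user, proc and parent fields) and uses constructed sample events; the baseline and detection windows are deliberately tiny so the result can be followed by hand.

```python
"""Per-endpoint behavioral baselining over process telemetry (added example).

Assumptions (hypothetical, not any vendor's format):
- One JSON object per line: ts (ISO-8601), host, user, proc, parent.
- A baseline is learned per host from a trusted window of history.
- Events in a later window are reported when they deviate from that baseline.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed baseline telemetry (not real data): a quiet week on two hosts.
BASELINE_LINES = """
{"ts": "2024-03-04T09:02:11", "host": "ws-017", "user": "jdoe", "proc": "outlook.exe", "parent": "explorer.exe"}
{"ts": "2024-03-04T09:15:40", "host": "ws-017", "user": "jdoe", "proc": "excel.exe", "parent": "explorer.exe"}
{"ts": "2024-03-05T10:21:03", "host": "ws-017", "user": "jdoe", "proc": "chrome.exe", "parent": "explorer.exe"}
{"ts": "2024-03-06T14:47:55", "host": "ws-017", "user": "jdoe", "proc": "excel.exe", "parent": "explorer.exe"}
{"ts": "2024-03-07T11:05:30", "host": "ws-017", "user": "jdoe", "proc": "outlook.exe", "parent": "explorer.exe"}
{"ts": "2024-03-04T08:30:00", "host": "srv-db01", "user": "svc_sql", "proc": "sqlservr.exe", "parent": "services.exe"}
{"ts": "2024-03-05T02:00:00", "host": "srv-db01", "user": "svc_backup", "proc": "backup.exe", "parent": "services.exe"}
{"ts": "2024-03-06T02:00:00", "host": "srv-db01", "user": "svc_backup", "proc": "backup.exe", "parent": "services.exe"}
"""

# Constructed detection-window telemetry: two routine events and two that
# deviate from each host's learned behavior.
DETECTION_LINES = """
{"ts": "2024-03-11T09:10:00", "host": "ws-017", "user": "jdoe", "proc": "excel.exe", "parent": "explorer.exe"}
{"ts": "2024-03-11T09:12:30", "host": "ws-017", "user": "jdoe", "proc": "powershell.exe", "parent": "excel.exe"}
{"ts": "2024-03-12T02:00:00", "host": "srv-db01", "user": "svc_backup", "proc": "backup.exe", "parent": "services.exe"}
{"ts": "2024-03-12T03:41:12", "host": "srv-db01", "user": "svc_sql", "proc": "sqlservr.exe", "parent": "cmd.exe"}
"""


def parse(lines):
    """Parse newline-delimited JSON events; timestamps become datetimes."""
    events = []
    for line in lines.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def learn_baseline(events):
    """Build a per-host profile: users, processes, parent/child pairs, hours."""
    profile = defaultdict(lambda: {"users": set(), "procs": set(),
                                   "lineage": set(), "hours": set()})
    for ev in events:
        p = profile[ev["host"]]
        p["users"].add(ev["user"])
        p["procs"].add(ev["proc"])
        p["lineage"].add((ev["parent"], ev["proc"]))
        p["hours"].add(ev["ts"].hour)
    return profile


def score_event(ev, baseline):
    """Return the list of ways this event departs from its host's baseline."""
    p = baseline.get(ev["host"])
    if p is None:
        return ["host has no baseline"]
    reasons = []
    if ev["user"] not in p["users"]:
        reasons.append("user never seen on host")
    if ev["proc"] not in p["procs"]:
        reasons.append("process never seen on host")
    if (ev["parent"], ev["proc"]) not in p["lineage"]:
        reasons.append("parent/child pair never seen on host")
    if ev["ts"].hour not in p["hours"]:
        reasons.append("activity outside host's usual hours")
    return reasons


def detect(baseline_lines, detection_lines):
    """Learn a baseline from one window and report deviations in another."""
    baseline = learn_baseline(parse(baseline_lines))
    findings = []
    for ev in parse(detection_lines):
        reasons = score_event(ev, baseline)
        if reasons:
            findings.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                             "proc": ev["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_LINES, DETECTION_LINES):
        print(f["ts"], f["host"], f["proc"], "->", "; ".join(f["reasons"]))
```

Neither flagged event would match a signature list: the binaries involved are ordinary system and office executables. They surface only because the workstation has never launched that process from that parent, and the database server has never seen that parent/child pair or activity at that hour. In production the baseline window would be weeks rather than days, the hour check would use counts and thresholds rather than a bare set, and findings would be ranked by how many independent deviations they accumulate.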
Towards ideal endpoint security
IT technologies and environments change and so do the threats. Hackers and cybercriminals never run out of ideas on how to defeat endpoint defenses. Endpoint security needs to evolve in response to the changing technological infrastructure and threat landscape. It’s reassuring to know that EDR security providers are also ceaselessly improving their solutions to keep up with the changing risks to provide not only prevention but also mitigation and remediation functions.
Ideal endpoint security may be a pipe dream, but that does not make it a futile construct for organizations to dismiss. The attributes that make for excellent endpoint defense, as listed above, exist to guide organizations closer to the ideal and to strengthen their security posture when it comes to endpoints.