Article

Jan 20, 2026

Why EDR is not enough for endpoint security

While EDRs are valuable tools, they’re inherently reactive—detecting and responding after a threat has already breached your environment. True protection starts with prevention.

How EDR products work

We all started with antivirus products, which can only block known threats by matching files against a dictionary of virus signatures (file hashes and byte patterns). Antivirus products relied on regular signature updates to stay current. Newly released malware, malware that altered its own file contents so that the signature no longer matched, and attacks designed to be completely fileless regularly outpaced and subverted antivirus.

Increases in available computing power and memory allowed vendors to introduce EDR products that continuously monitor endpoints. Instead of comparing new files against a list of signatures, EDR agents monitor system behavior heuristically. Process starts, registry modifications and network connection events are combined with telemetry shared from other endpoints to build a baseline of normal user and system behavior. Behavior that deviates from that baseline, such as an RDP session to a host the workstation has never connected to before or a burst of failed login attempts, is treated as an indicator of compromise (IoC) and flagged for investigation or an automated response.

Later, XDR was introduced to extend detection and response beyond the individual endpoint. Suspicious events are correlated across multiple technologies, not just endpoint workstations: XDR solutions ingest data from sensors across disparate devices and networks, and can trigger automated responses such as blocking a suspected malicious network session or disabling a compromised user account.

In every case the pattern is the same: EDR and XDR depend on detecting first and reacting second. An EDR can kill a process once its behavior has been recognized as malicious, but that recognition comes after the behavior has started. It can tell you that something has happened; it cannot stop it from happening in the first place.

The limits of detection-based security

When an Endpoint Detection and Response (EDR) product is deployed, you are operating in a reactive mode. The security team can only respond to an incident after the EDR identifies it and generates an alert, which is typically after the damage has begun (data exfiltrated, or ransomware already encrypting files). What is more, modern intrusions routinely subvert detection altogether by leveraging fileless malware and Living-off-the-Land (LOTL) techniques. Once a malicious payload is running, it can take seconds to profile the host, copy sensitive data, or start encrypting the network with ransomware, far less time than an analyst needs to triage an alert.

As a result, application control or allowlisting alongside an EDR is now an operational necessity.

Attacks that can bypass EDR

Here are some examples of attacks that can bypass EDR detection. With rapid AI adoption and malware becoming polymorphic, rewriting itself on the fly, evasion techniques will only get more sophisticated.

  • LOTL attacks: Unlike antivirus software's reliance on a static dictionary of file signatures, EDR can recognize dynamic attack patterns. Successful recognition, however, relies on spotting anomalous behavior against a baseline of normal behavior. Attackers learned they could blend into that baseline by leveraging trusted, signed system applications (PowerShell, mshta.exe, rundll32.exe, certutil.exe and similar) rather than writing malware as a standalone binary: the image that runs is one the endpoint runs every day, and only the attacker-supplied arguments differ.

  • Fileless malware: Much of the signal an EDR still leans on is tied to files: hashes, reputation lookups, and scans of whatever is written to disk. Fileless malware operates entirely in memory or is launched from existing legitimate locations (for example a script stored in a registry value or a WMI event subscription and run by a built-in interpreter), so there is no "malware" file on disk for the EDR to hash, scan or quarantine. What remains is behavioral telemetry that looks like the legitimate interpreter doing its job.

  • Process injection: Malicious code can be "injected" into a running, legitimate process, so superficially any malicious behavior appears to originate from that process. System processes such as explorer.exe or svchost.exe are already part of an EDR's baseline of usual behavior, so network connections or file access performed by the injected code may not look abnormal or suspicious.
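To make the detect-then-react pattern described under "How EDR products work" and the LOTL gap in the list above concrete, here is an added example (not Idemeum's code, nor any EDR vendor's detection logic) of a toy behavioral detector replayed over constructed telemetry. It learns a baseline from a history window, then flags a burst of failed logons, an RDP session to a never-seen destination, and an image the host has never run, while a signed script host launched with attacker-controlled arguments passes untouched. Hostnames, paths, timestamps and thresholds are all constructed.

```python
"""Toy behavioral detector in the style of an EDR agent, replayed over
constructed telemetry. Added example for this article; not Idemeum's code
nor any EDR vendor's detection logic."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a constructed clock
    host: str
    user: str
    kind: str      # "logon_fail" | "net_conn" | "proc_start"
    detail: str    # net_conn: "dest:port"; proc_start: image path; else ""
    cmdline: str = ""


@dataclass(frozen=True)
class Alert:
    ts: int
    host: str
    rule: str
    detail: str


RDP_PORT = "3389"


def build_baseline(history: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Learn per-host 'normal': RDP destinations and images seen before.
    A real product learns this across the whole fleet, not one host."""
    baseline: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in history:
        if e.kind == "net_conn" and e.detail.endswith(":" + RDP_PORT):
            baseline[(e.host, "rdp_dest")].add(e.detail)
        elif e.kind == "proc_start":
            baseline[(e.host, "image")].add(e.detail.lower())
    return dict(baseline)


def detect(events: List[Event], baseline, fail_threshold: int = 4,
           window: int = 60) -> List[Alert]:
    """Replay telemetry in time order and raise an alert when an event
    deviates from the baseline. Every alert carries the timestamp of the
    event that crossed the line: by then that event has already happened."""
    alerts: List[Alert] = []
    fails: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "logon_fail":
            q = fails[(e.host, e.user)]
            q.append(e.ts)
            while e.ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) == fail_threshold:
                alerts.append(Alert(e.ts, e.host, "brute_force",
                                    f"{e.user}: {fail_threshold} failures in {window}s"))
        elif e.kind == "net_conn" and e.detail.endswith(":" + RDP_PORT):
            if e.detail not in baseline.get((e.host, "rdp_dest"), set()):
                alerts.append(Alert(e.ts, e.host, "abnormal_rdp", e.detail))
        elif e.kind == "proc_start":
            # Baseline-driven rule: an image this host has never run is
            # anomalous. A signed Windows binary such as mshta.exe is already
            # in the baseline, so it passes whatever its command line says.
            if e.detail.lower() not in baseline.get((e.host, "image"), set()):
                alerts.append(Alert(e.ts, e.host, "unknown_image", e.detail))
    return alerts


# Constructed learning window: ordinary activity on workstation ws01.
HISTORY = [
    Event(1, "ws01", "alice", "proc_start", r"C:\Windows\explorer.exe"),
    Event(2, "ws01", "alice", "proc_start", r"C:\Windows\System32\svchost.exe"),
    Event(3, "ws01", "alice", "proc_start", r"C:\Windows\System32\mshta.exe"),
    Event(4, "ws01", "alice", "net_conn", "jump01:" + RDP_PORT),
]

# Constructed live telemetry: a LOTL step first, then noisier activity.
LIVE = [
    # Signed script host with attacker-controlled arguments: no new image.
    Event(100, "ws01", "alice", "proc_start", r"C:\Windows\System32\mshta.exe",
          cmdline=r'mshta.exe "C:\Users\Public\invoice.hta"'),
    Event(110, "ws01", "alice", "logon_fail", ""),
    Event(111, "ws01", "alice", "logon_fail", ""),
    Event(112, "ws01", "alice", "logon_fail", ""),
    Event(113, "ws01", "alice", "logon_fail", ""),
    Event(120, "ws01", "alice", "net_conn", "fileserver02:" + RDP_PORT),
    # Unsigned payload in a temp folder: alerted on, but already running.
    Event(130, "ws01", "alice", "proc_start",
          r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
]


def run_demo() -> List[Alert]:
    return detect(LIVE, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.ts:<4} {a.host} {a.rule:<14} {a.detail}")
```

The brute-force alert fires on the fourth failed logon, the RDP alert on the session that is already established, and the unknown-image alert on a process that has already been created; the mshta.exe launch produces nothing because the image is in the baseline. Real products add command-line, parent-process and in-memory heuristics on top of this kind of baseline, but those are still signals gathered after execution begins, which is the gap the rest of this article is about.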

How prevention closes the detection gap

Defense against cyberattacks is an arms race. The more advanced the attack, the more advanced the detection method must become. The more motivated the attacker, the more bespoke the attack, tailored to the individual victim. Detection products built around common attack patterns cannot protect against hyper-customized attacks from motivated adversaries.

Application control enables attack prevention by blocking any execution that isn't explicitly allowed. Technologies like application allowlisting and Just-in-Time (JIT) access inherently prevent malicious behavior by limiting actions and access in accordance with the principle of least privilege: an unsigned payload dropped into a temp folder is refused before its process is ever created, rather than killed after it starts. Two caveats a practitioner should plan for: signed system binaries that attackers abuse for LOTL need explicit block rules or script enforcement on top of the allowlist, and path-based allow rules must never cover directories a standard user can write to. Idemeum makes implementing allowlisting simple with minimal operational investment.
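As an added example of the allowlisting logic described above (illustrative code, not Idemeum's product and not WDAC or AppLocker itself), the following evaluator applies the default-deny rule: explicit deny rules are checked first, then allow rules, and anything unmatched is refused before the process is created. It compares a loose path-based policy with a tighter publisher-and-hash policy over constructed binaries. Signer names and file bytes are constructed stand-ins for the Authenticode signatures and PE hashes a real policy checks; C:\Windows\Tasks is used because it is a directory under C:\Windows that standard users can write to.

```python
"""Application-control policy evaluator: default deny, explicit deny wins.
Added example for this article; not Idemeum's product logic and not
WDAC/AppLocker code. Signers and file contents are constructed stand-ins."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binary:
    path: str
    signer: Optional[str]  # Authenticode signer subject; None = unsigned
    content: bytes         # stand-in for the file bytes a real policy hashes


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" | "deny"
    kind: str    # "hash" | "publisher" | "path"
    value: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(rule: Rule, b: Binary) -> bool:
    if rule.kind == "hash":
        return sha256_hex(b.content) == rule.value
    if rule.kind == "publisher":
        return b.signer is not None and b.signer == rule.value
    if rule.kind == "path":
        # Case-insensitive glob, since Windows paths are case-insensitive.
        return fnmatch.fnmatchcase(b.path.lower(), rule.value.lower())
    raise ValueError(f"unknown rule kind {rule.kind}")


def decide(policy: List[Rule], b: Binary) -> str:
    """Return 'allow:<kind>' or 'deny:<kind>'. Deny rules first, then allow
    rules; a binary matching nothing is denied (default deny). The decision
    is made before the process is created, not after it starts running."""
    for r in policy:
        if r.action == "deny" and matches(r, b):
            return "deny:" + r.kind
    for r in policy:
        if r.action == "allow" and matches(r, b):
            return "allow:" + r.kind
    return "deny:default"


# Constructed binaries.
LOB_BYTES = b"MZ constructed line-of-business app"
PAYLOAD_BYTES = b"MZ constructed ransomware dropper"
NOTEPAD = Binary(r"C:\Windows\System32\notepad.exe", "Microsoft Windows", b"MZ notepad")
MSHTA = Binary(r"C:\Windows\System32\mshta.exe", "Microsoft Windows", b"MZ mshta")
LOB_APP = Binary(r"C:\Program Files\Contoso\lob.exe", "Contoso Ltd", LOB_BYTES)
PAYLOAD_IN_TEMP = Binary(r"C:\Users\alice\AppData\Local\Temp\svc.exe", None, PAYLOAD_BYTES)
# The same bytes copied into a user-writable folder under C:\Windows.
PAYLOAD_IN_TASKS = Binary(r"C:\Windows\Tasks\svc.exe", None, PAYLOAD_BYTES)

# Loose policy: trusts everything under C:\Windows and C:\Program Files by path.
LOOSE_POLICY = [
    Rule("allow", "path", r"C:\Windows\*"),
    Rule("allow", "path", r"C:\Program Files\*"),
]

# Strict policy: publisher and hash rules, plus an explicit deny for a signed
# script host that attackers use to live off the land.
STRICT_POLICY = [
    Rule("deny", "path", r"C:\Windows\System32\mshta.exe"),
    Rule("allow", "publisher", "Microsoft Windows"),
    Rule("allow", "hash", sha256_hex(LOB_BYTES)),
]

BINARIES = [NOTEPAD, MSHTA, LOB_APP, PAYLOAD_IN_TEMP, PAYLOAD_IN_TASKS]


def evaluate(policy: List[Rule]) -> Dict[str, str]:
    """Decision for every constructed binary, keyed by path."""
    return {b.path: decide(policy, b) for b in BINARIES}


if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(name)
        for path, verdict in evaluate(pol).items():
            print(f"  {verdict:16} {path}")
```

The loose policy shows the classic mistake: a wildcard allow on C:\Windows\* refuses the payload in the user's temp folder but admits the identical bytes once they are copied into C:\Windows\Tasks. The strict policy denies both copies by default, allows the line-of-business app by hash, allows notepad.exe by publisher, and adds an explicit deny for mshta.exe so that a Microsoft-signed script host cannot be used to live off the land; Microsoft publishes a recommended block list of such binaries for use with WDAC.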

Today, organizations cannot rely solely on detection. EDR and XDR by themselves cannot keep a network secure against today's adaptive threat landscape. Prevention must be enforced through application control to stop attacks before they can execute, and detection technologies must be combined with it to build a comprehensive security ecosystem.