Understanding today’s threat landscape
In our most recent 2023 threat hunting annual report, our threat hunters reported that the observed interactive intrusions volume – intrusion activity where a threat actor operates with hands-on-keyboard in a victim environment – increased by 40% year-over-year. The report also showcases a drop in breakout time – the time it takes for an intruder to begin moving laterally within the network – to just 79 minutes, down from the previous all-time low of 84 minutes in 2022.
In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches.
2023 Threat Hunting Report
In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches.Download Now
The increase in the velocity and volume of attacks may be attributed to several factors including:
- The COVID-19 pandemic and stay-at-home orders, which dramatically increased the amount of time people spent online;
- The shift to remote work (an existing trend that was rapidly accelerated due to COVID-19), which increased the attack surface for organizations;
- The proliferation of connected devices and Internet of Things (IoT) technology, which provide a plethora of entry points for cybercriminals;
- The shift to the cloud, which requires a fundamentally different security strategy as compared to traditional on-premises networks;
- 5G technology which is further fueling the use of connected devices; and
- The availability of hackers “as-a-service” which makes ransomware and other malware attacks available to those who lack the technical expertise to carry out such an attack personally.
These trends, coupled with increasing sophistication among adversaries and a constantly advancing set of tactics, techniques and procedures (TTPs), makes it necessary for organizations to develop and deploy a comprehensive cybersecurity strategy and tooling. Further, organizations need to ensure that key lessons are learned from cyber threat detections, and attacks can be attributed to likely adversaries and tactic classifications.
In this article we review two of the most critical elements to every cybersecurity architecture – endpoint detection and response (EDR) and next-generation antivirus (NGAV) – and the points organizations should consider when selecting these tools and integrating them within the broader cybersecurity strategy.
Overview: Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) is a cybersecurity solution that detects and mitigates cyber threats by continuously monitoring endpoint devices and analyzing endpoint data.
EDR solutions work by providing continuous and comprehensive real-time visibility into what is happening across all endpoints. Behavioral analysis and actionable intelligence is then applied to endpoint data to prevent an incident from turning into a breach.
A true EDR tool should have the following capabilities:
- Incident data search and investigation
- Alert triage or suspicious activity validation
- Suspicious activity detection
- Threat hunting or data exploration
- Stopping malicious activity
Overview: Next-Generation Antivirus (NGAV)
Next-Generation Antivirus (NGAV) is a cybersecurity tool that leverages a combination of artificial intelligence (AI), behavioral detection, machine learning (ML) algorithms, and exploit mitigation to anticipate and prevent both known and unknown threats.
Unlike traditional antivirus solutions, NGAV is cloud-based, which allows it to be deployed more quickly and without over-burdening the endpoint. In addition, it eliminates or significantly reduces the burden of maintaining software, managing infrastructure, and updating signature databases.
A NGAV solution has the following capabilities:
- Detection of known/unknown threats and fileless attacks
- Cloud-based architecture that does not impact endpoint performance or require additional hardware or software
- Fast and simple implementation and updating
What is the difference between NGAV and EDR?
EDR and NGAV share a common purpose of helping organizations reduce risk by preventing cyberattacks. However, they differ in terms of when they are used and how they work.
NGAV is the prevention component of endpoint security, which aims to stop cyber threats from entering a network. While the NGAV is an important first line of defense for the organization, it is not foolproof. No solution, no matter how advanced, can offer 100% protection.
When threats circumvent an antivirus of NGAV solution, EDR detects that activity and allows teams to contain the adversary before they can move laterally in the network. To continue the analogy, if the NGAV is a first line of defense, then the EDR is a safety net which catches any threats that may slip past.
In addition to detecting threats, EDR also gathers data about the attack, including the TTPs being used. This delivers contextualized information to the security team that includes attribution where relevant, providing details on the threat actor and any other information known about the attack. This helps the team respond to threats quickly and address them with precision in order to limit damage. Once contained, the EDR tool will also help the team gather more details on how the attack occurred and spread, making it possible to prevent similar attacks in the future.
Does my organization need both NGAV and EDR?
Given the increasing sophistication of adversaries and their constantly advancing and evolving TTPs, it’s important for organizations to leverage both an NGAV and EDR solution to strengthen their defenses.
When prevention fails, your organization can be left in the dark by its current endpoint security solution. Attackers take advantage of this situation to linger and navigate inside your network.
Without proper threat detection tooling in place, silent failures allow attackers to move around the environment freely for days, weeks or even months. Hackers can use this time to create back doors that allow them to return at will in the future.
Should Businesses Combine the Power of EDR and NGAV
While most NGAV and EDR systems are separate solutions, they are certainly not stand-alone tools. Nor should they be deployed in isolation.
Rather, these tools should complement one another and be used in conjunction to strengthen the overall security posture. Further, these tools should be integrated within the organization’s overarching cybersecurity strategy and architecture, which should contain additional security capabilities, such as threat hunting, as well as clear and compelling policies regarding identity access and management (IAM), multi-factor authentication (MFA) and Zero Trust.
Since no single solution offers absolute protection, a multi-touch security strategy helps fill gaps and limitations associated with any individual tool, the likes of which are often prime points of exploitation by adversaries.
The Endpoint Protection Buyers Guide
Learn how to identify the critical features and capabilities organizations should look for when evaluating NGAV, EDR, and other elements within the cybersecurity toolset. View our in-depth assessment, which outlines required features, evaluation criteria and questions to ask when selecting a cybersecurity tool or partner.Download Now
How to Evaluate NGAV and EDR Solutions
The cybersecurity vendor landscape has become increasingly crowded in recent years, making it difficult for organizations to select a suitable tool for their unique needs.
Here we explore some of the most important criteria that businesses should look for when evaluating and selecting endpoint protection tools, such as NGAV and EDR:
Integration: One of the most important factors to consider when selecting a NGAV or EDR solution is how well it will integrate within the broader cybersecurity architecture without adding complexity or requiring any on-premises management infrastructure. Key considerations include:
- Integration with threat intelligence to enable the immediate assessment of the origins, impact, and severity of threats in the environment and provide guidance on how to best respond and remediate threats
- Availability of extensive application program interfaces (APIs) to connect various applications and ensure timely and efficient data sharing
- Integration with adjacent technologies, such as device control, firewalls, threat hunting and other security tools and solutions
Cloud-based solution: The only way to ensure zero impact on endpoints, while enabling real-time search, analysis and investigation, is by leveraging cloud technology. Cloud-native EDR and NGAV offers organizations faster deployment time, better endpoint performance and greater ease of operation for the IT team.
Advanced technologies: Both EDR and NGAV solutions should make use of innovative technologies, such as AI/ML, behavior protection and exploit mitigation to prevent the rapidly changing TTPs used by adversaries to breach organizations, including commodity malware, zero-day malware and even advanced malware-free attacks. For NGAV, relying solely on signature-based methods or indicators of compromise (IOCs) can lead to the “silent failure” that allows data breaches to occur. On the other hand, effective endpoint detection and incident response requires behavioral approaches that search for indicators of attack (IOAs), so the business is alerted to suspicious activities before a compromise can occur.
Online and offline prevention: Endpoints need to be protected whether they are offline or online. Solutions that support data processing and decision-making on the endpoint enables highly accurate detection and prevention and keeps the endpoint protected everywhere whether it is in use or not.
Immediate time-to-value: In today’s cybersecurity landscape, time matters. EDR and NGAV solutions that can be deployed and operational in hours, with no additional hardware or software and no tuning or configuration greatly enhance the organization’s security posture.