EDR, MDR, XDR – which monitoring solution is right for you?

Navigating Cybersecurity: Choosing Your Defense Tools Wisely

As you establish defense layers for your SME, a critical question emerges: How do you select an effective monitoring solution? Think of it as installing an alarm system to catch a potential intruder attempting to breach your office premises. This software acts as your digital guardian, identifying and thwarting cyber attackers aiming to infiltrate your computers or internal network.

In the realm of safeguarding your network from potential threats, the landscape of available tools varies, one such tool is are monitoring solutions. Of the many options available, each presents a unique perspective on security of the different vendors. Amidst this diversity, we’ve identified two primary schools of thought taking shape. Before we look at these models, let’s get a bit familiar with the industry.

You’ll likely encounter the term “MITRE ATT&CK framework” soon, if you haven’t already. Virtually every monitoring solution we’ve assessed builds its defenses around this framework—a digital evolution in the world of anti-malware and anti-hacking solutions.

Malware and Viruses Defined: “Malware” is the overarching term for “malicious software,” designed to harm or exploit devices, networks, or users. It includes a range of malicious programs, with “viruses” being a specific type. Viruses are self-replicating programs that attach to legitimate files, spreading when those files are executed. They often carry a payload intended to cause damage or compromise the infected system. In essence, all viruses are malware, but malware encompasses various forms like ransomware, spyware, trojans, and more.

Evolution in Antivirus Solutions: Traditional antivirus software relies on databases of “signatures,” typically maintained by the antivirus vendor. In contrast, modern vendors leverage the MITRE ATT&CK framework—a game-changer. It offers a free database of adversary tactics, techniques, and common knowledge, contributed to by cybersecurity professionals worldwide. This includes researchers, vendors, government agencies, open-source communities, and incident responders. 

The Power of MITRE ATT&CK framework: Crafting a robust strategy to detect and apply mitigation rules defined by the MITRE ATT&CK Framework enhances defense solutions. Utilizing a shared collective of experiences from top cybersecurity professionals, these solutions become more in-depth and better prepared to detect and mitigate a broad spectrum of cyber attacks. So, you would not be surprised that all your solutions start with a similar level of quality when it comes to have a database of knowledge on what is known of attacks taking place in the world.

For those interested in a more rigorous understanding of this framework, or to learn more about this North American initiative and the great things they have done and continue to do, please visit the Mitre foundation at, https://www.mitre.org/

Navigating the Landscape of Antivirus (Cybersecurity monitoring) Software: A Deeper Look

As end users, we often assume a level playing field when it comes to software sharing the same name, such as antivirus software. However, true parity is achieved only when organizations like the Mitre Foundation play their part. What we make of the framework post-subscription, rests in the hands of the individual or organization subscribing. The efficiency and speed of searches, the accuracy of results—all stem from a common source of data, amplified by the engine delivering the promises. It’s crucial to scrutinize these promises for accuracy and reliability in your unique environment as the engines, built by differing vendors, is where you will find the differences.

Many (in our search all did) monitoring solutions harness the power of Artificial Intelligence (AI) to enhance their services. While we didn’t delve into specific AI technologies deployed by vendors in our review, we assumed a level playing field, focusing instead on the effectiveness of the implemented strategies used. Our aim is to empower you, the reader, with insights that lie within your control when selecting a monitoring solution for your organization.

In our evaluation, we considered:

  1. Algorithmic Soundness: Assessing the algorithm’s robustness for delivering services.

  2. Self-Protection: Ensuring the software guards against easy compromise, preventing unauthorized shutdown by potential hackers.

  3. Response Time: Testing the effectiveness of the Security Operations Center (SOC) when welcomed, as we wanted to evaluate their commitment to vigilance and responsiveness.

  4. Resource Impact: Paying attention to the software’s impact on device performance, considering the burden it adds to the device and the organization.

Navigating the Impact of Your Selection on Your Environment

In our investigation, we’ve uncovered two primary strategies are used—distinct schools of thought—embraced by cyber-monitoring vendors as they grapple with the challenges of safeguarding your digital realm.

Each solution we reviewed commenced with the following fundamental step:

Establish a Baseline: Install the monitoring agent onto the PC, allowing it time to learn the end user’s working habits. This involves creating a working profile, identifying patterns such as email habits, working hours, and preferred applications, establishing a baseline behavior for “the user” at “this terminal.”

What they did once this baseline was establish depended on how the vendor looked at your environment.

Strategy 1: “Supervisor in the School Yard”

  • In protect mode, this strategy focuses on detecting and reacting to any suspicious activity.
  • The ATT&CK framework serves as a security database for profiling applications within the protected environment.
  • Upon detecting suspicious activity, the agent can shut down the offending application, preventing the spread of the attack and notifying support.
  • A live person is involved throughout the remediation step.

Strategy 2: “Guard at the Gate”

  • In protect mode, this strategy learns which software applications are authorized to execute on your computer and requests authorization for any new application.
  • Pre-identified software is allowed to execute uninhibited. Any abnormal behaviors trigger quiet blocking, with support or the user potentially notified.
  • New attempts to load software require the user to request permission for installation.
  • A person is notified to respond and review the installation request. If the software is deemed non-threatening, the installation is permitted, and the user is notified to retry.

Conclusion:

  • “Supervisor in the School Yard” allows applications to work normally but monitors for suspicious activity, responding when unwanted behavior is detected.
  • “Guard at the Gate” tags all authorized applications and blocks any unauthorized application from executing, requiring approval before a user can install the new application.

Fine-Tuning Cybersecurity Strategies: Pros and Cons

Supervisor in the School Yard:

Pros:

  1. Minimal Interruption: Ideal for busy environments with diverse application usage or frequent tool installations.
  2. Automation-Driven: Relies on automated detection of suspicious activity, reducing dependence on human intervention.
  3. Uninterrupted User Work: Users can continue working unless a malicious actor is detected.

Cons:

  1. Automation Dependency: Vulnerable to disruptions if automations fail. Vendor strategies for handling automation breakdowns need investigation to avoid a false sense of security.
  2. SOC Response Time: Relies on the Security Operations Center (SOC) for timely response; prolonged deactivation can result in idle employee time.
  3. Potential Weakness: As automation of detection depends on knowing the application behaviour as they execute,  “Zero-day” exploits must be handled as a special case.

Guard at the Gate:

Pros:

  1. Silent Operation: Thrives in environments with a consistent application stack and minimal introduction of new software.
  2. Automated Prevention: Default prevention of any unauthorized application, reducing the need for vigilant human monitoring.
  3. Uninterrupted User Routine: Users experience no interruptions in their normal workday as device deactivation is not required; only unapproved applications are halted.
  4. Shadow IT Deterrence: Effectively discourages unauthorized software installations.

Cons:

  1. Potential Disruption: Can be disruptive in environments with regular use of different software tools, leading to potential confusion.
  2. Scheduled Installations: Predictable schedules for new software may cause delays due to the constant approval process.  Further, installation delays, especially in busy periods, may lead to stressful experiences for employees as everything must be authorized.

General Observations:

  1. On the concepts of Algorithmic Soundness and Self-Protection the applications reviewed all passed our benchmark for what a security agent should be.
  2. On response time, some vendors refused to have their team’s response quality tested.
  3. One vendor failed response testing, with significant delays in detecting an attack.
  4. Poor customer support led to the failure of one other vendor.
  5. From a resource impact perspective, some solutions were deemed cumbersome in terms of technology stack a client will have to deploy.
  6. Weakness in protecting mixed environments, especially involving MACs, was observed, reflecting the immaturity of the industry at the time of publishing this article.

Special Mention: A unique solution targeting ransomware was reviewed, this solution did not use Mitre’s framework. The application is specifically to protect against ransomware. The strategy involves dropping files with random data on the disk, then monitoring for access, and isolating applications accessing these files. While innovative, its vulnerability to code manipulation raises concerns about its robustness.

In conclusion, cybersecurity solutions in this evolving landscape are complex and may pose challenges in configuration. Relying on vendors for configuration support is crucial. Notable challenges include industry immaturity and a learning curve as new strategies emerge. With all solutions using AI and no current benchmarks to test the robustness, accuracy and correctness of the applications, one must trust in the AI developers to not make mistakes.

Again, our goal was not to help you select a solution but to arm you with insights to what you should be questioning and investigating when selecting a solution.

All AI applications are not written perfectly, all security operation centre (SOC) teams are not 100% on the ball as they watch alerts flowing in.

 

Last point, EDR – End Point Detection and Remediation.  MDR – M****** Detection and Remediation, XDR – Xtra***** Detection and Remediation.  Ask the vendor, they will have a great reason why their solution is more than endpoint detection and remediation. Its all in the marketing.

    Request a Call Back