EDR and Adequate Security

Endpoint Detection and Response (EDR) is the security industry's umbrella term for automated protection products. They attempt to recognize attacks and, once an attack is recognized, act to stop it.

Consider a program that automatically determines every possible attack on your computer and prevents it. If it really did protect reliably, that would be ideal. Yet year after year, studies show that the number of security products keeps growing, and so does the number of attacks that are launched and succeed. How come?

The main problem with automated detection systems is that they make mistakes, in both directions: they raise false alarms, and they miss real attacks.

Sometimes you may read that some EDR system succeeds in preventing 80% or 85% of attacks. What does this mean?

In probability theory there is the notion of an "improbable event". Its probability is not zero: the event may happen, but the likelihood of it occurring is low enough that you assume it won't happen in a single experiment and accept the corresponding risk. So how low is low enough?

It depends on the application. Imagine that you have accepted a new and exciting job, and it's important for you to succeed. Among other things, you need to be on time at work and at home after work. So you study the railway's statistics and find that its train may arrive late once in 1000 trips. Is it OK for you to use the train?

Probably yes. You may be prepared to explain a late arrival at work or at home once in two years because of the train and stay calm, assuming that for your practical purposes a late train is an improbable event.

Now you need to take a business trip to another country. You study airlines and aircraft models and find that one airline has a crash rate of one in 1000 flights. Is it OK for you to use that airline?

Most likely no. In reality, airlines have an incident probability of one in 1 to 7-8 million flights, and an airline with an incident rate of 3 or more per million flights already raises safety concerns.

The higher the value at stake, the lower the probability of failure that still counts as an "improbable event" and lets you take the risk.

If an EDR has been tested thoroughly enough to show an attack prevention rate of 85%, that apparently means that when you are attacked, you have a 0.15 chance of being hit. Is that low enough to rely on the EDR?

Again, it depends. If you manage a large enterprise network of computers, none of which holds particularly high value, and you need to report quarterly that 85% of attacks were prevented, then yes. But if your PC holds a patent that you have been working on for two decades and have not yet registered, you probably can't tolerate a 15% risk that the information is stolen in a single attempt.

An EDR is really a game program that plays without knowing all the rules. When you are attacked, the hacker knows it for sure, and you would know it for sure if you knew what was happening on your computer. The EDR detects an attack by analysing behavior: the sequence of accesses and actions attempted on your computer. When a certain access pattern is matched, it concludes that you are under attack.

But it may happen that you and the hacker perform very similar accesses. For example, you may search through many files for some important information because you forgot exactly where it is. The hacker may gain remote access to your computer and also search through many files for important information because he wants to steal it. You know the difference and the hacker knows it, but the behavior is the same, and automatic detection software will not be able to tell the difference.
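As an added illustration of this point (example code, not from the original article), here is a toy behavioral rule of the kind the text describes: it counts file reads per actor inside a sliding time window and flags anyone who exceeds a threshold. The actor names, paths and timings are constructed; the owner's search and the intruder's sweep yield the same feature value, so any threshold either flags both or neither.

```python
# Constructed event log: (timestamp_seconds, actor, action, path).
# "alice" is the owner hunting for a document she mislaid; "remote-shell"
# is an intruder sweeping the same folder an hour later. Both read the same
# 40 files at the same pace (40 reads spread over 45 seconds).
def synthetic_events():
    events = []
    for i in range(40):
        t = i * 1.125
        path = f"/home/alice/docs/file{i}.txt"  # hypothetical path
        events.append((t, "alice", "read", path))
        events.append((t + 3600.0, "remote-shell", "read", path))
    events.sort()
    return events


def peak_reads_per_window(events, actor, window_s=60.0):
    """Largest number of file reads by `actor` within any window_s-second span.

    This is the only "behavior" the toy rule looks at: volume over time.
    """
    times = [t for t, a, act, _ in events if a == actor and act == "read"]
    best, start = 0, 0
    for end in range(len(times)):
        # shrink the window from the left until it spans at most window_s
        while times[end] - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def flagged_actors(events, threshold, window_s=60.0):
    """Naive mass-file-access rule: flag every actor whose peak rate >= threshold."""
    actors = {a for _, a, _, _ in events}
    return {a for a in actors
            if peak_reads_per_window(events, a, window_s) >= threshold}


def indistinguishable(events, actor_a, actor_b, window_s=60.0):
    """True when the rule's feature cannot separate the two actors at all."""
    return (peak_reads_per_window(events, actor_a, window_s)
            == peak_reads_per_window(events, actor_b, window_s))


if __name__ == "__main__":
    log = synthetic_events()
    for threshold in (10, 30, 50):
        # low thresholds flag the owner too (false alarm);
        # high thresholds clear the intruder as well (missed attack)
        print(threshold, sorted(flagged_actors(log, threshold)))
```

Any log field the rule does not look at (intent, who holds the session, what happens to the data afterwards) is exactly the information that would separate the two cases.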

Automatic EDRs are designed to protect against zero-day attacks. But most protection rates are measured using attack methods that were known to the developers when the protection was designed. How well they will do against brand-new attacks that use methods and patterns unknown at the time the EDR was released is information that will likely always be missing. And automatic detection is extremely helpless against a manual or dedicated attack that may take only a couple of actions to steal your data.

If you have high-value information on your computer, automatic protection will not be enough. You will need dedicated protection that can enforce your own specific rule set to prevent exactly 100% of attacks.

© Daniel Drubin 2020