How EDR is moving beyond the endpoint

An emerging breed of detection and response offerings is going beyond endpoints to collect and decipher telemetry data from across the enterprise

Endpoint detection and response (EDR) technology needs to provide visibility of security-related events beyond the endpoint – if enterprises are to stand a chance of fending off cyber adversaries that may be lurking somewhere on their networks.

Traditional EDR technology collects telemetry data about events related to endpoints, such as application processes that connect to specific network addresses. But this data is often not fed to security information and event management (SIEM) systems, which could otherwise be overloaded with data.

Yet, this data is essential for analysis by machine learning algorithms and incident response teams to flag up signs of a cyber attack across different stages of the cyber kill chain.

That is the premise behind an emerging breed of EDR offerings called XDR, where X refers to the collection of a broader set of data related to the network, cloud and other parts of an enterprise’s IT footprint.

“Security vendors are all going to be working on XDR,” Eric Skinner, Trend Micro’s vice-president for market strategy, told Computer Weekly. “The key to doing XDR well is to deeply understand the data so you can derive insights and provide high-confidence alerts.”

The advancements in artificial intelligence (AI) in recent years has made the job a tad easier, with security vendors from Trend Micro and Carbon Black to Palo Alto Networks all leveraging machine learning to make better sense of XDR data.

Trend Micro’s XDR platform, for instance, aims to replace hundreds of SIEM alerts with a small number of high-confidence alerts generated by computer algorithms that perform correlation and synthesis of security events across an IT infrastructure.

“For example, we can see, say, a sequence of 85 different events across different places in your environment, and we're going to send one high-confidence alert to the SIEM,” Skinner said.

Compared to some EDR suppliers that focus solely on endpoint security, Skinner pointed to Trend Micro’s edge in providing all-round visibility via its portfolio of security products that protect corporate email systems, applications, servers and networks.

“We understand the telemetry from all of those systems incredibly well, so we’re able to derive deeper insights,” Skinner said. “We believe that will be an advantage for us in this market evolution towards XDR.”

Asked if Trend Micro’s XDR will work with other point security offerings through application programming interfaces (APIs), Skinner said: “In the early stages, we will have a blend of components for things like email, servers and network, and a limited set of third-party sources, including information from the operating systems”.

“The platform is certainly open to third-party integrations,” he said. “But for any vendor, it’s going to come down to how it derives sufficient intelligence from third parties. We can consume logs, but how well do we understand them? It’s going to depend on the prioritisation of those third-party sources.”

Even if XDR platforms can churn out priority alerts that are spot-on, it is still up to human security analysts and incident response teams to decide if and how they should be acted on.

MDR an ‘important evolution’

Nilesh Jain, Trend Micro’s vice-president for Southeast Asia and India, noted that adoption of EDR – and by extension, XDR – is still in its infancy for many organisations in the region.

“Outside of Singapore, governments and private sector companies are still evaluating EDR,” Jain said. “They have a lot of interest and they know the outcomes, but they’re still trying to understand how they can make EDR work in their organisations.”

For example, Jain said those that are already using endpoint security products are concerned with adding even more software agents to collect telemetry data, putting a strain on IT resources.

Faced with the complexity of EDR and the lack of incident response skills, not only in Southeast Asia, but also worldwide, more enterprises are now considering managed detection and response (MDR) services from managed security service providers.

“CISOs and security units simply don’t have the bandwidth to proactively wade through reams of EDR data hunting for threats and figuring out how to respond to them,” said Gartner vice-president and distinguished analyst Avivah Litan in a blog post on the EDR market.

Skinner said MDR services will be an “important evolution” because they help to offload very complex tasks to a dedicated team.

“But that doesn’t necessarily speak ill of customers’ abilities,” he added. “We have customers that have skilled incident response people; however, they like that somebody is doing it proactively for them round-the-clock.”

Read more about cyber security in APAC

Read more on Endpoint security

Data Center
Data Management