Many of the most sophisticated cyberattacks we have looked at in this blog could have been avoided with solutions that detect any type of malware, known or unknown, including the kind that other, more traditional solutions are unable to detect. One such example is Cytomic EDR, which, thanks to the Zero-Trust Application service on which it is based, prevents any binary from running until it has been classified as trusted. That’s not all: this solution also provides cybersecurity teams with:
- Complete visibility of adversaries’ actions.
- Zero impact on devices and servers, as the agent is ultralight and the architecture hosted in the cloud.
- Detection of anomalous behavior on endpoints (IOAs) to block attackers.
- Remote containment capabilities from the console, such as isolating or restarting devices.
This solution can coexist with and perfectly complement traditional solutions. That said, over the last few months the concept of XDR has been gaining traction in the cybersecurity ecosystem as an approach that extends the concept of Endpoint Detection and Response (EDR).
Extending the concept of EDR
The IT analyst firm ESG defines XDR (Extended Detection and Response) as “an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response”. John Oltsik, an analyst at ESG, clarifies that “XDR unifies control points, security telemetry, analytics, and operations into one enterprise system”.
Given this broad definition, it is valid to ask what this has to do with EDR. Cybersecurity expert Praveen Singh explains that, in recent years, organizations have based their cybersecurity strategies on different tools, with varying functions and objectives:
- Endpoint Detection and Response (EDR), as endpoints are in many cases the first line of defense.
- Network Traffic Analysis (NTA/NDR).
- Cloud Application Security Brokers (CASB). A new way to protect SaaS applications like Office365, which cannot be protected by traditional firewalls.
- SIEM, which is still the backbone of security operations teams.
Each tool provides great benefits for cybersecurity in organizations, but for CISOs and their teams there are too many components, and this can impede the work of detecting, responding to, and remediating incidents. An ESG study indicated that 66 percent of cybersecurity managers believe that having so many tools makes them “less effective”, and 76 percent claimed that detection and response to threats was “more difficult than two years ago”.
Singh argues that, as a response to such challenges, there is the idea of XDR as an extension to the concept of EDR, so that organizations have more pervasive visibility thanks to:
- Visibility into endpoints, networks, and SaaS applications like Office365, and cloud infrastructure like AWS/Azure VPC.
- Threat intelligence.
- Application, host, and user information, including geolocation.
- Vulnerability scanning results and next-generation firewall (NGFW) logs.
This underlines how Extended Detection and Response (XDR) is a model which, although it builds on EDR’s endpoint detection capabilities, goes much further, also detecting incidents on networks, SaaS applications, cloud infrastructure and, in fact, any layer of an organization’s network or systems. It does this by additionally harnessing automation and machine learning techniques to root out potential threats that may evade SIEM or other traditional tools.
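To make the cross-layer idea concrete, here is an added example (not code from the original post or from any Cytomic product) of the kind of correlation an XDR pipeline performs: events from an endpoint agent, a network sensor and a SaaS broker are joined on the same host and user inside a short time window, and an alert is raised only when several independent sources agree. The event records, field names and the 15-minute window are constructed assumptions for the illustration; the point it shows is that a single-source view sees two identical-looking endpoint events, while the joined view separates the one that is backed by network and SaaS signals from the one that is not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). "source" names the layer that
# produced the event: edr = endpoint agent, ndr = network sensor, casb = SaaS broker.
EVENTS = [
    {"source": "edr",  "ts": "2024-05-01T09:00:05", "host": "ws-17", "user": "alice",
     "detail": "office process spawned a scripting host"},
    {"source": "ndr",  "ts": "2024-05-01T09:01:10", "host": "ws-17", "user": "alice",
     "detail": "outbound connection to a never-before-seen domain"},
    {"source": "casb", "ts": "2024-05-01T09:03:40", "host": "ws-17", "user": "alice",
     "detail": "bulk download from SaaS storage"},
    {"source": "edr",  "ts": "2024-05-01T11:20:00", "host": "ws-22", "user": "bob",
     "detail": "office process spawned a scripting host"},
    {"source": "casb", "ts": "2024-05-02T08:00:00", "host": "ws-22", "user": "bob",
     "detail": "bulk download from SaaS storage"},
]


def parse_ts(value):
    """Timestamps are ISO 8601 strings in the constructed events."""
    return datetime.fromisoformat(value)


def single_source_view(events, source):
    """What one tool sees on its own: every event from that source, uncorrelated.
    Returns the (host, user) pairs it would have to alert on individually."""
    return sorted({(e["host"], e["user"]) for e in events if e["source"] == source})


def correlate(events, window_minutes=15, min_sources=2):
    """Join events on (host, user) and raise one alert per key when at least
    `min_sources` distinct telemetry sources fire inside `window_minutes`."""
    by_key = defaultdict(list)
    for event in events:
        by_key[(event["host"], event["user"])].append(event)

    alerts = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        window = timedelta(minutes=window_minutes)
        for i, first in enumerate(evs):
            start = parse_ts(first["ts"])
            # Sliding window anchored on each event in turn.
            cluster = [e for e in evs[i:] if parse_ts(e["ts"]) - start <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                alerts.append({
                    "host": host,
                    "user": user,
                    "sources": sorted(sources),
                    "first_seen": first["ts"],
                    "evidence": [f'{e["source"]}: {e["detail"]}' for e in cluster],
                })
                break  # one alert per (host, user) is enough for this illustration
    return alerts


if __name__ == "__main__":
    print("EDR alone sees:", single_source_view(EVENTS, "edr"))
    for alert in correlate(EVENTS):
        print(f'{alert["host"]}/{alert["user"]} via {alert["sources"]}')
        for line in alert["evidence"]:
            print("   ", line)
```

Run as a script it lists the two hosts the endpoint layer flags on its own, then the single correlated alert for ws-17/alice with evidence from all three layers; ws-22/bob produces no correlated alert because its two events are almost a day apart. A real pipeline would add entity resolution (mapping IPs, usernames and device IDs to one identity), per-source weighting and suppression, but the join-and-window step is the core of what "extended" means in XDR.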
Cytomic EPDR maintains that same approach, integrating multiple preventive technologies in addition to EDR capabilities into a single solution and preventing malware from running not only on computers, but also on servers, virtual environments and other devices. It has all kinds of features, from firewall services to specific protection for Exchange Server.