The internet is full of threats that are discovered each day and for years antivirus vendors were struggling to find and remove those threats before they hit their client’s machines. Unfortunately, the number of those threats is growing very fast, and this strategy has become inefficient. Therefore, Can an EDR replace the antivirus and its old strategy?
EDR will definitely replace the old antivirus. The new capabilities offered by the EDR solutions to stop unknown threats by analyzing their behavior is what companies need.
In this blog post, I am going to analyze the main differences between EDR and traditional antivirus to see what makes them better. So if you are interested just keep reading.
Why EDR will replace antivirus?
Detection scope
If you have just started in the domain of cybersecurity It might be hard to differentiate an EDR from an antivirus as many traditional antivirus vendors start to implements the EDR techniques to detect malware. However, you should know that in the traditional antivirus, the detection scope was limited to the computer of the end-user, with no view on email or other components.
Unfortunately, the new generation of malware, start to use even more advanced techniques and tunnels to infiltrate computers. Most modern malware uses emails and malicious macros to spread across the network. In addition, even more, the malware starts to avoid the creation of files in the victim machine, which made their detection even harder.
The EDR technology, got a wider view on the endpoint, by getting access to processes, emails, navigation and more, to identify malware. This view, give the EDR access to more information that can be correlated to identify unknown attacks and stop them before they get deeper into the network.
Detection techniques (behavior analysis)
To detect malware, traditional antivirus uses what we call signature-based detection techniques. The main idea behind this technique is to find some common elements in the malware file or structure to identify it whenever it goes.
For example, the first and obvious element that is used as a signature is the virus file hash itself. Which seems to be very logical as the first sign. However, this technique remains ineffective as a simple change in the file bits will change the whole hash and signature.
After this, traditional antivirus has evolved to use code blocks as signatures. In this technique, tools and experts knowledge are used to identify malicious static code components in the malware source code. For many years, this technique was very effective, and has a lot of malware has been identified as some malicious source code exploit and payloads do not change. Unfortunately, some security experts have discovered a new technique to bypass this by what we call polymorphic code.
In addition, all those signatures required that the antivirus company discover the malware and create their signature before their clients get infected. This requirement has made this technique inefficient regarding the growing number of malware on the internet.
Recently a new technique was discovered and implemented in the EDR technology that solves this issue by implementing what we call behavior analysis. This technique has been made possible due to the detection scope of the EDR technology that gives a much better view of the machine parts.
Response techniques
Responding to a malware attack by traditional antivirus was focusing on putting the malware file in quarantine. At that moment this technique was somehow effective when dealing with already identified malware with known signature. However, with the rise of unknown attacks, more response capabilities were needed, especially when a security operation center is in the game.
EDR solutions offer more than just detecting and putting a malicious file in quarantine, and here is a list of what it can do to respond to a malware attack:
Isolating the whole machine
Analyzing the file in a sandbox system
Analyzing statically the source code of the malware
Give more detailed information to be used in Forensics investigation
I guess the most important aspect and functionality that an EDR technology offer is the Forensics capacities. A data breach is and will continue to be the nightmare of all companies that’s something we all agree about. In addition, not knowing what data and when did that happens to make that nightmare even worst.
With traditional antivirus, searching the network to see what devices have been infected by malware would require manual actions performed by the Experts. In addition, moving in site to investigate the events on local machines will be required to perform those manual actions. Unfortunately, all those actions would take a lot of time to be done and usually with less efficiency.
Forensics capabilities, are for me the most important tools of the EDR technology. Performing investigation each time a suspicious activity happens is the daily work of a security operation center and it is usually performed using SIEM technology. However, this technology does not give the level of the details offered by an EDR and with the forensics tools, it gets even better.
Here is a list of some forensics capabilities that
Process execution three exploration
Remotely dumping running process
Remotely extract hard disk structures to look at individual files
Rapid triage and review of the whole company network
Is Windows Defender an EDR?
Microsoft Defender for Endpoint is a full solution that contains many technologies including an EDR. According to the Gartner ranking, this solution is today the best EDR solution in the market.
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH).
I hope you enjoy my articles :).
XSS and CSRF vulnerabilities are some of the most dangerous and the most popular vulnerabilities on the web. Fortunately, the CSRF vulnerability is getting rarer as modern programming technologies put ...
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Post comments (0)