Extended Detection & Response, or XDR, is a hot topic in the cybersecurity industry, but in the same breath, security specialists will also mention Endpoint Protection Platforms, Endpoint Detection & Response, and next-generation antivirus. What is all this technology, and why don’t we just refer to these platforms as antivirus like we have for the last 40 years?
The reality is that antivirus technology is now outdated. Let’s examine how it has changed over the years.
Legacy antivirus (platforms that have been in place since the late 1980s and early 1990s) finds and removes malware in all its forms, including viruses, worms, trojans and, more recently, ransomware. It does this by searching for a unique identifier, typically a file hash, known as a signature. Once a new form of malware is identified, its signature is added to the antivirus program's database, allowing it to quickly detect that known malware when it enters your device.
However, there are now over one billion malware applications in the wild, with more than half a million never-before-seen variants created daily (source: https://www.av-test.org/en/statistics/malware/). It is impossible for legacy antivirus to keep up with this: a variant whose hash has not yet been catalogued is invisible to a signature scan.
Next-generation antivirus (NGAV) was the term initially used to describe the newer approaches that appeared as the software evolved: for example, using Static AI (machine-learning models that assess a file's contents without running it) to judge whether an application contains malicious code, or running suspect files in a sandbox to observe their behaviour.
However, our adversaries are smart. They learned ways around this, such as coding in a delay that forces the malware to behave benignly for a set period, generally long enough for a sandbox to give it the green light.
In addition, the way these adversaries attacked began to change. They continued to send massive amounts of malware via email, because it always manages to catch some users by surprise, but over time they discovered better ways of gaining a foothold on endpoint devices: exploiting software vulnerabilities, or using stolen credentials to enter the environment as a “legitimate user”, with no malicious file for an antivirus to find.
As a result, security teams no longer search only for malicious files within their environment, but for malicious activity of all kinds.
As such, the term Endpoint Protection Platform (EPP) was coined to describe security platforms that are more than just antivirus. Generally, an EPP relies less on signature databases and more on artificial intelligence and machine learning to detect malicious activity within an environment.
These platforms are still designed to be somewhat “set and forget”, however. Once installed, they monitor endpoint devices for malicious activity and either mitigate it directly or report back through their management portal. This is great when the platform does detect the activity, but what about advanced threats that an EPP may struggle to detect?
Enter Endpoint Detection & Response (EDR). The idea here is that although EPPs were a valid evolution of the NGAV and Legacy AV platforms, there was often a lot of activity that could go unnoticed.
EDR enables security teams to not only have access to threat data, such as that reported within EPP management portals, but to all data, allowing analysts to find and uncover malicious threats on their own – a process known as threat hunting.
This can be challenging, but it is not quite like searching for a needle in a haystack. The more organised adversaries become, the more process-driven they are: a specific threat group's attack generally follows a strict sequence of steps. Once security analysts know and understand this sequence, they can look for signs of it within an environment and thwart an attack before the adversary is able to deliver the payload.
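The following is an added example, not code from the original post or from any Lenovo platform, contrasting the two detection models discussed above: a legacy hash lookup that misses a repacked variant differing by a single byte, and an activity-based rule of the kind a threat hunter would run over endpoint telemetry. The sample bytes, event records, file paths and thresholds are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for a known sample and a repacked variant that
# differs from it by one byte (not real malware, just placeholder bytes).
KNOWN_SAMPLE = b"EXAMPLE-PAYLOAD-v1\x00\x01\x02"
VARIANT_SAMPLE = b"EXAMPLE-PAYLOAD-v1\x00\x01\x03"

# Legacy AV signature database: SHA-256 hashes of samples already analysed.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Legacy AV check: flag a file only if its hash is already known."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# Constructed endpoint telemetry: (seconds, pid, action, target).
# Whatever the file hash, the variant produces the same activity once run.
EVENTS = [
    (0, 101, "exec", "C:/Users/a/Downloads/invoice.exe"),
    (2, 101, "rename", "C:/Users/a/Documents/q1.xlsx -> q1.xlsx.locked"),
    (3, 101, "rename", "C:/Users/a/Documents/q2.xlsx -> q2.xlsx.locked"),
    (4, 101, "rename", "C:/Users/a/Documents/plan.docx -> plan.docx.locked"),
    (5, 101, "rename", "C:/Users/a/Pictures/cat.jpg -> cat.jpg.locked"),
    (6, 101, "rename", "C:/Users/a/Pictures/dog.jpg -> dog.jpg.locked"),
    (7, 202, "rename", "C:/Users/a/Documents/draft.docx -> final.docx"),
]


def behaviour_match(events, window_s=30, threshold=5):
    """EDR-style rule: flag any process that changes the extension of at
    least `threshold` files within `window_s` seconds (a ransomware
    pattern), regardless of whether its binary is in any signature DB."""
    ext_changes = defaultdict(list)  # pid -> timestamps of extension changes
    for ts, pid, action, target in events:
        if action != "rename":
            continue
        src, dst = target.split(" -> ")
        if src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]:
            ext_changes[pid].append(ts)
    flagged = set()
    for pid, stamps in ext_changes.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window_s:
                flagged.add(pid)
                break
    return flagged
```

The hash check catches only the catalogued sample, while the behavioural rule flags process 101 from its activity alone and ignores the single benign rename by process 202.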
There is a lot of value in EDR, and for larger organisations, it is virtually a must-have technology in the face of modern-day threats, but it comes with a large overhead in terms of resourcing requirements, leading to many businesses choosing to outsource this activity.
What, then, is XDR? XDR is a new approach to detection and response, and an extension of previous technologies that each focused on one part of the infrastructure, such as the network or the endpoint. Building on the existing detection and response platform, XDR ingests information from external sources, adding insight and context to threats as they are uncovered. This gives organisations greater coverage of their infrastructure and more value from the solutions they have already implemented.
Lenovo’s ThinkShield security portfolio protects our customers whenever and wherever they work. Our ThinkShield XDR platform can provide native Detection & Response across your endpoints, servers, cloud workloads, Kubernetes containers, Identity, and Mobile devices, while ingesting data from many third party sources. If resourcing is a concern, talk to us about ThinkShield MDR – let our team manage your threats for you.
Talk to your Lenovo representative today and ask to speak with a security specialist or contact Aditi Bansal e: [email protected] M: 0410 380 608.