EDR is Dead. Long Live XDR!

True EDR security requires redefining what an “endpoint” is and how we protect it

61% of data from Secureworks customers doesn’t come from endpoints, which means endpoints shouldn’t get 100% of your cybersecurity investment.

I hope that title got your attention. Do we believe EDR is really dead? No, at least not yet, but siloed EDR is also not the future of cybersecurity. Once upon a time, we thought of the devices on our networks as “endpoints.” To protect those endpoints, we built firewall fortresses around them. Now with remote work, digital re-engineering and other tech evolutions, the perimeter has dissolved.

Today, endpoints have become a more abstract concept where data can be gathered — nodes that can exist virtually anywhere, rendering the “endpoint” term an anachronism. Perimeters are no longer fences, but multidimensional attack surfaces that can expand, contract and otherwise morph as it includes every device, network segment, cloud, document, database and line of application code in your environment. Complexity doesn’t end there either, as threat surfaces also span supply chain partners and contractors.

Standalone endpoint detection and response (EDR) is no longer what it once was. It’s a vastly outdated view when considering organizations’ growing attack surfaces.

Telemetry has evolved and how we can maximize its value has changed. Security telemetry was once isolated to point solutions or noisy SIEMs, but now it needs to come from everywhere in the organization — also making it more valuable than ever. The evolution of telemetry over time represents the molecular structure of XDR — a technology which you simply must implement if your organization is to evade the ever-evolving cyber threat.

EDR as a Component of XDR

Cybersecurity is experiencing a shift from “defend the perimeter” to “Zero Trust.” Now it’s time to replace that old school EDR thinking with contemporary ideas that we can all rally around. Here are four brief things to consider when it comes to EDR security.

1. Siloed EDR is at significant risk of missing an increasing volume of attacks and breaches as customer attack surfaces continue to expand. For effective threat detection, you can’t limit your aperture — instead you need a panoramic view into all valuable security telemetry regardless of whether it comes from a traditional endpoint, network segment, email systems, cloud, or business applications. Then your XDR app can dive with gusto into quickly correlating those disparate scraps, helping you ascertain exactly what type of attack you’re dealing with. Traditional endpoint telemetry alone will not deliver the sustenance your cyber defenses need for survival. XDR technologies that gather, normalize and correlate data across the attack surface are the best solution to the data context problem. This is at least part of the reason why 73% of organizations are planning to deploy XDR in the next 12 months.
2. It’s all about dwell time, but siloed EDR is a welcome mat for intruders. You want to do everything you can to keep threat actors out of your environment. That’s why you should implement “the basics” - e.g. multi-factor authentication (MFA), next-generation antivirus (NGAV) and more rigorous end — user training. But if you’ve already done the basic blocking and tackling, your bigger problem is the unacceptably long dwell-time threat actors enjoy if and when they get past your defenses. Average dwell time for most organizations has risen to 200 or more days for some industries. It’s imperative that you get better at spotting and neutralizing intruders so they can’t snoop your network at leisure, stealthily compromising one asset after another.
3. Don’t gamble with your cybersecurity budget. You have a finite number of dollars to spend on risk mitigation. Spending too much on any one piece of defense is like pushing a bunch of chips onto one number at the roulette table. The smarter play is to balance your allocation on a weighted basis across all your cybersecurity investments: EDR security, vulnerability management, threat hunting services, etc. In the face of today’s threats, many organizations need to prioritize investing in XDR. XDR enables organizations to maximize their existing investments by bringing together the most critical components to prioritize the most critical threats — giving security teams time to focus on other strategic initiatives.
4. You want a platform and a partnership, not a tool. When it comes to cybersecurity, everybody is overworked and understaffed. That’s why you need more than tools and gimmicks in your cybersecurity technology portfolio. You need a purpose-built XDR platform and a trusted partner in your mission to mitigate your exposure to business risk. That means technology plus expertise, threat intelligence and a deep-rooted culture of customer care and collaboration. A recent Forrester Snapshot revealed that 73% of organizations looking to deploy XDR in the next 12 months want exactly that. No more chasing the point solution of the moment. Qualify your EDR vendor by their skills, service and culture — not some cherry-picked EDR feature/function checklist.

None of these points are meant to dismiss the importance of EDR security, which truly is an important piece of a holistic cybersecurity portfolio. But, cybersecurity in the 21st century is about a lot more than getting alerts from systems. It’s about leveraging all your technology, people and processes for the lowest total cost of ownership. In other words, maximum security with maximum value.

Speaking of Secureworks...

I’m blogging about EDR security because Secureworks just released a new version of our Taegis endpoint agent featuring cross-platform support from Windows to MacOS to Linux, real-time connectivity and industry leading performance with a low footprint. The agent with sundry other features that make it ideal for collecting endpoint telemetry feeding into our industry leading open Taegis XDR platform for optimal threat prevention, detection and response.

Now, because we’re open, we ingest telemetry from third-party endpoint vendors as well as hundreds of other data sources from cloud, network and business systems. However, we include our Taegis endpoint agent at no additional cost with our XDR solution, because the value is in the telemetry, not in a siloed endpoint approach. Security teams that combine endpoint telemetry with additional security telemetry, machine learning and expert human analysts will maximize their detection performance by reducing false positives and false negatives. After all, you want to own the signal, not the noise.

Also bear in mind that a move to Taegis XDR may also enable you to free yourself from the SIEM “tax” you’re paying simply to aggregate your security-related telemetry (assuming you’re a SIEM user). Taegis XDR performs that aggregation as an intrinsic platform function. You don’t need a separate, expensive database just to store that telemetry somewhere.

In other words, by moving to Taegis XDR you get:

• An industry-leading platform for detecting, neutralizing, and excising active threats anywhere in your environment—driven by world-class threat intelligence derived from the 3,000 incident response and testing engagements we perform, the 175+ threat groups we monitor and 55,000 threat hunts performed annually.
• Continuous innovation in threat detection (see, for example, our patent-pending Hands-On Keyboard detector) which is continually adding to our 60 million curated threat indicators and 20,000 countermeasures.
• Bundled endpoint telemetry that’s effective, minimally invasive, easy to install and continuously updated, and included for no additional cost with the Taegis endpoint agent.
• Freedom from SIEM cost sprawl due to increasing data volumes and platform maintenance and configuration expenses.
• On-demand access to SecOps practitioners who have vast experience supporting 4,800 customers across 80 countries.
• Open architecture that lets you mix-and-match the tools you choose today and in the future.

Some 61% of data from Secureworks customers doesn’t come from endpoints, which means endpoints shouldn’t get 100% of your cybersecurity investment. Now is the time to take a panoramic view of your organization and get a real feel for your current security maturity. You’ll be better positioned for the challenges of today if you spread that investment out with XDR – and most certainly positioned for a better cyber future.

Written by Steve Fulton , Chief Product Officer