Bye Bye EDR…

June 13, 2017 in EDR

Update

If you had read the below post and it made your blood boil, mission accomplished 😉 Just kidding. The idea of the post was and still is this – to raise the question: what is the value of EDR and how do we measure it? I am assuming the value is there, but it’s lower than expected. I was myself quite shocked when I had to come to terms with this observation.

And just in case – this was a vendor-independent statement. I woke up one morning and realized that I have expectations towards EDR, and today we are pretty far from having these expectations met.

So, while shots were fired, the question remains: how do we assess the value of EDR?

For comparison: AV is looked at in a very harsh way. The expectation is to cover 100/100.

Can we apply the same assessment criteria to EDR?

I’d love to see high-fidelity alerts only from EDR. But I know it’s impossible.

What’s the acceptable ratio then? 30%?

This is a valid question, because in a large organization you need resources to eyeball all these mail alerts and dashboards. And expectations should be set for the analysts who process this data.

And if the ratio of TPs is low, you end up looking at events most of the day, every day, and hey… isn’t the whole idea of tools like EDR to recognize the incidents in the flood of events…?
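One way to put a number on the question above, as an added example that is not part of the original post: score each detection rule by the precision of its alerts from analyst triage verdicts. The triage records, rule names, the 30% acceptable ratio (taken from the question above) and the 10 minutes of analyst time per alert are all constructed assumptions.

```python
from collections import defaultdict

# Constructed triage log, not real EDR output: (rule name, analyst verdict),
# where True means the analyst confirmed a true positive.
TRIAGE_LOG = (
    [("encoded_powershell", True)] * 3 + [("encoded_powershell", False)] * 2
    + [("lsass_access", True)] * 1 + [("lsass_access", False)] * 9
    + [("office_spawns_shell", True)] * 2
    + [("new_scheduled_task", False)] * 8
)

MINUTES_PER_ALERT = 10      # assumed average time to eyeball one alert
MIN_PRECISION = 0.3         # assumed acceptable TP ratio, per the question above


def score_rules(records, min_precision=MIN_PRECISION):
    """Per-rule TP/FP counts, precision, triage cost and a tuning flag."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rule, is_tp in records:
        counts[rule]["tp" if is_tp else "fp"] += 1
    report = {}
    for rule, c in counts.items():
        total = c["tp"] + c["fp"]
        precision = c["tp"] / total
        report[rule] = {
            "alerts": total,
            "fp": c["fp"],
            "precision": round(precision, 2),
            "analyst_minutes": total * MINUTES_PER_ALERT,
            # a rule below the acceptable ratio is a tuning or retirement candidate
            "needs_tuning": precision < min_precision,
        }
    return report


def overall_precision(records):
    """Share of all alerts that were true positives (the 'ratio' in the post)."""
    return sum(1 for _, is_tp in records if is_tp) / len(records) if records else 0.0


def tuning_priority(report):
    """Rules to fix first: flagged ones, most false positives (analyst time) first."""
    flagged = [r for r, v in report.items() if v["needs_tuning"]]
    return sorted(flagged, key=lambda r: report[r]["fp"], reverse=True)


if __name__ == "__main__":
    rep = score_rules(TRIAGE_LOG)
    print(f"overall precision: {overall_precision(TRIAGE_LOG):.2f}")
    for rule in tuning_priority(rep):
        print(f"tune {rule}: {rep[rule]}")
```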

Old post

I officially lost faith in EDR.

I know that for some it works. It does work for me too. Sometimes. But… more often than not – it doesn’t.

I am done with the EDR.

Its alerting follows the path of firewall, IDS, DLP, Windows event logs, and… Yara rules. Lots of alerts, poor ROI.

Arrivederci EDR.

AV beats EDR in so many aspects. It’s high fidelity. It’s precise. Its heuristics feeds are often better. It also offers remediation, and it is undo-able. It even prevents bad stuff from running.

EDR is kaputt.

It assigns value to the so-much-hated signatures. The form has changed, but the result is the same: you only see what you can write a rule for. And then you see it, and it’s surrounded by so many FPs. You probably suck at writing rules. Except many are not written by you and come from the other threat hunting experts.

EDR is a waste of money, and time. Now, there you have it – I’ve said it.

EDR was a nice utopia. I believed in it for a while. In a perfect world you can gather all these logs, gather intel about activities on the system, of the user, and network events, and then profile various scenarios and look at the dashboard, happily cherry-picking the bad guys. A nice placebo in the absence of better solutions, despite them being available for a long time (e.g. whitelisting).

But in reality you face alarm fatigue and suffer from infobesity.

EDR stands for Endpoint Detection and Response. It’s neither Detect nor Response. But in my books, it’s defo at the end point.
