Slow EDR Rollout Needs a NG-IDS Compensating Control

When Anton Chuvakin, then a Gartner Analyst, first coined the term endpoint detection and response (EDR) in 2013, most enterprises raced to replace antivirus (AV) with EDR. And that makes sense, as EDR with machine learning-powered behavioral analysis has proven that it can strengthen host defenses against known and unknown attacker tactics compared to legacy AV.

I was a bit surprised when I read a quote by Gartner Research Vice President Peter Firstbrook about the slow progress made with EDR rollouts. Peter pointed out that only 30% of endpoints have EDR protection in place:

"Endpoint detection and response (EDR) tools are critical to detecting [SUNBURST type] attacks and to search history. Only 30% of endpoints have EDR capabilities so the industry has a long way to go."
—Peter Firstbrook, VP Analyst, Gartner

Nearly a decade after the term was coined, EDR is part of Gartner's SOC visibility triad, making it a top priority project for most businesses, which makes 30% adoption seem shockingly low. For more insights, I consulted the ExtraHop Threat Research team about EDR deployments on real networks. They shared that ExtraHop observes Window assets are making good progress, but nearly one in six are still part of the EDR blindspot. Linux based assets have an alarmingly lower EDR coverage rate—less than 5%.

Given the inherent challenges of deploying agent-based EDR on server infrastructure, non-Windows machines, IoT, and cloud assets, it may be quite a while before most enterprises achieve 100%.

EDR Gaps Need a Network Compensating Control

Through the lens of security and compliance, that gap points to a need for compensating controls. The natural place to add that compensating layer of security is the network. Network detection technology has always been an effective way to gain passive visibility into all the good, the bad, and the dangerous traffic entering and exiting endpoints.

Like EDR, network detection tooling has advanced too, moving past the simple, bimodal signature detection found in traditional IDS—technology that dates back to, and hasn't evolved a lot since the 1990's. Today, NG-IDS technology like Reveal(x) network detection and response (NDR) provides full-spectrum detection powered by machine-learning behavioral analysis, rule-based exploit pattern matching, and curated threat intelligence.

Many companies are using traditional signature-based IDS technology to add a compensation layer for EDR gaps. While making the decision to move to next-gen endpoint technology is a start, relying on signature-only IDS as a defense against modern threats is highly counterintuitive and leaves significant security gaps, including:

• Signature-based detections that are limited to known threats
• High volume of error prone alerts
• A lack of behavior-based detections for unknown threats
• Blindness to encrypted traffic
• Missed lateral movement and post-compromise activity
• Time-consuming workflows

MITRE Engenuity ATT&CK Evaluation

How far off the mark is traditional IDS from what we consider to be a modern model for network security efficacy? Today, scoping security efficacy is best described by the MITRE ATT&CK Framework. Following the framework is a powerful way for security leaders to understand adversary actions and validate security technology readiness.

In 2018, MITRE released test suites to measure efficacy against tactics, techniques, and procedures (TTP) actively perpetrated by advanced attackers in the wild. In 2020, the MITRE Engenuity ATT&CK Evaluation team released the APT29 test suite and the participating EDR vendor's results.

ExtraHop engineering leveraged MITRE evaluation plans to refine and validate detection capabilities and apply the framework to better communicate operational detection and remediation insights to Reveal(x) users.

I got wind of ExtraHop engineers running Reveal(x) NDR as an NG-IDS alongside Snort IDS filled with Cisco Talos and Proofpoint Emerging Threat signatures using the MITRE APT29 methodology (here's a diagram of our test configuration). In the context of EDR compensating controls against adversaries like Cozy Bear that were modeled in the APT29 test, the results offer valuable data for companies considering an upgrade to next-generation IDS, as security architects and leadership need data to help them get off the compliance treadmill of IDS—which doesn't actually provide serious security. I hope this data will help nudge you toward a next-gen approach to IDS.

Summary of MITRE APT29 Test Results

The results point to the simple fact that traditional IDS was not designed to stop modern attackers like Cozy Bear or provide an equivalent compensation control expected of an EDR-centric environment. In contrast, Reveal(x) aligns with the framework to stop the inevitable intruder before they pivot toward your valuables.

Observed Reveal(x) vs Snort IDS MITRE ATP29 Test Detections

Detailed Test Results

Test #Network Technique IdentifierReveal(x)Snort IDS*2.B.1T1041 - Exfiltration Over Command and Control ChannelTelemetry and technique detectionMissed4.AT1362 - Upload, install, and configure software/toolsTelemetryMissed7.BT1041 - Exfiltration Over Command and Control ChannelTelemetry and technique detectionMissed8.A.1T1086 - PowershellTelemetry and technique detectionMissed8.A.2T1086 - PowershellTelemetry and technique detectionTelemetry and technique detection8.BT1105 - Remote File CopyTelemetry and technique detectionTelemetry and technique detection9.B.8T1041 - Exfiltration Over Command and Control ChannelTelemetry and technique detectionMissed14.BT1003 - Credential DumpingTelemetry and technique detectionMissed16.AT1018 - Remote System DiscoveryTelemetryMissed16.C/DT1105 - Remote File CopyTelemetry and technique detectionMissed18.AT1537 - Transfer Data to Cloud AccountTelemetryMissed20.A.1T1003 - Credential DumpingTelemetry and technique detectionMissed

*Snort rules configuration include Cisco Talos snortrules-snapshot-29151 and Proofpoint emerging threats

Why Are the Test Scores So Dramatically Different?

The simple answer is that Reveal(x) uses full-spectrum detections powered by machine learning-based behavioral analysis. Combine that with rule-based detections and curated threat intelligence, and you have the secret sauce that can stop today's advanced threats.

Looking deeper, the ExtraHop technical marketing team took a look at Snort signatures provided by Cisco Talos and how they apply to MITRE ATT&CK–defined tactics, techniques, and procedures (TTPs). As it turns out, in early 2019, Talos added the MITRE TTP designators to new and existing signatures that could apply toward MITRE ATT&CK. Then we compared Reveal(x) and Snort signature applicability lists against the total network-centric TTPs to calculate a percentage.

Interestingly, the quantitative coverage comparison coincides with the APT29 test results.

Reveal(x) and Talos Snort signature network TTP applicability comparison

Recommendation

Modern attackers need to be dealt with using modern defenses. Using traditional, signature-based IDS technology as a compensating control for an incomplete EDR rollout leaves glaring holes for attackers to exploit. Today's attackers often land on easy targets then pivot towards valuables. Using your IDS budget for NG-IDS more than compensates for EDR gaps and helps stop the attacker before they do real damage.

Learn more about how Reveal(x) NDR supports security and compliance as a next-generation IDS technology.