How EDR Will Supplant Antivirus as the Key to Endpoint Security

How EDR Will Supplant Antivirus as the Key to Endpoint Security

Here’s the question which has tormented enterprise IT decision-makers for the past few years: How will EDR supplant traditional antivirus as the key to strong endpoint protection? When will it happen? How would it change the calculations?

However, people asking that question often miss the forest for the trees. The fact is that EDR didn’t create a new cybersecurity category and pulled the market to it. Instead, EDR responded to an already accelerating market shift and changing InfoSec priorities. After all, cybersecurity tries to adapt to an ever-evolving threat landscape, and the threat landscape of even a few years ago was already destroying the prominence of antivirus.

 

Why Antivirus is Falling Apart

Let’s take a look at endpoint security through a historical lens. Originally, endpoint security basically boiled down to deploying antivirus on the endpoints and perhaps running it actively once in a while. This made sense for how endpoints operated in enterprise IT environments at the time. Even if every employee had a computer (not always the case), they generally stayed on-premises. Additionally, every virus had a signature, which antivirus could easily detect and therefore remove without issue.

Sure, sometimes a serious breach or attack would occur. But the danger felt contained, to one degree or another. So what changed?

Hackers changed. Or rather, their tactics and tools changed. The popular imagination of hackers as black hooded basement dwellers creating viruses for pranks obfuscates the true nature. In short, the majority of hackers do what they do as a career. Sometimes they organize into pseudo-corporations with or without governmental support. At other times, they work independently but take advantage of the vast resources available on the Dark Web.

So they began evolving their attacks to bypass antivirus capabilities. First, they innovated their viruses to operate without signatures, which required antivirus capabilities to catch up. Then they began using more insidious tools like cryptojacking viruses, phishing attacks, and fileless malware, which antivirus struggles to this day to detect let alone contain.

Further, the IT environment and the endpoints connecting to those environments changed as well. Mobile devices and portable endpoints became the norm, with the COVID-19 pandemic forcing more enterprises to embrace bring-your-own-device (BYOD) and remote work policies. Antivirus struggles when trying to protect disparate IT environments, and at some point in the past few years, this became the norm.

Why EDR Will Supplant Antivirus

Of course, cybersecurity didn’t take all of these changes laying down. Instead, it adapted just as much as hackers did in a kind of feedback loop. The old prevention model embodied by antivirus faded from prominence as businesses instead embraced a detection and response model.

EDR fits with this model perfectly, which explains why it has already supplanted antivirus as the key to endpoint protection. EDR monitors every device connecting to the IT environment, regardless of their physical or digital location. If it detects something which violates either baseline behaviors or normal processing (such as malware), it sends an alert to your IT security team. This prompts faster investigation times, which in turn leads to faster response times.

With the damage of a breach growing exponentially with dwell time, reducing dwell time via fast response matters more than ever. EDR can even pause malicious activities so investigators can more adequately investigate without fearing getting outpaced.

Why EDR?

More accurately, why is EDR important in the face of other tools and solution options. Why not SIEM or XDR?

EDR offers a firsthand view of the actual endpoint. Remember, the endpoint is the actual gateway for almost all users into the IT environment. It remains a critical attack vector and target for hackers both external and internal. SIEM can provide that same visibility but is more suited to databases, applications, and individual user behaviors rather than endpoints. XDR, in its current definition, works as a means to bridge cybersecurity platforms and unify data silos for better analysis.

EDR operates on the ground, so to speak, working alongside your employees and devices. Maybe now’s the time to deploy it on your business. EDR will supplant antivirus. Perhaps it already has.

Check out the EDR Buyer’s Guide for more.

 

Follow me

Ben Canner

Editor, Cybersecurity at Solutions Review
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner
Follow me