Cybersecurity faces a daunting challenge in stopping new and evasive threats, as evidenced by the significant increase in attacks despite the $172 billion spent on global cybersecurity in 2022. Threat actors armed with cloud-based tools and supported by sophisticated affiliate networks can develop new malware much faster than organizations can update their defenses.
The reliance on malware signatures and blocklists against rapidly evolving attacks has become ineffective. As a result, threat detection and investigation have become the focus of the SOC toolkit. Organizations now rely on security controls to log any potentially malicious activity, which security analysts scrutinize to determine what to investigate further. However, these methods are proving insufficient as 76% of security teams are understaffed and 56% of attacks take months or longer to discover.
The global cost of cybercrime is expected to reach $10.5 trillion by 2025, indicating a need for change. While detection technologies have their purpose, they have been overemphasized. Prioritizing threat prevention is crucial, as zero-trust leaders believe in assuming that prevention controls have already failed and that an organization is being breached at all times.
The endpoint is just the starting point
Although many security categories demonstrate the gaps in detection-first security strategies, let's focus on one in particular: endpoint detection and response (EDR).
Adoption of EDR has spread like wildfire. It is now a $2 billion sector that is growing at a 25.3% CAGR. It makes sense: most attacks begin at the endpoint, and detecting them early in the attack chain reduces the impact. A strong EDR solution also provides extensive endpoint telemetry to aid in investigations, compliance, and the detection and mitigation of vulnerabilities.
Endpoint security is a worthwhile investment and a key component of zero trust, but it is not the entire story. XDR solutions do not provide defense-in-depth on their own, despite vendor claims of "extended" detection and response that connects data across the organization. EDRs have antivirus to detect known malware, but they often allow all other traffic to flow through, relying on analytics to discover what the AV missed.
Every tool has flaws, and EDR is no exception, because:
Not every attack begins at the endpoint. The Internet is the new network, and most businesses have a diverse set of data and applications housed across multiple clouds. They also regularly utilize internet-routable equipment such as VPNs and firewalls.
Not all endpoints are under IT management. While EDR depends on agents that are installed on every device under IT management, it fails to consider the various situations where unmanaged endpoints may come into contact with your data or networks, such as personal devices used for work, IoT and OT devices, third-party partners and contractors who have access to data, or guests who use Wi-Fi in your office.
EDR is vulnerable to being bypassed. All security tools have their own limitations, and EDR is known to be susceptible to being circumvented by several common methods, such as exploiting system calls. Cybercriminals use encryption and obfuscation techniques to create new PDFs, Microsoft 365 documents, and other files that alter the malware's fingerprint and avoid detection by conventional cybersecurity models.
Modern threats are very fast-moving. Most of the ransomware strains that are available for purchase on the dark web can encrypt data too quickly for detection-based technologies to be effective. LockBit v3.0 can encrypt 25,000 files in a minute, and it is not even the fastest ransomware available. In contrast, the average time to detect and mitigate a breach is 280 days. That is more than enough time for LockBit to encrypt over 10 billion files.
Get your security in line
True, signature-based antivirus systems are no longer sufficient to prevent sophisticated threats. However, the same AI-powered analytics that power detection technologies can (and must!) be used for prevention as well as detection if delivered inline. This prevention strategy must take into account your entire infrastructure, not just your endpoints or any other component of your architecture.
A sandbox is an excellent example of a security technology that may be used in this manner. Sandboxes protect against complex and undiscovered threats in real time by analyzing suspicious files and URLs in a secure, isolated environment. When they are deployed inline (rather than as a passthrough), a file is not allowed to progress until the solution returns a verdict.
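To make the inline-versus-passthrough distinction concrete, here is an added Python sketch (not code from the article or from any vendor's product) that models a verdict gate in front of a sandbox. The file names, their verdicts, and the fail-closed handling of a sandbox timeout are constructed assumptions for the illustration.

```python
from enum import Enum

class Verdict(Enum):
    BENIGN = "benign"
    MALICIOUS = "malicious"
    TIMEOUT = "timeout"  # the sandbox did not answer within the hold window

# Constructed sample verdicts standing in for a real sandbox's analysis
# (file names and results are made up for this illustration).
SAMPLE_VERDICTS = {
    "invoice.pdf": Verdict.BENIGN,
    "update.docm": Verdict.MALICIOUS,
    "installer.iso": Verdict.TIMEOUT,
}

def sandbox_analyze(filename, verdicts=SAMPLE_VERDICTS):
    """Stand-in for submitting a file to a sandbox and waiting for its verdict."""
    return verdicts.get(filename, Verdict.BENIGN)

def process_files(filenames, mode, fail_closed=True, analyze=sandbox_analyze):
    """Route files through the sandbox in 'inline' or 'passthrough' mode.

    inline:      the file is held and delivered only on a BENIGN verdict; on
                 TIMEOUT the fail_closed policy decides whether it stays held
                 (True) or is released unscanned (False).
    passthrough: the file is delivered first and the verdict arrives later, so
                 a MALICIOUS result can only raise an alert, not stop delivery.
    """
    outcome = {"delivered": [], "blocked": [], "alerted_after_delivery": []}
    for name in filenames:
        if mode == "passthrough":
            outcome["delivered"].append(name)  # already on the endpoint
            if analyze(name) is Verdict.MALICIOUS:
                outcome["alerted_after_delivery"].append(name)
            continue
        if mode != "inline":
            raise ValueError(f"unknown mode: {mode}")
        verdict = analyze(name)
        release_on_timeout = verdict is Verdict.TIMEOUT and not fail_closed
        if verdict is Verdict.BENIGN or release_on_timeout:
            outcome["delivered"].append(name)
        else:
            outcome["blocked"].append(name)
    return outcome

if __name__ == "__main__":
    for mode in ("inline", "passthrough"):
        print(mode, process_files(list(SAMPLE_VERDICTS), mode))
```

Run it and compare the two modes: in passthrough the malicious document is already on the endpoint when the alert fires, while inline it never leaves the gate, and the timeout case shows why a fail-closed policy matters for an inline deployment.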
About the Creator
With over two decades of experience in the field, Jason Davis is a seasoned cybersecurity expert. His expertise extends across diverse systems, from small-scale businesses to large multinational organizations.