EDR is not a silver bullet

Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.

As cybersecurity professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.

Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cybersecurity regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by our customers in 2021, the most popular testing vector was EDR.

Yet cybersecurity stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.

Not a silver bullet…But still highly relevant

While EDR should not be your only line of defense against advanced threats, including it in a defense solution array is paramount. It should be installed on all organizational servers – including Linux-based ones. Yet installation is not enough. Your organization is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned. Why? Based on our findings in the study mentioned above, here are three reasons fine-tuning EDR and underlying OS are crucial:

1. Vulnerabilities

A key challenge with EDR is that not everything security-related is dependent on EDR. EDR is a vendor-provided, third-party solution that underlies first party security controls – like cloud application controls or operating systems. Because of this, there are certain things that EDR solutions will not do for fear of interfering with production assets. The fact is that hackers frequently take advantage of vulnerabilities in first party controls to get around EDR.

2. Excessive permissions

In many companies, operating system permissions do not yet conform to the principle of least privilege. Frequently, employees in the field who have a business or non-technical roles enjoy excessive permissions. When these trusted actors can do things like pop up PowerShell to manipulate the control panel, run DLL files, and access directories that are not the Windows directory – the organization ends up exposed. When excessive permissions enable DLL loading and injections, various JavaScript-based vulnerabilities, or certificates that allow wildcards – all EDR solutions can do is play post-attack catchup. The reason? EDR is based on an “assume breach” mentality. And post-execution remediation, by definition, is only relevant once the attack has taken place.

3. Legacy protocols

Every enterprise environment has legacy assets. Legacy applications, TCP IP protocols, operating systems…all these have legacy ways of doing things that frequently remain enabled by default. Sometimes this is a case of necessity, but frequently these backdoors are left open because nobody thought to close them.

For example, in a recent patch, Microsoft requested that Exchange admins disable basic authentication, which has been the default since forever. There’s no way to prevent man-in-the-middle attacks with basic authentication enabled, so there’s a need to switch to advanced authentication. This is a legacy protocol that remained exposed…until somebody closed the door.

Another example are legacy Microsoft HTA files. These are Windows-native binary files that are used to call Microsoft HTML applications and live in the Windows System32 folder. One click and these files can be replaced with malware – with EDR none the wiser.

The bottom line

Even as they remain the cornerstone of most cybersecurity defenses, EDR systems are clearly no silver bullet. They’re not sufficient to protect the organization as a first line of defense against security breaches. That said, EDR – if optimally implemented along with OS testing and tuning – has an important role to play. To maximize security return on investment from EDR solutions, organizations need to ensure that EDR isn’t being undermined by first-party vulnerabilities, excessive permissions, or legacy protocols.