Endpoint detection and response (EDR) solutions typically deploy in a standard configuration meant to generate the fewest false positive alerts in a generic environment.
This allows EDR to deploy very quickly, but it also leaves a number of security gaps. Here we’ll discuss why EDR vendors choose these configurations, and how organizations can tune their EDR systems to fit their own environment and improve security.
Why Do EDR Vendors Deploy Generic Installs?
When an EDR vendor sends a product out for installation, they need the process to go smoothly. If the product causes issues, the client might pull the plug early and cancel the install.
A major factor in a smooth installation is to avoid false positive security alerts that might overload a security team. To avoid these false alerts, the vendor will supply a rather generic version of the EDR tool that will avoid such issues.
Even more importantly, the vendor will deploy EDRs with minimal conditions that would automatically quarantine or isolate the endpoint. Customers generally want to prioritize uptime, so vendors will err on the side of caution to merely generate alerts when isolation might be a more appropriate response for the malicious action.
Hackers Are Prepared for Generic Installations
While the generic installation may not trigger false alarms, it may also miss legitimate indicators of an attack. However, what those specific attack alerts should be varies from organization to organization and from user group to user group, so development of these alerts is left up to the installation team.
Cyber criminals go after endpoint protection software all day, every day. Since many organizations fail to change the default setup, these attackers know the EDR defaults and understand how much they can do without triggering alerts.
Customization is not an overall solution to defeat attackers; however, it can create tripwires to trigger early alerts or block basic tools to make attacks more difficult. Because a custom environment doesn’t conform to generic expectations, attackers will be slowed and need to test boundaries.
EDR Customization Objectives
When determining what changes will help a company without flooding their security team with false alerts that waste time and money, the fundamental consideration should be to deeply study the organization and understand the answers to three basic questions:
- What should never happen?
- What should be expected all of the time?
- How do certain user groups behave differently?
These questions should be answered and prioritized within the context of:
- Risk: Which are the most valuable resources? What data cannot afford to be stolen? Which systems and operations cannot afford to be disrupted? And what are the most expensive resources to replace if destroyed (in terms of money and time)?
- Attack Exposure: Which resources are most exposed to the web or public access?
- EDR Dependence: What other controls are protecting assets? Which primarily depend on EDR?
- Vulnerabilities: Which MITRE ATT&CK techniques are most relevant and not currently generating alerts?
The answers for these questions should create a fairly unique matrix of assets to protect and behavior norms for each organization. This matrix will be the basis of customization and what types of alerts to add.
Covering all possible alerts would be a never-ending task, but specific categories of behavior and attacks can be considered as a place to start.
Atypical User Behavior
Determine what is normal for this company and for user groups. Atypical or abnormal behavior should be flagged for an alert.
Most users will never need to use an operating system (OS) command line, edit the Windows registry, or use red team attack tools such as Mimikatz or Cobalt Strike. Yet, we often see that generic installations will not send an alert on these events.
Similarly, in most companies, the sales team should never be trying to access the corporate server’s Active Directory. Therefore, the EDR tool for the devices used by this user group should generate alerts on those activities.
The larger an organization, the more difficult it will be for an IT team to understand what is normal and what is not normal across all groups. However, communication with managers can provide a good starting point, and many tools harness artificial intelligence (AI) and machine learning (ML) algorithms to improve visibility into typical activities.
Critical Data Access
The most critical data should have tightly restricted access. User groups without proper access rights should always generate alerts when they attempt to access critical data.
For example, the marketing department in a pharmaceutical company should never be trying to access the drug research data, and the warehouse employees of an e-commerce company should not be trying to access employee personal information from the file server’s human resources (HR) folders.
In a sprawling organization, data could be split up over cloud resources, data center servers, local network attached storage (NAS), and local devices. However, critical data should be tracked, and proper management and secure control of this data should be required and enforced.
Data Backup Access and Changes
The rise of ransomware and data wiper attacks makes data backups more important than ever. Access to data backups should be tightly controlled, and anyone attempting to modify or delete data backups should generate alerts or simply quarantine the device from the network to prevent widespread damage.
These alerts should even apply to legitimate deletions by authorized personnel. This will be important not only for maintaining strong security, but also for many compliance requirements that would be met by tracking verified deletion of old data.
Significant Data Changes
Data will often be added, moved, or removed from servers or across the network. However, the volume of the data and the number of files involved will usually fall within a specific range or be limited to specific users.
For example, a company that does subtitles for feature films will need to move huge files and use a lot of data bandwidth but only for the technicians working on the subtitled videos. For this organization, videos could be restricted to a specific server and a specific transmission method, and alerts would only be generated outside of that process.
However, in a lumber company, sending huge data files should be very rare and might merit an alert because the huge file might be a data exfiltration event. Similarly, most companies would want to be alerted if a huge number of files were suddenly moved or deleted from any source.
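The volume-based tripwires described in this section, as an added example that is not part of the original article and not any vendor's rule syntax: each user group gets its own baseline for how many files it may move or delete in a ten-minute window, how large a single transfer may be, and which destinations are approved. The group names, baselines, hosts and file events are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass
class FileEvent:
    ts: datetime
    user: str
    group: str
    op: str            # "read" | "write" | "move" | "delete"
    path: str
    size_mb: float
    dest: str = ""     # destination host or share for moves; empty otherwise


# Constructed per-group baselines. Subtitle technicians move huge video files,
# but only to the media server; every other group falls under the default.
BASELINES: Dict[str, dict] = {
    "subtitle-techs": {"max_files": 500, "max_mb": 50_000, "allowed_dest": {"media-srv-01"}},
    "default":        {"max_files": 50,  "max_mb": 500,    "allowed_dest": set()},
}
WINDOW = timedelta(minutes=10)


def baseline_for(group: str) -> dict:
    return BASELINES.get(group, BASELINES["default"])


def detect(events: List[FileEvent]) -> List[dict]:
    """Return one alert dict per rule hit, in time order."""
    alerts: List[dict] = []
    # Per-user timestamps of recent move/delete operations (sliding window).
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        b = baseline_for(ev.group)
        if ev.op == "move" and ev.dest:
            # A single transfer far above the group's norm looks like exfiltration.
            if ev.size_mb > b["max_mb"]:
                alerts.append({"user": ev.user, "rule": "oversized-transfer", "ts": ev.ts,
                               "detail": f"{ev.size_mb:.0f} MB to {ev.dest}"})
            # Groups with an approved path get alerted when they leave it.
            elif b["allowed_dest"] and ev.dest not in b["allowed_dest"]:
                alerts.append({"user": ev.user, "rule": "unapproved-destination", "ts": ev.ts,
                               "detail": ev.dest})
        if ev.op in ("move", "delete"):
            q = recent[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:   # expire operations outside the window
                q.popleft()
            if len(q) == b["max_files"] + 1:      # fire once, when the threshold is crossed
                alerts.append({"user": ev.user, "rule": "mass-file-change", "ts": ev.ts,
                               "detail": f"{len(q)} move/delete ops within {WINDOW}"})
    return alerts


# Constructed sample telemetry: one technician, one office user at a lumber company.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    FileEvent(T0, "tvu", "subtitle-techs", "move", "/media/feature_4k.mxf", 20_000, "media-srv-01"),
    FileEvent(T0 + timedelta(minutes=1), "tvu", "subtitle-techs", "move", "/media/feature_4k.mxf", 20_000, "personal-nas"),
    FileEvent(T0 + timedelta(minutes=2), "bsmith", "office", "move", "/finance/archive.zip", 1_200, "ext-share"),
] + [
    FileEvent(T0 + timedelta(minutes=3, seconds=i), "bsmith", "office", "delete", f"/finance/inv_{i:03}.pdf", 0.2)
    for i in range(60)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']:%H:%M:%S} {a['user']:7} {a['rule']:22} {a['detail']}")
```

The technician's 20 GB move to the media server produces nothing, while the same file sent to an unapproved share does; the office user trips both the single-transfer size limit and, once the 51st delete lands inside the window, the mass-change rule exactly once.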
Unusual Software and Tool Use
The larger the organization, the harder it will be to monitor all of the different software in use regionally and in what languages. Still, there will be baseline software use that can be monitored using alerts.
In a big multinational electronics manufacturer, for example, the accounting team may need to enable macros for their complex Excel spreadsheets, but the sales executives may not have any reason to do so. In this case enabling macros by users such as the sales team should trigger alerts about potential malware being activated.
Even more fundamentally, most users would not know what a command prompt is, let alone how to launch it. Many users have never heard of Net.exe or even PowerShell.
Only a small percentage of lawyers, business executives, or warehouse employees would be inconvenienced by being denied access to command prompts, PowerShell, or other dangerous programs. While these can and should be controlled by Work Groups in Active Directory, alerts should also be enabled through the EDR system to flag such unusual behavior or even automatically quarantine the endpoint.
AI-enhanced EDR can learn to detect such behavior on its own, but AI can always be bolstered with hard rules that reinforce expectations. Even if the alert is applied universally across all systems and users, admins may still use these tools for legitimate purposes, and since they triggered the alarms themselves, they will have no problem verifying that the alert can be ignored.
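A group-aware process-creation rule that covers both the Atypical User Behavior section and this one, as an added example that is not part of the original article and not any vendor's rule language. It maps each user group to the tools it is expected to run and whether macro-enabled documents are part of its work, then decides between logging, alerting and isolating. The group names, host names, tool lists and events are constructed; the `GROUP_POLICY` table is the hard-rule layer the paragraph above describes, sitting beside whatever the vendor's own analytics provide.

```python
from dataclasses import dataclass
from typing import List, Optional

# Programs ordinary business users have no reason to launch (constructed list).
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "reg.exe", "regedit.exe"}
# Substrings identifying red-team tooling; treated as hostile on any endpoint (constructed).
ATTACK_TOOLS = {"mimikatz", "cobaltstrike", "beacon"}
# Office hosts whose child processes reveal macro activity.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Per-group expectations (constructed): admin tools the group may run, and whether
# macro-enabled documents are normal for it.
GROUP_POLICY = {
    "it-admins":  {"tools": ADMIN_TOOLS, "macros": False},
    "accounting": {"tools": set(),       "macros": True},
    "sales":      {"tools": set(),       "macros": False},
    "hr":         {"tools": set(),       "macros": False},
}


@dataclass
class ProcessEvent:
    host: str
    user: str
    group: str
    image: str      # file name of the new process
    parent: str     # file name of the parent process
    cmdline: str


@dataclass
class Alert:
    host: str
    user: str
    severity: str   # "info" | "high" | "critical"
    action: str     # "log" | "alert" | "isolate"
    reason: str


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    policy = GROUP_POLICY.get(ev.group, {"tools": set(), "macros": False})
    # 1. Attack tooling: isolate regardless of group; an admin who ran it can explain afterwards.
    if any(t in image or t in cmd for t in ATTACK_TOOLS):
        return Alert(ev.host, ev.user, "critical", "isolate", f"attack tool in {ev.image}")
    # 2. Office spawning a shell is the shape of a macro dropper. Groups that never use
    #    macros get isolated; groups that do still get a high-priority alert.
    if parent in OFFICE_HOSTS and image in ADMIN_TOOLS:
        if policy["macros"]:
            return Alert(ev.host, ev.user, "high", "alert", f"{ev.parent} spawned {ev.image}")
        return Alert(ev.host, ev.user, "critical", "isolate",
                     f"{ev.parent} spawned {ev.image} in group {ev.group}")
    # 3. Admin tooling launched by a group that is not expected to use it.
    if image in ADMIN_TOOLS and image not in policy["tools"]:
        return Alert(ev.host, ev.user, "high", "alert", f"{ev.image} run by group {ev.group}")
    # 4. Admin tooling by an expected group: keep the telemetry, raise nothing.
    if image in ADMIN_TOOLS:
        return Alert(ev.host, ev.user, "info", "log", f"{ev.image} run by {ev.user}")
    return None


def triage(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WS-SALES-07", "jdoe", "sales", "powershell.exe", "explorer.exe", "powershell.exe -NoProfile"),
    ProcessEvent("WS-ACCT-02", "mlee", "accounting", "excel.exe", "explorer.exe", "excel.exe q3-forecast.xlsm"),
    ProcessEvent("WS-ACCT-02", "mlee", "accounting", "cmd.exe", "excel.exe", "cmd.exe /c whoami"),
    ProcessEvent("WS-SALES-03", "rkim", "sales", "cmd.exe", "excel.exe", "cmd.exe /c whoami"),
    ProcessEvent("ADM-01", "admin1", "it-admins", "net.exe", "cmd.exe", "net.exe user"),
    ProcessEvent("WS-HR-01", "pwong", "hr", "mimikatz.exe", "cmd.exe", "mimikatz.exe"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.action:7} {a.host} {a.user}: {a.reason}")
```

Note the ordering of the rules: the attack-tool check runs first so that an administrator running Mimikatz is isolated too, and the admin's own `net.exe` use is kept as an informational record rather than dropped, which is what lets the team later verify a self-triggered alert.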
Consider Gaps in Coverage, Detection and Monitoring
When setting up EDR or any security tool, consider and verify what assumptions may be in place. For example, is there an assumption that EDR coverage is applied to all endpoints, that the EDR detects all attacks, or that the EDR is being monitored?
Gaps in Endpoint Coverage
Applying alerts and tightening security on corporate desktops and laptops doesn’t help the security team much if mobile devices and BYOD (bring your own device) devices go unsupervised. In addition, Internet of Things (IoT) and operational technology (OT) devices within the network should be accounted for and controlled.
Asset discovery should be one of the first steps in EDR installation. If the EDR, for whatever reason, cannot be installed on a class of endpoints, then other devices might want to alert the security team if that unsupervised class of devices attempts to access a protected device.
For example, is there any condition under which a security camera’s IP address should be the source of a user login to a shared server? Most organizations can safely create an EDR alert that checks for unusual sources of a login or access attempt.
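The unusual-source check just described, as an added example that is not part of the original article: the asset-discovery step yields address ranges for device classes that cannot run the agent (cameras, printers, OT controllers), and any logon to a protected server from one of those ranges, or from an address the inventory does not know at all, raises an alert. The ranges, host names, the `svc_scan` exception and the logon records are constructed; the logon-type numbers follow the Windows convention (3 = network, 10 = remote interactive).

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Asset-discovery output (constructed): ranges holding device classes that cannot
# run the EDR agent, plus the ranges where managed workstations live.
UNMANAGED_RANGES = {
    "ip-cameras": ipaddress.ip_network("10.40.0.0/22"),
    "printers":   ipaddress.ip_network("10.41.0.0/24"),
    "ot-plc":     ipaddress.ip_network("10.50.0.0/16"),
}
MANAGED_RANGES = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
PROTECTED_HOSTS = {"FS-01", "DC-01"}
# Known-good exceptions (constructed): printers do scan-to-share with one service account.
EXCEPTIONS = {("printers", "svc_scan", "FS-01")}


@dataclass
class Logon:
    target_host: str
    user: str
    src_ip: str
    logon_type: int   # Windows logon type: 3 = network, 10 = RemoteInteractive


def classify_source(ip: str) -> str:
    """Name the device class a source address belongs to, per the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, net in UNMANAGED_RANGES.items():
        if addr in net:
            return name
    if any(addr in net for net in MANAGED_RANGES):
        return "managed"
    return "unknown"   # not in the inventory at all: a coverage gap in itself


def evaluate_logons(logons: List[Logon]) -> List[dict]:
    alerts: List[dict] = []
    for lg in logons:
        cls = classify_source(lg.src_ip)
        if cls == "managed" or (cls, lg.user, lg.target_host) in EXCEPTIONS:
            continue
        severity = "high" if lg.target_host in PROTECTED_HOSTS else "medium"
        if lg.logon_type == 10:   # an interactive session from a device that should never open one
            severity = "high"
        alerts.append({"severity": severity, "source_class": cls, "user": lg.user,
                       "src_ip": lg.src_ip, "target": lg.target_host})
    return alerts


# Constructed sample logon records.
SAMPLE_LOGONS = [
    Logon("FS-01", "svc_backup", "10.10.5.23", 3),   # managed workstation range: fine
    Logon("FS-01", "svc_scan", "10.41.0.9", 3),      # printer scan-to-share: listed exception
    Logon("FS-01", "jdoe", "10.40.1.17", 3),         # user logon sourced from a camera
    Logon("WS-22", "admin1", "10.50.3.4", 3),        # PLC range reaching a workstation
    Logon("DC-01", "admin1", "172.16.9.4", 3),       # address the inventory has never seen
]

if __name__ == "__main__":
    for a in evaluate_logons(SAMPLE_LOGONS):
        print(f"[{a['severity']:6}] {a['source_class']:10} {a['src_ip']:13} -> {a['target']} as {a['user']}")
```

The explicit exception table is what keeps this rule from becoming a false-positive generator: the printer's scan-to-share traffic is expected and documented, while a camera address authenticating to the file server has no legitimate explanation.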
Gaps in Attack Detection
Be sure to also inspect the gaps in EDR solutions against categories or specific types of attack.
Check the MITRE ATT&CK evaluations for when an EDR only provides minimal data or telemetry or does not provide any information at all. The IT security team can plug the gaps by creating custom alerts to catch specific actions.
Gaps in Attack Monitoring
Make sure the alerts are delivered to a team that is focused and paying attention.
For example, on March 31, 2021, the Conti ransomware gang gained access to a PC in Ireland’s public healthcare system, and the anti-malware successfully detected their use of Cobalt Strike and Mimikatz.
Unfortunately, no one responded to the warning, and the country’s healthcare system was crippled two months later. The security setup failed in two fundamental ways:
- The anti-malware was set to monitor only and not interfere.
- The anti-malware sent the alert, and the alert was ignored.
The IT team establishing the endpoint protection justifiably decided that doctors and nurses generally don’t need to deploy hacking tools. Unfortunately, they did not set up the EDR or the user group to deny access; they merely set an alert.
However, many security teams suffer from alert fatigue. With a rising number of attacks and a constant shortage of qualified security personnel, many security teams find themselves working longer hours against ever-longer queues of issues.
EDRs can be customized to help security teams avoid alert fatigue by categorizing certain actions for immediate responses. It will be much easier long-term to deal with an angry user that triggered a quarantine than to restore the entire infrastructure of an organization.
Consider Customizing Your EDR Solution
EDR customization will take time, effort, and probably money. While a security team may determine many possible alerts that could be added, financial limitations may limit the number of alerts and automated actions that can be realistically implemented.
However, customized defense provides an enormous advantage to a security team. Advance warning from optimized alerts reduces attack windows. Optimized automated responses can also reduce alert fatigue and cut off attacks in progress.
Short-term customization costs will need to be balanced against the potential long-term savings from a customized EDR deployment. Security teams can use risk analysis to prioritize key assets and users to prioritize alerts to implement.
As time progresses, improved budget circumstances may allow for the number of alerts or automated remediations to be increased and improved. The most important thing is to start now.
For those that choose not to customize their EDR at installation, future successful attacks may force customization. Unfortunately, it is guaranteed that the forced customization will be far more expensive than the voluntary customization.