shield shield

 DDACS 2.0.1

   Protect yourself at all times!

EDR and Adequate Security

Endpoint Detection and Response (EDR) is a term that in security world unifies automatic protection solutions. They attempt to recognize attacks and once recognized - act to prevent them.

Consider a program that automatically determines all possible attacks on your computer and prevents them. If it indeed protects reliably, that would be ideal. However, studies show year after year that more and more security solutions appear, but attacks launched and succeeded are also more and more. How come?

The main problem with automated detection systems is that they miss. They miss in both ways - produce false alarms and miss attacks.

Sometimes you may read that some EDR system succeeds to prevent 80 or 85% of attacks. What does this mean?

In probability theory in mathematics there is a notion of "improbable event". It's not that probability is zero - the event may happen, but likelihood of it occurring is low enough to assume that in a single experiment it won't happen and take the respective risk. So how little is low enough?

It depends on application. Imagine that you accepted a new and exciting job, and it's important for you to succeed. Among other tings you need to care to be in time at work and at home after work. So you study railway's stats and find that its train may arrive late once in 1000 travels. Is it OK for you to use the train?

Probably yes. You may be prepared to explain your lateness at work or at home once in two years due to train and be calm, assuming that for your practical purposes train's late arrival is an improbable event.

Now you need to take a business trip to another country. You study airlines and aircraft models and find that an airline has a crash rate of one in 1000 flights. Is it OK for you to use the airline?

Most likely no. In reality airlines bear probability of one incident in 1 to 7-8 millions of flights, and an airline with incident rate of 3 or more in one million flights already raises safety concerns.

The higher is the value at stake, the lower is acceptable probability of an "improbable event" of failure that allows taking the risk.

If an EDR was enough experimented with and showed attacks prevention rate of 85%, apparently it means that when you are attacked, you have chance of 0.15 to be hit. Is it low enough to rely on the EDR?

It again depends. If you manage a large enterprise network of computers, each of which doesn't hold particularly high value, and need to report quarterly about 85% of prevented attacks, then yes. But if you keep on your PC a patent that you were working on for two decades and it's not yet registered, you probably can't tolerate a risk of 15% that the information will be stolen in a single attempt.

The EDR is actually a game program that plays without knowing all the rules. When you are attacked, the hacker knows it for sure and you would know for sure if you knew what happens with your computer. EDR detects an attack by analysing behavior - sequence of accesses, actions attempted on your computer. When certain access pattern is matched, it concludes that you are attacked.

But there may be that you and the hacker make very similar access. For example, you may search many files for some important information, because you forgot where it is exactly. The hacker may get remote access to your computer and also search many files for important information because he wants to steal it. You know the difference and the hacker knows it, but behavior is the same and automatic detection software will not be able to see the difference.

Automatic EDRs are designed to protect against zero-day attaks. But most protection rates are measured with attacks by methods known to developers when the protection was designed. How well they will do against brand new attacks that use methods and patterns not known by the time that the EDR was released, is likely an information that will always be missing. And automatic detection is extremely helpless against manual or dedicated attack that may take only a couple of actions to steal your data.

If you have high-value information on your computer, automatic protection will not be enough - you will need dedicated protection that can enforce your specific rules set to prevent exactly 100% of attacts.

© Daniel Drubin 2020