If an EDR solution can spot an attack, why doesn’t it stop it too?
SE Labs tested Crowdstrike Falcon in this Breach Response test, pitting it against a range of hacking attacks designed to compromise systems.
This month shattered any doubt that intrusion detection technology is necessary. Large companies and other organisations that rely on compromised technology from IT management firm SolarWinds are racing to discover possible breaches.
Journalists: Google your next headline
And it’s not like things have been quiet on the breach front more generally. Once, security vendors and the press cast around desperately for examples of breaches. The vendors used the rare known cases to sell their software.
Journalists used them to write explosive articles. Now it’s a case of Googling ‘ransomware’ and choosing from the dozens of recent reports, including attacks on major healthcare, technology and educational victims.
Security vendors design so-called endpoint detection and response (EDR) products to spot a breach and document it. If something weird happens, like company data being leaked, you want to know what happened to avoid a similar problem.
An EDR product or service can help, even when the security industry doesn’t know about the specific malware used. Some of those companies reeling from the SolarWinds attack are probably digging through their EDR logs now, wishing they had monitored them more closely.
This poses a question, though. If an EDR solution can spot an attack, why doesn’t it stop it too?
Transforming detection into protection
Increasingly, vendors have been taking this approach, ‘weaponising’ the capability of their detection technology to enable protection. It’s a bit like attaching a sniper rifle or (less lethally) a massive glue gun to a CCTV camera. Wouldn’t it be better to neutralise the threat rather than quietly observe as it does damage or steals things?
Breach Response Test: Crowdstrike Falcon
In our Breach Response testing we have two different modes that we use to test products. The ‘Detection’ mode measures all the different ways in which a product can detect an attack, and at which stages it can do so. Our ‘Protection’ mode, as used in this report, shows a product’s ability to both detect and stop a threat.
Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Breach Response test reports help you assess which are the best for your own organisation.