Are You Really Protected? The Myth of EDR-Driven Security
Cybercriminals have become adept at bypassing traditional defenses to move freely across the network, putting our security stack into question.
November 4, 2024
Since the beginning of IT, adversaries have found ways to breach and attack a computer system — and defenses constantly must evolve to catch up.
With endpoint detection and response (EDR), firewalls, and email security in place, you might feel secure — yet the bad guys are still getting in. What are we doing wrong?
Well, if you do what you've always done, you get what you've always got. To mature the stack, our security architecture has to become resilient and self-reliant.
Cyber Stacks Have Never Been Impenetrable
There has never been a wall built that cannot fall. In spite of stronger and more technically advanced defenses, year upon year, the number and scope of breaches continue to rise. Antivirus evolved into EDR; spam filtering evolved into complete email security — and still, nothing is ever impenetrable.
IBM's "Cost of a Data Breach Report 2024" states that the global average cost of a data breach in 2024 is $4.88 million, and the damage inflicted by cybercrime gets worse annually. The predicted cost of data breaches to the global economy is over $20 trillion by 2026, according to data reported by Statista.
State actors are funding more cybercrime groups than ever before. For several years, most nation-state cyberattacks have originated in Russia, yet countries including North Korea and Iran are increasingly developing their cybercrime abilities, reports the World Cybercrime Index.
And artificial intelligence (AI) is increasing the volume and speed of attacks and allowing criminals to improve their social engineering skills. Threats using AI-enabled human targeting are growing more difficult to detect and defend against — even with AI tools being used to identify them, says Microsoft's "2024 Digital Defense Report."
So why do organizations feel their current defenses are enough?
The EDR Illusion
The illusion of security is a dangerous thing. It's like walking a tightrope over an abyss while thinking you have a safety net: If you are not aware of the dangers, you don't take measures to stay safe.
EDRs are the biggest example of this in modern cybersecurity. Many organizations believe that EDRs will protect them, no matter what, but cybercriminals are taking advantage of that fallacy.
EDR-killing malware is everywhere now. Earlier this year, Elastic Security Labs reported that GhostEngine malware evades detection by shutting down security defense systems. RansomHub is offering a binary that escalates privileges to disable endpoint protection software.
The "Lumu Compromise Report 2024" found that infostealers comprised 11.7% of malware tools detected to have bypassed traditional security. Infostealer malware is particularly effective in evading and disabling EDRs. Even without shutting down an EDR, infostealers can often operate almost silently without being detected by endpoint defenses while they extract valuable information and credentials from the system.
The use of compromised credentials for initial access is around 24%, according to CrowdStrike. Not only is this the most common initial attack vector, but IBM's "Cost of a Data Breach Report 2024" says it also takes the longest to identify and contain. Most traditional tools are simply not designed to detect activity when legitimate credentials are used to gain access.
Complementing the EDR illusion, extended detection and response systems (XDRs) are the new panacea. XDRs are, in essence, an extension of EDR technology and have the same limitations. For example, an EDR requires an agent and, by default, this creates blind spots on anything without an agent — such as cloud-based workflows and the Internet of Things. Unless integrated with network detection and response (NDR) or a security information and event management (SIEM) solution, an XDR will not trigger an alarm when malware bypasses the EDR.
This proves we must break the EDR illusion and rethink our cybersecurity architecture.
Time to Rethink the Stack
It has never been more imperative to step back and figure out how to close the gaps in cybersecurity.
We must assume that we will be attacked and cybercriminals will break through the first lines of defense (if they haven't already). When this happens, we still need to provide security to ensure that any breach is stopped in the shortest time possible. How?
NDR tools show the ultimate source of truth: the network. By observing network traffic, you can catch activity from malware, such as infostealers and ransomware, that most conventional tools will not pick up.
There must be continuous monitoring of network and endpoint activity to detect anything suspicious. We cannot rely on static, scheduled checks.
The elements of the traditional stack can no longer work in silos — they need to be joined and communicating.
Advanced machine learning and AI can immediately flag suspicious behavior as it occurs.
A good NDR tool takes all these points into consideration.
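As an added illustration of the NDR/SIEM correlation described above (example code written for this page, not Lumu's or any vendor's product logic), the script below joins constructed EDR agent heartbeat records with constructed network flow records and flags hosts that are talking on the network while the EDR is silent. It covers both cases the article raises: an agent that has stopped reporting (the EDR-killing scenario) and a device that never had an agent (the IoT and cloud blind spot). The log formats, IPs and the 10-minute staleness window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): EDR agent heartbeats and
# network flow records, both keyed by host IP. In practice these would come
# from the EDR console and an NDR sensor or SIEM respectively.
EDR_HEARTBEATS = [
    "2024-11-04T09:00:00 10.0.0.11 heartbeat ok",
    "2024-11-04T09:00:00 10.0.0.12 heartbeat ok",
    "2024-11-04T09:15:00 10.0.0.11 heartbeat ok",
    # 10.0.0.12 stops reporting after 09:00 (agent killed or crashed).
    # 10.0.0.40 never reports at all (unmanaged device, e.g. IoT).
]

NET_FLOWS = [
    # timestamp src dst dst_port bytes
    "2024-11-04T09:20:00 10.0.0.11 203.0.113.5 443 1200",
    "2024-11-04T09:21:00 10.0.0.12 198.51.100.7 443 580000",
    "2024-11-04T09:22:00 10.0.0.40 203.0.113.9 8443 4100",
]

# Assumed threshold: an agent silent for longer than this is treated as down.
STALE_AFTER = timedelta(minutes=10)


def parse_heartbeats(lines):
    """Return the most recent heartbeat time seen per host."""
    latest = {}
    for line in lines:
        ts, host, *_ = line.split()
        t = datetime.fromisoformat(ts)
        if host not in latest or t > latest[host]:
            latest[host] = t
    return latest


def find_blind_spots(heartbeats, flows, stale_after=STALE_AFTER):
    """Flag hosts active on the network while the EDR has nothing to say.

    Returns {host: reason}, where reason is 'no_agent' (host never reported)
    or 'stale_agent' (last heartbeat older than stale_after at flow time).
    """
    latest = parse_heartbeats(heartbeats)
    findings = {}
    for line in flows:
        ts, src, *_ = line.split()
        t = datetime.fromisoformat(ts)
        if src not in latest:
            findings[src] = "no_agent"
        elif t - latest[src] > stale_after:
            findings[src] = "stale_agent"
    return findings


if __name__ == "__main__":
    for host, reason in sorted(find_blind_spots(EDR_HEARTBEATS, NET_FLOWS).items()):
        print(f"{host}: {reason}")
```

Either finding is a signal the endpoint stack alone would never raise, which is exactly why the network view is needed to close the loop.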
The illusion of EDR-driven cybersecurity must be shattered. EDR alone can never be enough. It's time to rethink the stack to ensure fast reaction times after a breach by making visibility across the network the heart of your cybersecurity architecture.
By Ricardo Villadiego, Founder & CEO, Lumu Technologies
About the Author
Ricardo Villadiego (RV) is a seasoned entrepreneur and visionary technology leader focused on cybersecurity. He has spent the last 20 years working to solve some of the most prevalent cybersecurity challenges organizations face. RV founded Easy Solutions, a global organization focused on the prevention and detection of electronic fraud. Subsequently, RV led the cybersecurity business unit at Cyxtera Technologies, where he developed a long-term vision and execution plan. His passion for technology and cybersecurity has triggered yet another venture, and he created Lumu Technologies with a clear objective: help organizations detect compromises at speed.
Over the course of his career, Ricardo has held various leadership positions at IBM, Internet Security Systems, and Unisys Corporation. He is an electrical engineer who is also an avid reader, relentlessly curious, and a technology enthusiast, and currently lives in South Florida with his family.