Endpoint Security Is Not Enough to Thwart Advanced Threats

A single-pass cloud engine that integrates a layered security approach may be your best bet against APTs.

May 16, 2023


Endpoint security is often the first line of defense, but attackers can bypass it using sophisticated techniques. Endpoint detection and response (EDR) is reactive, meaning it can only detect threats after they have already arrived at an endpoint. This is a drawback because it gives attackers more time to do damage. Etay Maor, senior director of security strategy for Cato Networks, explains why organizations need a layered security approach that includes EDR along with other security measures such as firewalls and intrusion detection systems. A single-pass cloud engine can integrate all these measures into one platform.

Endpoints have become the epicenter of risk in modern enterprises. From users to devices, from business applications to cloud workloads, every type of enterprise data flows via the endpoint. What’s more, with remote work gathering pace and a large number of IoT devices connecting to corporate networks, monitoring the security and visibility of every single endpoint has become extremely challenging. 

Over the last few years, EDR has been deployed to detect malicious activity at endpoints and to help defend against advanced threats like ransomware. However, recent evidence shows EDR is neither hackproof nor entirely effective against advanced persistent threats (APTs). Let’s understand where EDR falls short and why endpoint security alone is not enough to protect organizations.

1. Endpoint Security Is Usually the First To Get Evaded

According to the Cybersecurity and Infrastructure Security Agency (CISA), to gain initial access, threat actors routinely exploit misconfigured systems, poor employee practices (weak passwords, unsafe internet activity and browsing behavior, etc.) and weak security controls (unpatched software, open RDP ports, etc.).

Once access is achieved, APTs will typically, as part of their discovery and reconnaissance operations, identify the systems and processes they should avoid. Naturally, endpoint security software ranks high on that list because attackers want to ensure they don’t get caught. As a result, attackers use a number of evasion tactics, such as tampering or blending, to bypass EDR defenses. Recently, a ransomware group was caught leveraging such sophisticated techniques to bypass well-established EDR controls.

2. EDR Is Vulnerable to Privilege Escalation Attacks

EDR typically relies on running processes or services on the endpoint to collect data, detect threats, and respond to incidents. An attacker who gains administrative access to an endpoint can disable these processes, rendering the EDR system ineffective. Don’t forget that 80% of security breaches involve some kind of privilege escalation. So if an attacker buys credentials on the dark web, or obtains user credentials through social engineering or brute force, they can easily get their foot in the door. They then obtain privileged access by exploiting software vulnerabilities (e.g., in Windows and Linux) and misconfigurations. Next, they will likely run a script that blocks endpoint security or disables EDR protection using those administrative privileges.

An attacker with privileged access could remotely disable endpoint security simply by rebooting the device in safe mode and renaming the application directory before its associated service was launched. In another recent example, attackers leveraged AI to synthesize a polymorphic keylogger that used a legitimate channel (in this case, Microsoft Teams) to send usernames and passwords to the attacker. EDR did not detect the attack because the technique did not rely on any kind of command-and-control infrastructure.
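The tampering steps this section describes (stopping or disabling the EDR service, changing the boot configuration to enter safe mode, renaming the product's install directory) all leave traces in ordinary process-creation telemetry, which is where a second layer can catch them. The detector below is an added example, not code from the article or from Cato Networks; the EDR service name, install path and sample events are constructed assumptions standing in for a real product's values.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:        # one process-creation record (e.g. Sysmon event 1 / Security 4688)
    host: str
    user: str
    elevated: bool         # process ran with an administrative token
    image: str             # full path of the executable
    command_line: str

# Hypothetical EDR service name and install path (assumption, not from the article), lower-cased for matching.
EDR_SERVICE = "exampleedr"
EDR_DIR = r"c:\program files\exampleedr"

# One rule per tampering step named in the text: safe-mode boot, service shutdown, directory rename.
RULES = {
    "safe-boot configuration changed": lambda e: (
        e.image.lower().endswith("bcdedit.exe") and "safeboot" in e.command_line.lower()),
    "EDR service stopped or disabled": lambda e: (
        e.image.lower().endswith(("sc.exe", "net.exe", "powershell.exe"))
        and EDR_SERVICE in e.command_line.lower()
        and re.search(r"\b(stop|disabled)\b", e.command_line, re.I) is not None),
    "EDR install directory renamed or moved": lambda e: (
        re.search(r"\b(ren|rename|move|mv)\b", e.command_line, re.I) is not None
        and EDR_DIR in e.command_line.lower()),
}

def detect_edr_tampering(events):
    """One finding per matching (event, rule); an administrative token raises severity."""
    findings = []
    for e in events:
        for rule, matches in RULES.items():
            if matches(e):
                findings.append({"host": e.host, "user": e.user, "rule": rule,
                                 "severity": "high" if e.elevated else "medium",
                                 "command_line": e.command_line})
    return findings

# Constructed sample telemetry for a stand-alone run (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", r"CORP\jdoe", True, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {current} safeboot minimal"),
    ProcessEvent("WS-042", r"CORP\jdoe", True, r"C:\Windows\System32\sc.exe", "sc config ExampleEDR start= disabled"),
    ProcessEvent("WS-042", r"CORP\jdoe", True, r"C:\Windows\System32\cmd.exe", r'cmd /c ren "C:\Program Files\ExampleEDR" ExampleEDR.old'),
    ProcessEvent("WS-017", r"CORP\helpdesk", False, r"C:\Windows\System32\sc.exe", "sc query ExampleEDR"),  # benign, must not fire
]

if __name__ == "__main__":
    for f in detect_edr_tampering(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['rule']} <- {f['command_line']}")
```

Because every rule requires the EDR's own service name or directory, a routine health check such as `sc query` does not fire, while the three privileged tampering steps on the same host are reported together and can be correlated outside the endpoint.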


3. EDR Can Get Compromised Via the Supply Chain

Most EDR products require software to be signed by its vendor; otherwise it is flagged as untrusted, and in some cases unsigned applications are blocked from executing entirely. If attackers somehow compromise a vendor’s code-signing certificate, security products will blindly trust the application, allowing even compromised software to run without any kind of inspection. The Sunburst attack that led to the compromise of leading US government agencies and technology companies happened for this reason. Despite many victims having sophisticated endpoint security installed, it failed to detect the malicious update package because the package was digitally signed by SolarWinds and, as a result, was considered trusted. A ransomware group recently abused vulnerabilities in legitimate third-party drivers to disable the EDR running on a victim’s machine.

4. EDR Can Be Difficult To Manage and Monitor

Considerable resources are required to make EDR perform optimally. An average EDR generates about 11,000 security alerts per day, requiring analysts to spend mind-numbing hours culling through a vast trove of data, much of it false positives. Sifting through alerts is extremely counter-productive and tiresome, though it is certainly a job AI can fix. Serious threats can slip past all this chatter, allowing attackers longer dwell times in the victim’s environment.

Not a Failure of EDR, But a Failure of the Entire Cybersecurity System

One of the greatest drawbacks of EDR is that it is ironically too reactive. In other words, the threat has already arrived or been executed at the endpoint, and it is now the EDR’s responsibility to block it. 

The truth is, there’s never a single point of failure because every stage of an attack presents an opportunity to block it. This is why organizations need end-to-end security afforded by a single-pass cloud engine such as SASE (secure access service edge), which can consume network flows from every user, every application, and each device, providing granular visibility over networks and endpoint activity. Because everything is integrated and delivered as a cloud service – from firewalls to endpoint security, to web security, to cloud security – it is easier to manage and monitor the various attack surfaces and respond to potential threats as they manifest. 

EDR remains a powerful standalone tool to detect malicious behavior on endpoints. That said, modern malware is increasingly evolving and evading even advanced defenses like EDR. Organizations require synchronized end-to-end systems that can detect and block advanced persistent threats even when one of the security layers fails to detect malicious activity.




Etay Maor

Senior Director of Security Strategy, Cato Networks

Etay Maor is Senior Director of Security Strategy for Cato Networks, a leading network security provider. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and an MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.