Limitations of EDR (Endpoint Detection and Response)

  1. Limitations of reputation analysis
    According to AV-TEST statistics for 2018, 84% of all malicious code samples were already known and 16% were unknown. Detecting and blocking unknown threats matters, but blocking the known ones is the baseline. Standalone EDR products currently on the market have no engine of their own for blocking known threats; they have to be paired with an antivirus product. Even where a separate reputation lookup service is used, it commonly holds no real-time sample of the malicious code in question, and to obtain a verdict at all the original sample has to be uploaded and shared publicly, which is a disclosure risk in its own right when the file in question is an internal document.
  2. Driver problem
    Standalone EDR products that operate only at user level, not at kernel level, need separate drivers installed for threat monitoring and recovery, so driver conflicts and duplicated drivers remain a standing problem.
  3. Redundancy of agent and management console
    Antivirus functionality is essential for blocking known threats. For an EDR product that is not fully integrated with an antivirus product, that means two agents on each user PC and two management consoles the security manager has to watch. The result is extra load on the security manager and a plain waste of endpoint and administrative resources.
  4. Excessive management resources
    With a standalone EDR, rather than blocking a malicious program outright, each of its actions is detected as a separate event. The security administrator has to review every event one by one and fold each one into the blocking policy by hand. In addition, even when suspicious behavior is blocked, without an accurate threat verdict the offending file on the host cannot be pinned down, so there have been cases where hundreds of PCs were reimaged because the security alerts simply would not stop. In the end the security manager is left with the repetitive work of dealing with false positives and over-detection and of analyzing the suspicious behavior by reading through the threat flow chart.
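The script below is an added example, not code from this post or from any NPCore product. It shows items 1 and 4 in working form: a local hash-reputation check stands in for the known-threat engine that a standalone EDR lacks, and per-action events are folded into one incident per process tree, so the administrator reviews a handful of incidents with a single verdict each instead of every event on its own. Every hash, process id, path and address is constructed for the example; the reputation sets and the parent/child rule are hypothetical stand-ins for a real engine's data.

```python
"""Added example (not from the original post or NPCore's products): fold
per-action EDR events into one incident per process tree and attach a
reputation verdict. Every hash, pid, path and address here is constructed."""
import hashlib


def fake_sha256(label: str) -> str:
    """Stand-in for the hash of an image on disk, derived from a label so the
    constructed sample is reproducible (a real event carries the file hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed reputation data. In practice it comes from the antivirus engine
# or a reputation service; it represents the "known" share of malicious code.
KNOWN_BAD = {fake_sha256("dropper.exe")}
KNOWN_GOOD = {fake_sha256(n) for n in
              ("explorer.exe", "winword.exe", "powershell.exe", "chrome.exe")}

# Hypothetical behavioural rule for the "unknown" share: an Office application
# spawning a script host deserves an analyst's look even if every hash is clean.
SUSPICIOUS_PARENT_CHILD = {("winword.exe", "powershell.exe"),
                           ("excel.exe", "powershell.exe")}


def reputation(sha256: str) -> str:
    if sha256 in KNOWN_BAD:
        return "known_bad"
    if sha256 in KNOWN_GOOD:
        return "known_good"
    return "unknown"


def start(pid, ppid, image):
    # Constructed process-start event; the hash is derived from the image name.
    return {"pid": pid, "ppid": ppid, "action": "process_start",
            "image": image, "sha256": fake_sha256(image)}


# Constructed event stream: one event per observed action, which is how a
# standalone EDR presents them to the administrator.
EVENTS = [
    start(400, 1, "explorer.exe"),
    start(512, 400, "winword.exe"),
    start(700, 512, "powershell.exe"),
    {"pid": 700, "action": "file_write", "target": r"C:\Users\a\AppData\Local\Temp\dropper.exe"},
    {"pid": 700, "action": "net_connect", "target": "203.0.113.5:443"},
    start(800, 700, "dropper.exe"),
    {"pid": 800, "action": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    start(900, 1, "chrome.exe"),
    {"pid": 900, "action": "net_connect", "target": "198.51.100.7:443"},
    start(950, 1, "inhouse-tool.exe"),
    {"pid": 950, "action": "file_write", "target": r"C:\ProgramData\report.csv"},
]


def build_incidents(events):
    """Group events by the root of their process tree and give each group one
    verdict: 'block' (a known-bad hash in the chain), 'review' (an unknown hash
    or a suspicious parent/child pair) or 'benign' (everything known-good)."""
    starts = [e for e in events if e["action"] == "process_start"]
    parent = {e["pid"]: e["ppid"] for e in starts}
    image = {e["pid"]: e["image"] for e in starts}

    def root_of(pid):
        seen = set()
        # Walk up until the parent is a process we never saw start: the tree root.
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    incidents = {}
    for e in events:
        inc = incidents.setdefault(root_of(e["pid"]),
                                   {"chain": [], "actions": [], "flags": set()})
        if e["action"] == "process_start":
            inc["chain"].append(e["image"])
            inc["flags"].add(reputation(e["sha256"]))
            if (image.get(e["ppid"]), e["image"]) in SUSPICIOUS_PARENT_CHILD:
                inc["flags"].add("suspicious_behaviour")
        else:
            inc["actions"].append(f'{image[e["pid"]]} {e["action"]} {e["target"]}')

    for inc in incidents.values():
        if "known_bad" in inc["flags"]:
            inc["verdict"] = "block"
        elif "unknown" in inc["flags"] or "suspicious_behaviour" in inc["flags"]:
            inc["verdict"] = "review"
        else:
            inc["verdict"] = "benign"
    return incidents


def summarize(events):
    """Return (raw event count, incident count, {verdict: count})."""
    incidents = build_incidents(events)
    counts = {}
    for inc in incidents.values():
        counts[inc["verdict"]] = counts.get(inc["verdict"], 0) + 1
    return len(events), len(incidents), counts


if __name__ == "__main__":
    raw, folded, counts = summarize(EVENTS)
    print(f"{raw} raw events -> {folded} incidents: {counts}")
    for root, inc in build_incidents(EVENTS).items():
        print(root, inc["verdict"], " -> ".join(inc["chain"]), inc["actions"])
```

Run as-is, the eleven constructed events collapse to three incidents: the Word-to-PowerShell-to-dropper chain is blocked on the known-bad hash alone, the Chrome tree is benign, and the in-house tool with an unknown hash is queued for review. Removing the dropper events leaves the first chain on "review" because of the Office-spawns-script-host rule, which is the point where behavioural detection has to take over from reputation.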




I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.

Han Solo