Han Solo

Nov 4, 2020

2 min read

Limitations of EDR (Endpoint Detection and Response)

  1. Limitations of reputation analysis
    According to AV-TEST statistics for 2018, 84% of all malicious codes are known and 16% are unknown. Of course, it is important to detect and block unknown threats, but blocking known threats should be fundamental. Standalone EDR solutions currently on the market do not have engines to block known threats, or they must be used in combination with antivirus products. Even if the reputation search service is used separately, it is common that there is no real-time malicious code sample, and in order to check the detection result, the original sample must be registered and publicly shared.
  2. Driver problem
    Standalone EDR products that support only the user level, not the kernel level, require separate drivers to be installed for threat monitoring and recovery, so driver conflicts and redundancy issues continue to exist.
  3. Redundancy of agent and management console
    Anti-virus functionality is essential to blocking known threats. However, for EDR products that are not fully integrated with anti-virus products, there are two agents installed on the user’s PC side and two management consoles that the security manager must monitor. In other words, the security manager’s resource problem follows and inefficient resource waste occurs.
  4. Excessive management resources
    In the case of standalone EDR, rather than blocking malicious code actions, each action is detected as a different event, reviewing all events one by one, and requiring the work of a security administrator to reflect one by one in the blocking policy. In addition, even if suspicious behavior is blocked, the host file cannot be detected without an accurate threat determination, so there are cases in which hundreds of PCs have been unavoidably formatted as security alerts continue to sound. Eventually, the security manager was forced to continue the repetitive work of having to deal with the problem of false positives and over-detection, analyze the suspicious behavior by looking at the threat flow chart.