Limitations of EDR (Endpoint Detection and Response)

  1. Limitations of reputation analysis
    According to AV-TEST statistics for 2018, 84% of all malicious code is already known and 16% is unknown. Detecting and blocking unknown threats matters, but blocking known threats is the baseline. Standalone EDR products currently on the market have no engine of their own for blocking known threats and must be combined with an antivirus product. Even where a separate reputation lookup service is used, it often has no sample of the malicious code available in real time, and to obtain a verdict the original sample must be uploaded and shared publicly.
  2. Driver problem
    Standalone EDR products whose agent runs only at user level, not in the kernel, still need separate drivers installed for threat monitoring and recovery, so driver conflicts and redundant drivers remain a problem, particularly when an antivirus product with its own kernel drivers is installed alongside.
  3. Redundancy of agent and management console
    Antivirus functionality is essential for blocking known threats. For EDR products that are not fully integrated with an antivirus product, this means two agents installed on each user PC and two management consoles for the security manager to monitor. The result is duplicated load on the endpoint and duplicated work for the security manager.
  4. Excessive management resources
    Standalone EDR does not block the actions of malicious code; it records each action as a separate event, so the security administrator has to review every event one by one and feed each verdict back into the blocking policy by hand. In addition, even when suspicious behavior is blocked, the file on the host responsible for it cannot be identified without an accurate threat verdict, and there have been cases where hundreds of PCs had to be reimaged because the alerts would not stop. In the end the security manager is left with repetitive work: sorting out false positives and over-detection, and analyzing each suspicious behavior by walking through the threat flow chart.
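As an added illustration of points 1 and 4 (example code written for this page, not NPCore's product and not code from the original post), the following Python script applies a local known-bad hash check before any behavioral review, then correlates the per-action events a standalone EDR raises into one incident per process tree, so an administrator reviews one chain rather than each event. All file contents, hashes, process IDs, paths and events below are constructed for the example.

```python
"""Added example: reputation check first, then per-process-tree correlation of
standalone EDR events. Every file, hash, pid and event here is constructed."""

import hashlib
from collections import defaultdict

# Constructed file contents standing in for executables on the host.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.exe": b"known-bad sample bytes (constructed)",
    r"C:\Windows\System32\notepad.exe": b"benign sample bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed local reputation list of known-malicious SHA-256 hashes.
# In a real deployment this comes from the AV engine or a threat-intel feed.
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"])}


def reputation_verdict(contents: bytes) -> str:
    """'block' for a known-bad hash, otherwise 'unknown' (needs behavioral review)."""
    return "block" if sha256_hex(contents) in KNOWN_BAD_SHA256 else "unknown"


# Constructed per-action events as a standalone EDR agent might emit them:
# (event_id, pid, parent_pid, image, action, detail). pid 400 is explorer.exe.
EVENTS = [
    (1, 500, 400, "invoice.exe", "process_create", r"C:\Users\alice\Downloads\invoice.exe"),
    (2, 500, 400, "invoice.exe", "file_write", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    (3, 500, 400, "invoice.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (4, 600, 500, "svc.exe", "process_create", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    (5, 600, 500, "svc.exe", "network_connect", "198.51.100.7:443"),
    (6, 700, 400, "notepad.exe", "process_create", r"C:\Windows\System32\notepad.exe"),
]


def process_roots(events):
    """Map each acting pid to the root pid of its process tree.
    A pid whose parent never acts in the events is treated as a root."""
    parent = {pid: ppid for _, pid, ppid, _, _, _ in events}

    def root(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    return {pid: root(pid) for pid in parent}


def triage(events, files=SAMPLE_FILES):
    """Group per-action events into one incident per process tree.
    The root image gets a reputation verdict; a chain that both sets a Run key
    and makes a network connection is flagged for behavioral review."""
    roots = process_roots(events)
    incidents = defaultdict(
        lambda: {"image": None, "path": None, "verdict": "unknown", "actions": []}
    )
    for _event_id, pid, _ppid, image, action, detail in sorted(events):
        inc = incidents[roots[pid]]
        if pid == roots[pid] and action == "process_create":
            inc["image"], inc["path"] = image, detail
            if detail in files:
                inc["verdict"] = reputation_verdict(files[detail])
        inc["actions"].append((image, action))
    for inc in incidents.values():
        kinds = {action for _, action in inc["actions"]}
        inc["chain_flag"] = {"registry_set", "network_connect"} <= kinds
    return dict(incidents)


def needs_review(incidents):
    """Root pids the administrator still has to look at: everything not already
    blocked by reputation. Known-bad chains never reach a human."""
    return sorted(pid for pid, inc in incidents.items() if inc["verdict"] != "block")


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, inc in result.items():
        print(pid, inc["image"], inc["verdict"], len(inc["actions"]), "events",
              "chain_flag" if inc["chain_flag"] else "")
    print("needs review:", needs_review(result))
```

Six raw events collapse into two incidents: the invoice.exe tree (five events, blocked by hash, with its persistence-plus-network chain flagged) and the notepad.exe tree (one event, unknown, the only thing left for a person to review).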

--
I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.

Han Solo