HITS

NSS Labs announced the results of its 2018 Endpoint Detection and Response (EDR) Group Test. Four products from market-leading security vendors were examined to help enterprises understand the merits of products in the market and identify capabilities that are best suited to meet their use case.

EDR products provide the critical information incident response teams need to conduct forensic investigations. Properly utilizing an EDR product requires an expert team of security forensic specialists. Forensics are particularly important for some enterprises, which is why EDR products that focus on forensic investigation and continuous monitoring remain in demand. In the 2018 NSS Labs Network Security Study, 89.4% of the US enterprises surveyed indicated the use of some forensic features on their endpoint products.1 NSS Labs’ testing of forensic reporting capabilities in EDR products included application programming interface (API) calls, data exfiltration, file system, network traffic, registry, and system and data integrity.

For organizations that are constantly under attack, an EDR product can save time and money. NSS Labs recommends that organizations that are likely to be the target of advanced persistent threats (APTs) deploy an EDR product. This is especially true for organizations deemed to be critical infrastructure. NSS Labs also recommends deploying EDR products strategically on systems with access to critical information and systems in the data path that can be used to gain entry to (or exfiltrate) a network.

An EDR product provides visibility into the behavior of endpoints so that forensic security analysts and forensic teams have the information they need to investigate suspicious activity. Continuous monitoring of the endpoint, detection of anomalous activity, and supplying forensic detail to empower incident response are core features of an EDR product. In theory, an endpoint protection platform (EPP)/antivirus (AV) product blocks attacks while an EDR product detects the attacks that were not blocked. Using this approach, incident response investigations can focus on what happened and whether any data was compromised or lost.

This first iteration of NSS Labs’ EDR Group Test introduced real-world cyberattack scenarios to determine how effective products were at detecting, logging, and reporting on the following threats:

Socially engineered malware (i.e., binary attachments sent through email, executable downloads from website)
Blended threats, which leverage exploiting multiple vulnerabilities, such as spear phishing, infected peripherals, and sophisticated antivirus evasion techniques, to infect the endpoint device
Techniques and tactics from common APTs