For 10 years, the field of prevention has seen no evolution, unlike other aspects of cybersecurity. More strategic than responding to an attack, prevention offers many advantages and is essential.
The cybersecurity market has seen the emergence of new EDR (Endpoint Detection and Response) offerings. These rely on agents installed on endpoints, which collect behavioral data and send it to a central database for analysis. The platform can then identify trends and detect anomalies, and automatically raise alerts for corrective action or further investigation.
An EDR-type solution generates alerts that must be dealt with quickly. Some correspond to genuinely malicious behavior, while others are less clear-cut and require investigation. This is where the SOC (Security Operations Center) becomes relevant: it is staffed by security experts responsible for continuous security monitoring.
EDR solutions have become essential for detecting and remediating most of the cybersecurity threats that organizations face on a daily basis. A genuine investigative tool, EDR has become a pillar of modern security arsenals. However, attacks have exploded in frequency and severity, undermining the effectiveness and protective capabilities of EDRs.
The threat landscape is also becoming much more dangerous. Between 2019 and 2020, an 800% increase in ransomware attacks was observed, and Ponemon Research has reported that 80% of vulnerabilities come from previously unknown malware and zero-day attacks. The tools that many organizations use do not provide adequate protection against increasingly sophisticated attacks. Although these solutions have improved in recent years, teams still commonly receive little contextual information, which prevents them from properly prioritizing their response (false positives). Moreover, EDR is not a tool suited to every organization, since it requires a dedicated or managed SOC.
Rethinking Cyber Defense
EDR is based on a “presumptive breach” mentality, i.e. the received wisdom that no amount of cyber defense can actually prevent cybercriminals from entering an environment. Detection and response solutions such as EDR, MDR, NDR and XDR all have one thing in common: they are all based on post-execution remediation. As its very name indicates, EDR is only relevant once the attack has taken place. That ultimately means attackers are already inside the corporate network by the time detection and response solutions escalate incidents.
Post-execution is too late to prevent a breach, and remediation is costly and time-consuming, a point highlighted by a recent study that tested the effectiveness of 11 of the best-known EDR tools and exposed their inherent shortcomings. The professionalization of modern threats and the high number of successful breaches have proven that EDR is not enough to stop today’s increasingly advanced threats.
It’s time to redefine what threat prevention really is and explore the new deep learning-based technologies that have made malware detection, classification, and prevention possible.
Better to prevent than to respond
Companies recognize their inability to protect against today’s most advanced threats and are actively investing in better protection. Gartner predicted that global spending on security and risk management would exceed $150 billion in 2021. It likely exceeded that number.
A prevention-focused approach to stopping threats replaces or complements the traditional view in order to reduce or even eliminate risks. Pre-execution malware prevention and reduced false positives improve operations, reduce costs, and stop known, unknown, and zero-day threats, including ransomware, before they have the ability to infect the organization’s environment.
Machine learning-based prevention solutions also typically rely on data streams from antivirus tools, EDRs, and other security tools. This means that they can only react to threats rather than anticipate them. And attackers are increasingly able to exploit this weakness with attacks designed to do their damage before they can be detected.
And while Machine Learning-based solutions have proven essential for dealing with the avalanche of alerts, they are limited by their reactive nature. This approach is fundamentally incapable of preventing attacks upstream in the attack chain. Attacks have time to execute before systems manage to identify their malicious nature, which can take several minutes or more.
Go even further than Machine Learning
Deep Learning is the most advanced subset of Artificial Intelligence. This technology represents the next step in intelligent security, as its foundations are inspired by the functioning of the human brain. The more raw data the machine receives, the more intuitively it understands the meaning of new data. Deep Learning technology enables companies to completely block cyberattacks. It can detect and respond to them, as well as predict and prevent them, stopping more than 99% of threats and dramatically reducing false alarms at
A new reflection on EDR tools is therefore necessary.
A cybersecurity solution capable of predicting and detecting unknown attacks without human intervention will revolutionize the cyber defense of companies. With Deep Learning, organizations will not only be able to prevent today’s attacks, but also predict and prevent those of tomorrow.