When Endpoint Detection and Response (EDR) is not enough

As cybercriminals continue to validate the reality that no prevention-based security control is going to stop every threat every time, companies are expanding beyond prevention-only approaches and closing the gap with endpoint detection and response solutions.

But as we consider this strategy, one pressing question is: How big is the gap? If prevention security isn’t 100 percent effective, how effective is it? A popular perception among businesses is that prevention security is about 98 percent effective, with a mere 2 percent of threats slipping by. However, the reality is far worse.

Because our product is most often used for malware remediation on business endpoints, we have extensive telemetry on this gap where current endpoint protection technologies are failing to keep organizations safe. Our data shows that current endpoint protection platform vendor software is approximately 40 percent effective, based on endpoints using Malwarebytes for clean up. That means 60 percent of those endpoints were found to be harboring hidden threats—including Trojans, backdoors, and rootkits.

Framing up the size of the gap is important because it helps organizations prioritize the capabilities they need in their endpoint detection and response (EDR) solution—namely, automated and complete remediation.

Until recently, organizations have turned to EDR to gain greater visibility into what’s happening on endpoints. While helpful and important, visibility doesn’t provide a silver-bullet solution for fast and effective remediation. Incident response (IR) teams still face challenges when managing multiple platforms, chasing false alerts, and manually handling the remediation process.

A lack of visibility into threats, and of quick remediation, leads to long infection dwell times. In fact, according to IR teams interviewed for the 2017 SANS Incident Response Survey, 28 percent report that the time from detection to remediation is between 6 and 24 hours. The picture is much grimmer in the 2018 Verizon Data Breach Investigations Report, where more than 70 percent of organizations were compromised by a breach within minutes, but discovery of that breach took months for 60 percent of respondents. A further 30 percent took days to contain a breach after discovery, and a still solid 10 percent took additional months to get their breach under control.

In addition to dwell time, manual remediation itself is resource-intensive, often involving a lengthy re-imaging process for IR teams, and lots of lost productivity for employees—not to mention the tedious re-installation of end-user applications and customization of personal settings.

There’s a better way.

Breaches are inevitable, and the true size of the prevention gap is much bigger than many realize. As such, remediation capabilities are essential for today’s organizations. To truly close the gap and remediate hidden threats, the “response” portion of EDR solutions needs to go beyond alerting to actually fixing the endpoint.

And that’s what we aim to do with Malwarebytes Endpoint Protection and Response. Using a single, unified agent to deliver endpoint protection, detection, and response, our solution effectively alleviates expertise challenges and eliminates the resolution gap. Our product consists of three key components:

1. Prevent

Malwarebytes Endpoint Protection and Response uses a seven-layered, Multi-Vector Protection (MVP) approach, which includes both static and dynamic detection techniques, to seek out a wide range of threats delivered via different attack vectors.

2. Detect

Our solution provides continuous endpoint monitoring and visibility using machine learning anomaly detection combined with aggressive anomaly detection scoring, which is integrated with our cloud sandbox detonation.

3. Respond

Malwarebytes goes beyond alerting and actually fixes the problem with thorough remediation, and even rollback for ransomware infections. Our fast and effective response includes complete removal of infections and artifacts—all with minimized end-user impact.

The result is advanced protection capabilities plus EDR capabilities, packaged with not only visibility into threats but the ability to quickly remediate those threats and fix endpoints.

Malwarebytes isn’t like other security companies. With remediation in our DNA, we do everything in our power to stop attacks before they happen, but we never assume that cybercriminals won’t find a way. That’s why we’ve focused on being the best at finding and removing known and unknown threats.

Learn more about how to remediate threats with Malwarebytes Endpoint Protection and Response.