Naming products and services – and also their many different functions and features – in the infosec domain is, in a word, tricky. Why? Complexity…
Cybersecurity: it’s not a one-dimensional object like, say, a boat. There are different sized boats, but besides things like that, a boat is mostly always a boat. But in infosec, how can all that a modern system of enterprise cybersecurity does be labeled simply, catchily (if that’s at all possible), and so as to be reasonably easy to understand? And how can you differentiate one security system from another? Often it’s difficult explaining such differences in a long paragraph – while in the name of a product or service? Like I say: tricky.
Maybe that’s why Kaspersky is still associated by some with “antivirus software”. But actually, detecting and neutralizing malware based on an antivirus database is today just one of our security technologies: over a quarter century we’ve added to it a great many others. The word antivirus today is more of a metaphor: it’s known, understood, and thus is a handy (if not too accurate or up-to-date) label.
But what are we supposed to do if we need to tell folks about complex, multifunctional protection for enterprise IT infrastructure? This is when strange sets of words appear. Then there are all the abbreviations that come with them, whose original idea was simplification (of those strange sets of words) but which often just add to the confusion! And with every year the number of terms and abbreviations grows, and memorizing them all becomes increasingly… also tricky. So let me attempt here to take you on a brief excursion of all this gobbledygook these complex but necessary names, terms, descriptions and abbreviations – hopefully to do what the abbreviations struggle with: bring clarity.
From EPP to XDR
Ok. Back to the boat; rather – antivirus.
The more accurate name of this class of products today is Endpoint Protection or Endpoint Security. After all, as stated above, it’s not only antivirus that’s protecting endpoints these days, but a collection of security measures. And sometimes the varied endpoint technologies are given an updated name – including the word “platform”. Somehow that sounds more appropriate, and more accurately descriptive – it also seems fashionable, as is its abbreviation: EPP (Endpoint Protection Platform).
Endpoint Protection Platform is, in essence, a concept that dates back to the 1990s. It’s still needed, but for quality protection of distributed infrastructure other methods are required. Data needs to be collected and analyzed from the whole network to detect not only singular incidents, but also whole chains of attacks, which aren’t limited to a single endpoint. Threats need to be reacted to across the whole network – not just one computer.
Fast-forward a decade or so, and in the early 2000s there appears a class of products called SIEM – security information and event management. That is, a tool for the collection and analysis of all infosec telemetry from various devices and applications. And not only for today: a good SIEM can pull off retrospective analysis – comparing events from the past and uncovering attacks lasting many months or even years.
So, by this stage (the early 2000s for those at the back not paying attention!) we’re already working with the whole network. But there’s no “P” for “Protection” in SIEM. So the protection was provided by the EPP (Endpoint Protection Platform; you at the back – detention after school!). However, EPP doesn’t see network events; for example, it could easily miss an APT (advanced persistent threat).
Therefore, in the early 2010s, along comes another abbreviation to fill the gap and cover both security functions: EDR (Endpoint Detection and Response). On the one hand, it provides centralized monitoring of the whole IT infrastructure – allowing, for example, to compile traces of attacks from all the hosts. On the other, an EDR-type product uses for detection not only EPP methods, but also more advanced technologies: correlational analysis of events and the picking out anomalies on the basis of machine learning and dynamic analysis of suspicious objects in a sandbox, plus assorted other threat hunting tools to assist investigation and response.
And when we do EDR ourselves here at K, of course we need to put our stamp on it, to give us KEDR.
So far, so good great. But… there’s no limit to perfection!
Fast-forwarding again, this time to the early 2020s, and a new abbreviation is introduced and quickly becomes all the rage in the cybersecurity industry: XDR (eXtended detection and response). This, to put it crudely, is EDR on steroids. Such a system analyses data not only from endpoints (workstations), but also from other sources – for example the mail gateways and cloud resources. Which totally makes sense, since attacks on infrastructure can come from any and all kinds of entry points.
XDR can be even further enriched in terms of its expertise by further data from:
Such data can also come in via similar services provided by third-parties.
XDR’s response capabilities are also advanced. More and more protective actions are becoming automated, whereas before they were all done manually. Now the security system can itself respond to events based on cunning rules and scenarios input by experts.
Complicate or simplify?
I hope it’s clear now that any EDR or XDR represents a large, complex collection of technologies. However, the functionality of different provider’s EDRs or XDRs can differ greatly. For example, each provider determines what and how much their experts input into an EDR/XDR to better reflect and thus repel modern-day attacks. So, though they’re all called EDR/XDR, they’re by far not all the same.
For example, on Kaspersky XDR platform, besides the listed-above XDR capabilities, there’s also a module providing interactive training for raising client-companies’ employee cyber-literacy. And no other XDR does such a thing! Surely that’s a good reason to cheer if not boast?…
Actually, sceptics may not be happy. They might say that if we add simply everything we’ve got to enterprise protection – kitchen sink and all – won’t this simply be too much? A morass that becomes too complex, cumbersome, and hard-to-understand and master. “Whatever next?” they think: marketing types coming up with YDR next year, then ZDR the year after?!
Ok, we get it. And we listened to our customers too. And over the years we’ve come to realize that in enterprise cybersecurity, by far not all companies need everything plus the kitchen sink. Often, more up their street we’ve found is a basic set of EDR tools plus clear and convenient instructions on how to use them. This is especially the case for small and medium-sized businesses with small teams of infosec specialists.
So what have we done to meet these more essential needs? We’ve come up with our new and improved [EDR Optimum] KEDR Optimum [EDR Optimum]: “advanced detection, simple investigation and automated response in an easy-to-use package to protect business against the latest threats”. For example, in its new alert cards, besides detailed descriptions of suspicious events and threats, there’s also now a Guided Response section. This gives step-by-step recommendations for investigation and response regarding discovered threats.
Recommendations like this have been prepared based on the decades of dedicated work of our leading experts, and come in the form of links to detailed descriptions of protective procedures. This not only raises reaction speeds, it also allows infosec specialist trainees to boost their skills, for example – with interactive pop-ups:
Another thing KEDR Optimum can now do is to keep an eye on infosec specialists possibly inadvertently blocking this or that critical system object. After all, malware can sometimes launch using legitimate operating system files – and blocking such files can hinder the operation of the whole IT infrastructure. With KEDR Optimum – you’re covered.
And finally, I must mention just one other thing about KEDR Optimum. All the above was written by me – Mr. K. Prefer something more impartial? Be my guest! Head on over to independent testing laboratories to see what they think. For example: IDC, Radicati and SE Lab. There. 100% transparent and fair.