Kostas has created this project to help people do some comparisons of EDR solutions. He describes the project as:
The EDR Telemetry Project aims to provide a comprehensive comparison of various Endpoint Detection and Response (EDR) solutions based on their telemetry capabilities. By analyzing the data collected from different EDR tools, the project helps organizations make informed decisions when selecting an EDR solution that best fits their security needs.
Project Goals
Compare the telemetry data collected by different EDR solutions.
Identify strengths and weaknesses of each EDR in terms of data visibility.
Provide a resource for security professionals to evaluate EDR tools.
You can find the project and Kostas here:
My thoughts:
Features for EDR are far more then the telemetry it collects. In fact the telemetry is much lower down the list of what I look for when evaluating security products such as EDR. If an EDR does not collect a type of telemetry I would like or expect, is there another solution that I have that can, or does to fill this gap? Likely another solution will fill many gaps an EDR will have making telemetry important, but less of a deciding factor. For example, without a good SIEM, EDR will miss, or not collect many important aspects or early indicators of an attack such as;
Early and ongoing Recon events
Lateral Movement
JP-CERT has the BEST lateral movement detection research paper I have found and recommend it in my presentations. It is this type of data that EDR does poorly on and a SIEM with the right data can do very well.
Some things to consider when looking at an EDR solution that would be at the top of my list are things like;
Ease of use - Can a SOC use this solution
Can you get the details needed to remediate a system (Detailed Triage)
Can you easily exclude items and false positives (a lot will fail this one)
Can you easily create rules for new or missing telemetry (need logs)
Can you you add local logs to the solution (key)
Is the query language robust enough - Wildcards and include and exclude lists
Not all EDRs should be compared, or should not be compared to others as their features are not close enough to compare. There are two main categories of EDR type solutions;
Ecosystem - This would be the Cisco, Palo Alto, Checkpoint, etc. You likely buy their whole ecosystem and take advantage of the discounts and SIEMs they all own and have
Non-Ecosystem - These are solutions that are not associated with big iron or firewall vendors, independently owned or have multiple solutions
You can get my slides and watch my talk on EDR from a few years ago here:
DerbyCon 2017 - http://www.irongeek.com/i.php?page=videos/derbycon7/t416-edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged-michael-gough
DerbyCon 2017 Preso - https://www.slideshare.net/slideshow/edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged/80220180
Another criteria that came out in our testing 16 EDR solutions is they type of attacks they can or cannot detect. We tested 3 types of attacks and compared the detection’s to the samples we used that our IPS solution detected. Shockingly… half did not detect samples the IPS saw a malicious comm indicator and that surprised us. The three conditions we tested were:
Typical user Word Doc type malware (most did fine with this)
Already infected system (some failed this)
Pushing malware to a system like an adversary/Red Team would do (many failed this)
An example that many EDRs we tested failed was Dll side loading where the folder and file get renamed on reboot (typical Dridex) and used a valid Windows utility (LoLBas) to load a malicious Dll in a user directory. More than half failed this test
Just some things to think about when deciding on an EDR type solution and be sure to compare solutions, apples to apples and be sure to seriously evaluate the solutions that they do what you expect.
Happy Hunting!
