Laura
01/08/2023
Endpoint Detection and Response (EDR) alerts are what happens when an EDR system decides that event data from an agent installed on an endpoint, or several endpoints, shows a potential threat. This doesn’t mean that every EDR alert is a malicious event in progress. Many are “false positives” or malicious behaviour that is actually not a threat.
To sort a false positive EDR alert from a real potential threat, security teams need to:
- Check affected URLs/IPs and files for malicious indicators
- Determine if more than one device is impacted.
- Email or call any users involved.
- Understand the context of the alerts and any aggregated risks.
- Collect a memory or process sample and run it in a sandbox.
- Look at the command line for the endpoint.
EDR systems persistently monitor and gather data from endpoint devices like laptops and servers. They log actions and behaviours on these devices, such as file modifications and network connections.
When an EDR solution detects anomalous activities or patterns that suggest a potential security threat, it generates an alert. If allowed, EDR systems can initiate a response, including isolating the affected endpoint or taking other mitigation actions to prevent a possible cyber attack.
The challenge for security operating centres (SOCs) is that the system events, file actions, and network interactions that their EDR determines to be threats often aren’t.
How EDR Alerts Happen
Many of the events that look like potential threats from an EDR system’s point of view are, in fact, totally benign. A false positive EDR alert could be an administrator updating a piece of software which changes system behaviour or a database manager conducting a backup.
One of the ways EDRs work is by looking at “normal” endpoint behaviour and flagging anything that deviates from this norm. This works great in a lab, but in the real world, abnormal is the real normal.
This EDR limitation would be acceptable if only a handful of devices were connected to an EDR system. Unfortunately, this is rarely the case in enterprise environments with dozens to thousands of endpoints and a diverse user base.
Around half (45%) of all alerts are false positives. Because false-positive EDR alerts take significant time to analyse (false positives never tell you they are false positives), the result is noise and a massive waste of security teams’ time. Whether caused by EDR or another endpoint agent, alert fatigue is a growing SOC problem.
Reducing EDR Alerts
Manually tuning out false positives is a severe challenge to a security team. There is no such thing as a “set and forget” EDR for any enterprise environment.
EDRs need configuration work up front (and should be run in a monitoring mode only before allowing any remediation). The ongoing tuning needed will vary depending on the vendor, but all EDRs will require continued attention. When they operate an EDR, a SOC will need to invest continued effort in configuring their EDR with new endpoint security policies, telemetry exclusions, and allow lists of applications.
These are essential configuration steps, but down-tuning your EDR’s sensitivity also runs the risk of missing threats. How many real threats will likely be present in your environment at any given time? It’s generally impossible to know. An environment that is “too quiet” with only a handful of alerts every month or quarter can be very dangerous.
In some cases, such as when an organisation has in-house developers who write custom code, steps like allow listing will also be ineffective at reducing false positives.
A system that can automatically sort EDR false positives from real threats and do remediation measures gives SOCs their time back. 94% of security teams think AI and machine learning-powered automation is the best option for dealing with alert overload from security systems like EDR.
Low Noise Advanced Endpoint Protection with SenseOn
Automating threat detection at endpoints needs a new approach to data collection.
To investigate “real” EDR alerts, an analyst will always need context around the event(s) that triggered it. The continuous challenge here is understanding whether an actual attack has occurred or a threat is in progress versus if the alert is a false positive.
Because they only report on and respond to endpoint data, an EDR solution will still leave security teams with blindspots in their threat detection and response efforts. To gain context into real threats, analysts need a unified source of data collection that can pull together network, endpoint and user information into a single “case.”
SenseOn collects endpoint data and performs the same task as an EDR solution. However, by correlating this data with information from your network and using an advanced AI-powered anomaly detection engine, SenseOn removes the problem of EDR false positives.
Try a demo of SenseOn today.