We were delighted to host Marko Polunic for our highly anticipated EDR Masterclass last week. Marko is the Director of Business Development of Europe, Middle East and Africa at CrowdStrike and boasts over a decade of experience in cyber insurance underwriting. He now works with insurance and legal professionals, helping them to adopt some of the most advanced security platforms for protecting critical areas of enterprise risk.
Antivirus software and traditional endpoint security tools are no longer enough to ward off today’s more sophisticated cyber threats. As a result, EDR has become a particular buzzword in this industry, and insurers increasingly look for it to be in place and tied into incident response as part of their minimum benchmark requirements. EDR technology continually monitors endpoint devices that are connected to a network (such as mobile phones and laptops) to ensure that each is secure and free of malicious activity. EDR technology detects, scrutinizes, and restricts any suspicious activity. Unlike antivirus software, it is able to tackle evolving cyber risk more effectively. But what threats in today’s cyber landscape do these tools address? How do these technologies work in practice? And how do EDR and incident response work together to minimize risk for insurers?
The Cyber Threat Landscape
At the most fundamental level, all offensively-focused adversaries conduct operations across three phases, with individual threat actors often specialising in just one of them: initial access, post-exploitation, and objective execution. At the initial access phase, a threat actor will seek only to enter a business’s network. Once access is gained, they will sell it to other parties who have an interest in post-exploitation (namely, moving laterally across the network), and then on to threat actors who execute any further objectives. Businesses looking to secure themselves against cyber risk should be assessing their initial access points and ascertaining the extent of their network visibility. Often, those relying solely on antivirus software will have a harder time investigating this.
Trojan attacks, malware, and other cyber breaches executed on endpoints have become increasingly difficult to prevent. However, these can be mitigated with high-quality EDR sensors. While antivirus software can scan for some of these attacks, its signatures quickly become obsolete: an estimated 10,000 new malicious files are discovered each month and, in reality, so long as a file’s name and signature are slightly changed, it will be able to bypass antivirus programs undetected. In other words, the evolution of attack tooling and the level of sophistication of modern-day attacks are effectively voiding the usefulness of antivirus on its own.
The Value of EDR for Cyber Insurance
Without EDR technology, once initial access is achieved, these threat actors can move laterally across the business network at a staggering speed. This has potentially fatal consequences for a business, given that the average response time to such an attack is 150 hours. If a threat actor is able to dig deeper into a network, reach the objective execution phase and deploy, for example, a ransomware attack, the potential for business interruption soars. In addition, the rise of supply chain attacks has highlighted the importance of EDR in preventing such incidents from having an impact on a broader scale. Although endpoints are critical for a business’s cyber security, the value of EDR lies in the visibility it provides across an entire enterprise: it highlights who is moving across the network, and with which access rights.
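As an added illustration of the contrast drawn in the two sections above (this is example code written for this recap, not CrowdStrike’s or the masterclass’s own): a hash blocklist misses a file after a one-byte change, while a behavioural rule over constructed endpoint telemetry still flags an account fanning out across hosts. The host names, accounts, payload and threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta
import hashlib
from collections import defaultdict

# --- Signature-based detection (antivirus model) ---
# Constructed sample payload standing in for a known malicious file.
KNOWN_BAD_PAYLOAD = b"constructed-sample-payload-v1"
SIGNATURE_BLOCKLIST = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """Flag a file only if its exact hash is on the blocklist."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_BLOCKLIST

# --- Behaviour-based detection (EDR model) ---
# Constructed endpoint telemetry: (timestamp, account, source host, destination host).
# "svc-backup" fans out to four hosts within a few minutes, the lateral-movement
# pattern described above; "alice" touches two hosts over an hour and is benign.
TELEMETRY = [
    ("2024-01-01T10:00:00", "alice", "WS-01", "FILE-01"),
    ("2024-01-01T10:01:00", "svc-backup", "WS-07", "WS-08"),
    ("2024-01-01T10:02:30", "svc-backup", "WS-07", "WS-09"),
    ("2024-01-01T10:04:00", "svc-backup", "WS-07", "DC-01"),
    ("2024-01-01T10:05:10", "svc-backup", "WS-07", "FILE-01"),
    ("2024-01-01T11:30:00", "alice", "WS-01", "MAIL-01"),
]

def lateral_movement_alerts(events, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted destination hosts} for every account that reaches
    more than max_hosts distinct hosts inside any sliding time window."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for account, evs in by_account.items():
        evs.sort()  # chronological order per account
        for i, (start, _) in enumerate(evs):
            hosts = {dst for t, dst in evs[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    print("original flagged:", signature_match(KNOWN_BAD_PAYLOAD))
    print("one byte changed:", signature_match(KNOWN_BAD_PAYLOAD + b"\x00"))
    print("lateral movement:", lateral_movement_alerts(TELEMETRY))
```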
Is EDR the end of antivirus?
While the cyber insurance sector encourages businesses to adopt EDR by insisting on such technology as a minimum requirement, many companies are still running on legacy antivirus software – until they get hit, that is. A general lack of awareness of the cyber insurance product is feeding into a lack of understanding of the enormous advances in cutting-edge cybersecurity technologies available on the market today. The reality is, had EDR been more widely installed during the NotPetya incident, far fewer companies would have been affected.

The difference in cost between EDR and antivirus technologies can be minimal, depending on the package a business chooses to purchase. For the technology alone, a company can expect to pay prices similar to those of its antivirus software. In the event of an attack, it would then contact its Incident Response team (which may be provided by its insurer). Those who opt for managed EDR (where an outsourced team runs the EDR software) can, however, expect the price to increase. It is worth noting that managed EDR services and antivirus solutions cannot truly be compared; it would be more sensible to weigh managed EDR against the cost of hiring an in-house team to manage antivirus software and incident response, as this more accurately reflects the true return on investment of managed EDR services. Additionally, EDR enables companies to respond to attacks proactively and promptly, which in itself is value for money.
Want to listen to Marko’s full presentation? Follow the link to watch our recording.