How FDR Differs from other Detection and Response Solutions

Posted on 2022-09-07 by Pedram Amini

Our industry has had a hyper focus on detection and response for a number of years now. You know all the major categories: EDR, NDR, and XDR. There are so many DR’s that an entire industry of companies who purport to manage it all for you has spawned (MDR). It ought to be clear that we’ve all conceded prevention can only take us so far. The attackers will still get through even the most well-architected defense-in-depth armor. So the dominant mindset remains: detect anything anomalous, winnow the pile to what matters, triage what’s left, and respond as fast as possible - hopefully before calamity strikes. Nothing new there. But to borrow a point from a prior blog, we can still broadly break attacks into system-targeted and human-targeted - and then consider what might be done to strengthen detection and response. I’d like to reopen that discourse.

Here at InQuest, we wholly concern ourselves with the likes of malware, ransomware, phishing attacks, scams, fraud, and data loss violations. And the vast majority of these threats typically have two things in common: an end user and a file. One is easily tricked, and the other is easily laced with hidden risks. This creates the end-user security gap. And therein lies the conundrum. While EDR, NDR and XDR have their roles (and we wouldn’t argue otherwise), our firm belief is that these solutions - even if you have all three deployed - do not close the end-user security gap.

File Detection and Response (FDR) is designed specifically for the detection and response of file-borne breaches and incidents. It is fundamentally different from other detection and response solutions. A quick review of its core technologies will highlight numerous points of differentiation relative to adjacent detection and response approaches.

Here are three factors that immediately set FDR apart from other detection and response solutions:

First, files are ubiquitous - they exist in your network, cloud, USB stick, etc. They enter your world via email, web, and more. They cross all dimensions of state - in-use, in-motion, at-rest. And, unfortunately, they serve as the central carrier for threats. Something must therefore consider them holistically - not just when they independently appear in a network, cloud or endpoint location. FDR provides this holistic visibility into an otherwise fractured and nebulous data source.

Second, FDR is designed for file analysis at scale…breadth of scale, depth of scale, even  across files and across time. InQuest FDR is capable of analyzing millions of files daily at a reasonable cost. At its core, our patented Deep File InspectionTM peels apart the ‘Matryoshka doll’ nature of a file - exposing each logical layer to a rich set of detection capabilities and producing an immediately actionable label - driven by severity and confidence - which we call the IQScore. This score tells you exactly which files are definitively bad, which are risky, which are benign, and which may contain sensitive information. Best of all, the system architecture performs this deep-dive work in about three seconds per file, and it is the essence of how we collapse the detection burden for both man and machine. When we say across-files, we mean considering files as a haystack - not just individual straws. And this scale applies not only to files encountered in real-time, but also files that have already passed through inspection points. Consider that we will learn something today through threat intelligence that we did not know yesterday. How do you take that fresh knowledge and re-examine files from the past for possible malware presence? InQuest RetroHunting gives you that automated lookback power - which saves untold amounts of time, energy, and frustration for already exhausted analysts.

Third, FDR is designed with security ROI at large in mind. Not only does it stop file-borne breaches and incidents and automate threat hunting with real-time intelligence. It also appeals to a key pain point for security leadership - easily integrating with other security products across prevention, analysis, and event information systems - and enriching them with highly-curated threat intelligence only made possible by FDR’s Deep File Inspection (DFI). The power of aggregating multiple 3rd party threat intel sources, DFI’s deeper file analysis capabilities, and human intel from InQuest Labs into a single, consistent, trustable score for any file, anywhere, any time - cannot be overstated.
Want to learn more? Check out our FDR overview here. Have cohorts who might like a quick video on the subject, click here or watch below!

file-detection-and-response deep-file-inspection retrohunt

Get The InQuest Insider

Find us on Twitter for frequent updates, follow our Blog for bi-weekly technical write-ups, or subscribe here to receive our monthly newsletter, The InQuest Insider. We curate and provide you with the latest news stories, field notes about innovative malware, novel research / analysis / threat hunting tools, security tips and more.