Differentiation
FDR is designed specifically for detecting and responding to file-borne breaches and incidents. It is fundamentally different from other detection and response solutions such as EDR, NDR and XDR; a quick review of its core technologies and feature set above highlights numerous points of differentiation relative to those adjacent approaches.
InQuest does not see FDR as a replacement for EDR, NDR or XDR; most of our customers have one or more of those solutions actively deployed. Equally, EDR, NDR and XDR are not replacements for FDR. Combining them into a stronger detection and response set is what most effectively safeguards organizations from business-impacting breaches and incidents.
Given that FDR is a newer detection and response entrant, the following comparison points will help readers quickly understand the differences.
Endpoint Detection and Response (EDR)
EDR Overview
- Finds and investigates threats on endpoint devices
- Typically provides detection, analysis, investigation and response capabilities
- Agent-based deployment across laptops, desktop PCs, mobile devices, servers, and IoT/cloud workloads
- Typically includes endpoint protection / antivirus capabilities
- Can restore damaged files and registry settings if ransomware encrypts endpoint data
- Can coordinate response (script execution, direct access to endpoints, host restore, and search / destroy) across enforcement points
EDR Challenges
- Point-product design
  - Does not offer integrations with other tools and data sources for full visibility
  - Cannot provide holistic protection
- Not equipped to perform the in-depth file analysis required to unravel 'Russian nesting doll' malware (payloads embedded in successive layers of file structure) in any time frame, let alone at speed
  - Fast malware can infect in less than a second after executing on the endpoint
  - Ransomware can begin to encrypt systems before it is detected and blocked
  - Malware may have left droppers / artifacts behind that are missed in remediation
  - By the time malware has reached one endpoint, it is highly likely to have infected multiple endpoints, making it more difficult and costly to root out
- Agent sprawl: the average endpoint has as many as seven agents installed for remote management, adding to management complexity
- Expensive: the average enterprise manages approximately 135,000 endpoint devices and already spends $4,252,500 of annual budget on endpoint protection
- Lack of coverage: 48% of all endpoints are at risk because they are no longer visible to the organization's IT department, or their operating systems have become outdated
- Difficult to keep current: OS versions, application versions, patches and security updates, and network settings / connectivity issues all combine to make endpoint security extremely difficult to manage
How FDR is Different
- Focused on files - the root of most modern end-user security issues
- Efficacy - designed specifically to unravel cleverly embedded malware in multiple layers of file structure - at speed
- Easy and fast to deploy - agentless
- Roots out file-based attacks
- Significantly eases the workload of SOC analysts and threat hunters
- Improves overall SOC ROI by sharing rich threat intel to other security solutions
Network Detection and Response (NDR)
NDR Overview
- Designed to identify and stop evasive network threats not easily blocked using known attack patterns or signatures
- Primarily uses machine learning and behavioral analytics to monitor network traffic (raw traffic and/or flow records) and ultimately develop activity baseline - which is then used to identify suspicious traffic that could be command and control, lateral movement, exfiltration, or malware
- Also referred to as network traffic analysis (NTA)
NDR Challenges
- Incomplete corpus
  - Typically analyzes network behavior metadata (network logs and flow records)
  - Does not inspect packet payloads or the files they carry
- Expensive: siloed cybersecurity tools are costly to deploy and maintain
- Cumbersome for intense SOC work: forces security analysts to switch between security solution consoles to develop context
How FDR is Different
- FDR includes network traffic analysis, but goes far deeper into end-user security issues with Deep File Inspection and RetroHunting
- Designed with the SOC analyst and threat hunter in mind - intensely focused on contextual analysis and workload automation
- Peers deeply into every layer of files (meta, code, semantics) for all files in motion, at rest and in use - across email, web, and network transmission
Extended Detection and Response (XDR)
XDR Overview
- Aims to increase visibility and productivity relative to independent security tools, ultimately simplifying investigations and reducing the time required to identify, verify, and respond to attacks
- Applies machine learning across multiple data sources - including network analysis and visibility, email security, identity and access management, and cloud security - in an attempt to more effectively identify cyber threats
XDR Challenges
- Implementation can take a substantial amount of time
- Requires integrations with existing SOC technologies for data collection
- Data sources must be tuned or they produce heavy false-positive volumes, requiring significant security operations effort to achieve fidelity
How FDR is Different
- FDR also leverages machine learning, but as an input to DFI and InQuest Labs - which outputs high-fidelity threat intel significantly faster
- Designed from the ground up with the SOC analyst and threat hunter in mind - intensely focused on contextual analysis and workload automation
- Peers deeply into every layer of files (meta, code, semantics) for all files in motion, at rest and in use - across email, web, and network transmission - to find accurate evidence of 0-day and N-day malware, ransomware, exploits, phishing lures, scams, fraud and data loss violations
- Able to be put to use immediately - no data set training period or laborious integration effort required
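The 'Russian nesting doll' problem raised under EDR Challenges, and the layer-by-layer file inspection claimed for FDR in the NDR and XDR comparisons above, come down to one mechanic: identify each container, extract its members, scan every layer, and recurse, while bounding depth and inflation so a crafted file cannot exhaust the analyzer. The Python below is an added illustration written for this page. It is not InQuest's Deep File Inspection code and makes no claim about how the product is implemented; the signature pattern, the depth and size limits, and the three-layer sample file (zip, then gzip, then zip, then a script) are all constructed here.

```python
"""Recursive container unpacking: identify each layer, hash and scan it, descend into
its members, and stop safely on runaway depth or inflation. Added example, not InQuest code."""
import gzip
import hashlib
import io
import zipfile
import zlib
from dataclasses import dataclass, field

MAX_DEPTH = 8               # bound recursion on pathological nesting (assumed limit)
MAX_CHILD_BYTES = 16 << 20  # cap what any one member may inflate to (zip-bomb guard, assumed)

# Constructed pattern standing in for a real signature set.
SIGNATURES = [b"powershell -enc"]


@dataclass
class Layer:
    path: str
    depth: int
    kind: str
    sha256: str
    size: int
    hits: list = field(default_factory=list)
    children: list = field(default_factory=list)
    error: str = ""


def identify(data: bytes) -> str:
    """Magic-byte classification; a real engine parses far deeper than this."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    return "blob"


def extract_children(kind: str, data: bytes):
    """Yield (name, bytes) per member, reading at most MAX_CHILD_BYTES + 1 so a lying
    header cannot force unbounded inflation. pdf/ole/blob are leaves in this sketch."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    out = fh.read(MAX_CHILD_BYTES + 1)
                if len(out) > MAX_CHILD_BYTES:
                    raise ValueError(f"{info.filename} inflates past limit")
                yield info.filename, out
    elif kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            out = gz.read(MAX_CHILD_BYTES + 1)
        if len(out) > MAX_CHILD_BYTES:
            raise ValueError("gzip member inflates past limit")
        yield "gunzipped", out


def unpack(data: bytes, path: str = "root", depth: int = 0) -> Layer:
    """Build the layer tree; decode failures are recorded on the layer, not raised."""
    kind = identify(data)
    layer = Layer(path, depth, kind, hashlib.sha256(data).hexdigest(), len(data))
    layer.hits = [s.decode() for s in SIGNATURES if s in data]
    if depth >= MAX_DEPTH:
        layer.error = "max depth reached; not descending"
        return layer
    try:
        for name, child in extract_children(kind, data):
            layer.children.append(unpack(child, f"{path}/{name}", depth + 1))
    except (zipfile.BadZipFile, OSError, EOFError, ValueError, RuntimeError, zlib.error) as exc:
        layer.error = f"{type(exc).__name__}: {exc}"
    return layer


def walk(layer: Layer):
    """Depth-first flatten of the tree."""
    yield layer
    for child in layer.children:
        yield from walk(child)


def deep_hits(data: bytes) -> list:
    """(path, depth, signature) for every hit at any layer."""
    return [(l.path, l.depth, h) for l in walk(unpack(data)) for h in l.hits]


def flat_hits(data: bytes) -> list:
    """What a scanner that only looks at the outer bytes reports."""
    return [s.decode() for s in SIGNATURES if s in data]


def build_sample() -> bytes:
    """Constructed sample: zip -> gzip -> zip -> batch script (depth 3)."""
    script = b"cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\r\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.bat", script)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Quarterly invoice attached.\n")
        zf.writestr("invoice.pdf.gz", gzip.compress(inner.getvalue()))
    return outer.getvalue()
```

Running `flat_hits(build_sample())` returns nothing, because the script sits under two layers of deflate and its bytes never appear literally in the outer file; `deep_hits` reports the same pattern at depth 3 with the path to the member that carries it. The same walk stops descending at MAX_DEPTH and refuses any member that inflates past MAX_CHILD_BYTES, recording the reason on the layer instead of crashing, which are the two failure modes any unpacker fed attacker-supplied files has to handle.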