Endpoint Detection and Response systems (EDRs) promise to protect the endpoints of your IT systems against malware, ransomware, and other types of malicious code. As a result, companies of all sizes have rushed to add EDRs to their security efforts (as evidenced by the EDR industry’s growth rate).
However, even companies with EDRs still experience ransomware attacks. In fact, over the same period in which EDRs have become more popular, not only has the number of malware attacks companies experience grown year over year, but, according to IBM's "Cost of a Data Breach Report 2021", the average time to identify and contain a breach has risen to a whopping 287 days.
That raises the question: how is this possible if more companies are adopting EDRs and XDRs?
The short answer is that it’s a result of the way EDRs and XDRs work. Below, we break down why EDRs aren’t equipped to prevent 100% of malware and ransomware attacks (by design) and why companies should focus on prevention rather than detection to ensure they’re fully protected.
Why EDRs and XDRs Can’t Prevent Unknown Malware & Ransomware Attacks
Most EDRs today work similar to your immune system when your body is infected with a virus. When they detect malicious behavior, they develop the software equivalent of antibodies (a response) in order to prevent the attack from causing further damage.
This stops a lot of the damage that malware and ransomware could inflict on your organization. But because an EDR has to observe malicious behavior before it can respond, the code has already executed on the endpoint by the time the response begins; the EDR limits the damage rather than preventing it entirely.
This is true no matter how sophisticated your EDR or XDR is. Even XDRs that use AI and other cutting-edge technologies to detect malicious code still need the attack to be under way before a response can be generated.
To Prevent Malware Attacks, Use Malware’s Strengths Against it
To stop malware from affecting your IT systems altogether, you can’t wait for it to reveal itself before you take action — you have to prevent it from executing an attack in the first place. And the best way to do so is to use malware’s strengths and tendencies against it so that it never executes in the first place.
For example, fileless malware abuses software that is already on the host (a scripting engine, a system utility, a vulnerable application) to gain execution and keeps its payload in memory (RAM) rather than in a file on your hard drive. With no file to scan, it is extremely difficult for an EDR to detect and stop.
However, you can turn that strength against it with a rule that only allows code backed by a file on disk to execute: code that exists only in memory is blocked before it ever runs.
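The Linux analog of that "code must come from disk" rule, written as an added example for this article (it is not Minerva's code or a description of its implementation): every executable region in a process is read from `/proc/<pid>/maps`, and any region with no backing file, a deleted backing file, or a RAM-only `memfd` file is flagged. The sample `maps` text below is constructed for the example; `scan_self()` runs the same check against the live process on a real Linux host.

```python
"""Flag executable memory that is not backed by a file on disk.

Added example (not Minerva's code): the Linux analog of the "code runs
from disk" rule, implemented over the /proc/<pid>/maps format.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# One /proc/<pid>/maps line looks like:
#   start-end          perms offset   dev   inode   pathname
#   7f3a4c200000-7f3a4c222000 r-xp 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libc.so.6
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str


def parse_maps(text: str) -> list[Region]:
    """Parse maps text; malformed or blank lines are skipped, not fatal."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], int(m["inode"]), m["path"].strip()))
    return regions


def is_file_backed(r: Region) -> bool:
    """True only when the mapping comes from a real, still-present file on disk."""
    if r.inode == 0:                      # anonymous: heap, stack, mmap(MAP_ANONYMOUS), JIT pages
        return False
    if r.path.endswith("(deleted)"):      # file unlinked after mapping: drop-run-delete
        return False
    if r.path.startswith("/memfd:"):      # memfd_create(): RAM-only file that never touches disk
        return False
    return r.path.startswith("/")


def unbacked_executable(regions: Iterable[Region]) -> list[Region]:
    """Executable regions that violate the rule.

    [vdso] and [vsyscall] are provided by the kernel and are expected, so
    they are allow-listed rather than flagged.
    """
    return [r for r in regions
            if "x" in r.perms
            and not is_file_backed(r)
            and r.path not in ("[vdso]", "[vsyscall]")]


def scan_self() -> list[Region]:
    """Run the check against the current process (Linux only)."""
    with open("/proc/self/maps") as f:
        return unbacked_executable(parse_maps(f.read()))


# Constructed sample: one legitimate binary and libc, plus three violations
# (anonymous RWX page, memfd-backed payload, unlinked loader on disk).
SAMPLE_MAPS = """\
55d0c6a00000-55d0c6a01000 r-xp 00000000 08:01 1048601 /usr/bin/agent
7f3a4c200000-7f3a4c222000 r-xp 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a4c400000-7f3a4c410000 rwxp 00000000 00:00 0
7f3a4c600000-7f3a4c601000 r-xp 00000000 00:05 98765 /memfd:payload (deleted)
7f3a4c800000-7f3a4c802000 r-xp 00000000 08:01 2222222 /tmp/.x/loader (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
7ffd1a0f0000-7ffd1a0f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for r in unbacked_executable(parse_maps(SAMPLE_MAPS)):
        print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.path or '<anonymous>'}")
```

Running the scan against the sample flags exactly the three in-memory regions and leaves the on-disk binary, libc and the stack alone. A prevention product enforces the same rule at the moment a page is made executable or a thread starts in it, rather than by polling `maps`, but the classification of what counts as "from disk" is the same.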
The evasive tactics malware uses to avoid being detected can also be used to prevent an attack in a similar fashion.
For example, a piece of malicious code that wants to avoid running inside a sandbox (where it would be detected and analyzed) will often query the OS to check whether it is in a virtual machine (VM) or what the screen resolution is. To create an environment in which it chooses not to execute for fear of detection, you can answer those queries with "yes, you're in a VM" or "the display is 800×600" (a typical sandbox resolution) even though neither is actually true.
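The decision logic on both sides of that trick, as an added example for this article (not Minerva's code, and not a description of its patented method): the malware side tallies environment answers that look like an analysis box and aborts once enough of them trip; the defender side hands the sample decoy answers for the probes it is known to make. The probe names, the indicator list and the abort threshold are assumptions chosen to mirror checks commonly seen in evasive samples, and the "real workstation" values are constructed.

```python
"""Turn malware's sandbox-evasion checks against it.

Added example (not Minerva's code). Probe names, indicators, threshold and
the host values are assumptions for illustration; real families differ.
"""
from typing import Mapping

KNOWN_HYPERVISORS = ("vmware", "virtualbox", "qemu", "xen", "kvm", "hyper-v")
SANDBOX_RESOLUTIONS = {(800, 600), (1024, 768)}   # small displays typical of analysis VMs


def sandbox_indicators(env: Mapping[str, object]) -> list[str]:
    """Malware-side logic: every probe answer that suggests an analysis environment."""
    hits = []
    if env.get("in_vm"):                                    # e.g. CPUID hypervisor-present bit
        hits.append("hypervisor bit set")
    vendor = str(env.get("sys_vendor", "")).lower()        # e.g. DMI / WMI manufacturer string
    if any(h in vendor for h in KNOWN_HYPERVISORS):
        hits.append(f"vendor string {vendor!r}")
    if tuple(env.get("resolution", (0, 0))) in SANDBOX_RESOLUTIONS:
        hits.append("sandbox-sized display")
    if int(env.get("cpu_count", 0)) < 2:
        hits.append("single vCPU")
    if int(env.get("ram_mb", 0)) < 2048:
        hits.append("less than 2 GB RAM")
    if int(env.get("uptime_s", 0)) < 600:
        hits.append("machine only just booted")
    return hits


def malware_would_detonate(env: Mapping[str, object], threshold: int = 2) -> bool:
    """Typical evasive behaviour: run only if fewer than `threshold` indicators trip."""
    return len(sandbox_indicators(env)) < threshold


# Defender side: the answers the endpoint returns for the probes malware is
# known to make. Only the *answers* change; the host itself is untouched.
DECOY_ANSWERS = {
    "in_vm": True,
    "sys_vendor": "VMware, Inc.",
    "resolution": (800, 600),
}


def deceptive_environment(real_env: Mapping[str, object],
                          decoys: Mapping[str, object] = DECOY_ANSWERS) -> dict:
    """What the malware observes once the endpoint spoofs its environment queries."""
    view = dict(real_env)
    view.update(decoys)
    return view


# Constructed values for an ordinary corporate workstation (no real host was read).
REAL_WORKSTATION = {
    "in_vm": False, "sys_vendor": "Dell Inc.", "resolution": (2560, 1440),
    "cpu_count": 8, "ram_mb": 32768, "uptime_s": 5 * 86400,
}

if __name__ == "__main__":
    print("truthful answers -> detonates:", malware_would_detonate(REAL_WORKSTATION))
    seen = deceptive_environment(REAL_WORKSTATION)
    print("decoy answers   -> detonates:", malware_would_detonate(seen), sandbox_indicators(seen))
```

With truthful answers the workstation trips no indicator and the sample runs; with the three decoy answers it trips three and bails out, even though the CPU, RAM and uptime probes still report the real machine. Delivering the decoys in practice means intercepting the specific calls the sample makes (the CPUID instruction, the display-metrics and hardware-inventory APIs), which is product-specific and not something this example implements.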
Why We Created Minerva
Since EDRs are reactive rather than proactive, they don't let you stop malware from attacking your systems and stealing your data with the methods described above. So we created Minerva to provide companies with a ransomware protection platform that stops ransomware attacks before they occur rather than once they've begun.
In fact, using the tactics above (and other patented methods), Minerva stops malware attacks without needing to identify what kind of threat it might be. As a result, it eliminates the potential for your data to be stolen or held for ransom altogether.