Beyond the Basic EDR: Securing Production Environments against Zero-Day Threats

Endpoint protection is one of the most talked-about markets in cybersecurity today. As users connect to corporate networks via a growing array of devices, security professionals require tools to understand and respond to attacks in real time, including malware, ransomware and other zero-day threats.

With the growing number of end user devices tied to corporate networks comes a widening pool of vendors attempting to secure these connections. From the largest players to the up-and-comers, technology providers jockey to position themselves as the solution for securing end users’ endpoints. In fact, the 2018 Gartner Magic Quadrant for Endpoint Protection Platforms (EPPs) included more than 20 technology providers (1), only a fraction of all those active in the space.

Through all the commotion surrounding endpoint security, a key point is often lost: today’s endpoint detection and response (EDR) and endpoint protection platforms (EPPs) focus capabilities at the end user level. What’s missing – and desperately needed? The ability to reach deeply into the production environment – the heart of the organization itself – to immediately identify and respond to the zero-day threats targeting the very systems that enable a business to operate and thrive.

Lost in the Noise of Traditional EDR: Requirements for Protecting Hybrid Production Environments

Few would argue the importance of protecting endpoints in the hands of users. At the same time, companies cannot lose sight of the significant financial and business risk posed by zero-day threats targeting hybrid production environments spanning the cloud and the data center.

Zero-day threats and other attacks that hit production environments can bring a business to its knees. These systems house the data required for a business to act in real time: the infrastructure that holds customer data, intellectual property and other critical information that allows a financial institution, media company, manufacturer, online retailer or any other business to deliver goods and services. If a cyberattack pummels a production environment, the financial repercussions will be severe.

On paper, the notion of deploying existing EDR and EPP tools to production infrastructure sounds appealing. After all, these tools – including next-gen products – are billed generically as detecting and responding to zero-day threats in real time. As we pull back the curtain, the requirements of protecting production environments are vastly different from those of securing end user devices. And this is where the “EDR/EPP to secure production infrastructure” story begins to fall apart.

First, EDR and EPPs simply do not meet the requirements of a hybrid production environment. More on this later, but as companies leverage cloud-based, containerized, virtualized and bare metal systems, EDR/EPP capabilities are unable to detect attacks with accuracy across these hybrid environments. Second, when deployed, EDR/EPP cannot scale past a few hundred nodes. And when these solutions are deployed in production, they deliver a performance impact that effectively hinders the ability of production environments to operate as required. Decreasing IT performance is simply no-go territory.

Others make clear the necessity of taking a requirements-first approach to securing end user devices and production environments. In fact, in the same 2018 Magic Quadrant, Gartner advised customers to think differently about protecting servers within a data center, because of the significantly different security considerations resident in protecting VMs, containers and other servers compared to end user endpoint protection.

Linux First: Critical Requirement for Securing Production Infrastructure

To protect the environments that power a business, we must first understand where to prioritize requirements. Here, the reality is clear: Linux is the driving force behind the hybrid infrastructure that drives businesses globally. Across the board, Linux-powered cloud platforms and data center technologies, including virtualized, containerized and bare metal systems, are the core of companies’ production environments.

Consider the following: a September 2017 study by Sumo Logic showed that Linux is by far the leading OS in Amazon Web Services, with 83.4% of the market in 2017. And, a bit further back, a 2014 study by the Linux Foundation reported that 75 percent of enterprises preferred Linux as their cloud platform, and more than 87% of those surveyed added Linux servers that year. (2)

With Linux at the heart of a business, the ability to detect and respond to zero-day attacks in this environment is imperative. In this context, traditional EDR/EPP tools fall far short. Designed primarily to protect Windows, with (at best) limited Linux support, these products lack the most fundamental requirement of production environments.

Beyond Linux: Key Tenets to Securing Production Infrastructure

Whether a business’ production environment leans more heavily towards on-premises or cloud-based systems, or employs a more balanced approach, four pillars must be considered:

  1. Linux support: As discussed above, Linux is the technology of choice for production infrastructure. Whether sitting in a traditional data center or the cloud, Linux support has become a defining consideration for cybersecurity tools. With little Linux support, traditional EDR and EPP tools fail to deliver this basic requirement.
  2. Cloud-native technology support: Technologies such as containers are becoming more pervasive, serving as a complementary solution alongside virtualized environments. Cybersecurity technology must be able to identify and respond to attacks across this infrastructure. These are requirements existing EDR and EPP fail to meet – for example, due to the inability to deliver cross-container visibility.
  3. Architectural scalability: As discussed earlier, production infrastructures are complex, hybrid environments heavily bent towards Linux-based systems. Threat detection and response is quite different in this environment, where network traffic may spike dramatically when traditional EDR or EPP solutions are deployed. If existing tools will not scale to production levels, they will not meet the cybersecurity needs of the organization.
  4. Performance impact: Production environments must perform as designed; heavyweight tools that slow the system have the potential to harm the business. EDR and EPP deliver just this hit to production infrastructure, throwing the security/performance balance far off.

Requirements-First Approach to Driving Cybersecurity

It is clear that businesses must develop strategies to protect against zero-day threats more comprehensively, from the endpoints in the hands of users to the infrastructure supporting production environments. Achieving this, though, requires a fresh point of view, given the very different requirements for protecting this range of systems.

In short, companies must be able to detect and respond to cyber threats, including zero-day attacks, within production environments. However, EDR and EPP are both unable to deliver as promised across production environments and, when deployed, seriously impede system performance. As companies move forward with more advanced cybersecurity strategies, taking a requirements-first approach is what will help ensure the right decisions are made, and the right protections are put in place.

Request a demo today and see zero-day attack detection in action.