EDR for Linux: Detection and Response in Linux Environments

February 5, 2020

The 3 pillars every solution needs to protect critical Linux production environments

Despite the steady ascent of Linux to the top of the production stack, security has often been an afterthought. That’s right—the OS that runs 54% of public cloud applications and 68% of servers has been getting short shrift when it comes to security. 

There are options out there, but they’re mainly traditional endpoint detection and response (EDR) and endpoint protection platform (EPP) systems. On paper, the notion of deploying traditional EDR and EPP tools to production infrastructure sounds appealing. After all, the companies that market these tools—including next-gen products—herald them as detecting and responding to attacks in real-time. But, what they don’t share is that the requirements for protecting production environments are vastly different than those of securing end-user devices. 

And, of course, they were originally engineered for Windows desktops.

Linux is all about performance, and security tools like legacy Windows EDR agents usually don't care about it. In a production environment that requires near 100% uptime under the stress of production loads, those old-style approaches just don't work.

So, what’s the right solution? What should you focus on to evaluate your options?

To start, it makes sense to think about the different security considerations resident in protecting VMs, containers, and bare-metal servers compared to end-user endpoint protection. In short, companies must be able to detect and respond to unwanted activity, including developers debugging in production, cryptominers, or attacks leveraging zero day vulnerabilities, within production environments. Traditional EDR and EPP systems can’t deliver as promised across production environments and, when deployed, seriously impede system performance. So, as companies move forward with more advanced cybersecurity strategies, taking a requirements-first approach will help ensure you make the right decisions and put the right protections in place. Regardless of whether a production environment leans toward on-premises or cloud-based systems, or relies on a mix of both, there are a few pillars every business must consider:

Linux support: 

Because Linux is the technology of choice for production infrastructure, endpoint protection must be built specifically with Linux in mind—from what kernel-level data is most important to collect to how to architect a solution for minimal performance disruption. A resource limiter that enforces hard limits (such as no more than 5%) to systems on CPU, disk and memory, with an intelligent load-shedding strategy, is important. Whether sitting in a traditional data center or the cloud, Linux support should be a defining consideration for cybersecurity tools. With scant Linux support, traditional EDR and EPP tools fail to deliver on this basic requirement.
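One way to make the "hard limit plus intelligent load-shedding strategy" concrete is shown below. This is an added illustration, not Capsule8's or any vendor's code: a sensor pipeline is given a fixed budget of events per interval, drops the lowest-priority kinds first when the budget runs out, and counts every drop so the resulting coverage gap is visible to responders rather than silent. The event kinds, their priorities, the budget and the sample burst are all constructed for the example; in production the hard CPU ceiling itself would be enforced by the kernel (cgroup v2 cpu.max or systemd's CPUQuota=), and a shedder like this decides what to skip when that ceiling is reached.

```python
"""Priority-aware load shedding for a host sensor's event pipeline.

Added illustration, not vendor code. Models a fixed per-interval event
budget with lowest-priority-first shedding and explicit accounting of what
was dropped. Priorities, budget and sample events are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
import heapq

# Lower number = more important. Chosen for this example; a real sensor
# would derive priority from which detection rules consume each event kind.
PRIORITY = {
    "exec": 0,       # process execution: core signal for most detections
    "connect": 1,    # outbound network connections
    "file_open": 2,  # file access: high volume, lower per-event value
    "stat": 3,       # metadata-only noise, first to go under load
}


@dataclass(order=True)
class Event:
    priority: int
    seq: int                            # arrival order, breaks ties
    kind: str = field(compare=False)
    detail: str = field(compare=False)


class LoadShedder:
    """Admits at most `budget` events per interval, shedding by priority."""

    def __init__(self, budget: int):
        self.budget = budget
        self.shed_counts = Counter()    # event kind -> dropped so far

    def process_interval(self, events):
        """Return the events to analyse this interval, in arrival order."""
        heap = list(events)
        heapq.heapify(heap)             # min-heap keyed on (priority, seq)
        kept = [heapq.heappop(heap) for _ in range(min(self.budget, len(heap)))]
        for dropped in heap:            # whatever remains exceeded the budget
            self.shed_counts[dropped.kind] += 1
        kept.sort(key=lambda e: e.seq)  # consumers expect arrival order
        return kept

    def coverage_gap(self):
        """What was shed, suitable for an 'events dropped' telemetry record."""
        return dict(self.shed_counts)


def make_event(seq, kind, detail):
    return Event(PRIORITY[kind], seq, kind, detail)


# Constructed burst: a noisy host produces more events than the budget allows.
SAMPLE_BURST = [
    make_event(0, "stat", "/etc/passwd"),
    make_event(1, "file_open", "/var/log/app.log"),
    make_event(2, "exec", "/usr/bin/curl"),
    make_event(3, "connect", "203.0.113.7:443"),
    make_event(4, "file_open", "/var/log/app.log"),
    make_event(5, "exec", "/bin/sh"),
    make_event(6, "stat", "/etc/hostname"),
    make_event(7, "connect", "198.51.100.9:80"),
    make_event(8, "file_open", "/tmp/cache"),
    make_event(9, "exec", "/usr/bin/python3"),
]


def run_demo(budget=4):
    """Process the sample burst; returns (kept kinds in order, shed counts)."""
    shedder = LoadShedder(budget)
    kept = shedder.process_interval(SAMPLE_BURST)
    return [e.kind for e in kept], shedder.coverage_gap()


if __name__ == "__main__":
    kept, gap = run_demo()
    print("analysed:", kept)
    print("shed:", gap)
```

With a budget of four, the three exec events and the earliest connect survive while file and stat noise is shed; the shed counts are the part a defender should insist on, because a limiter that drops silently turns a performance safeguard into a blind spot.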

Architectural scalability: 

Production infrastructures are complex, hybrid environments that skew heavily toward Linux-based systems. Threat detection and response is different in this environment and traditional EDR or EPP solutions, with their centralized analysis approach, may spike network traffic dramatically when deployed. If existing tools can’t scale to production levels without putting stability at risk, they won’t meet the cybersecurity needs of the organization.

Cloud-native expertise: 

Securing Linux production systems must include protecting all components within them, not just offering high-level detection that doesn’t consider system context. In particular, companies need container-aware detection not only to catch unwanted activity, but to prevent excess false positives from firing due to the differences in how container hosts and bare-metal servers operate. Traditional EDR solutions tend to port their Windows-based detections to Linux with insufficient modification, or rely on noisy machine learning-based detection that is easily confused by legitimate activity (like a configuration management tool running a file). 
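The false-positive problem described here can be shown with one rule evaluated two ways. The following is an added illustration, not Capsule8's or any vendor's code: a host-style "shell spawned by an unexpected parent" rule, and the same rule after it is given container context recovered from the new process's cgroup path plus an allowlist for configuration-management agents. The cgroup pattern, runtime and agent names, and all sample events are constructed for this example and would need adapting to a given distribution and container runtime.

```python
"""Container-aware exec detection: one host-style rule, two interpretations.

Added illustration, not vendor code. Event fields, cgroup layouts, runtime
and configuration-management names, and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Matches docker and kubelet cgroup layouts where the last path element is the
# container ID (assumption for this example; cgroup v1/v2 layouts vary).
CONTAINER_CGROUP = re.compile(r"/(?:docker|kubepods)\S*?/([0-9a-f]{12,64})$")

# Binaries that legitimately launch a container's first process.
CONTAINER_RUNTIMES = {"containerd-shim-runc-v2", "containerd-shim", "runc", "docker-init"}
# Configuration management agents that legitimately run scripts on hosts.
CONFIG_MGMT = {"puppet", "chef-client", "ansible-playbook", "salt-minion"}
SHELLS = {"sh", "bash", "dash"}
INTERACTIVE_PARENTS = SHELLS | {"sshd", "login", "systemd", "cron"}


@dataclass
class ExecEvent:
    pid: int
    comm: str         # basename of the executed binary
    parent_comm: str  # basename of the parent's binary
    cgroup: str       # cgroup path of the new process


def container_id(ev):
    """Container ID if the process runs inside a container, else None."""
    m = CONTAINER_CGROUP.search(ev.cgroup)
    return m.group(1) if m else None


def naive_shell_rule(ev):
    """Ported host rule: a shell spawned by anything unexpected is suspicious."""
    return ev.comm in SHELLS and ev.parent_comm not in INTERACTIVE_PARENTS


def container_aware_shell_rule(ev):
    """Same intent, but reads the event in the context of where it happened."""
    if ev.comm not in SHELLS:
        return False
    if ev.parent_comm in CONFIG_MGMT:
        return False            # an allowlisted management agent running a script
    in_container = container_id(ev) is not None
    if in_container and ev.parent_comm in CONTAINER_RUNTIMES:
        return False            # the runtime starting the container's entrypoint
    if in_container:
        return True             # a shell from an app process already in a container
    return naive_shell_rule(ev)


CID = "9c3b1e7d" * 8   # constructed 64-hex container ID

SAMPLE_EVENTS = [
    # runtime launches a container whose entrypoint is a shell script
    ExecEvent(4101, "sh", "containerd-shim-runc-v2", f"/kubepods/burstable/pod7f2e/{CID}"),
    # web server inside a container spawns a shell: the alert worth keeping
    ExecEvent(4177, "sh", "nginx", f"/docker/{CID}"),
    # configuration management running a script on the host
    ExecEvent(2903, "sh", "puppet", "/system.slice/puppet.service"),
    # administrator's login shell on the host
    ExecEvent(3120, "bash", "sshd", "/user.slice/user-1000.slice"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (pid, naive verdict, container-aware verdict) per event."""
    return [(ev.pid, naive_shell_rule(ev), container_aware_shell_rule(ev)) for ev in events]


if __name__ == "__main__":
    for pid, naive, aware in evaluate():
        print(f"pid {pid}: naive={naive} container_aware={aware}")
```

On the constructed sample the ported rule fires three times and the context-aware rule once, on the same event a responder would actually want: the first is the runtime starting an entrypoint, the third is a management agent doing its job, and both look identical to the application-spawned shell unless the detection knows what kind of host and parent it is looking at.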

Of course, after you take a look at these three pillars, you’re still faced with evaluating the tools themselves. If it’s helpful, we recently created a Quick Read, “EDR for Linux Production Systems”, to help you evaluate Linux host security tools. It covers: 

  • What you need to protect critical Linux production environments
  • The drawbacks of existing Linux security tools, including lack of detection for Linux environments and containers, inability to scale with the cloud, lack of attack context, and lack of resources
  • How to evaluate Linux security tools using these categories: broad support, Linux support, scale, functionality, and response
  • Why Capsule8 Protect, with production visibility, cloud-native detection, efficient response, DevOps-friendly performance, is a better way to secure Linux infrastructure