Why traditional EDR falls short on protecting mobile devices


When it comes to endpoint detection and response, most enterprises think of desktop agents that monitor and quarantine endpoint activity. Because mobile devices constantly shift between Wi-Fi, cellular data, and other networks, they are tricky to monitor and protect. If malware or a virus attacks a mobile device, or any other wireless device used within the organization, while it isn’t connected to the same network as a desktop computer, the risk becomes undetectable.

Having visibility into all endpoints is essential to any effective endpoint security strategy. If a device can’t be seen, you can’t protect it. And while numerous EDR vendors claim to offer the answers businesses need in this sphere, most of them fall short of their promises. Traditional EDR solutions often prove ineffective in protecting mobile devices due to the various limitations inherent in their solution architectures. 

In this article, we will discuss why traditional EDR fails to protect mobile devices and how to fix it.

How Traditional Endpoint Detection and Response Works

Traditional EDR solutions, built on the agent model, deploy a client application on each endpoint device such as a laptop, server, or mobile device. The agent continuously scans the device for malicious activity, sending the collected data to a central server via an outbound connection. If the agent doesn’t find any suspicious activity on a device, it sends a “no alarm” report to the server. The server then compares the “no alarm” reports from each device with its own “alarm” reports, looking for similarities between them. If the server finds an alarm report that matches a “no alarm” report from a device, it concludes that the device is infected and proceeds to quarantine it. This is how traditional solutions detect malicious behavior and respond to it.

 

Limitations in EDR Solutions Architecture

The agent model architecture has inherent limitations that cause significant problems in detecting malicious mobile device activity. Let’s take a look at a few: 

 

  • Traditional EDR solutions require that all devices in the network be connected to a central server. When a mobile device is not connected to the same network as a laptop or desktop computer, it cannot be detected or quarantined by the solution. This problem becomes apparent in environments where employees shift between networks, such as between office and home networks. In such environments, a user may connect their mobile device to a home network that the EDR solution cannot access. If malware is present on the mobile device, it will not be detected and will therefore be able to replicate and spread within the organization.
  • Network-based detection relies on IP address, port number, and protocol information to locate devices on the network. This is problematic since mobile devices often switch between networks depending on their location, making it difficult to track them. An agent on a mobile device might be utilizing a cellular connection, which would appear as a different IP address than the IP address used by the Wi-Fi connection to the company’s network. In this case, the EDR solution would see two different devices, making it unable to detect the mobile device’s malicious behavior.
  • Traditional EDR solutions rely on the assumption that an operating system (OS) will behave in a certain way. This reliance on OS behaviors makes the solution unable to detect malicious behavior that does not follow OS norms. If a device contains OS code that does not follow OS behavior, the solution would be unable to detect it.

Lack of Visibility into OS Behavior

Traditional EDR solutions are designed to detect malicious code on a device. If a device is already infected with malware, the solution would be able to detect it. If a device is not infected, the solution would not detect it. If a device contains malicious code that does not replicate and infect that device, the traditional EDR solution would be unable to detect the malicious code. This becomes a major concern in light of the rise of malicious code that does not replicate itself but is designed to steal information, disrupt operations, and cause damage.

Limitation of Network Assumptions

Network-based detection relies on assumptions that may not always be true. These assumptions include the following: 

  • The device is connected to the network. 
  • The device has an IP address that the security solution can access. 
  • The device is using the ports and protocols discovered by the security solution.
  • The OS running on the device is one that the security solution has been programmed to identify.

Network-Based Detection Limitations

If the device is offline, the security solution would still assume that it is online, since that is the assumption network-based detection relies on. Because of this reliance on network assumptions, network-based detection is unable to detect mobile devices that have shifted from a wireless network to a disconnected state. The solution assumes that the device is online when in fact it is offline and cannot be detected. This creates a blind spot in the organization’s ability to detect malicious device activity.
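
The two blind spots described above, a roaming phone counted as separate devices by IP address and a silent device treated as online, can be checked for in agent check-in data. The following Python example is added here and is not from the original article or any vendor's product; the record format, device IDs, IP addresses and the 24-hour silence threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent check-ins (device_id, source_ip, timestamp); not real telemetry.
CHECKINS = [
    ("phone-01", "10.20.0.15", "2024-05-01T09:00:00"),   # office Wi-Fi
    ("phone-01", "100.64.7.22", "2024-05-01T12:30:00"),  # same phone on cellular
    ("laptop-07", "10.20.0.31", "2024-05-01T12:45:00"),
    ("phone-02", "10.20.0.16", "2024-04-29T08:10:00"),   # silent since then
]

def inventory_by_ip(checkins):
    """Naive view: every distinct source IP is counted as a separate endpoint."""
    return {ip for _, ip, _ in checkins}

def inventory_by_device(checkins):
    """Key on the agent's stable device ID; keep every IP seen and the last check-in."""
    devices = defaultdict(lambda: {"ips": set(), "last_seen": datetime.min})
    for device_id, ip, ts in checkins:
        record = devices[device_id]
        record["ips"].add(ip)
        record["last_seen"] = max(record["last_seen"], datetime.fromisoformat(ts))
    return dict(devices)

def roamed_devices(devices):
    """Devices that reported from more than one IP (network switch, not a new device)."""
    return sorted(d for d, rec in devices.items() if len(rec["ips"]) > 1)

def stale_devices(devices, now, max_silence=timedelta(hours=24)):
    """Devices silent longer than the window: their state is unknown, not clean."""
    return sorted(d for d, rec in devices.items() if now - rec["last_seen"] > max_silence)

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-01T13:00:00")  # constructed reference time
    devices = inventory_by_device(CHECKINS)
    print("endpoints counted by IP:       ", len(inventory_by_ip(CHECKINS)))
    print("endpoints counted by device ID:", len(devices))
    print("roamed between networks:       ", roamed_devices(devices))
    print("no check-in within 24h:        ", stale_devices(devices, now))
```
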

Limitations in Real-Time Detection

Real-time detection relies on the operating system running on a device to create alerts that would trigger a malicious behavior detection alert on the server. This would mean that if the OS running on a device does not produce the alerts that the solution is programmed to look for, the malicious behavior would not be detected. For example, some OSs do not generate alerts when file system changes occur, which is something that the traditional EDR solution would rely on to detect malicious device activity. The malicious code that triggered the WannaCry ransomware attack in May 2017 was able to infect devices running on the Windows operating system since they did not send alerts when the malicious code made changes to the file system. Real-time detection relies on the operating system to generate alerts when malicious code is present. If the OS does not generate alerts, the malicious code would go undetected.

 

Fixing the Problem: How to Protect Mobile Devices with EDR

Traditional EDR solutions built on the agent model assume that the device being monitored is online and connected to the network. This renders the solution ineffective and unable to protect mobile devices that have shifted from a network to a disconnected state. The agent model architecture has inherent limitations that cause significant problems in detecting malicious mobile device activity. In order to protect mobile devices with EDR, we must find a solution that does not rely on the agent model architecture.

 

Conclusion

Using traditional EDR has become the go-to method for protecting computers from malware attacks in real time. However, we now understand that this model has limitations that cause significant problems in detecting malicious mobile device activity. Does it mean you can’t protect all of your endpoints with one EDR? Yes and no. Organizations must change their approach and start testing solutions that don’t rely on the agent model and have OS-specific security modules built in. Contact Kaymera if you want to learn more about the matter.


