When it comes to endpoint detection and response, most enterprises think of desktop agents that monitor endpoint activity and quarantine the hosts that misbehave. Mobile devices are harder to monitor and protect because they constantly move between Wi-Fi, cellular data, and other networks. If malware compromises a phone or another wireless device while it is away from the corporate network, an EDR that only sees devices on that network never learns about it, and the risk goes undetected.
Visibility into every endpoint is the foundation of any endpoint security strategy: a device you cannot see is a device you cannot protect. Numerous EDR vendors claim to cover this gap, but most fall short, because traditional EDR architectures carry limitations that make them ineffective on mobile devices.
In this article, we will discuss why traditional EDR fails to protect mobile devices and how to fix it.
Traditional EDR solutions are built on the agent model: a client application is installed on each endpoint (laptop, server, or mobile device). The agent continuously collects telemetry from the device, such as process launches, file writes, and network connections, and streams it to a central server over an outbound connection. The server applies detection logic to that stream, matching it against known-bad indicators and behavioural rules, and when a rule fires it raises an alert and can instruct the agent to isolate the device from the network. The agent also reports periodically even when nothing suspicious is happening, which is how the server knows the device is still being monitored. This is how traditional solutions detect malicious behaviour and respond to it.
The agent model architecture has inherent limitations that cause significant problems in detecting malicious mobile device activity. Let’s take a look at a few:
Traditional EDR was built to spot malicious code on a device: a binary that matches a known signature, or a program that behaves like classic self-propagating malware by writing copies of itself or modifying system files. If a device already carries such code, the solution can detect it; if the code never does any of those things, it cannot. That is a major concern given the rise of malicious code that does not replicate but is designed to steal information, disrupt operations, and cause damage, for example a legitimate-looking app that quietly reads contacts and uploads them. On mobile the gap is wider still, because the platforms restrict what a third-party agent may inspect: on iOS and on unrooted Android an app cannot read other apps' sandboxes or observe their processes, so a mobile agent sees far less than its desktop counterpart.
Network-based detection relies on an assumption that is not always true: that a monitored device is reachable, so the absence of alerts means the absence of problems. When a mobile device drops off the wireless network, the solution keeps treating it as online and quiet rather than as unobserved. Anything the device does while disconnected, including contacting a command-and-control server over cellular data, produces no telemetry the server ever sees. This creates a blind spot in the organization's ability to detect malicious device activity.
Real-time detection relies on the operating system exposing the events the agent is programmed to look for; the agent forwards them, and the server turns them into alerts. If the OS does not expose a given event, the behaviour it reveals cannot be detected. For example, an agent that cannot subscribe to file-system change events has no way to notice mass encryption of files. WannaCry in May 2017 is a reminder of how this plays out: it spread between unpatched Windows hosts through the SMBv1 flaw fixed by MS17-010 and encrypted files on each one; tools waiting for a known signature had nothing to match, while the mass file writes and lateral SMB connections were visible to anyone collecting that telemetry. Detection is only as good as the events the platform lets the agent observe, and mobile operating systems expose far fewer of them than Windows does.
Traditional agent-based EDR assumes that a monitored device is reachable whenever it matters. That assumption fails for mobile devices that have moved off the network, and it leaves the solution unable to protect them. Together with the visibility limits above, these are inherent weaknesses of the agent model that cause significant problems in detecting malicious mobile device activity. To protect mobile devices with EDR, we need a solution that does not depend on the agent model architecture.
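The following is an added example, not code from Kaymera or from any EDR product, that models the pipeline described above: an agent that collects events and forwards them to a server, server-side rules that raise alerts, and the offline blind spot. The rule names, device ID, package name, host address and timing thresholds are constructed for illustration. It shows the two things a practitioner should want from the server: events observed while the device was disconnected are queued and delivered late rather than lost, and a device that stops reporting is listed as silent instead of being counted as clean.

```python
"""Toy EDR pipeline: agent telemetry, offline buffering, server-side rules and a
'silent device' check. Constructed example; every name and threshold is made up."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    device_id: str
    ts: float        # when the agent observed it
    kind: str        # "process" | "file" | "network"
    detail: dict


def rule_unsigned_install(ev):
    """Flag installation of a package that carries no valid signature."""
    if ev.kind == "process" and ev.detail.get("action") == "install" and not ev.detail.get("signed"):
        return "unsigned package installed: " + ev.detail.get("package", "?")


def rule_large_upload(ev):
    """Flag an unusually large outbound transfer (threshold is an assumption)."""
    if ev.kind == "network" and ev.detail.get("bytes_out", 0) > 1_000_000:
        return "large upload to " + ev.detail.get("dst", "?")


RULES = [rule_unsigned_install, rule_large_upload]


class Server:
    STALE_AFTER = 300.0  # seconds without contact before a device is reported as silent

    def __init__(self):
        self.last_seen = {}   # device_id -> last time we heard from it
        self.alerts = []      # (device_id, event_ts, detected_at, message)

    def heartbeat(self, device_id, now):
        self.last_seen[device_id] = now

    def ingest(self, ev, now):
        self.last_seen[ev.device_id] = max(self.last_seen.get(ev.device_id, 0.0), now)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                self.alerts.append((ev.device_id, ev.ts, now, hit))

    def silent_devices(self, now):
        """Devices not heard from within STALE_AFTER: a blind spot, not a clean bill."""
        return sorted(d for d, t in self.last_seen.items() if now - t > self.STALE_AFTER)


class Agent:
    """Collects events; forwards them when online, queues them while disconnected."""

    def __init__(self, device_id, server):
        self.device_id = device_id
        self.server = server
        self.online = False
        self.queue = deque()

    def observe(self, ts, kind, detail):
        ev = Event(self.device_id, ts, kind, detail)
        if self.online:
            self.server.ingest(ev, now=ts)
        else:
            self.queue.append(ev)   # keep it; deliver on reconnect rather than drop it

    def set_online(self, online, now):
        self.online = online
        if online:
            self.server.heartbeat(self.device_id, now)
            while self.queue:
                self.server.ingest(self.queue.popleft(), now=now)


def simulate():
    """Constructed scenario: a phone sideloads an app, leaves Wi-Fi, uploads data, returns."""
    server = Server()
    agent = Agent("phone-01", server)
    t0 = 1_000_000.0
    agent.set_online(True, t0)
    agent.observe(t0 + 10, "process", {"action": "install", "package": "com.example.flashlight", "signed": False})
    agent.set_online(False, t0 + 60)   # device leaves the corporate Wi-Fi
    agent.observe(t0 + 120, "network", {"dst": "203.0.113.7", "bytes_out": 5_000_000,
                                         "src_app": "com.example.flashlight"})
    silent_before = server.silent_devices(t0 + 400)   # nothing heard since t0+10
    alerts_before = len(server.alerts)
    agent.set_online(True, t0 + 500)   # reconnect: queued event arrives, alert fires late
    last = server.alerts[-1]
    return {
        "silent_before": silent_before,
        "alerts_before": alerts_before,
        "alerts_after": len(server.alerts),
        "lag_s": last[2] - last[1],     # detection delay caused by the offline period
        "silent_after": server.silent_devices(t0 + 500),
    }


if __name__ == "__main__":
    print(simulate())
```

The naive server in the text would report `phone-01` as healthy at `t0 + 400`; this one reports it as silent, and when the device reconnects the upload is still caught, 380 seconds after it happened. That lag is the window in which the data is already gone, which is why the article argues for an approach that does not depend on the agent being able to reach the server.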
Traditional EDR has become the go-to method for protecting computers from malware attacks in real time. However, as we have seen, this model has limitations that cause significant problems in detecting malicious mobile device activity. Does that mean you cannot protect all of your endpoints with one EDR? Yes and no. Organizations must change their approach and start evaluating solutions that do not rely on the agent model and that come with OS-specific security modules built in. Contact Kaymera if you want to learn more.