Many endpoint detection and response (EDR) products claim to be disruptive, and provide zero-gap protection. These products rely on rules-based engine, an approach that checks for pre-built sequences of collected events to determine any malicious activity in an enterprise.EDR products with rules-based approaches fail to protect against unknown threats at the earliest stages of the attack lifecycle. The following summarize the five main failures of rules-based products.

1. Easily Bypassed and Very Brittle

An endpoint security platform dependent on rules looks for symptoms or secondary artifacts such as sequences of API calls to find malicious activity. Detection of any malicious activity requires every event to occur in the exact sequence. For example, these approaches look for a sequence of well known APIs to find malicious activity, such as process injection. This is simply a signature-based approach. Attackers constantly change their attack tactics, and circumvent rules-dependent platforms that fail to detect new methods if the attack does not match the pre-built sequence.

2. Requires an Expert or Third Party To Configure and Manage Rules

There is significant time and effort required to pre-configure sequences before the SOC analysts can begin using the tool to detect advanced attacks. Sequence-dependent EDR platforms require tier 3 experts or third party companies to help configure the rules, and then must constantly tune them to stay apace adversaries’ new attack techniques and tactics. 

3. Does Not Protect Off-the-Network or Offline Endpoints

Most rules-based tools collect data on endpoints and send it to the management platform, on premise or in the cloud, to stop malicious activity. Those endpoints that are offline or are not on the corporate networks are unable to connect to the streaming rules engine leaving systems unprotected and vulnerable to compromise.

4. Prone to High False Positives

Rules-based endpoint platforms are only effective in highly controlled environments, which get overwhelmingly noisy. Often these rules are set too loose. Legitimate activity can be identified as malicious causing too many false positives, and alert fatigue. SOC analysts can miss real malicious activity as they waste time separating real alerts from false positives , which in turn delays response time and remediation.

5. Fails to Stop Unknown Threats and Detects Post-Execution

With the new and dynamic attack landscape, rules-based technology quickly becomes stale because it is based on known adversary tactics. Rules-based EDR products are unable to stop unknown threats and tactics, and allow malicious activity to execute before detection. This makes enterprise networks susceptible to breaches. The other challenge is how they allow malicious activity to execute before detection. While the events are generated and analyzed, the attacker can gain control of the endpoint, stealing critical data and causing damage.

Endgame Stops Attacker Techniques

Endgame’s endpoint protection platform stops nation-state level attacks in time to prevent damage and loss. Unlike rules-based platforms, Endgame provides layered techniquebased protections stopping advanced threats at the earliest and all stages of the attack lifecycle. With existing resources, our platform prevents, detects and responds, and hunts for advanced threats, before damage and loss occurs. Endgame enables enterprises to achieve zero breach tolerance. 

  • Attacker technique focused protections:  Endgame’s technique-based preventions block exploits, malware, ransomware, and fileless attacks at the earliest stages of the attack lifecycle. Endgame stops ongoing malicious persistence, credential dumping, malwareless attacks, and privilege escalation by leveraging our knowledge of adversary tradecraft.

  • SOC force-multiplier:  Endgame allows the SOC analyst to prioritize, triage, and remediate alerts, before any data theft and loss. With a few clicks of a button, Endgame empowers tier 1 SOC analysts to be a force-multiplier and stop known and unknown threats at enterprise scale. 

  • Single agent, single console: Single dissolvable or persistent agent and single centralized management console stops advanced threats in minutes across enterprise scale.

About Endgame

Endgame is a leading endpoint security platform that enables enterprises to close the protection gap against advanced attacks and detect and eliminate resident adversaries. Endgame transforms security operations teams and incident responders from crime scene investigators into hunters preventing damage and loss, and dramatically reduce the time and cost associated with incident response and compromise assessment. Our IOC-independent platform covers the entire attack lifecycle, leveraging machine learning and data science to uncover, in real-time, unique attacks that evade traditional defenses and respond precisely without disrupting normal business operations.