Why EDR agents are inadequate for cyber asset attack surface management

Updated
industry

Asset inventory is foundational to security: As a security professional, you need to know what you are being asked to protect. You may currently be relying on data from your endpoint detection and response (EDR) tools to provide their asset inventory. You may even aggregate EDR data with sources via API integrations with other security systems and then enrich the data with unmanaged devices from an unauthenticated scan, an approach typically known as cyber asset attack surface management (CAASM).

Theoretically, EDR agents are great because they integrate deeply into the operating system on every important machine. They should have access to any information you may want for your asset inventory.

However, if you’ve found assets that are compromised but can't find them in the asset inventory, you may have realized that you went down the wrong path. EDR works well for endpoint protection but not asset inventory. Let's examine why.

Incomplete asset inventory: why EDR agents fall short #

The point of cyber asset attack surface management is to establish a comprehensive inventory of all network-connected components, encompassing IT to OT, cloud to remote devices. To ensure a thorough and precise asset inventory, it is imperative to deploy EDR agents, such as SentinelOne or Microsoft Defender for Endpoint, on every device. A striking example highlighting the significance of this practice is a recent finding by runZero, revealing that 38% of assets at a university were lacking EDR coverage.

EDR agents can only know about the assets they are installed on. This means EDR agents miss the following types of devices:

  1. Unmanaged machines: Some servers, laptops, and desktops that are likely not covered by EDR, either because someone forgot to install it or because nobody knew the machine existed. If your goal is to have EDR on 95% of all machines, you can't also use EDR to measure how many machines you have - it's circular logic.
  2. Corporate IoT: Offices contain many IoT devices that can't install an EDR agent because the platform is not supported or the EDR agent doesn't support the platform. Think of your printer, IP phone, video conferencing device, thermostat, surveillance camera, and door controller that let you in when you swipe your access badge. All of these are connected to your network.
  3. Networking gear: Switches, routers, and firewalls typically do not allow for the installation of an EDR agent. Even if you manage them through another system, think about someone bringing their own wireless router because the WiFi is weak in their part of the building. That’s another device missing an EDR agent and one you don’t manage at all.
  4. OT equipment: Usually, industry-specific operational technology (OT) includes warehouse technology, production lines, biomedical equipment, and energy transmission. A programmable logic controller (PLC) that controls the production-line robot does not support installing an agent.

Challenges in discovering unmanaged devices with EDR scanners #

EDR vendors have known for a long time that they can't provide a full asset inventory, and they've been looking for ways to plug that gap. What most vendors have resorted to is neighbor detection (which goes by many other names).

Neighbor detection typically uses one of the following approaches:

  1. ARP scan: This is a quick and easy way to find devices on a network. The problem is that it doesn't yield good results. It provides only the IP and MAC addresses of the devices without a lot of additional information on a device. Some vendors derive the device manufacturer from the MAC address, but this is where it stops. Working on layer 2 of the OSI model, it also can't detect devices beyond the nearest switch.
  2. nmap under the hood: nmap is a well-known and versatile network scanner that was created in 1997. While many know it as a powerful but complex command-line scanner, it is OEM-licensed to many security vendors who need to discover devices on the network. While nmap is a step up, it was built to scan networks for open ports and not to identify the type of asset. In other words, your surveillance camera may be identified as a "Linux device," which is not very helpful when investigating a security incident. nmap has also disrupted some embedded devices, such as printers, PLCs, and Ethernet adapters.
  3. SNMP scan: SNMP is a protocol that helps read and write configurations to network devices. It can get good information from network devices, providing that you have entered the SNMP credentials for the organization. However, it can't provide any insights into devices other than networking devices, such as phones, printers, and surveillance cameras.
  4. Ping scan: This method simply pings every IP address in the subnet where the agent resides. It can tell you if a device exists as long as it's responding on ICMP, which may be disabled.

Even with a better scanner, scanning from a random EDR agent is problematic. For example, consider a remote user working from home. With neighbor detection, the corporate asset inventory would soon be populated with their Playstation 5 and their kid's tablet. Some EDR vendors try to mitigate and only do neighbor detection when there are at least five other EDR agents from the same organization on the same subnet. This has two issues: You miss unmanaged devices in small offices that only have four people, and you add all of the devices from the hotel network where 5 of your colleagues are having a meeting.

Here’s an example of a device detected by neighbor detection of a leading EDR:

Attribute Value
Hostname UBUNTU-20-04-K3
Manufacturer VMWare
Confidence Low
Last Seen May 17, 2023 23:00:00
IP address history 192.168.40.248
First seen by 8f284cc1df2e4ab59dc255cfd9ef2d05
Seen by platform Windows
First seen Nov 24, 2022 19:00:00
MAC address 00-0c-29-59-c4-65
Seen by 8f284cc1df2e4ab59dc255cfd9ef2d05
Seen by type Workstation
Seen by count 1
Network prefix 192.168
Last seen by 8f284cc1df2e4ab59dc255cfd9ef2d05
Asset information essentially only includes the IP and MAC addresses of the discovered device. All other information refers to the sensor that ran the scan.



And the same device scanned by runZero:

Asset detail in runZero
runZero shows much richer information about networked devices than an EDR agent and also integrates with EDR consoles to merge asset inventory data to provide breadth and depth across the entire environment.

Asset detail comparison: Leading EDR vs runZero #

Let’s compare and contrast what each solution found:

Leading EDR runZero
First seen
Last seen
IP address
Secondary IPs
MAC address
Seen by sensor/scanner
Device type
Operating system
Hardware
Risk
Outlier score
Vulnerabilities
Hostnames
Domain names
Ownership
Recent user
Open ports
Searchable banners
Protocols
Software products
Upstream switches & ports

EDR can provide more depth for managed devices but still misses information.

EDR agents are watching out for unauthorized takeover of machines. It should be able to collect a ton of information on the devices that it's installed on. However, EDR agents are not made for asset inventory and simply don’t collect much of the information.

For example, EDR agents don’t typically track open ports. They are unable to detect the external attack surface of an asset. This can be valuable information, for example, when RDP is active on a public IP.

Risks and slowdowns due to missing devices #

If you are missing assets in your inventory, you can’t actively manage your security posture. You can only successfully find EOL devices, insecure configurations, and vulnerabilities if you know about all of the devices on your network.

What’s even worse is that gaps in your asset inventory slow you down when you need to move fast: When your incident detection tells you you have a potentially compromised device on a specific IP address. Still, you can’t figure out what that device is. You lose valuable hours while the bad guys get deeper into your network.

This is why an accurate, is crucial.

CAASM solutions can improve EDR coverage. #

You now understand why EDR alone cannot answer the question of asset inventory by itself. However, it can be part of the solution.

Cyber asset attack surface management (CAASM) solutions combine EDR data with other sources:

  • Corporate security solutions via APIs: Many CAASM solutions integrate with EDR, MDM, vulnerability management solutions, and even productivity tools such as Google Worksuite to cover all managed devices.

  • Modern network scanners: Some of the best CAASM solutions also use specialized network scanners optimized for asset inventory to find unmanaged IT and OT devices.

EDR is a necessary component of any cybersecurity defense. Many organizations strive for 95% EDR coverage as a best practice or for cyber insurance compliance. The best way to measure progress towards that goal is to correlate your EDR with a full asset inventory through a CAASM.

A cyber asset attack surface management solution that covers assets from IT to OT, cloud to remote devices. #

runZero is a cyber asset attack surface management solution. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.

runZero scales up to millions of devices, but it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices.

Written by Chris Kirsch

Chris Kirsch is a co-founder of runZero. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.

More about Chris Kirsch
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..
runZero Insights
Celebrating Women’s History Month with trailblazers & innovators
It’s Women’s History Month! runZero is celebrating all month long by highlighting innovative women who have been technological trailblazers.
Industry
Upcoming NYDFS regulatory requirements on asset inventory and vulnerability enumeration
Is your business prepared for the approaching deadlines for complying with the latest version of the NYDFS Cybersecurity Regulation (23 NYCRR 500)?...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved