The latest debate about the disclosure of customers data uploaded by an EDR solution to multi scanners raises some important questions about how much you can really trust your security vendor. Although it seems that the EDR vendor did not intentionally do anything wrong, the problem is embedded within the concept.
Like many other security products, since they lack the ability to determine whether or not a specific file is malicious one premise, the EDR offered the users the ability to upload the file for additional cloud based scanning. Other security products may do it less conspicuously, but all of them send some form of customer data and files to the “cloud” in order to benefit from the breadth of the cloud and be able to detect new malware faster. While these companies invest heavily in data protection, there is a full echosystem of services around it and in many cases (like in this case) data is sent to 3rd parties that don’t uphold the same data protection agreement with the original customer. This resulted in the unintentional risk of exposing sensitive data from the organizations and can expose them to additional attacks based on the data that was exposed.
Enterprise customers that seek the highest possible detection rates without the need to send any files or data outside the organization premises, should look for a solution that performs all the analysis on premise and is able to detect new and unknown threats based on their behaviours, not IOCs. The behavioural analysis is the key factor in detecting new and unknown threats such as the Petya Ransomware. Though it creates a high amount of false positive ‘noise’ and this problem has prevented the implementation of behavioural analysis in EDR solutions.
Cyberbit hybrid detection engine runs a machine learning analysis on top of the behavioural analytics engine to effectively solve the noise issue. Cyberbit EDR is able to dramatically reduce the false positives while achieving a high detection rate of new and unknown malware. Everything is done on the customer’s premise without sending any data outside the organization for analysis. The Cyberbit hybrid, on-premise solution has proven very effective at detecting recent malware attacks.
Oren Aspir is CTO of Cyberbit