How Does SOAR Fit in an EDR-centric SOC?

If you’ve worked in a security operations center (SOC) that has an endpoint detection and response (EDR) platform, you know the value it can add to your incident response capabilities. A SIEM-centric SOC model was more popular in the past, but as EDR tools have improved, more companies are becoming EDR-centric. While they are not replacements for each other, it is said that EDR systems outperform SIEM on prevention, while falling short on detection.

EDR’s ability to detect, alert and respond to incidents at the endpoint level quickly and efficiently protects your organization from data breaches and cyberattacks. For SOC teams, SOAR has become an increasingly integral part of the incident response cycle, providing more visibility into threats that might otherwise go unnoticed. SOAR may be most commonly associated with the SIEM-centric model, but in this blog, we’ll explain how SOAR fits into an EDR-centric SOC, what role it plays in the detection process, and why it’s important to have your EDR and SOAR working together.

What is EDR?

EDR refers to tools that detect and investigate suspicious activities on endpoints. An endpoint can be any computing device that connects to a computer network, from a mobile phone to a server. EDR was formerly known as endpoint threat detection and response (ETDR), a term coined by Gartner’s Anton Chuvakin in 2013. Two years later, EDTR was renamed EDR. Endpoint detection and response solutions generally use a combination of anomaly detection, machine learning, and behavioral analytics to detect, contain and remediate security incidents. EDR tools identify potential threats, including malware, credential theft, inappropriate user behavior, and cyberattacks. Gartner defines EDR as “solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.“

Gartner states that EDR solutions must provide the following four primary capabilities:

  • Detect security incidents
  • Contain the incident at the endpoint
  • Investigate security incidents
  • Provide remediation guidance

Why do SOC teams need EDR?

From zero-day exploits to advanced persistent threats (APTs), there are so many ways for attackers to infiltrate your systems and networks. SOC teams need EDR because it enables them to detect and analyze advanced threats from adversaries who don’t leave any traces on the file system. Traditional signature-based endpoint protection software like anti-virus or end-point protection suites are not enough to protect your organization from such cyberattacks.

EDR tools measure and evaluate endpoint events, such as system files accessed, data transmitted over the network, changes to the registry, and signs of malicious activity on storage and in memory. These tools gather critical information about your systems and networks, and then the software analyzes that data in real-time to look for signs of malicious activity that might otherwise be missed.

The increasing number of endpoint devices and the growing number of attacks on endpoints require security technologies that are flexible, easy to use, and integrate with existing security tools and processes. EDR serves that niche. Even if you don’t have the budget for a commercial solution, you can use open-source EDR software tools like OpenEDR or OSSEC.

SOC teams can use EDR to detect threats that were previously considered noise and they can turn that noise into a valuable threat intelligence asset. EDR can act as the first line of defense so that if your systems are compromised you can detect, contain, and rebuild them. EDR security tools are essential to SOC teams, but they can also be helpful to forensics teams, purple teams, and IT auditors.

Read: SIEM vs. SOAR: How They Differ and Why they Work Well Together

Why EDR Is Not a Complete Security Solution

The biggest problem with EDR is that it is reactive, playing catch-up instead of being ahead of the game. Another drawback is that EDR needs to be installed on each individual endpoint. The per-seat pricing model offered by most EDR vendors can prove expensive. EDR systems typically require cloud connectivity, and as such will always be late with protecting endpoints. If the solution is not on the device, there will inevitably be some dwell time.

EDR has a high rate of false positives, which can cause SOC analysts to ignore the system. Serious threats can easily get lost. It can be expensive to implement and maintain. Most EDR solutions don’t have sandboxing functionality, and they generally don’t offer strong reporting and case management features.

In a 2021 research paper published by the University of Piraeus, Greece, the researchers found that 10 of 20 attacks were completely successful against eleven state-of-the-art EDRs. In fact, none of the EDRs managed to detect all of the attacks. Commenting on the research findings to SC Magazine, EDR vendor Kaspersky recommended a defense in depth strategy to thwart such attacks.

How SOAR Can Extend the Power of EDR

While SOAR and EDR share some capabilities, they work best in conjunction. In scope, SOAR is concerned with the entire organization, while EDR is concerned with individual servers or workstations. SOAR tools can ingest EDR alerts and then make sense of them by correlating them with data from other security tools (SIEM, threat intelligence feeds, etc.) and do kill-chain analysis using the MITRE ATT&CK framework. If there is a potentially malicious file on the system, SOAR can grab it off the system and detonate it in a sandbox for analysis. By searching its databases for other instances of the file, SOAR can determine if it has been found on any other systems, and then take remedial actions (such as blocking hashes, and quarantining endpoints) across multiple endpoints simultaneously, as well as the rest of the stack.

Read: Why Do I Need SOAR if I Have… (SIEM, ITSM, TIP, EDR)

Get More ROI From Your Security Investments With NextGen SOAR

SOAR also provides a single platform for automating and orchestrating incident response activities across multiple security products to ensure they are working together as intended so you don’t miss any gaps in coverage. As a leading independent SOAR vendor, NextGen SOAR has deep integrations with leading EDR security tools including

By syncing EDR alerts with NextGen SOAR, security teams can gain new capabilities by using D3 SOAR playbooks to detect threats, orchestrate incident responses, and automate remediations faster across their entire environment. NextGen SOAR leverages EDR, turning the massive amount of data captured by EDR systems into actionable intelligence. Schedule a one-on-one demo with us and we’ll show you how to turn chaos into clarity.

Social Icon
Shriram Sharma

Shriram is a Marketing Content Writer at D3. A former journalist, he chronicled high-profile data breaches, cyber-attacks, and conducted interviews with white and grey hat hackers. He likes to share his fascination for the field of cyber security by creating accessible and engaging content.