EDR Dependency: Ensuring Uninterrupted and Comprehensive Security Coverage
2024-10-25 19:23:41 Author: securityboulevard.com

Unless you’ve been living under a rock, you are aware of the CrowdStrike and Windows outage on July 19. There are multiple lessons to be learned here, perhaps none more significant than this crucial reality for businesses — IT systems are now essential infrastructure, but they are extremely vulnerable. This incident is the perfect example: a single faulty update from a service provider resulted in significant damage.

Let’s start with revenue losses. It’s estimated that global damage is around $15 billion. Then you have angry customers, which could ultimately add to these financial damages down the road. And let’s not forget IT teams who have been given the unenviable task of manually restoring company devices.

As for where to go from here, the incident has elevated awareness among IT and security professionals, management and boards, who now understand the potential for widespread disruptions. Spurred by this awareness, they are reassessing their IT infrastructure for any single point of failure, and as they do so, big decisions lie ahead.

Is One-Fits-All the Answer?

In the world of cybersecurity, much like big tech, the market is dominated by a few large players. There are many reasons for this, including trust and convenience. Another is the push to consolidate tech stacks. Add it all up, and businesses are eschewing smaller, specialized providers for larger ones with comprehensive services. In the case of endpoint detection and response (EDR) technology, these providers include CrowdStrike, Microsoft Defender and SentinelOne.

Yet this one-size-fits-all decision introduces new risks, as we saw with the CrowdStrike and Windows outage. The incident raised new concerns about operational stability and potential security gaps, prompting leadership to consider following the lead of government agencies and diversifying their vendors. This approach is common in the government realm, where it creates network and security redundancy while ensuring continuous coverage even during outages.

This strategy is particularly critical for single-source security technologies like EDR, where an outage or service failure could open serious security gaps. Added to this are the lowered sensitivity levels in these security systems, which further increase the risk of malware and phishing attacks, especially during such outages.
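A defender's first step toward the redundancy described above is knowing which endpoints depend on a single vendor. This added Python example (not from the article) runs that check over a constructed inventory: it models a vendor-wide outage and reports the endpoints left with no healthy sensor. The vendor names and hostnames are placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Sensor:
    vendor: str      # EDR vendor the agent belongs to (placeholder names below)
    healthy: bool    # last health report from the agent


@dataclass
class Endpoint:
    hostname: str
    sensors: list[Sensor]


# Constructed sample inventory; in practice this comes from each vendor's console/API.
FLEET = [
    Endpoint("fin-ws-01", [Sensor("VendorA", True)]),
    Endpoint("fin-ws-02", [Sensor("VendorA", True), Sensor("VendorB", True)]),
    Endpoint("hr-ws-03", [Sensor("VendorB", False)]),
    Endpoint("eng-srv-04", [Sensor("VendorA", True), Sensor("VendorB", False)]),
    Endpoint("eng-srv-05", []),
]


def uncovered(fleet: list[Endpoint], degraded_vendors: frozenset[str] = frozenset()) -> list[str]:
    """Hostnames with no healthy sensor once the given vendors are treated as down.

    A sensor counts as coverage only if it reports healthy AND its vendor is not
    in the simulated outage; an endpoint with zero such sensors is exposed.
    """
    exposed = []
    for ep in fleet:
        live = [s for s in ep.sensors if s.healthy and s.vendor not in degraded_vendors]
        if not live:
            exposed.append(ep.hostname)
    return exposed


def single_vendor_dependency(fleet: list[Endpoint]) -> dict[str, list[str]]:
    """For each vendor, the endpoints that would lose ALL coverage if only that vendor failed.

    Endpoints already uncovered today (the baseline) are excluded so the result
    isolates the single points of failure introduced by the vendor dependency.
    """
    vendors = {s.vendor for ep in fleet for s in ep.sensors}
    baseline = set(uncovered(fleet))
    return {v: sorted(set(uncovered(fleet, frozenset({v}))) - baseline) for v in sorted(vendors)}


if __name__ == "__main__":
    print("Uncovered today:", uncovered(FLEET))
    print("Would be uncovered per vendor outage:", single_vendor_dependency(FLEET))
```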

Despite these shortcomings, EDR remains vital to any business’s security posture, but counting on it alone will expose its deficiencies. These include:

  • Relying on Traditional Detection Approaches: EDR and extended detection and response (XDR) solutions rely on traditional detection methods such as signature- and behavior-based detection to guard against known threats. But when it comes to advanced and unknown threats, such as incidents where cybercriminals spend much of their time exhibiting normal behavior, these tools struggle — more than 30% of unknown attacks evade antivirus and EDR systems.
  • Requiring High Alert Levels: When defending against sophisticated attacks (e.g. fileless, in-memory, zero-day threats and ransomware), these solutions must operate at high alert levels. While that may sound promising, it can degrade system performance while flooding security teams with an increased number of false positives.
  • They Take a Village: EDR and XDR require continuous monitoring and response, which requires a dedicated team. Yet this all-hands-on-deck approach will still only identify some threats, many of which will be detected after an attack has occurred.

Defense-in-Depth Strategy

As I touched on earlier, the answer to these issues is not to abandon EDR/XDR but rather take appropriate steps to enhance it with a multi-layer defense-in-depth (DiD) strategy. A DiD strategy employs multiple layers of security controls to improve operational resilience and ensure comprehensive security that allows businesses to defend against advanced attacks.

When I was a Gartner analyst on the team that created the XDR category in March 2020, XDR was never meant to be a bulletproof approach to cybersecurity; DiD was always needed. With the adoption of detection and response technologies, prevention-first approaches were put on the back burner. Now they are at the forefront and have become a new top priority for organizations, as this gap in XDR and EDR has come to light in recent years.

Many solutions can make up a DiD strategy. Some examples include multi-factor authentication (MFA), intrusion detection/prevention systems (IDS/IPS) and security information and event management (SIEM). However, when we talk about EDR, the key enhancement is automated moving target defense (AMTD) technology.

Understanding Automated Moving Target Defense (AMTD)

When we discuss AMTD technology and why it’s a great complement to EDR, it begins with a focus on movement. Anyone who has tried target shooting knows that hitting a moving target is far more difficult than hitting one that is stationary. So, what if a business’s runtime environment was like a stationary target that never changed? That would certainly make it easier for cybercriminals to breach the perimeter and wreak havoc.

AMTD continuously alters the runtime memory environment using the same tools used by attackers — polymorphism, deception and evasion. Using these, AMTD randomizes application memory during runtime. With this unpredictability, a threat actor could find their way in once, but lose their way as they would not be able to replicate the attack on the same or another device because they would struggle to pinpoint their targets accurately.

Reducing Dependency on EDR

As I mentioned earlier, AMTD is not an EDR replacement. It is a complement that reduces a business’s dependency on EDR. It does this by enhancing existing defenses with a layered approach, integrating seamlessly with current technology stacks to catch missed threats, and reducing the number of false positive alerts, which in turn decreases burdens placed on the security team. This is vital for defending against sophisticated threats, including in-memory, fileless, zero-day and supply chain attacks.

As we look ahead, the next CrowdStrike/Microsoft incident is likely lurking around the corner and businesses counting on a one-size-fits-all EDR solution to keep them safe are the perfect target. By merging EDRs with defense-in-depth technologies such as AMTD, businesses can detect and respond to known threats, as well as those lurking in the cracks.

Article source: https://securityboulevard.com/2024/10/edr-dependency-ensuring-uninterrupted-and-comprehensive-security-coverage/