How uberAgent ESA Complements EDR Products
Should you wear both belt and suspenders? When it comes to IT security, the answer is most likely yes. No single product can detect all threats, prevent all exploits, or block all attacks. This article explains why it is often beneficial to complement an EDR tool with an analytics product such as uberAgent ESA.
Nobody’s perfect. As stated above, no EDR product detects and blocks all threats. Quite the contrary, EDR often has alarming gaps. As the independent researchers George Karantzas and Constantinos Patsakis found in their EDR study, “no EDR can efficiently detect and prevent the […] attack vectors we deployed.” That is not all. As the authors explain, “DLL sideloading attack is the most successful attack as most EDRs fail to detect, let alone block it.”
In addition to the above, EDR is often focused on executables and may ignore scripts, documents, or compressed files. Finally, it’s often unclear what exactly an EDR product can detect.
Most EDR vendors don’t document how their detections work and what exactly is logged. Wanting to protect one’s “secret sauce” may seem like a good move until you consider that it leaves customers in the dark about a product’s capabilities (which may even be intentional in some cases). Unfortunately, obscurity on the vendor’s part may lull customers into a false sense of security, believing they’re protected when in reality they’re not.
With their strong focus on detecting and blocking malicious events, EDR products fail to provide visibility into “normal” application (or user) behavior. This information gap makes it hard to detect outliers and anomalies, a task typically performed by analysts with the help of a SIEM.
In many cases, it’s more complicated than it should be to get EDR data into a SIEM such as Splunk. Sometimes, there’s a significant time lag before data shows up at the SIEM, delaying alerts and notifications.
With many EDR products, creating custom rules or tweaking built-in detection logic can be difficult or time-consuming.
Given the shortcomings of EDR products, feeling the need to verify the data being collected by the EDR is only natural. Also, you may want a fail-safe for situations where the EDR either doesn’t detect a threat or malicious actors disable the EDR altogether.
SIEMs need high-quality data to be useful. There are not many data sources with a good signal-to-noise ratio on Windows or macOS. Simply forwarding the default event logs is not enough: they’re too noisy and, unless additional audit policies are enabled, lack essential detail such as the parent process or command-line arguments.
The opaqueness of EDR detections needs to be counterbalanced by a transparent, rule-based approach. You want to know what you’re collecting, when, and why.
You require insights into more than what is deemed malicious events. You need data that helps you understand what is happening on endpoints during regular operations. Visibility into the day-to-day routine is the basis for all advanced analytics.
uberAgent uses a single agent for security analytics, performance monitoring, and user experience data collection. Engineered in Germany, uberAgent is renowned for its small footprint and its overall product quality.
uberAgent ships with rule converters for the two most popular free sources of endpoint detection rules: Sigma (a vendor-neutral detection rule format) and Sysmon (Microsoft’s Sysinternals system monitor, whose configuration is itself a rule set). The former translates Sigma rules into the format used by uberAgent ESA, while the latter does the same for Sysmon rules.
With support for four different backends, uberAgent can be integrated into almost any SIEM infrastructure. The agent can directly send the collected data to Splunk, Elasticsearch, Apache Kafka, and Azure Monitor.
uberAgent’s Activity Monitoring engine is built around uAQL, a powerful event query language. Whenever an Activity Monitoring rule matches suspicious or unusual behavior, the endpoint agent generates an event in your SIEM.
Although the Activity Monitoring engine requires only minimal resources on the endpoint, uAQL fully supports all aspects of the Sigma and Sysmon rule specifications, making it possible to convert them without losing fidelity.
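What a transparent, rule-based detection looks like in practice, as an added example that is not uberAgent’s code, vast limits’ converter, or the Sigma project’s code: a Sigma-style process-creation rule (held as a Python dict so no YAML parser is needed) is evaluated over a few constructed Sysmon-like events, and the same rule is rendered into a readable boolean query so an analyst can see exactly what would be collected and why. The rendered query is only uAQL-like: the field names (`Process.Path`, `Parent.Path`, `Process.CommandLine`) and the `like`/`%` operator are assumptions for illustration, not verified uberAgent syntax; the sample rule, the `\OfficeUpdater\` exclusion and the events are constructed.

```python
"""Sigma-style rule evaluation with an auditable rendered query.

Added example, not code from uberAgent/vast limits or the Sigma project.
Assumptions: rule dict mirrors a Sigma YAML rule; events are constructed
Sysmon-Event-ID-1-like records; the rendered query is uAQL-like only
(field names and the 'like' operator are assumed, not verified).
"""
import ast
import fnmatch
import re

# Constructed rule: an Office application spawning a shell, with an exclusion.
RULE = {
    "title": "Office application spawning a shell",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "\\OfficeUpdater\\"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events; real Sysmon/EDR records carry many more fields.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "powershell.exe -File C:\\ProgramData\\OfficeUpdater\\update.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},
]

# Illustrative (assumed) mapping from Sysmon field names to uAQL-like names.
FIELD_MAP = {"Image": "Process.Path", "ParentImage": "Parent.Path",
             "CommandLine": "Process.CommandLine"}


def _value_matches(modifier, actual, expected):
    """One Sigma value test; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return fnmatch.fnmatchcase(a, e)   # plain values allow * and ? wildcards
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection, event):
    """All fields of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier or None, event[field], v) for v in values):
            return False
    return True


def _condition_holds(condition, results):
    """Evaluate 'a and not b'-style conditions by walking the AST, never eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):
            parts = [walk(v) for v in node.values]
            return all(parts) if isinstance(node.op, ast.And) else any(parts)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    return walk(ast.parse(condition, mode="eval"))


def evaluate(rule, events):
    """Return the events the rule fires on."""
    det = rule["detection"]
    names = [k for k in det if k != "condition"]
    return [ev for ev in events
            if _condition_holds(det["condition"],
                                {n: _selection_matches(det[n], ev) for n in names})]


def render_query(rule):
    """Render the detection as one readable query so the rule is auditable."""
    def term(key, expected):
        field, _, modifier = key.partition("|")
        col = FIELD_MAP.get(field, field)
        values = expected if isinstance(expected, list) else [expected]
        pat = {"endswith": "%{}", "startswith": "{}%", "contains": "%{}%", "": "{}"}[modifier]
        ors = " or ".join(f'{col} like "{pat.format(str(v).replace("*", "%"))}"' for v in values)
        return f"({ors})" if len(values) > 1 else ors
    det = rule["detection"]
    parts = {n: " and ".join(term(k, v) for k, v in det[n].items())
             for n in det if n != "condition"}
    # Substitute each selection name in the condition with its expanded terms.
    return re.sub(r"\b(" + "|".join(map(re.escape, parts)) + r")\b",
                  lambda m: f"({parts[m.group(1)]})", det["condition"])


if __name__ == "__main__":
    print(render_query(RULE))
    for hit in evaluate(RULE, EVENTS):
        print("ALERT:", RULE["title"], "|", hit["CommandLine"])
```

Only the first event fires: the second is excluded by the `filter` selection and the third has `explorer.exe` as its parent. Printing the rendered query next to each alert is the point of the exercise: the analyst can read, in one line, which fields and patterns produced the event, which is exactly the transparency an undocumented EDR detection does not offer.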
Our largest customers have each deployed uberAgent to 100,000+ endpoints. This shows that there are no built-in limitations in the product’s architecture. It also demonstrates that uberAgent is inherently flexible in how it can be configured and deployed. After all, organizations with hundreds of thousands of endpoints tend to have heterogeneous networks and complex requirements.
uberAgent ESA is probably the security product that collects the most detailed baseline of regular system activity. uberAgent’s user experience monitoring component covers application activity, user sessions, network connections, and browser communications, to name a few.
uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product. UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. ESA comes with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.