We've seen quite a lot of posts lately on 'which AV should I get' or 'Huntress vs S1 vs X', so I thought as an update to my post here, I'd put together a bit more information as people seem to need something like this.
Let's start here: AV and EDR are not the same. Huntress is technically neither with their base product; their "Process Insights" product is an EDR, though. All these are the same class of thing (Endpoint Protection), but they all have very different designs, and there's a fourth item - MDR/MTR. We'll go through these together.
Antivirus (say, Webroot, Norton, Intercept X, AVG, Microsoft Defender Antivirus, etc) is a no fly list. Effectively, imagine a piece of software has 'done something bad', so we don't let it run anymore. This is a list we call 'virus definitions'. For the most part, if you're on that list, you're bad, and if you're not, you're ok (from the perspective of the AV). The biggest problem with this is that something has to have been seen before, and also be classified as a direct threat, say like a virus deleting files, or a worm editing the registry.
To combat this, AV vendors came up with heuristics. These are 'indicators of badness' so to speak. Effectively, we do our best to try and analyze what something is doing and if it looks like other things we know of on our list, we block it. It's an improvement, but it's not perfect, and it's not complete enough.
Notably: Encryption is a completely normal computer activity. So is data transfer. Ransomware and data exfiltration look like both of these, and AV is effectively worthless against them. To make things worse, these are the most common software based threats nowadays, and over 75% of them (according to Sophos and Blackpoint) are only seen once.
To be blunt: AV has zero use nowadays against modern attacks and threats. It went away when Bitcoin helped monetize attackers and resource them. The threat actor industry went from cute spirals on your monitor and hacktivism to a real, $1.5 trillion business with real threats and real attackers. If you're using Webroot and you keep getting ransomware, that's why.
Enter NGAV.
Next Generation Antivirus is supposed to be the 'prevention' portion of EDR. It's heuristical analysis, AI, and machine learning. It doesn't do the detection of EDR, but it should be relatively effective against malware, fileless attacks, ransomware, and some data exfiltration (though some of those 'live off the land' attacks where nothing is downloaded, and say, PowerShell is used to send data out, would benefit quite a bit from EDR). Here are writeups by Crowdstrike and Sentinel One on the topic. Though this isn't a recommendation thread, NGAV is very commonly paired with EDR, or is a literal component of it. It would be difficult to run NGAV alone, and you'd miss the benefits of EDR's monitoring.
Thank you @0Weird0 for the information on that section, his comments (correcting mine) are below in the thread, with sources.
Enter EDR.
EDR is an AI/behavioral analysis engine, for the most part. Rather than identifying 'this file is bad', it actively analyzes processes on a system and uses those metrics against its own baseline learning and cloud intelligence to determine the intent of running items to determine if they should be allowed. EDR is incredibly effective. It basically solved the ransomware problem overnight, so long as it's in use and properly configured.
Notable EDRs in no order of recommendation: Sentinel One, Sophos EDR, Crowdstrike, Carbon Black, Process Insights, Microsoft Defender for Endpoint. (Please note Microsoft's extremely awful naming convention: Microsoft Defender Antivirus is the AV that comes with Windows. Microsoft Defender for Endpoint is the EDR that requires a 365 subscription.)
EDR is designed to protect against ransomware, and in doing so, it was easily modified to protect against other things, like data theft, credential hijacking, malicious javascript, etc. It's fabulous at detecting things it's not seen before, which are most, if not all, modern attacks, as they're customized for their victims. It also generates a lot of data.
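To make the three detection styles above concrete, here is an added toy example (my own illustration, not code from the post or from any vendor named in it). It puts a hash no-fly list, a static heuristic scorer, and a behavioural check over process telemetry side by side on constructed inputs: a "known" sample, the same sample with one byte changed, a living-off-the-land script, and a burst of file renames that looks like encryption in progress. Every sample, hash, path and PID is made up for the example; the indicator strings and thresholds are assumptions chosen to make the contrast visible, not anything a real product ships.

```python
"""Three detection styles side by side: a hash blocklist (classic AV), static
heuristics (indicators of badness), and behavioural analysis of process telemetry
(the EDR approach). All samples, hashes and events below are constructed."""
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass

# 1. Classic AV: a no-fly list of known-bad file hashes, i.e. "virus definitions".
KNOWN_SAMPLE = b"constructed-sample-worm"          # stands in for a previously seen binary
REPACKED_SAMPLE = KNOWN_SAMPLE + b"\x00"           # one byte changed: new hash, same behaviour
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def av_verdict(file_bytes: bytes) -> bool:
    """True only if this exact file has been seen and listed before."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256

# 2. Heuristics: static indicators scored on the file's contents, no execution needed.
#    Indicator strings and weights are assumptions for this example.
HEURISTIC_INDICATORS = {
    b"-EncodedCommand": 2,              # obfuscated PowerShell launcher
    b"vssadmin delete shadows": 3,      # shadow-copy deletion, common before encryption
    b"CurrentVersion\\Run": 1,          # autorun registry key used for persistence
}
LOTL_SCRIPT = b"powershell.exe -EncodedCommand <base64 omitted>; vssadmin delete shadows /all /quiet"
ADMIN_SCRIPT = b"Get-ChildItem C:\\Logs -Filter *.old | Remove-Item"

def heuristic_score(file_bytes: bytes) -> int:
    return sum(w for ind, w in HEURISTIC_INDICATORS.items() if ind in file_bytes)

def heuristic_verdict(file_bytes: bytes, threshold: int = 3) -> bool:
    return heuristic_score(file_bytes) >= threshold

# 3. Behavioural: judge a running process by what it does, not by what it is.
@dataclass
class Event:
    ts: float      # seconds since boot
    pid: int
    kind: str      # "file_write", "file_rename", ...
    path: str

def behavioral_verdict(events, window_s=10.0, min_renames=20, min_dirs=3):
    """Flag PIDs that rename many files, across several directories, to one new
    extension within a short window: the shape of ransomware regardless of hash."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file_rename":
            by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            dirs = {os.path.dirname(e.path) for e in window}
            exts = {os.path.splitext(e.path)[1] for e in window}
            if len(window) >= min_renames and len(dirs) >= min_dirs and len(exts) == 1:
                flagged[pid] = f"{len(window)} renames to {exts.pop()} in {len(dirs)} dirs within {window_s}s"
                break
    return flagged

def build_sample_events():
    """Constructed telemetry: PID 1001 is a user saving three documents; PID 4242
    renames 30 files across five folders to .locked in three seconds."""
    events = []
    for i, ext in enumerate([".docx", ".xlsx", ".pptx"]):
        events.append(Event(10.0 * i, 1001, "file_write", f"C:/Users/a/Documents/report{i}{ext}"))
        events.append(Event(10.0 * i + 1, 1001, "file_rename", f"C:/Users/a/Documents/report{i}{ext}"))
    folders = ["Documents", "Pictures", "Desktop", "Downloads", "Music"]
    for i in range(30):
        events.append(Event(100.0 + 0.1 * i, 4242, "file_rename",
                            f"C:/Users/a/{folders[i % 5]}/file{i}.locked"))
    return events

if __name__ == "__main__":
    print("AV, known sample:   ", av_verdict(KNOWN_SAMPLE))        # True
    print("AV, repacked sample:", av_verdict(REPACKED_SAMPLE))     # False: never seen before
    print("Heuristics, LOTL:   ", heuristic_verdict(LOTL_SCRIPT))  # True
    print("Heuristics, admin:  ", heuristic_verdict(ADMIN_SCRIPT)) # False
    print("Behavioural:        ", behavioral_verdict(build_sample_events()))
```

The point of the contrast: the repacked sample slips past the hash list entirely (the "only seen once" problem), the heuristic scorer catches the script because of what it contains, and only the behavioural check flags PID 4242, whose binary never appears in the telemetry at all. Real EDRs score many more signals than rename bursts, but the shape is the same: a baseline of normal process behaviour and a verdict on deviation from it.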
Enter MDR/MTR
These products are EDR with a security team monitoring them (a SOC). Most organizations don't have threat hunters, process analysts, threat experts, or remediation specialists designed to protect and monitor the absolute mountain of data that EDR provides, so manufacturers and third parties have set up teams to do just that. There are several levels of what a 'SOC' is. Huntress' is on the lower end - they'll send you an email with instructions (or a button) if something goes wrong, and isolate a machine from a network to stop a spread. Sophos, for example, is a much more involved (and thus expensive) SOC, where they'll fully remediate systems, dig into where threats came from, analyze the network, and actively call you and work tickets if need be. There are also third parties like Blackpoint that are vendor agnostic, ingesting large amounts of data from multiple sources and putting human eyes on it.
There are other SOCs too, and various other levels of involvement; this is not intended to be a recommendation, but a short list: Arctic Wolf, Microsoft Threat Experts, Sentinel One's Vigilance, Blackpoint, and Crowdstrike/Carbon Black also have their own SOCs.
Humans are very important here - from either an MSP or a single organizational standpoint, all the data in the world does nothing if you don't react. Sure, we may have stopped the ransomware with the EDR, but how did the attacker get in? What else did they do? If you're an MSP and you don't staff for this, that's normal, but if you don't know, you're doing your clients a disservice. If you're a standalone enterprise, it's your job on the line if attackers repeatedly penetrate a system. Modern threats require modern solutions.
So what does Huntress do?
Huntress looks for remnants with their core product. Footholds, or 'persistence' as they call it, that allow attackers back in, even if you've cleaned the initial threat. They're looking for the 'pivot and escalate' portion of an attack. They do now also have an EDR in Process Insights, and it remains to be seen how impactful that is. They're trying to compete with the popular Sentinel One/Huntress combo today.
Important edit: Andrew from Huntress has corrected me. Huntress includes Process Insights, their EDR, in all offerings now. They should be included in the EDR section, as well as the above note about persistence. Also as a note - Huntress has a stellar reputation around here. This is still not a recommendation of anything, but they don't deserve misinformation in a root post. Thanks Andrew.
So what's XDR?
Think EDR, but with getting information from other sources. It's having the telemetry from things like switches, firewalls, SIEM, Microsoft Graph, etc as well as endpoint telemetry. It's still a bit of a marketing term, since what's included with XDR is still variable from manufacturer to manufacturer, and though it absolutely is a security uplift, determining how much more secure the network is with XDR vs EDR is not standardized yet.
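As an added illustration of what "telemetry from other sources" buys you (my own example, not code from the post or from any XDR vendor), the block below joins two constructed feeds: an endpoint agent's record of which process opened an outbound connection, and a firewall's record of how much data crossed that connection. On its own, "PowerShell connected somewhere" is routine and "a workstation sent 120 MB outbound" is routine; together, on the same host, to the same destination, within a few minutes, they make a specific finding. The hostnames, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), tool list, size threshold and time window are all assumptions for the example.

```python
"""Cross-source correlation of the kind XDR adds: an endpoint agent sees which
process opened a connection, the firewall sees how much data crossed it. Joining
the two turns two ambiguous signals into one specific alert. All records below are
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class EndpointEvent:          # from the endpoint agent
    ts: datetime
    host: str
    process: str
    dst_ip: str

@dataclass
class FirewallEvent:          # from the perimeter firewall; assumes it logs a source hostname
    ts: datetime
    src_host: str
    dst_ip: str
    bytes_out: int

# Tools that are legitimate on a workstation but rarely move large volumes outbound (assumed list).
LOTL_TOOLS = frozenset({"powershell.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"})

def correlate(endpoint, firewall, window=timedelta(minutes=5), min_bytes=50 * 1024 * 1024):
    """Return (host, process, dst_ip, bytes_out) for every large outbound transfer the
    firewall logged shortly after a living-off-the-land tool on the same host connected
    to the same destination. Neither source alone supports that conclusion."""
    hits = []
    for fw in firewall:
        if fw.bytes_out < min_bytes:
            continue
        for ep in endpoint:
            same_flow = ep.host == fw.src_host and ep.dst_ip == fw.dst_ip
            in_window = timedelta(0) <= fw.ts - ep.ts <= window
            if same_flow and in_window and ep.process.lower() in LOTL_TOOLS:
                hits.append((ep.host, ep.process, ep.dst_ip, fw.bytes_out))
    return hits

def build_sample_telemetry():
    """Constructed feeds: one real hit (WS01), one browser upload that should not fire
    (WS02), and one scripted connection that moved almost nothing (WS03)."""
    t = datetime(2023, 2, 7, 9, 0)
    endpoint = [
        EndpointEvent(t, "WS01", "powershell.exe", "203.0.113.10"),
        EndpointEvent(t, "WS02", "chrome.exe", "198.51.100.5"),
        EndpointEvent(t + timedelta(minutes=30), "WS03", "powershell.exe", "203.0.113.10"),
    ]
    firewall = [
        FirewallEvent(t + timedelta(minutes=2), "WS01", "203.0.113.10", 120 * 1024 * 1024),
        FirewallEvent(t + timedelta(minutes=1), "WS02", "198.51.100.5", 200 * 1024 * 1024),
        FirewallEvent(t + timedelta(minutes=31), "WS03", "203.0.113.10", 2048),
    ]
    return endpoint, firewall

if __name__ == "__main__":
    for hit in correlate(*build_sample_telemetry()):
        print("possible exfiltration:", hit)   # only the WS01 flow
```

The join key here (host, destination, time window) is the simplest one that works; a real XDR pipeline normalises identities first (the firewall usually logs an IP, not a hostname, so DHCP or agent inventory has to map it), which is exactly the integration work that varies from one vendor's "XDR" to another's.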
Hopefully this helps someone. This information is written 2/7/2023 (edited thus far on 2/8/2023 from updates in these threads) for anyone finding this on Google - security changes rapidly and it may not be accurate in the future. Also please note - no recommendations here, no "who's better" type stuff, just a primer on endpoint protection and SOCs, hopefully.
Discuss! Below should be great discussion, eventually, on things I've missed or differing opinions. That's why Reddit is awesome.