Are we there yet? An Industrial Viewpoint on Provenance-based Endpoint Detection and Response Tools
Feng Dong, Shaofei Li, Peng Jiang, Ding Li, Haoyu Wang, Liangyi Huang, Xusheng Xiao, Jiedong Chen, Xiapu Luo, Yao Guo, Xiangqun Chen

TL;DR
This study evaluates the industry perspective on Provenance-Based Endpoint Detection and Response systems, highlighting their effectiveness, concerns, and gaps between academic research and industrial needs through comprehensive surveys and measurements.
Contribution
First systematic study analyzing industry views on P-EDR systems, identifying key effectiveness factors and gaps hindering adoption.
Findings
P-EDR systems are considered more effective than traditional EDR by industry experts.
Industry concerns include high operating costs of P-EDR systems.
Major gaps include client-side overhead, alarm triage imbalance, and server-side memory usage.
Abstract
Provenance-Based Endpoint Detection and Response (P-EDR) systems are deemed crucial for future APT defenses. Despite the fact that numerous new techniques to improve P-EDR systems have been proposed in academia, it is still unclear whether the industry will adopt P-EDR systems and what improvements the industry desires for P-EDR systems. To this end, we conduct the first set of systematic studies on the effectiveness and the limitations of P-EDR systems. Our study consists of four components: a one-to-one interview, an online questionnaire study, a survey of the relevant literature, and a systematic measurement study. Our research indicates that all industry experts consider P-EDR systems to be more effective than conventional Endpoint Detection and Response (EDR) systems. However, industry experts are concerned about the operating cost of P-EDR systems. In addition, our research…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Security and Verification in Computing
