
A "Who's Who" of Open-Source EDR Solutions

When it comes to open-source EDR solutions in 2023 and beyond, knowing "who's who" is the most efficient way to determine what to implement... and why.

In this article, we will examine some factors that determine whether an organization would benefit from EDR technology and will weigh the pros and cons of the top open-source EDR solutions available today. Without further ado, let's begin:

What is EDR?

Endpoint Detection and Response (EDR) is a class of security technology that continuously collects telemetry from endpoints and provides real-time monitoring, threat detection, and incident response capabilities. EDR solutions are built to catch attacks that traditional signature-based anti-virus misses, including zero-day exploits, polymorphic malware, and insider threats, by combining behavioural rules, analytics, and machine learning to identify malicious activity. Organizations that face a high degree of risk, or that must meet demanding compliance standards, benefit most from the detection, response, and orchestration capabilities EDR provides.

EDR is also available as a Managed Detection and Response (MDR) service. MDR outsources detection and response to a managed service provider (MSP), allowing a company to draw on highly skilled and experienced cybersecurity professionals without staffing them in-house. Managed Extended Detection and Response (MXDR) goes a step further by adding the correlated, cross-source capabilities of Extended Detection and Response (XDR), so that endpoint, network, cloud, and identity telemetry are analyzed together across the entire environment.

At roughly $8 - $12 per endpoint, SMEs may be on the fence about whether MDR is worth the spend, even while acknowledging the growing cyber risks they face. There is, however, another option: adopting an open-source EDR platform.

Should Your Organization Be Using EDR Technology?

Here are some indicators that your organization should be using EDR technology solutions:

  • You are a likely target of Advanced Persistent Threats (APTs): If your organization is likely to be targeted by an APT, EDR is essential. Commonly targeted industries include healthcare, financial services, IT, critical infrastructure, and government

  • You need advanced incident response capabilities: EDR enables orchestrated incident response, allowing security teams to quickly contain and remediate threats. This includes isolating infected devices from the network, killing malicious processes, and taking other actions that dramatically reduce attacker dwell time and minimize the impact of an attack

  • You need to meet compliance requirements: EDR supports formal compliance efforts against industry standards and frameworks, including HIPAA, PCI-DSS, SOC 2, ISO 27001, and the NIST frameworks, allowing an IT security team to quickly produce evidence that endpoints are monitored and that required controls are in place

  • You need to handle incoming files from untrusted sources: For departments such as customer service that may open potentially malicious attachments every day, anti-virus alone provides little assurance against advanced threats. EDR monitors the host in real time to detect malware that has already bypassed perimeter defenses and anti-virus

When in doubt, the Packetlabs team is one click away to consult on which types of cybersecurity implementations best suit your organization's needs.

Top Open-Source EDR Solutions in 2023 and Beyond

Here are the top open-source EDR solutions that companies wishing to implement their own advanced detection and response capabilities should consider:

osquery

osquery is a highly effective open-source endpoint agent initially developed by Facebook (now Meta) as an internal tool and open-sourced in 2014. It is dual-licensed under Apache 2.0 and GPLv2 and has been hosted under the Linux Foundation since 2019.

Its source code is available on GitHub, but osquery also ships downloadable installers for all major operating systems, so you don't need to build it yourself to get started. osquery is the de facto open-source EDR agent, and it continues to grow through the support of a large community of IT security engineers. It is an excellent fit for SMEs with in-house cybersecurity talent, or for a security-oriented MSP seeking to provide advanced protection to its clients.

Advantages of osquery

  • Multi-platform, lightweight, and backed by a large community

  • Exposes the host OS as 200+ virtual SQL tables (processes, sockets, users, packages, the Windows registry, and more) that are queried with SQLite syntax; scheduled queries log their results as JSON for shipping to a SIEM

  • Integrates with fleet-management front ends such as Fleet for a central GUI

  • Out-of-the-box query packs for monitoring the Windows registry, autoruns, scheduled tasks, running processes, and other subsystems commonly abused by malware

  • Plenty of third-party integrations for more robust features such as remote asset management via a GUI, mapping queries to MITRE ATT&CK techniques, and more advanced EDR workflows

  • For the most advanced users, osquery's functionality can be extended with custom tables, extensions, and logger/config plugins

  • Supports YARA rules for file scanning through the yara and yara_events tables

Disadvantages of osquery

  • Has a steep learning curve: extracting meaningful detections requires SQL fluency and a solid mental model of the operating system being queried

  • Lacks the bleeding-edge features of top commercial EDR products, such as behavioural blocking and automated host containment

  • Lacks built-in response capabilities: osquery is designed as a read-only visibility agent, so isolating a host or killing a process requires a fleet manager or orchestration layer on top of it
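To make the query-based approach concrete, here is an added example (not osquery's own code, nor Packetlabs' tooling) of three detections built on real osquery tables: processes whose executable has been deleted from disk, listening sockets owned by processes outside an allowlist, and scheduled tasks that launch from user-writable paths. If osqueryi is on the PATH the script runs the queries live via `osqueryi --json`; otherwise it applies the same checks to constructed sample rows so it can be tried offline. The table and column names are osquery's; the allowlist, path hints, and sample rows are assumptions for the example.

```python
"""Added example: osquery-backed detection checks with an offline fallback."""
import json
import shutil
import subprocess

# Real osquery tables. The WHERE clauses encode this example's detection logic.
QUERIES = {
    # A running process whose binary is gone from disk is classic deleted-binary tradecraft.
    "deleted_binary_processes":
        "SELECT pid, name, path, cmdline, on_disk FROM processes WHERE on_disk = 0;",
    # Listening sockets joined to their owning process.
    "listening_processes":
        "SELECT p.pid, p.name, p.path, l.port, l.address "
        "FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
    # Enabled Windows scheduled tasks and the command each one runs.
    "scheduled_tasks":
        "SELECT name, action, path, enabled FROM scheduled_tasks WHERE enabled = 1;",
}

# Assumed allowlist of process names expected to hold listening sockets on this host.
EXPECTED_LISTENERS = {"sshd", "systemd-resolved", "nginx", "svchost.exe", "lsass.exe", "System"}
# Assumed user-writable locations; a task launching from one of these deserves a look.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\",
                       "/tmp/", "/dev/shm/")


def run_osquery(sql):
    """Run one query through osqueryi and return its rows (every value is a string)."""
    exe = shutil.which("osqueryi")
    if exe is None:
        raise FileNotFoundError("osqueryi is not installed")
    proc = subprocess.run([exe, "--json", sql], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def flag_deleted_binaries(rows):
    # osqueryi --json emits strings, so compare as strings (re-checking the WHERE clause).
    return [r for r in rows if str(r.get("on_disk")) == "0"]


def flag_unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    return [r for r in rows if r.get("name") not in expected]


def flag_suspicious_tasks(rows):
    return [r for r in rows
            if any(h in (r.get("action") or "").lower() for h in USER_WRITABLE_HINTS)]


CHECKS = {
    "deleted_binary_processes": flag_deleted_binaries,
    "listening_processes": flag_unexpected_listeners,
    "scheduled_tasks": flag_suspicious_tasks,
}


def evaluate(results):
    """results: {query_name: rows}. Returns {query_name: flagged rows}, non-empty entries only."""
    alerts = {}
    for name, rows in results.items():
        flagged = CHECKS[name](rows)
        if flagged:
            alerts[name] = flagged
    return alerts


# Constructed sample rows in the shape osqueryi --json produces (not real host data).
SAMPLE_RESULTS = {
    "deleted_binary_processes": [
        {"pid": "4242", "name": "kworker", "path": "/tmp/.x/kworker",
         "cmdline": "/tmp/.x/kworker -c", "on_disk": "0"},
    ],
    "listening_processes": [
        {"pid": "812", "name": "sshd", "path": "/usr/sbin/sshd", "port": "22", "address": "0.0.0.0"},
        {"pid": "4242", "name": "kworker", "path": "/tmp/.x/kworker", "port": "4444", "address": "0.0.0.0"},
    ],
    "scheduled_tasks": [
        {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
         "action": "%windir%\\system32\\defrag.exe -c",
         "path": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "enabled": "1"},
        {"name": "\\OneDriveUpdate", "action": "C:\\Users\\Public\\update.exe",
         "path": "\\OneDriveUpdate", "enabled": "1"},
    ],
}


def collect(live=True):
    """Rows for every query: from the local osquery install if present, else the sample set."""
    if live and shutil.which("osqueryi"):
        return {name: run_osquery(sql) for name, sql in QUERIES.items()}
    return SAMPLE_RESULTS


if __name__ == "__main__":
    for query_name, rows in evaluate(collect()).items():
        print(f"[{query_name}] {len(rows)} row(s) flagged")
        for row in rows:
            print("   ", json.dumps(row))
```

On the sample data all three checks fire on the fake "kworker" process and the task launching from C:\Users\Public, while sshd and the Defrag task pass. The same SQL can be placed in a scheduled query pack so osquery logs the rows continuously; the Python side is only the policy (allowlist, path hints) that turns rows into alerts, which is exactly the piece osquery leaves to the operator.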

Velociraptor

Compared to osquery, Velociraptor is a more comprehensive open-source endpoint visibility, digital forensics, and incident response platform, with a full-fledged GUI and a client-server architecture that lets an IT security team continuously monitor a fleet of assets and push new collections, hunts, and configuration changes in real time.

Like osquery, Velociraptor is query-driven, but it uses its own SQL-like language, Velociraptor Query Language (VQL), a flexible framework for defining custom artifacts, collecting evidence from endpoints, querying the collected data, and investigating individual endpoints, groups of endpoints, or an entire network. Velociraptor can also deploy and drive osquery on its endpoints, making it a very extensible EDR option.

Advantages of Velociraptor

  • Cross-platform solution with a robust graphical interface

  • Powerful endpoint visibility and analysis capabilities

  • Uses a client-server architecture, with a lightweight client on each endpoint reporting to a central server

  • Leverages a query-based approach similar to osquery

  • Can deploy osquery on endpoints and run queries written in native osquery SQL

  • Supports live forensics, threat hunting, and data collection

  • Has an active community and continuous development

Disadvantages of Velociraptor

  • Advanced features require expertise in incident response and forensic analysis

  • Requires customization and VQL artifact development to suit specific use cases and environments

Wazuh

Wazuh is a unified Extended Detection and Response (XDR) and SIEM platform with a client-server architecture. Unlike osquery and Velociraptor, Wazuh sits behind a vendor with a commercial offering: the platform itself is free and open source (GPLv2), while the company sells a hosted Wazuh Cloud service plus professional support, training, and services under a subscription.

The Wazuh server-side components (Server, Indexer, and Dashboard) install on most 64-bit Linux distributions, while Wazuh agents run on Linux, Windows, macOS, Solaris, AIX, and other operating systems. Compared to osquery and Velociraptor, Wazuh has a noticeable enterprise feel, and the ability to add vendor support for a subscription fee is a robust option for a growing company.

Advantages of Wazuh

  • A powerful XDR solution with out-of-the-box enterprise-level capabilities, including file integrity monitoring, vulnerability detection, security configuration assessment, and active response

  • Ships with its own OpenSearch-based Indexer and Dashboard, and can alternatively integrate with the Elastic Stack (Elasticsearch, Logstash, Kibana), to provide real-time monitoring, log analysis, and threat detection across endpoints

  • Offers out-of-the-box rules and decoders, alerting, centralized agent management, and dashboards for visualizing an entire IT environment

Disadvantages of Wazuh

  • Initial setup, and in particular active-response actions, may require significant configuration and tuning to avoid noisy or unsafe automated actions

  • Requires familiarity with OpenSearch/Elastic-style indexer and dashboard components

Conclusion

EDR solutions detect and respond to advanced cyber threats, including zero-day exploits, polymorphic malware, and insider attacks, making them a valuable tool for organizations facing a high degree of cyber risk or complex compliance requirements.

While Managed Detection and Response (MDR) services and Managed Extended Detection and Response (MXDR) services are available, adopting an open-source EDR platform is an alternative worth considering if an organization already has a highly skilled IT security team.

Looking for more resources to help strengthen your organization's security posture? Reach out today or download our complimentary Buyer's Guide.
