EDR Security Gaps: Why Instant Breach Containment Beats Detection
Published December 15, 2025
Network security spending has risen nearly 18% in the last two years – a trend Gartner predicts will continue through 2029 – yet globally reported data breaches spiked 300%+ last year and two-thirds of cybersecurity pros report feeling more stress in their roles than they did five years ago.
Although higher spending should translate to fewer breaches and less burnout, we’re actually seeing just the opposite. Why? After years of investing heavily in detection while deprioritizing protection, security teams are dealing with the gaps left by an EDR-heavy approach.
In a recent webinar, Dr. Chase Cunningham, aka Dr. Zero Trust, and Nicholas DiCola, VP of Customers at Zero Networks, sat down to discuss why EDR alone isn’t enough – and how to build real-time defense in a Zero Trust world. Dive into key moments from the session and learn how you can close the security gaps left by detection-centric approaches, fine-tuning defenses to block lateral movement in real time.
The Role of EDR in Cybersecurity: Benefits and Blind Spots
Endpoint detection and response (EDR) solutions were built to monitor endpoints for malicious activity, trigger alerts, and help minimize the impact of a security breach. EDR essentially represents an evolution of antivirus (AV) technology – in fact, EDR solutions were originally branded next-gen antivirus.
EDR is an established cybersecurity best practice, but it’s designed to solve a very specific problem: identifying and stopping malicious behavior on an endpoint.
Dr. Chase Cunningham: You should have EDR – let’s just be clear about that. There’s value to it. No one is saying don’t do EDR … EDR is good for endpoint things, but it’s not doing anything beyond that, other than sending some telemetry.
Nicholas DiCola: And that’s why EDR was built – [for organizations asking] how do we detect attackers on the endpoint? EDR was created for that host-taking area of the MITRE ATT&CK framework; to stop, or detect, or ideally block the attacker if they get to the host.
While EDR delivers value as part of a comprehensive cybersecurity strategy, its inherent vulnerabilities make over-reliance on EDR risky, leaving organizations with a false sense of security.
EDR Security Gaps and Weaknesses
Because of how EDR works and where it operates, these solutions are vulnerable to sophisticated attackers.
Dr. Chase Cunningham: You have to realize, these solutions can be used for other purposes. EDR, like anything that operates at the kernel level or is able to do stuff all the way down an operating system, it’s potentially malware … it’s software that can be used for whatever purposes. Someone’s smart enough to figure out how to re-engineer and change it; that’s just the nature of technology.
What’s more, EDR’s limited scope makes it all too easy for skilled hackers to evade detection.
Dr. Chase Cunningham: I’ve been a red teamer. I can tell you that it’s not too difficult to manipulate the telemetry and say ‘everything’s fine on this endpoint, pay no attention here,’ and then they [move laterally] within the network – and that’s way more valuable. Hacking an endpoint – so what? It’s really about getting into the infrastructure.
The inherent limitations of detection-based security strategies are even more apparent in the context of the modern threat landscape, where attackers launch sophisticated exploits at breakneck speed, crafting their tactics specifically to bypass EDR.
How Modern Cyber Threats Evade Detection: Tactics and Trends
A closer look at EDR blind spots shows how attackers manage to stay a step ahead of detection-centric security approaches.
No EDR Stops All Living-off-the-Land Attacks
Malware-free or “living-off-the-land” attacks accounted for 79% of detected threats in 2024, according to CrowdStrike’s latest Global Threat Report – up from 40% in 2019. An over-reliance on detection may be contributing to this trend; in a Red Team Assessment Report, CISA concluded that heavy EDR reliance creates insufficient protection to stop all living-off-the-land attacks.
Dr. Chase Cunningham: No EDR that CISA (with their billions of dollars) looked at is able to stop stuff when it gets into the infrastructure and starts living off the land. If I can get to domain controllers, if I can get to servers, things along those lines, I’m living off the land – I’m shoveling shells, and I’m passing creds. EDR will not catch that in any way, shape, or form.
Modular Malware and AI-Enabled Attacks Beat Detection by Design
Attackers are embracing AI to build smarter, stealthier, and more tailored malware campaigns. Popular malware like Lumma Stealer, QakBot, LockBit, and SocGholish deliver modular capabilities that can be combined for greater impact.
Dr. Chase Cunningham: [Modular malware] is going to slide by most EDRs depending on how it’s put there. You have to be very careful about what your policies and controls are, and it’s not enough to say, ‘I’ve got next-gen AV on my endpoint.’
Nicholas DiCola: It doesn’t take OpenAI data centers to do this type of work. People are able to quickly build their own models, and of course, if you feed it enough POC samples for malware and say, ‘Can you take all these samples and give me a sample that will bypass x, y, and z?’ There are no guardrails in that. It’s not going to stop the AI from giving you exactly what you want as an attacker.
EDR Coverage Gaps Are Attackers’ Doorways
Today’s networks span data centers, clouds, branch offices, and everywhere in between, weaving layers, workloads, and identities into a tangled digital landscape. Trends like accelerating IT/OT convergence only add to this complexity, broadening attack surfaces. The reality today is that OT protection must begin in IT – 75% of attacks targeting OT systems start as IT breaches.
Because it’s simply not possible to protect every asset with EDR solutions, many modern networks remain vulnerable. A recent attack carried out by the Akira ransomware group illustrates this risk in action.
Nicholas DiCola: [Akira] initially got in and did get caught by the EDR. So, they went to a web camera – because there’s no EDR running on the web camera – and from there, they were able to jump to everything that they wanted because nothing was stopping them.
Dr. Chase Cunningham: Persistent adversaries don’t go away because they hit an endpoint in EDR. No bad guy hacker in the world has ever said, ‘Oh, I hit antivirus. I’m done. I’ll quit.’ They just find another avenue; defenses need to adapt.
Building Proactive Defenses to Prevent Lateral Movement
When hundreds of millions of cyberattacks occur globally every day, organizations must assume breaches are inevitable – the key is neutralizing threats and preventing lateral movement to limit the blast radius.
Nicholas DiCola: Years ago, at Microsoft, we started saying you’d need to assume breach. It’s going to happen, even if it’s just a spear-phish, and maybe somebody gets some money from your invoicing department. That’s a breach. It’s not if, it’s when – and we have to adapt.
Adapting security strategies to proactively contain threats rather than reacting to them means re-evaluating how core cybersecurity functions are prioritized. The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) outlines a set of six high-level functions to help organizations manage and reduce risk: Identify, Protect, Detect, Respond, Recover, and Govern. Although protection is key to stopping breaches quickly, it’s become largely overlooked.
Nicholas DiCola: In general, I think cybersecurity is really focused on detection and response, and we kind of forgot about protection. There aren’t a lot of people talking about protection and prevention, doing that early stuff, which is really what stops a lot of attacks.
Dr. Chase Cunningham: I think we’ve abandoned a lot of the really good things around ‘protect’ because it’s not sexy. The truth of the matter is protection is exceptionally valuable – you do things that are going to protect you from bad guys being successful.
By reprioritizing protection with strategies like microsegmentation to prevent lateral movement, security teams can close the gaps left by reactive, detection-based solutions.
Nicholas DiCola: If an attacker gets in and they can’t spread laterally, what do they do? They leave.
Dr. Chase Cunningham: This is the only space that you’ll find where they tell us what works and people wonder what works … if the bad guys can slide by EDR, what should you do? Limit the blast radius. It’s not hard to be smarter than the next easy target.
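The “limit the blast radius” argument above can be made concrete. The following is an added illustration, not code from the webinar or from Zero Networks: a constructed inventory (including a camera with no EDR, as in the Akira case described earlier) is evaluated under a flat network and under a default-deny, role-based segmentation policy, and the set of hosts an attacker could pivot to from a single compromised host is computed for each. All host names, roles and policy rules are invented for the example.

```python
"""Constructed model of blast radius with and without microsegmentation.
Assets, roles and policy below are invented for illustration; a flow on
SMB/RDP/WinRM that the policy allows is treated as a usable pivot."""
from collections import deque

HOSTS = {  # constructed inventory: host -> role (cam-01 has no EDR)
    "cam-01": "iot", "ws-alice": "workstation", "ws-bob": "workstation",
    "fs-01": "fileserver", "dc-01": "domaincontroller", "jump-01": "admin",
}
LATERAL_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM

# Default-deny policy: only (source role, destination role, port) triples
# listed here are allowed; anything else is dropped.
SEGMENTED_POLICY = {
    ("workstation", "fileserver", 445),
    ("admin", "fileserver", 3389),
    ("admin", "domaincontroller", 3389),
    ("admin", "workstation", 5985),
}

def allowed(policy, src, dst, port):
    """Policy decision for one flow; policy=None models a flat network."""
    if src == dst:
        return False
    return policy is None or (HOSTS[src], HOSTS[dst], port) in policy

def blast_radius(policy, compromised):
    """Hosts an attacker can reach from `compromised` by chaining allowed
    lateral-movement flows (each host reached becomes a new pivot)."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and any(
                allowed(policy, cur, dst, p) for p in LATERAL_PORTS
            ):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return seen

if __name__ == "__main__":
    for label, pol in (("flat", None), ("segmented", SEGMENTED_POLICY)):
        # camera compromised: flat -> every other host; segmented -> none
        print(label, sorted(blast_radius(pol, "cam-01")))
```

Compromising a workstation under the segmented policy reaches only the file server over SMB, and compromising the jump host still cannot reach the camera, which is the containment effect the speakers describe.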
Stop Cyberattacks in Real Time with Zero Networks
Zero Networks’ automated, identity-aligned microsegmentation solution makes it easy to minimize the blast radius and enhance cyber resilience, building instant breach containment into the network foundation.
Even sophisticated tactics that blind EDR solutions, such as living-off-the-land, are blocked by Zero Networks, leaving hackers stranded and critical systems secure.
Find out how easy it is to build a proactive and comprehensive network security posture with Zero – request a demo.