Skip to main content
Red Canary help

Linux EDR vs. EDR/EPP

  • Updated .

Red Canary Linux Endpoint Detection and Response (EDR) does not currently support prevention or response capabilities. 

Linux EDR vs. EDR/EPP

Common customer pain points with EDR/EPP products for Linux are...

  • Limited Linux distribution and version support
  • Limited Cloud support and integrations
  • Limited telemetry collection
  • Limited detection capabilities due to a lack of investment in threat research and detection writing for Linux
  • Limited visibility and guarantees into sensor safety, performance and reliability

These issues are the largest reason why many businesses do not deploy traditional EDR or EPP products into their Linux Datacenter or Cloud environments. For these businesses, detection expectations are low, and the risk of things going wrong are perceived as high.

Red Canary Linux EDR addresses these issues

  • We provide the broadest support for Linux distributions and versions.
  • It is written in the safe, performant Rust language and does not require the installation of a kernel module.
  • It supports AWS, Azure and Google Cloud.
  • It provides sensor performance reporting in the platform, giving you, your team and your internal stakeholders confidence that the sensor is performant and not causing system degradation. This includes CPU and memory utilization, with p50, p90 and p99 percentiles.
  • We are 100 percent focused on Linux and have dedicated engineers consistently delivering on fixes and new capabilities.
  • We have dedicated threat researchers and detection engineering consistently tuning and delivering on Linux threat detection.

Prevention Capabilities

Red Canary Linux EDR does not yet provide Prevention/Anti-Virus/Next Generation Anti-Virus capabilities for the following reasons:

  • Prevention capabilities are limited in their value for traditional EDR/EPP products. There are few or zero threats to block due to the vendors lack of investment in Linux capabilities and detection. We're changing this.
  • Traditional EDR/EPP prevention capabilities require the use of low-level code that halts execution until the product gives a "yes/no", "is this safe" answer, which introduces performance degradation. This is a deal breaker for many companies as Linux systems are designed to perform workloads, and slowing them down can result in resource fatigue and, as a result, customer facing impact (internal, or external). The stakes of impacting a server are often higher than impacting an employee's laptop.
  • Most vendors do not support Prevention for Linux, and for those that do, very few customers enable it due to perceived risk.
  • Only once we have completely delivered on detection outcomes for our customers can we examine prevention capabilities.

Response (Containment/Eradication) Capabilities 

Red Canary Linux EDR has a response action plugin but actions are limited. 

Comments

0 comments

Please sign in to leave a comment.