Understanding EDR Architecture: From Lightweight Agents to Telemetry Collection

Traditional security tools historically focused on static identification. They checked files against a list of known bad signatures before execution occurred. This approach proved insufficient as adversaries began using legitimate tools and in-memory techniques to bypass disk-based scanning.

Endpoint Detection and Response (EDR) represents a shift from static snapshots to continuous observability. Instead of asking if a file is malicious based on its hash, EDR asks what the system is doing right now. It functions like a flight recorder for a workstation or server, capturing every significant event in real time.

The primary goal of an EDR agent is to provide a comprehensive audit trail of system activity. This telemetry allows security engineers to reconstruct the timeline of an attack long after the initial breach occurred. By capturing process starts, network connections, and configuration changes, the agent provides the context needed for behavioral analysis.

For developers, understanding EDR is about understanding system-level telemetry. It is the process of turning granular OS events into actionable data structures. This visibility ensures that even if an attacker uses a trusted system utility, their anomalous behavior will stand out against the baseline of normal operations.

Capturing telemetry requires deep integration with the operating system kernel. Modern EDR agents typically use a combination of kernel-mode drivers and user-mode services to gather data. This dual-layered approach ensures that the agent can see events as they happen while maintaining the stability of the host system.

In the Windows ecosystem, agents often leverage Event Tracing for Windows (ETW). ETW is a high-performance tracing facility built into the kernel that allows the OS to report events from various components. EDR agents subscribe to these providers to receive updates on process creation, network activity, and file system changes.

On Linux, agents might utilize the Berkeley Packet Filter (eBPF) or the Audit subsystem. eBPF allows the agent to run sandboxed programs within the kernel to monitor syscalls with minimal overhead. This provides a safe and efficient way to observe system behavior without modifying the kernel source code directly.

The efficacy of an EDR solution is not measured by the volume of data it collects, but by the precision of its hooks and the context it attaches to every event.

The agent must act as a transparent intermediary. It should not interfere with the normal execution of developer tools or production workloads. High-quality agents are designed to drop telemetry events under extreme load rather than causing a system hang or a blue screen of death.

Process telemetry is the backbone of endpoint security. Every action on a computer is performed by a process, and tracking the lifecycle of these processes is essential. An EDR agent records the process ID, the user context, the full command line, and the cryptographic hash of the executable.

Understanding the lineage of a process provides the necessary context for detection. For example, seeing a python.exe process is normal for a developer. However, if that process was spawned by a Microsoft Word document, it is highly suspicious and indicates a potential macro-based exploit.

The agent captures the exact command-line arguments used during execution. This reveals the intent behind the process. A PowerShell instance running a standard script is different from one running an encoded command that downloads a payload from a remote server.

1{
2  "event_type": "PROCESS_START",
3  "timestamp": "2024-03-01T14:20:01.450Z",
4  "process_id": 4412,
5  "parent_process_id": 1024,
6  "executable_path": "C:\\Windows\\System32\\cmd.exe",
7  "command_line": "cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\setup.ps1",
8  "user": "CORP\\jdoe",
9  "integrity_level": "High",
10  "hashes": {
11    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
12  }
13}

The telemetry must also include the 'integrity level' or privilege level of the process. An attacker gaining administrative rights is a critical event. By comparing the privileges of the parent and child processes, the EDR can identify privilege escalation attempts as they happen.

The Windows Registry is a frequent target for attackers looking to maintain persistence on a system. By modifying specific keys, malware can ensure that it starts automatically every time the computer reboots. EDR agents monitor these 'Auto-start Extensibility Points' (ASEPs) with high scrutiny.

Registry telemetry includes the specific key being modified, the value being written, and the process performing the modification. This allows the system to detect when a non-standard process attempts to write to sensitive areas like the Run or RunOnce keys. Such behavior is a hallmark of persistent malware.

Monitoring is not limited to just startup keys. Attackers often modify system configurations to disable security features or change network settings. EDR provides a log of these configuration drifts, allowing administrators to revert unauthorized changes and identify the source of the compromise.

1# Simple logic to identify non-standard persistence
2def is_suspicious_registry_change(event):
3    # Define common persistence keys
4    persistence_keys = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
5    
6    # Check if the event matches a sensitive key
7    if event['key_path'] in persistence_keys:
8        # Flag if the process is not an authorized installer or system service
9        if event['process_name'] not in ["msiexec.exe", "trusted_updater.exe"]:
10            return True
11    return False

Deploying an EDR agent involves balancing security requirements against operational constraints. Every piece of telemetry collected consumes CPU, memory, and network bandwidth. Engineering teams must decide what data is essential and what can be safely ignored to maintain performance.

Filtering at the source is a common optimization strategy. Instead of sending every single file-read event to the cloud, the agent might only report writes to executable directories. This reduction in volume saves on storage costs and speeds up the time it takes to detect an actual threat.

The trade-off between local and remote analysis is another key consideration. Local analysis allows for immediate prevention, such as killing a process before it can encrypt files. However, complex behavioral analysis often requires the massive computing power and global context available only in a cloud environment.

• Data Volume: High-fidelity telemetry can generate gigabytes of data per endpoint daily.
• False Positives: Overly sensitive rules can block legitimate developer tools and disrupt workflows.
• Latency: Kernel hooks and inspection engines can introduce measurable delays in system operations.
• Privacy: Monitoring process arguments and file names can inadvertently capture sensitive user data.