Unveiling the Gaps: Linux EDR Telemetry in Focus

Kostas
7 min read · Dec 17, 2024

Introduction

Visibility serves as the cornerstone for understanding and mitigating modern threats. The EDR Telemetry Project was established as a comprehensive effort to evaluate the depth and breadth of telemetry provided by Endpoint Detection and Response (EDR) solutions for Windows systems. Its purpose has been to illuminate the gaps that often go unnoticed, providing an objective measure of whether defenders can depend on these tools to identify, analyze, and respond confidently to adversarial activity.

If you don’t have medium Premium, you can read this blog here: https://kostas-ts.medium.com/unveiling-the-gaps-linux-edr-telemetry-in-focus-1290a010ad1b?sk=2f3ced9dbd47c83acd9e6b8fe26af119

As the project moved forward, we noticed an important area where we could improve: the need to put more emphasis on Linux systems. Linux is no longer a niche platform; it is the backbone of modern IT. From cloud environments to enterprise workloads and critical infrastructure, Linux powers much of what we depend on daily.

The decision to expand the project to include Linux was necessary. With attackers increasingly targeting Linux environments with sophisticated threats, defenders must have the tools to monitor and respond effectively. This article delves into why Linux telemetry matters, our approach to testing, and what the results reveal about the current state of Linux EDR solutions.

The Rising Tide of Linux Threats

For years, Linux enjoyed a reputation as a “safe” operating system. Its smaller market share compared to Windows, combined with its robust permission model, made it less attractive to attackers. That era is over.

  • Attackers are now actively targeting Linux systems with specialized malware, such as the perfctl malware, which was designed to evade detection and compromise millions of servers (AquaSec, 2024).
  • Ransomware families like Helldown have also been observed expanding their capabilities to encrypt Linux systems, a sign of the growing value attackers see in these environments (Sekoia, 2024).
  • These threats often exploit the unique characteristics of Linux environments, such as exposed Docker services…

Written by Kostas

I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/