The attacks taking place on small and medium enterprises (SME) are becoming more sophisticated, meaning that they cannot be easily prevented by traditional endpoint protection mechanisms. In such cases, timely incident detection is essential to minimize any potential negative impact. However, this challenging task cannot be done without enhanced endpoint visibility, exploring suspicious activities and understanding attack execution processes.
SMEs understand that they need to improve their security capabilities and they usually contact sales representatives to enquire about products. However, for an organization where it’s IT department is responsible for cybersecurity — as is typically the case for SMEs — translating this intention into practice can be hard. They simply don’t know where to start. It may seem that the ideal plan is to buy a solution that combines all the high-profile features at once.
But what can go wrong with this approach? Will the companies be able to sift through all the data and events that modern Endpoint Detection and Response (EDR) solutions provide, as well as distinguish between false alerts and real threats?
Serious functionality involves big investments – and it’s not only about money
First of all, it is a matter of price. A report from last year, ‘IT security economics in 2019: How businesses are losing money and saving costs amid cyberattacks’, shows that, on average, the share of spending on information security equates to around a quarter of an entire IT budget. This is true for both small and large companies, but in absolute numbers there is a significant difference. Spending on cybersecurity in organizations with 50-999 employees is estimated at $267,000, while their counterparts with more than 1,000 employees spend $18.9 million on average. So, a solution intended for enterprise customers may not suit smaller businesses’ budgets.
Moreover, required investments are not only monetary. Enterprise-grade products may be hard to install and integrate with existing security solutions. In an enterprise with a large IT security department, some staff can simply devote their time to this task. This can be an issue for a smaller company though, as fewer employees are responsible for maintaining the whole infrastructure.
Don’t use a sledgehammer to crack a nut
Of course, all these efforts are worthwhile when a new security solution benefits the company’s level of protection. But, in practice, even if an SME manages to secure a budget and implement an enterprise-grade solution, without sufficient expertise in information security, it will be difficult to fully leverage the scope of functionality.
First, the advanced functions may simply be irrelevant to their particular requests. For example, if a previously unknown suspicious object is detected, some organizations that are not very mature in cybersecurity just need to know if it is malicious, or if it needs blocking. Meanwhile others just need a full picture of the object’s actions and background for a deep investigation. It is important to understand what an organization’s requirements are and what its existing team can work with. Depending on this, a company can decide whether they are ready to purchase, for instance, a sandbox designed for security researchers.
Secondly, products which were created for security analysts are not appropriate for a “set-and-forget” approach. For example, a feature-rich EDR solution requires a team of expert analysts capable of tuning the detection logic and creating new rules to continuously improve detection levels. Without such specialists, the solution’s ability to proactively search for indicators of intrusion will not be useful.
It is common in SMEs for a system administrator to manage an endpoint protection solution. But even EDR, which provides essential capabilities, requires an employee with basic cybersecurity knowledge. Of course, hiring a full team of threat hunters or advanced security analysts at once is hardly a feasible task – such professionals are highly-paid and quite rare to find. Therefore, it is worth starting with an employee who has knowledge in information security. Combined with an understanding of the IT landscape, this allows for validating alerts, eliminating threats while taking into account the risks of their actions, such as isolation of a certain workstation or server, or stopping a critical business process.
When EDR becomes a piece of shelfware, rather than an effectively-used solution, it is not just a waste of an SME’s budget. Such a failure at the very beginning can demotivate company leaders to develop cybersecurity initiatives in general: if they do not see a benefit, why should the business invest in other security products?
Therefore, an organization should first decide if it is ready to hire an employee who is responsible for information security issues. If not, the most effective option will be to ask for help from external incident detection and response professionals.
For those businesses that decide to develop this capability internally, it is essential to initially find a beneficial solution without making substantial investments in additional resources - both monetary and human. And to avoid the above pitfalls, we recommend paying attention to the following guidance:
- To provide visibility without ‘blind spots’ and centralized response features, EDR needs to be integrated with an Endpoint Protection Platform (EPP). Enhancing cybersecurity capabilities should be a step-by-step evolution. Once a company can detect a malicious object with an endpoint protection solution, it can expand existing technology with the ability to understand where it came from and search for this threat on other workstations.
- If an EDR solution can be smoothly integrated with existing endpoint security solutions in a centralized way, it cuts the time required for deployment. So, before purchasing a product, ask if it supports turnkey integration with your EPPs.
- If you have a limited number of staff responsible for security, make sure your chosen EDR solution provides good visibility and automation, but doesn’t overwhelm a specialist with irrelevant information. All the incident information should be readily available from a single console and a path of the attack spread should be visualized to simplify threat analysis. Automated search for Indicators of Compromise and incident response features will speed up the work and increase staff productivity.
David Emm, principal security researcher, Kaspersky