According to Gartner, companies are making big changes to their endpoint security strategies. CISOs and security leaders want to replace older style security solutions with Endpoint Detection and Response (EDR) solutions, with around 50 percent of companies keen to complete their upgrades by 2023.
The reason for this? Traditional security approaches don’t offer the flexibility and speed of response that are needed today. In the Gartner report, the analysts state that, "Older anti-virus solutions offer insufficient protection against today’s advanced threats and lack speed of response, nor do they provide the capability to show the root cause or damage done."
However, EDR is not enough on its own - there are some changes needed to make this approach successful for today’s security. This year saw Covid-19 affect companies of all sizes and a huge shift to remote working. This does not look like it will revert back in the near future. Many companies have committed to remote working until at least Summer 2021, while industry analyst firm Canalys has stated that the percentage of remote workers in Western Europe will grow from 12 percent to 28 percent.
Making your EDR strategy work at scale
When it comes to handling Covid-19 and more remote working, EDR can help CISOs respond. However there are some shifts in approach that will be needed alongside EDR.
One of the first problems that security teams run into is how many endpoints are actually in place that need to be supported. Having a full asset inventory in place can make the move to EDR more effective, as it can show that all endpoint assets are included. Conversely, implementing EDR without this list of assets can lead to endpoints being missed or mistakenly overlooked. This can mean that machines don’t get properly managed over time.
Alongside this, EDR has traditionally been implemented and run on enterprise networks where workers are present on the company network. Today, many workers are remote and rely on their home Internet service to connect. For traditional EDR, this would mean using some form of Virtual Private Network (VPN) in order to connect and treat each endpoint as part of the network.
For companies that were fully prepared for remote working, this may suffice. However, many firms did not have full VPN support for all their employees in place. This can make managing EDR deployment more difficult. Instead, cloud-based services that can connect to all endpoints equally, regardless of location, will be needed. This simplifies the process for keeping endpoints up to date, and ensures that detection and response initiatives can scale up.
Applying threat intelligence and EDR
One of the most important elements in an EDR deployment is how you use threat intelligence. Threat intelligence describes the feed of issues and attacks that are being discovered over time, and these threats can then be detected across your endpoints.
When a threat or suspicious activity is detected, you need to act quickly to understand what the information or indicator means, and how you can pivot to take action to prevent any further compromise. Having the right threat intelligence in place is essential to that. However, not all threat intelligence feeds are created equal - threats in one company’s feed may not show up in another’s, while managing multiple feeds can be a pain point.
This can make it harder to act quickly - either you may miss out on timely data, or you may have to work on consolidating feeds yourself. At the same time bringing in external threat intelligence feeds to your EDR can attract a cost as well. This should not be the case - you should not be penalized in terms of time or cost for using additional data sources that improve your EDR.
Being proactive around EDR
EDR is typically used when an issue is discovered. As an example workflow, your EDR product will discover malware that has been downloaded and exploited a vulnerability, and then a chase will take place to discover how that malware got through your security. This will show any chain of events that took place, and then help you stop the same thing happening again.
However, this is very reactive. While EDR makes the clean-up process easier and more automated, it does not help to prevent problems in the first place. Instead, it is important to look at how to be more proactive in future.
There are two elements to this. The first is looking for vulnerabilities that exist, and then ensuring that these issues are fixed. The second is to use your asset inventory when a malware problem is discovered. Not only should your EDR approach help you investigate how an issue was exploited, it should also make it simpler to see other machines or assets that have that same potential problem.
With these processes - and the right data - in place, your security team can inspect other endpoints across your hybrid infrastructure for exploitable vulnerabilities, MITRE-based misconfigurations, end-of-life or unapproved software and systems that lack critical patches. Once an issue is discovered, the remediation process should be automated as much as possible to help employees wherever they happen to be. This should be the same whether employees are within the corporate network or - as is more likely - connected remotely.
This move to remote working will affect companies of all sizes - the number working from home is expected to more than double, according to Canalys. For security teams, responding to this shift will require more work on remediation and response. However, this is an opportunity to put more proactive processes in place, so managing these remote workers is actually easier for security teams as well.
Ben Carr, Chief Information Security Officer, Qualys