
With endpoint security breaches on the rise, how do you find the right EDR solution?


In case you haven’t yet noticed, endpoint security has recently become a hot topic on the cybersecurity front. Why? For one thing, there are now over 7 billion connected devices worldwide, and that number grows daily as more employees work from home or bring their own devices into the office and connect them to internal networks. Meanwhile, most organisations spend their finite cybersecurity budgets guarding servers and firewalls, which leaves the endpoints a soft target for today’s well-funded and well-staffed attackers, whether they are looking to monetise data or make a political statement.

At the same time, it’s become clear that traditional antivirus software is no match for the growing sophistication and volume of today’s advanced threats. According to the most recent Ponemon Institute report on endpoint security risk, survey respondents estimate that their current antivirus solutions block only 43 per cent of attacks, on average. What’s more, signature-based antivirus is, by design, of little use against insider tampering, zero-day attacks, and fileless malware: it looks for known-bad files, and these attacks either use no file at all or a file that no signature yet describes.

So, today’s growing interest in EDR (endpoint detection and response) solutions certainly makes sense, especially when the latest Ponemon research reveals that data breaches take an average of 197 days to identify. That’s roughly six-and-a-half months of an attacker operating unobserved inside the network. To make matters worse, organisations often fail to find out about those incidents at all until law enforcement, a card brand or a merchant-services provider notifies them.

Of course, the situation would improve significantly if incidents were detected sooner: it would cut breach costs and go a long way toward protecting brand reputation. That is where EDR solutions come into play. Their purpose is to provide the immediate detection and effective response needed to contain a threat quickly.

Here’s how EDR tools typically work. An agent on each endpoint monitors system activity (process creation, file and registry changes, network connections, user logons) and forwards those events to a central database. Analytics run continuously over that store to flag suspicious behaviour, and the recorded history lets analysts reconstruct what happened, respond, and block both internal threats and external attacks.

What should an EDR solution look like? While the market is still evolving, with a host of providers offering a wide variety of features, the majority of EDR solutions on the market today typically include capabilities for:

  • Security incident detection
  • Incident containment
  • Incident investigation
  • Threat intelligence
  • Remediation guidance

In addition, Gartner Research has recommended that an EDR solution should:

  • Record and store endpoint-system-level behaviours
  • Employ data analytics techniques to detect suspicious system behaviour
  • Provide contextual information
  • Block malicious activity
  • Provide remediation suggestions to restore the affected systems
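To make the Gartner checklist above concrete, here is a small Python sketch of the record, store and analyse loop that an EDR performs. It is an illustration added to this article, not code from Netsurion or any vendor’s product: an in-memory SQLite table stands in for the central event database, the process-creation events are constructed sample data in Sysmon-like fields, and the two rules (a shell with an Office application somewhere in its ancestry, and PowerShell launched with an encoded command) are hypothetical detection rules chosen for the example. Each alert carries the process ancestry as the contextual information an analyst would want before deciding to contain the host.

```python
"""Minimal EDR-style pipeline: endpoint events -> central store -> analytics -> alerts with context.

Added example for illustration; not any vendor's product. Event data is constructed.
"""
import sqlite3
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry in Sysmon-like fields: (host, pid, ppid, image, command line).
SAMPLE_EVENTS = [
    ("ws-101", 100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ("ws-101", 200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    ("ws-101", 300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc SQBFAFgA"),
    ("ws-101", 400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc SQBFAFgA"),
    ("ws-102", 100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ("ws-102", 250, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -File backup.ps1"),
]

# Hypothetical rule vocabularies chosen for this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    host: str
    pid: int
    rule: str
    ancestry: list  # image basenames from the flagged process up to its root, for context


def basename(image: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return PureWindowsPath(image).name.lower()


def open_store() -> sqlite3.Connection:
    """Central event store; an in-memory SQLite database stands in for the server-side store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events (host TEXT, pid INTEGER, ppid INTEGER, image TEXT, cmdline TEXT)"
    )
    return conn


def ingest(conn: sqlite3.Connection, events) -> int:
    """Record endpoint-system-level behaviour (here: process creations) in the central store."""
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()
    return len(events)


def ancestry(conn: sqlite3.Connection, host: str, pid: int, max_depth: int = 32) -> list:
    """Walk parent links within one host to rebuild the process tree above a pid.

    Stops at an unknown parent, a cycle, or max_depth, so reused pids cannot loop forever.
    """
    chain, seen, cur = [], set(), pid
    while cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        row = conn.execute(
            "SELECT ppid, image FROM process_events WHERE host = ? AND pid = ?", (host, cur)
        ).fetchone()
        if row is None:
            break
        chain.append(basename(row[1]))
        cur = row[0]
    return chain


def detect(conn: sqlite3.Connection) -> list:
    """Run the analytics over the stored events and return alerts with process-tree context."""
    alerts = []
    for host, pid, image, cmdline in conn.execute("SELECT host, pid, image, cmdline FROM process_events"):
        name = basename(image)
        chain = ancestry(conn, host, pid)
        # Rule 1: a shell or script host whose ancestry (not itself) contains an Office application.
        if name in SHELLS and any(a in OFFICE_APPS for a in chain[1:]):
            alerts.append(Alert(host, pid, "office-lineage-shell", chain))
        # Rule 2: PowerShell started with -enc / -EncodedCommand, a common way to hide a payload.
        if name == "powershell.exe" and any(t.startswith("-enc") for t in cmdline.lower().split()):
            alerts.append(Alert(host, pid, "encoded-powershell", chain))
    return sorted(alerts, key=lambda a: (a.host, a.pid, a.rule))


def run_pipeline(events=SAMPLE_EVENTS) -> list:
    """Ingest the events into a fresh store and return the alerts the rules produce."""
    conn = open_store()
    ingest(conn, events)
    return detect(conn)


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"{a.host} pid={a.pid} {a.rule}: {' <- '.join(a.ancestry)}")
```

Run as a script it prints three alerts, all for ws-101: the cmd.exe spawned under WINWORD, and the encoded PowerShell beneath it, which trips both rules. The PowerShell on ws-102 running a plain script file is left alone, which is the point of judging behaviour in context rather than flagging every interpreter launch. A real product would add many more event types and rules, and would keep the raw events so that an investigation can go back further than the rule that fired.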

Today’s EDR solutions typically fall into one of two categories: self-managed EDR software, offered by companies such as CrowdStrike and Carbon Black, or EDR as a managed service, which is available from Netsurion. A self-managed solution may be attractive to some, but it is likely to require additional staff and a high level of expertise to run and maintain. A managed service, which can alleviate difficult staffing issues, may prove the easier choice.

Either way, there are several things to keep in mind as you consider and compare the options available in today’s EDR solution marketplace:

  • Will it integrate with your existing cybersecurity tools, such as log management or SIEM?
  • How easy is it to implement and maintain?
  • Can it support all the operating systems – and their variants – that you need to protect throughout your organisation?
  • How effective will it be at monitoring and tracking the various types of activity on your endpoints? And how will it behave when an endpoint is off the network: does the agent keep recording locally and forward the backlog when it reconnects?
  • How will it impact the performance of your endpoint operating systems and hardware? Will end-users complain of lower productivity? How will you resolve those issues if they arise?
  • If you’re looking at a managed solution, does it also deliver SIEM (security information and event management) capabilities, along with a 24/7 SOC (security operations centre), staffed by security analysts with malware expertise?
  • And finally, if you’re leaning toward a software-only EDR solution, do you have – or will you be able to recruit, train, and retain – a team with the expertise necessary to manage it internally?

Clearly, we’re reaching the point where the question is no longer whether you’ll add an EDR solution to your security arsenal, but when, and what type best meets your needs. As you can see, there’s a lot to learn and a lot of important decisions to make. But perhaps the most important decision is to start doing your research now.

Aaron Branson, VP, Netsurion