The Value of Endpoint Detection and Response Solutions
What is EDR?
Endpoint Detection and Response (EDR) is often the name given to newer “next-generation” threat management solutions that continually monitor computer devices and respond to cyber threats on them. EDR solutions rely on behavioural analysis to recognize attacks as they develop and respond in real time to contain an identified threat.
This differs from the signature-based detection in traditional anti-virus solutions, which compares each process against known signatures as it executes and does not follow the chain of processes it goes on to spawn.
As technology evolves, so does the sophistication of cyber threats. At one time, traditional anti-virus was mostly effective at identifying the threats of the day and stopping them to keep a machine safe. However, modern threats are designed in such a way that they can more easily evade these “perimeter defenses” to compromise machines and wreak havoc across networks.
Ransomware is one such example of a threat that can evade traditional anti-virus solutions to encrypt sensitive data both locally and on a corporate network. That data is then held hostage until a financial ransom is paid. Malicious cryptomining is another threat that can sit stealthily on a machine or network and consume expensive compute resources to the detriment of other legitimate business services.
EDR solutions are designed to combat these modern-day threats by dropping the reliance on signature files, which can only identify threats that have already been catalogued. Instead, EDR solutions use an “always-on” approach of continuous file/process scanning, often backed by Artificial Intelligence (AI) and Machine Learning (ML) heuristics. This allows EDR to be ready for even the newest zero-day threats at all times and to take action at the first sign of malicious behavior.
What features should EDR solutions have (i.e., what makes a good solution)?
Top features that should be included in an effective EDR solution include:
- Multi-platform solution covering Windows, macOS, and Linux deployments
- Centrally managed with effective dashboards for viewing relevant information quickly
- AI-driven behavioral analysis based on ML threat heuristics plus the ability to train the AI on the fly as the solution adapts to the business environment
- Always-on system scanning
- Real-time threat response including kill, block, quarantine, rollback (to the last known good version of the file), and device containment (disconnecting from the network)
- Forensic details to make informed decisions about detected threats
- Versatile white-listing that allows exclusions to be set not just at the typical folder or file level, but also at the hash level, which identifies a safe application or process by its exact contents rather than its location
- Firewall
- Device control allowing for granular policies enabling/disabling access or connectivity of USB and Bluetooth devices
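As an added illustration of the hash-level exclusion point above (example code written for this page, not from the original article or any EDR product; the exclusion schema, file names and sample bytes are constructed), the following compares a folder-level rule with a hash-level rule before and after the file at an approved path changes:

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical exclusion schema (not any vendor's format): an allow-list entry
# can be scoped to a folder, to an exact file path, or to a SHA-256 content hash.

def sha256_of(path: Path) -> str:
    """Hash a file's contents in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_excluded(path: Path, exclusions: dict) -> tuple:
    """Return (excluded, reason). Folder and file rules match only the location;
    a hash rule matches only this exact content, wherever it sits on disk."""
    resolved = path.resolve()
    for folder in exclusions.get("folders", []):
        if Path(folder).resolve() in resolved.parents:
            return True, "folder"
    for file in exclusions.get("files", []):
        if Path(file).resolve() == resolved:
            return True, "file"
    if sha256_of(resolved) in exclusions.get("hashes", set()):
        return True, "hash"
    return False, ""

def demo() -> dict:
    """Compare a folder-level and a hash-level exclusion for an approved tool,
    before and after different content appears at the approved path."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tools" / "backup.exe"
        tool.parent.mkdir()
        tool.write_bytes(b"MZ constructed sample: approved backup tool")
        by_folder = {"folders": [str(tool.parent)]}
        by_hash = {"hashes": {sha256_of(tool)}}
        results = {
            "original_folder_rule": is_excluded(tool, by_folder)[0],
            "original_hash_rule": is_excluded(tool, by_hash)[0],
        }
        # Different content now occupies the excluded path (e.g. a tampered update).
        tool.write_bytes(b"MZ constructed sample: different binary, same path")
        results["changed_folder_rule"] = is_excluded(tool, by_folder)[0]
        results["changed_hash_rule"] = is_excluded(tool, by_hash)[0]
        return results

if __name__ == "__main__":
    print(demo())
```

The folder rule keeps excluding whatever occupies the path, while the hash rule stops matching as soon as the contents change, which is why hash-level exclusions identify safe software more precisely.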
How do you evaluate EDR solutions?
The best way to evaluate any EDR solution is to conduct a pilot phase in which the product is placed in a “training mode” and deployed to a segment of the end-user population. The solution then runs on a select group of devices and only raises alerts for what it detects, without taking automated action.
This pilot period is very important as any AI solution first needs to adapt to its new environment. You may discover that initially a wide range of legitimate business software or processes are being flagged as threats. This is because the EDR solution is relying upon AI engine(s) to make determinations of what is suspicious activity and what isn’t.
This training period allows you to fine-tune the solution to your environment and set your various exclusions for what is legitimate. Pilot periods often run from 2-4 weeks with a steadily increasing number of devices enrolled to get the best evaluation possible of the corporate environment before automated kill & protect policies are enabled.
What are the questions you should be asking when exploring options?
When exploring options, it is important to evaluate how well the solution deploys to devices and how useful its reporting is.
- Is it easy to deploy and silent to the end-user?
- Does it require manual intervention for each device or can it be deployed en masse automatically?
- Did it cause any disruption to your user base’s ability to work?
- How effective is the information you are receiving from the reporting?
- Can you remotely review threat detections and specify response actions from a central location?
Other considerations for evaluation will depend on whether you intend to manage the product in-house or are looking to outsource to a Managed Service Provider (MSP). If you are evaluating an MSP, it is important to find out their level of expertise with the product.
- How knowledgeable are they in answering your questions?
- Are they able to suggest best practice deployment strategies for your environment?
- Do they have access to vendor support if something goes wrong?
- What does their monitoring commitment look like for your environment?
Whether in-house or through an MSP, EDR solutions add further layers of security to organizations and their systems. The AI and ML elements of EDR make these solutions the next phase of endpoint cybersecurity, one that adapts enterprise defenses as new threats are encountered.