The last thing any IT Director, IT Manager, or Security & Risk Manager would ever want is for a breach to happen on their watch. You don’t want to be in the position of having to explain to the board why the attackers were able to get through – and why you weren’t able to detect them in time. The unfortunate reality is that enterprise endpoint attacks are continuously increasing, including attacks targeting smart devices. Most organizations simply don’t have the cyber security staff needed to address these threats.
Many organizations are recognizing the need for Endpoint Detection & Response (EDR) – the global market for EDR should grow to USD 3,443.64 million by the year 2024 – but how do you know which EDR vendor is right for your organization?
Sometimes choosing the right solution is simply a matter of knowing which questions to ask. When talking to vendors about their EDR solutions, address at least these five questions.
QUESTIONS FOR EVALUATING EDR VENDORS
How does the EDR vendor’s product actually detect threats?
When it comes to evaluating different EDR vendors, the field is a lot less cluttered than traditional antivirus. The gold standard is a program developed by US-based non-profit MITRE. It evaluates EDR solutions against the organization’s own “ATT&CK framework”, a continually updated set of tactics, techniques and procedures used by cyber criminals. This framework gives companies impartial results against which to benchmark different EDR vendors’ performance, along with insights into the kinds of telemetry, alerts, interface, and output you can expect from each. MITRE’s evaluations are widely used by industry authorities such as Gartner and Forrester.
Every EDR solution has its own approach to detecting threats, and the approach can determine which types of attack it will be most effective at detecting. You should ask your vendor for a detailed run-down of what detection techniques their EDR solution uses and how they work together to provide a context for any detection. Can their solution detect attacks using popular file types such as Word and PDF? Can it detect the misuse of PowerShell and other legitimate applications? Can it detect suspicious behavior by applications or users? Can it detect insider threats, whether intentional or unintentional? Can it assess the risk level of a detection, the importance of the affected host, and the detection’s place in the prevailing threat landscape?
An EDR solution’s ability to detect threats is always going to be the most important factor. Although this has been a difficult question to evaluate up to this point, the MITRE organization’s test results are now the standard you can use to see how different EDR technologies performed. Ask your vendor how their EDR solution detects threats, and compare its results to other solutions in the MITRE tests.
How difficult and time-consuming is it to run their EDR solution?
MITRE’s evaluation is a great starting point, but you also need to consider other factors besides detection performance. An EDR solution cannot give your organization a comprehensive EDR capability on its own, and developing such a capability can involve a number of challenges. Your EDR solution will need to be integrated with your other security systems, managed by your IT team, analyzed by incident response experts, and followed up with security research and threat hunting.
A product that can only be used effectively by a fully certified incident response expert is only going to be useful when you have such an expert on hand. Most companies don’t have constant access to their own incident response experts, so you need an EDR solution that can be operated even by a junior IT employee. A clear user interface and dashboard are a must, and it’s also helpful to have a solution that visualizes all activity happening on your endpoints. That will make it much easier for your team to understand when and how an attack is happening. Automated response actions and built-in guidance can enable you to react to attacks without needing to be an expert yourself. Our EDR solution, for example, offers clear recommendations on dealing with the potential incidents that pop up on your dashboard. It also gives you access to our trained incident response experts directly from the product interface, if you encounter a situation that’s above your team’s skill level.
Can the EDR vendor’s solution be integrated with your other security products?
EDR is distinct from traditional endpoint protection, although both are needed for comprehensive security. Endpoint protection platforms include antivirus and anti-malware solutions designed to recognize and stop known threats. EDR is focused on detecting advanced and targeted threats designed to evade endpoint protection – including sophisticated campaigns that may involve a number of different endpoints. If your EDR solution isn’t integrated with your endpoint protection platform, you won’t be able to examine the information from both sources simultaneously. The ideal situation is one in which you can not only prevent, detect, and respond to all threats effectively, but can also manage both solutions inside the same user portal. For this reason, it might be beneficial to look at EDR vendors that also have a robust endpoint protection product in their portfolio.
What is the solution’s performance impact on your endpoints?
An EDR solution that slows network traffic and impacts the performance of your endpoints is likely to frustrate users and reduce the efficiency of everything happening within your organization. The best choice is an EDR vendor whose solution has light and discreet endpoint sensors that are practically invisible to the end user. This should be the goal of every cyber security solution out there, so it’s important to know whether a potential vendor shares this priority.
What kind of support does the EDR vendor offer?
Support can – and should – take many forms, and be whatever you need it to be. That’s why this question is more complex than it might initially seem, and generally splits into several sub-questions.
If your business experiences an attack or a complex threat detection, will the vendor be there to help you deal with the threat? Does the vendor’s EDR solution include access to trained incident response experts with hands-on experience in dealing with a wide range of cyber attacks? Does your vendor offer the option of purchasing a managed service, allowing you to focus on your core IT tasks while your security is handled by experts? If your organization is large and especially likely to be targeted, can your vendor provide access to a fully managed threat hunting service capable of detecting and responding to even the most demanding attacks in minutes? Does your vendor provide 24/7 support from threat investigators and incident response experts?