Cybersecurity tools tend to be fragmented since you likely deal with multiple vendors, contracts, billing metrics, and other devices. This disjointedness can create security gaps within your systems that are exploitable. Furthermore, fileless attacks or advanced persistent threats (APTS) are increasingly common and can damage an organization’s networks.
Signature-based tools (AV) are necessary but insufficient since all but the most basic attacks now include obfuscation and evasive techniques. Next-gen AV — machine learning and behavioral-based detection — is now the bare minimum. Endpoint detection and response, or EDR, solutions can provide better behavioral visibility and investigation capabilities of any borderline endpoint activity.
With attacks moving down-market, EDR is increasingly required even for smaller companies based on their risk profile. However, because the feasibility of attack increases exponentially based on one's ability to defend from attack, cyber leaders shouldn't treat EDR as another tool that can manage without integration with other endpoint technologies — as is often the case with AV, patch and vulnerability management, network intrusion detection, and DNS security.
EDR Solutions Can Provide Four Major Capabilities
EDR’s primary strength capabilities include the following:
- Attack prevention: Blocking security incidents at network endpoints and keeping them from spreading across your entire network.
- Incident response: EDR solutions provide incident response capabilities, such as prioritization and investigation, which can help your security team respond more quickly to attacks.
- Advanced threat detection: EDR software can detect anomalies on endpoints and malicious activity on the network. In addition, it provides for more than just looking for file-based malware.
- Incident investigation: EDR makes forensic investigation of incidents easier by building one central repository of endpoint data and preparing it for analysis.
Endpoint security (including EDR) is the second-to-last line of defense, deployed after earlier layers of security such as network and email, but before end users enter the picture. As a result, all these layers must work together to defend against threats, leveraging techniques such as machine learning and end users’ proficiency with and application of security awareness training.
Every organization must possess on-the-go protection, meaning fully independent protection on all endpoints. This should be bolstered with cloud telemetry, analytics, and management. From the end user's perspective, this protection should be independent of being on- or off-network. From the IT team's perspective, remote endpoints must be monitored, managed, and fully accessible, just like on-premise endpoints.
What IT Should Look For
Look for vendors that provide a suite of security solutions covering a broad swath of security needs focusing on the “cyber kill-chain” of typical attack patterns: phishing via email and attempted endpoint compromise and exploiting users’ trust to gain access. Email, web, network, and endpoint protection are essential, as are end-user training, threat intelligence, identity management, and backup. While no vendor can provide everything, consolidation is generally a positive.
Additionally, watch out for vendors that provide a broad set of capabilities, some poorly executed. All components in a suite should be of high quality, and you should be on the lookout for excessively costly vendors charging for numerous add-ons. Finally, billing should be clear and transparent.
Complete Visibility Means Stronger Endpoint Protection
Protect endpoints from hackers without giving them a gateway into your corporate network. Risks include gaps created by poor default configuration and confusing options, additional burdens on the IT team, poor product quality (lack of detection efficacy and inefficient operation), and lack of integration with related solutions.
Any endpoint solution — whether traditional AV or EDR — should support a fully set-it-and-forget-it operation: it should block nearly all threats with minimal setup and configuration. When threats are discovered, an investigation should focus on root cause analysis and future system hardening, with relevant, actionable data shown in practical, informative ways. At the same time, you want to avoid creating additional work maintaining definitions, signatures, and updates.
The core product efficacy should be verifiable by independent testing agencies such as AV Comparatives and AV Test. Beware of random review sites and "pay to play" testers who may exhibit conscious or unconscious bias. EDR provides real-time visibility into endpoint activities by detecting malicious behavior, responding to threats, and recording endpoint data. There is an assumption that a human will be looking at the results for certain kinds of threats. Therefore, aside from detection efficacy, investigation results must be usable, reliable, and transparent with high quality.
A high-quality endpoint solution will not solve the security problem if IT staff have to monitor and manage multiple other endpoint products simultaneously independently. The many endpoint security capabilities should work together to block and investigate threats. Traditional AV, next-gen AV, and EDR features can now be found in a single package to avoid confusion and conflicts. Network and DNS protection must be fully integrated since many threats propagate over the air. Consider integrated vulnerability and patch management to harden systems and respond to EDR investigations proactively.
As the Gartner Hype Cycle for Endpoint Security notes, these issues are essential. For example, it states that ransomware attackers have evolved from using simple automated techniques to highly organized human-operated campaigns to extract the maximum ransom from victims. For this reason, it’s crucial for risk management leaders to correlate data from the endpoint and many other security points to support threat hunting.
Gartner further calls EDR "a new type of security technology," which helps shorten response times. EDR solutions help companies detect and respond to threats quickly, in real-time — the threats that have bypassed your EPP or other security tools. In essence, EDR provides exceedingly quick access to information about an attack.