This blog post is part 2 of a 2-part series.
When making a decision regarding an EDR solution, SecOps leaders responsible for endpoint security should consider the following issues:
1. Align with Your IT Strategy
Carefully assess the features and capabilities of each EDR solution before making a technology choice. Align the vendor decision to existing investments in security tools and the wider IT strategy of the business. Consider a cloud-native solution, bringing the benefits of best-in-class features and performance and providing scalability cost-benefits.
2. Make Things Easier
Choose an EDR solution that comes with additional security modules that can be turned on from the same single platform and dashboard. This brings greater capabilities into one solution and keeps administration simple for the Security Operations Center (SOC).
The industry is also seeing an evolution of EDR technology into eXtended Detection & Response (XDR) solutions that cover more security domains and provide holistic coverage for multiple security products – allowing for faster orchestration, automation, and response to security incidents and reducing the overall Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to cyberattacks.
3. Look at Integration
Decide on a vendor whose sensor rolls out efficiently and whose compute footprint does not impact the user experience.
It is also important to ensure the EDR solution can integrate with the other security controls that will form an integral part of the wider SOC tooling. Check operating-system coverage across the platforms in use (Windows, macOS, iOS, Linux, Android) so that protection is complete and leaves no loopholes for threats.
4. Leverage Automation
Consider the budgeting and resourcing requirements of running a team to onboard and operate the EDR solution. One of the challenges when operating an EDR solution is the number of alerts it generates and the continuous fine-tuning of the security rules needed to turn those alerts into meaningful data.
EDR solutions should also allow for automated response action to contain and mitigate threats as part of the incident investigation. This needs careful planning and consideration for it to be highly effective. If implemented inappropriately, it can lead to overwhelming IT support tickets and can hamper the user experience.
5. Consider a Managed Services Provider
Consider outsourcing the EDR service to a Managed Service Provider (MSP) that can support the planning, design, implementation and management of the EDR solution to overcome cost, complexity and resource challenges. When choosing an MSP for a Managed EDR (MEDR) service, look for a provider that can offer:
- EDR platform management, providing ongoing monitoring and maintenance of the EDR platform and sensor health
- Advanced services such as Threat Hunting and Cyber Threat Intelligence to augment the MEDR service, providing better context and actionable intelligence
- Integration of the MEDR service with SIEM and SOAR technologies, to provide better contextualization of security alerts and incidents, and the ability to integrate tooling with IT Service Management (ITSM) to provide a seamless workflow for managing incidents
A Checklist – Evaluating Managed EDR Providers
A Managed EDR solution can improve an organization’s cyber defense coverage dramatically if – and it’s a big if! – it is implemented correctly. The vendor technology and managed service provider selection are crucial in making EDR a success.
An MSP can bring value in providing an outcome-based service, allowing an organization to focus on its key business objectives.
Here is a checklist of key points to look at when evaluating Managed EDR providers:
- Invest in a cloud-native EDR solution. If necessary, run a Proof of Concept (POC) to evaluate functionality and key capabilities.
- Consider the complexity of the organization’s existing IT infrastructure and ensure its security team has the resources to roll out EDR sensors or migrate from an existing AV product to the new EDR solution.
- Look at aligning the existing AV solution with the same vendor’s EDR tool to avoid a vendor tooling mismatch. This can help you avoid the burden of decommissioning and phasing out existing AV solutions during the roll-out of a new EDR tool.
- Continuously deploy and improve use cases to detect threats relevant to the organization’s critical assets, and map use-case coverage to industry frameworks like MITRE ATT&CK.
- Consider licensing and cost models when choosing an EDR tool.
- Integrate other security modules like Attack Surface Management, Host Firewall, Vulnerability Management, and Identity Protection alongside the EDR solution from the same vendor, so that operations can be managed through a single management console.
- Leverage dedicated Threat Hunting services from your MSP to hunt for threats on the EDR platform.
- Agree on good Service Level Agreements (SLAs) and Key Performance Indicators (KPIs) for investigating and responding to threats, and verify that the provider is meeting them.
- Consider a security data lake solution from the MSP to store EDR log data for long-term hunting and reporting.
- Make sure that EDR platform management is part of the MSP offering.
- Consider an EDR vendor with a good roadmap and investment strategy that delivers cutting-edge features consumable through the existing solution.
- Look for an MSP that can provide a single pane of glass (SPOG) platform to manage multiple services, so your team does not have to watch multiple dashboards.
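The checklist item on mapping use cases to MITRE ATT&CK is easiest to act on when coverage is computed rather than eyeballed. The script below is an added example, not code from the original post or from any EDR vendor; it uses a small constructed subset of real ATT&CK technique IDs and a constructed list of detection use cases, and reports per-tactic gaps, disabled rules that count for nothing, and rules that reference a technique ID the matrix does not know (usually a typo).

```python
from collections import defaultdict

# Constructed subset of ATT&CK: technique ID -> tactics it appears under.
# Assumption: a real run would load the full matrix from the ATT&CK STIX data.
TECHNIQUE_TACTICS = {
    "T1566": {"Initial Access"},            # Phishing
    "T1190": {"Initial Access"},            # Exploit Public-Facing Application
    "T1059": {"Execution"},                 # Command and Scripting Interpreter
    "T1053": {"Execution", "Persistence"},  # Scheduled Task/Job (also Privilege Escalation)
    "T1003": {"Credential Access"},         # OS Credential Dumping
    "T1021": {"Lateral Movement"},          # Remote Services
    "T1486": {"Impact"},                    # Data Encrypted for Impact
}

# Constructed sample of EDR detection use cases; 'enabled' mirrors the rule state on the platform.
USE_CASES = [
    {"name": "Encoded PowerShell command line", "technique": "T1059", "enabled": True},
    {"name": "LSASS handle opened by unsigned process", "technique": "T1003", "enabled": True},
    {"name": "Mass file rename to unknown extension", "technique": "T1486", "enabled": True},
    {"name": "Office application spawning a shell", "technique": "T1566", "enabled": False},
    {"name": "Rule with mistyped technique ID", "technique": "T9999", "enabled": True},
]


def coverage_by_tactic(use_cases, technique_tactics=TECHNIQUE_TACTICS):
    """Return {tactic: {"covered": [...], "gaps": [...], "pct": float}} counting only enabled rules."""
    all_by_tactic = defaultdict(set)
    for tech, tactics in technique_tactics.items():
        for tactic in tactics:
            all_by_tactic[tactic].add(tech)
    covered_by_tactic = defaultdict(set)
    for uc in use_cases:
        if uc["enabled"] and uc["technique"] in technique_tactics:
            for tactic in technique_tactics[uc["technique"]]:
                covered_by_tactic[tactic].add(uc["technique"])
    report = {}
    for tactic, techs in all_by_tactic.items():
        covered = covered_by_tactic[tactic]
        report[tactic] = {
            "covered": sorted(covered),
            "gaps": sorted(techs - covered),
            "pct": round(100 * len(covered) / len(techs), 1),
        }
    return report


def unknown_techniques(use_cases, technique_tactics=TECHNIQUE_TACTICS):
    """Use cases whose technique ID is not in the matrix: usually a typo or a retired ID."""
    return sorted(uc["name"] for uc in use_cases if uc["technique"] not in technique_tactics)
```

Tactics whose `covered` list is empty are the first place to add use cases; with the sample above, the disabled phishing rule leaves Initial Access at 0% even though a rule nominally exists.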