10 Considerations before buying an Endpoint Detection and Response (EDR) security solution
Endpoint Detection and Response (EDR) solutions detect and remove malware on endpoints of your network. They can detect malicious activity and isolate threats before they spread. Endpoints broadly refer to devices connected to a local or wide area network such as modems, switches, laptops, routers, or printers.
Standard EDR solutions help track indicators of compromise and indicators of attack. They collect data that organisations can later use for forensic investigations. Endpoint Detection and Response tools should integrate well with other security tools in an organisation’s system.
Beyond these standard features, here are ten other considerations to help you decide on the right EDR tool.
1. Whether the Endpoint Detection and Response uses agents or not
An agent is a software on the endpoint device being monitored by the EDR tool. It collects and transmits data on each session of use to a central server. The agent unlocks capabilities such as tracking user activity no matter the device they use to login to the network. The EDR can intervene and quarantine devices if it realises suspicious activity.
The agent version also enables remediation actions such as host isolation, process termination and retrieving of binaries for analysis etc, this is very helpful for swift containment of the identified threat.
Agentless EDR solutions do not need the installation of agents on devices. Instead, the EDR monitors traffic flow as data passes between servers and machines. It captures and isolates suspicious files in the network but cannot detect malicious files in local devices.
The main drawback with an agentless EDR solutions is that most employees are now working remotely and require device monitoring, especially if they are using their own devices.
2. Support for operating systems
When picking an agent-based EDR solution, ensure there is support for your preferred operating system. Most endpoint detection and response solutions support Windows, Mac OS, and Linux. However, you may have other devices that use different operating systems.
Find out whether there is support for these operating systems before settling on and EDR provider. If not, you may be forced to consider an agentless EDR solution or any other alternative.
3. Cloud security
Installing EDR solutions to a local environment is much different from doing it in a cloud environment. If your organisation runs its workload from the cloud, you need to figure out how the EDR solution will work.
Ensure your EDR provider has experience in securing systems that run in a cloud environment. They should be able to anticipate and plan for potential risks or hurdles. For instance, if they provide an agent-based solution, how will they install the agent on virtual devices?
4. Ease of integration with other security tools
Your organisation is likely to use other security software besides the EDR. Your security manager needs to have a broad picture of how the EDR will work in concert with the rest of the security tools on board. There may be overlapping features, but they shouldn’t disrupt each other.
A good example of proper integration is when an EDR system can feed data into a security incident and event management system in case of an attack.
Security vendors today are building their solutions to work in tandem with applications. Ease of integration is a major selling point for EDR solutions.
5. Frequency of updates
Security threats change every day as attackers attempt to beat security systems using new tactics, techniques, and procedures. Therefore, you need an EDR solution that gets regular updates on Indicators of Compromise (IoC) and Indicators of Attacks (IoA).
Some EDRs also allow companies to add their own IoCs and IoAs. Some organisations hire an internal team to build machine learning algorithms to search for anomalies that indicate potential threats. The teams are tasked with improving the models continually.
6. The EDR should categorize threat alerts
Some EDRs tend to signal alters for anything that looks suspicious. Some of the alerts are false, and when they occur too often, your IT security team might suffer fatigue. The risk of missing real alerts rises exponentially after that point.
A good EDR system should have a way of categorising threat levels and the appropriate response. This way, there will be little wastage of IT resources on low-level threats. Using third party intelligence can greatly improve EDR systems’ ability to identify and categorise threat levels correctly.
7. Customising the threat detection model
A good EDR system should allow organisations to build out their own models for threat detection. Internal machine learning developers should switch, improve, or tweak these models as their operating environment and threats change.
8. Extensibility and scalability
It would be prudent to invest in an EDR system that allows for future functionalities to be included. When new features arise, they can be added through a simple update as opposed to investment in a new system altogether. The company gets a higher rate of return on the initial capital expenditure.
Organisations should also consider the scalability of their chosen EDR solution. How will it handle increased traffic? This is an important question for enterprises that expect to grow rapidly and have many remote users.
9. Cost of the End Point Detection and Response system
Organisations must consider the total costs of investing in an EDR solution. The most visible cost is the per endpoint figure charged by the provider. In a lot cases, this ranges between $5 and $30 depending on the provider. However, other costs, such as the IT experts, will come into play as well.
As mentioned, some organisations will decide to invest in a department to develop models to detect new threats and build integration models to fine-tune the workings of the security infrastructure. At some point, the organisation may need consultancy services from managed service providers (MSPs).
10. Usability for executives
An EDR system that comes with reporting features and a dashboard will be for executive-level decisions. Reports will help non-technical decision-making figures understand the company’s security position and what investments are necessary to eliminate risks. They can also keep track of how data security is improving over time with each investment.