How To Choose An Endpoint Detection And Response (EDR) Service
The features of an EDR solution can seem overwhelmingly complex. So, what do you need to know when choosing an EDR service?
By Alex Zawalnyski. Updated Dec 07, 2022
Cybersecurity attacks can strike organizations with very little warning and have catastrophic results. This isn’t a problem that is going away anytime soon – 83% of organizations have had more than one data breach, and the number of attacks has increased by 5% over the last year. These attacks include everything from phishing scams, business email compromise (BEC), and credential theft, to distributed denial-of-service (DDoS), and data loss.
With each type of attack exploiting a different vulnerability, insulating your organization from all threats can be an overwhelming prospect. However, endpoint detection and response (EDR) is a cybersecurity tool that can proactively protect your network from these threats.
EDR works by gathering real-time data from across your network. This data is then analyzed to identify threats on your network and decide how to best resolve them. As EDR is integrated with all of your endpoints, it is ideally placed to prevent threats from entering your network and respond quickly to those that do make it through.
The prospect of investing in a new cybersecurity solution, and trusting it to keep your entire network safe, can seem like a daunting prospect. And when providers release long lists of product features that claim to protect against an ever-evolving, ever-expanding range of cyber-threats, it can be difficult to know where to start when comparing solutions. In this article, we’ll explain five things to consider when looking to invest in an EDR solution and make it slightly less overwhelming. But first, we’ll explain what an EDR solution is, and who it is designed to help.
What Is An EDR Solution?
EDR takes an integrated approach to endpoint security. It works by continually monitoring your endpoints, then using advanced algorithms to identify threats, log indicators of compromise (IOCs), predict attack behavior, and identify network vulnerabilities. Once this intelligence has been gathered, the EDR solution can enact targeted and specific remediation actions. This keeps your network safe and ensures that any threats are dealt with effectively.
Some of the common features of an EDR solution include:
AV, anti-malware/ransomware technology
Effective integration with your existing security stack (SIEM, SOAR, etc.)
Blocking executables that could act maliciously, as well as fileless attacks
Network segmentation and isolation
Endpoint data collection
Threat hunting using threat telemetry and intelligence networks
Analysis and forensics
AI policy automation
Automated response capabilities
To learn more about how EDR works, you can read our dedicated article here:
As EDR solutions provide comprehensive endpoint coverage, they can be an important cybersecurity tool for almost any organization with significant cyber infrastructure. You don’t need to be the largest, or most valuable, organization to be a tempting target for attackers. In fact, attackers will often avoid the largest organizations as they know these will generally be much better prepared for a cyber-attack, and, consequently, harder to breach.
EDR works by protecting endpoints – these are predominantly the computer systems that users engage with, such as workstations or servers. Organizations that have a large number of desktops, use mobile devices as part of their work, or rely on functioning computer systems for business operations should consider investing in EDR.
What To Look For In An EDR Solution
While all EDR solutions will offer slightly different feature sets to help target specific use cases, there are some features that any strong EDR solution should have. Let’s take a look at them.
A robust EDR solution begins by gathering data from your network’s endpoints. In order for this to be effective, it is essential that your EDR solution can integrate effectively and comprehensively with endpoints across your network. Without this, the rest of your EDR’s functionality is useless.
EDR solutions will install a lightweight piece of software – known as an “agent” – on all your endpoint devices. This software enables the gathering of data and will manage the EDR tool’s response on that endpoint. The agent will also conduct asset inventory, vulnerability management, policy compliance, secure configuration assessment, file integrity monitoring, and patch management. For an EDR solution to be user-friendly, the integration process should be streamlined. Otherwise, your IT team will spend most of their time installing and configuring software.
One of the reasons that EDR is such a useful tool is that it both detects and responds to threats on your network. It is essential that this integration works both ways, so that the tool can enact complex remediation procedures at each of your endpoints, in a robust and effective manner. Without complete integration (both deeply on each device, and widespread across your network), the capabilities of your EDR solution will be impeded.
The Bottom Line: Without a deeply integrated EDR solution, any advanced, technical features will be largely ceremonial.
It is all well and good for an EDR solution to gather thousands of pieces of data from across your network in real time – but if it doesn’t have the capacity to analyze and interpret this data, its ability to keep you safe will be limited.
EDR solutions should use a range of analysis techniques to increase the chances of identifying and responding to known attacks, as well as zero-day and fileless ones. The solution should build a profile of how an endpoint usually runs – this will include details of what systems and servers it interacts with, file types and sizes, even geographical and time-based information. This baseline profile – which will be continually updated – is used to highlight any anomalous activity that would indicate that an attack is in progress.
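To make the baseline idea concrete, here is an added example (not code from any EDR product) that learns a per-endpoint profile of destinations, processes, active hours and transfer sizes from a quiet window, scores later events against it, and folds benign events back into the profile so it keeps evolving. The telemetry, field names and the two-reason alert threshold are all constructed assumptions.

```python
"""Baseline profiling and anomaly scoring over constructed endpoint telemetry.
Added example, not an EDR vendor's code; event fields are assumptions."""
from statistics import mean, pstdev


class Baseline:
    """What 'normal' looks like for one endpoint; grows as benign events arrive."""
    def __init__(self):
        self.hosts, self.procs, self.hours, self.sizes = set(), set(), set(), []

    def learn(self, ev):
        self.hosts.add(ev["dst"])
        self.procs.add(ev["proc"])
        self.hours.add(ev["hour"])
        self.sizes.append(ev["bytes"])

    def score(self, ev):
        """List every way this event deviates from the learned profile."""
        reasons = []
        if ev["dst"] not in self.hosts:
            reasons.append("unseen destination")
        if ev["proc"] not in self.procs:
            reasons.append("unseen process")
        if ev["hour"] not in self.hours:
            reasons.append("unusual hour")
        if self.sizes and ev["bytes"] > mean(self.sizes) + 3 * max(pstdev(self.sizes), 1):
            reasons.append("transfer size outlier")  # simple 3-sigma rule
        return reasons


def evaluate(training, live, threshold=2):
    """Learn from a quiet window, score live events, and fold low-scoring
    (benign) events back into the baseline so the profile keeps evolving."""
    base = Baseline()
    for ev in training:
        base.learn(ev)
    alerts = []
    for ev in live:
        reasons = base.score(ev)
        if len(reasons) >= threshold:
            alerts.append((ev["proc"], reasons))
        else:
            base.learn(ev)
    return alerts


# Constructed telemetry: one workstation's normal mail traffic, then two live events.
NORMAL = [{"proc": "outlook.exe", "dst": "mail.corp.example", "hour": h, "bytes": b}
          for h, b in [(9, 120_000), (10, 95_000), (11, 130_000), (14, 110_000), (16, 100_000)]]
BENIGN = {"proc": "outlook.exe", "dst": "mail.corp.example", "hour": 15, "bytes": 105_000}
SUSPECT = {"proc": "powershell.exe", "dst": "203.0.113.7", "hour": 3, "bytes": 4_800_000}
```

Running `evaluate(NORMAL, [BENIGN, SUSPECT])` raises one alert, for the suspect event, while the benign after-hours mail check is absorbed into the baseline rather than reported.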
Your EDR solution will be connected to a database of known threats and vulnerabilities. Like your baseline profile, this should be continually updated as the threat landscape evolves and new tactics, techniques, and procedures (TTPs) are identified. This database will enable you to benefit from information gained in any cyberattack discovered or blocked by your EDR provider. If an account on the other side of the world encounters a zero-day threat, TTPs can be shared, meaning your network is protected with the most up-to-date information.
It is important that data is uploaded to an isolated area in real time, as some attacks attempt to block this flow of information. If you are monitoring the network in real time, you retain intelligence right up to the moment the attack was initiated. This leaves you in the best possible position to remediate the attack and restore network access.
The Bottom Line: The more accurate, comprehensive, and advanced your EDR solution’s analysis is, the more effectively your organization will be able to respond to threats.
So, you have effectively and deeply integrated your EDR solution with your endpoints, and now it is successfully gathering useful, actionable intelligence – the next thing you need is some means of responding to an attack. Your EDR should have robust and automated response capabilities. It is the combination of data analysis with automatic, intelligent remediation that sets EDR apart from many other cybersecurity products.
Your EDR solution should be able to, in the first instance, isolate an infected area from the rest of the network. This ensures that a threat is contained and cannot spread laterally across your network to affect other endpoints. By segmenting the network in this way, unaffected areas can continue to operate as normal, thereby minimizing disruption to your business.
To ensure a threat is fully eliminated, EDR will monitor a threat timeline. This shows key information regarding how a threat entered a network, which files it interacted with, and if it replicated or was concealed somewhere along this journey. The EDR tool can ensure that there is no trace of this attack left on your network after remediation, be it conventional or fileless.
EDR solutions will also offer protection against ransomware, phishing, viruses, fileless and credential attacks. Unknown software can be detonated in an isolated sandbox to identify how a program operates and decide if it is malicious or not.
If the idea of monitoring remediation is filling you with dread, many providers offer a managed detection and response (MDR) service. This offers all the functionality of an EDR solution, with the key difference being that you don’t need to employ cybersecurity professionals to run the service. Your provider will be responsible for installing, configuring, and managing the cybersecurity setup to keep you safe.
To learn more about MDR and find out if it’s the right solution for your organization, you can read our article here:
The Bottom Line: You can have all the information regarding what a threat is, how it works, and what it’s going to do next, but if you don’t have a way of responding to this threat, your network is still vulnerable.
Alerts And Reporting
One of the benefits of EDR is that it will gather intelligence and remediate certain threats automatically, without any admin or SOC input. Because it has this level of independence, you will want to ensure that there are clear alerts and notifications to inform you of network activities, and how security posture can be improved.
While admins will not need to be updated on how every single attack has been prevented, it is important that they receive summary reports so they can address any trends and adjust policies and response playbooks appropriately. Additionally, admin or SOC involvement will be required to resolve more complex attacks. When this is the case, notifications should be quick to arrive, and clearly convey all available information.
It is important that alerts and notifications are triaged and prioritized – this ensures that admins can respond to the most critical threats, rather than spending time on false positives and less pressing tasks.
The Bottom Line: EDR solutions are very powerful tools that are entrusted with protecting your entire network. As such, you will want to know what they are doing, and how well they are doing it.
Once an attack has been remediated and your network is secure again, EDR has the capacity to investigate what happened to ensure that it doesn’t happen again. This will involve gathering data from various endpoints to understand where an attack originated. The EDR solution will then trace the attack’s journey through the network, allowing you to identify vulnerabilities and tighten security infrastructure. In some cases, this may require the implementation of another security tool; in others, certain policies will need to be adjusted.
Some providers will call this “attack visualization” as they will use engaging graphics to illustrate the attack timeline. This example from Qualys clearly illustrates where the attack started, and the endpoints that have been affected as a result. Such complete visibility ensures that analysts are able to respond to future attacks and ensure that no endpoint remains infected.
This analysis should be linked to the MITRE ATT&CK framework – a widely used knowledge base for describing and classifying adversary tactics and techniques. By using this system, analysts can easily understand how an attack came to be, and its potential effect if unresolved.
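The threat timeline described earlier and the forensic tracing of an attack's journey above come down to the same job: ordering events collected from several agents, labelling each step with an ATT&CK tactic, and following lateral-movement links to find the origin and every affected endpoint. This added example (not a product's code) does that over constructed event records; the event types, the small ATT&CK mapping table and the host names are assumptions.

```python
"""Reconstruct an attack timeline from constructed per-endpoint EDR events and
map each step to a MITRE ATT&CK tactic. Added example, not a product's code."""
from datetime import datetime

# Assumed mapping from agent event type to ATT&CK tactic and technique; a real
# EDR ships a far larger table, these are a handful of well-known entries.
ATTACK_MAP = {
    "email_attachment_opened": ("Initial Access", "T1566 Phishing"),
    "script_launched": ("Execution", "T1059.001 PowerShell"),
    "run_key_written": ("Persistence", "T1547.001 Registry Run Keys"),
    "admin_share_login": ("Lateral Movement", "T1021.002 SMB/Windows Admin Shares"),
    "outbound_upload": ("Exfiltration", "T1041 Exfiltration Over C2 Channel"),
}

# Constructed events from several agents, arriving out of order because each
# endpoint uploads with its own delay. "src" is the host a session came from.
EVENTS = [
    {"ts": "2022-12-07T09:14:05", "host": "WS-17", "type": "script_launched", "src": None},
    {"ts": "2022-12-07T09:40:12", "host": "FS-01", "type": "outbound_upload", "src": None},
    {"ts": "2022-12-07T09:13:50", "host": "WS-17", "type": "email_attachment_opened", "src": None},
    {"ts": "2022-12-07T09:22:31", "host": "FS-01", "type": "admin_share_login", "src": "WS-17"},
    {"ts": "2022-12-07T09:15:02", "host": "WS-17", "type": "run_key_written", "src": None},
    {"ts": "2022-12-07T09:25:40", "host": "WS-22", "type": "admin_share_login", "src": "WS-17"},
]


def build_timeline(events):
    """Order events by time and label each with its ATT&CK tactic/technique."""
    steps = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        tactic, technique = ATTACK_MAP.get(e["type"], ("Unknown", e["type"]))
        steps.append({"ts": e["ts"], "host": e["host"], "src": e["src"],
                      "tactic": tactic, "technique": technique})
    return steps


def attack_path(steps):
    """Origin is the earliest endpoint; hops follow lateral-movement src links.
    Returns (origin, hops, affected hosts in order of compromise)."""
    origin = steps[0]["host"]
    hops = [(s["src"], s["host"]) for s in steps if s["tactic"] == "Lateral Movement"]
    affected = list(dict.fromkeys([origin] + [dst for _, dst in hops]))
    return origin, hops, affected


def tactics_seen(steps):
    """Distinct tactics in order of first appearance: the attack's storyline."""
    return list(dict.fromkeys(s["tactic"] for s in steps))
```

The ordered steps are what an attack-visualization view would draw, and `attack_path` gives the list of endpoints that must all be clean before the incident can be closed.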
Attack forensics is an incredibly useful feature as it ensures that you can understand how an attack was carried out, and therefore be in a better place to respond in future. It allows for an ongoing understanding of security posture, ensuring that SOC and IT teams can make security improvements whilst the network is attack-free.
The Bottom Line: The best way to stop an attack happening again is to fully understand how it came about. With threat forensics, you can identify the specific actionable factors that will keep your network safe.
Endpoint detection and response solutions identify the most vulnerable sections of your network, then add intelligent analysis and comprehensive remediation to keep you safe. Entrusting a piece of software to do all of this can be a daunting decision. It is, therefore, essential that you consider your organization’s needs, and what is on the market.
For more information about what EDR solutions are available on the market, read our article:
The level of security that EDR provides is impressive, but it does require a good level of cybersecurity knowledge to effectively implement. For organizations without the resource or capacity to achieve this, many providers offer a managed EDR service: managed detection and response (MDR).
As Copy Manager with Expert Insights, Alex writes and edits articles relating to cyber security and technology solutions to ensure they are clear, authoritative, and informative. Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.