The Fortifying Fifteen: EDR Solutions

Endpoint Detection and Response is the next evolution in protecting the end users and devices.


Logan Daley

2 years ago | 6 min read

Part 11 of 15: Endpoint Detection and Response Software

What Is It? Endpoint detection and response (EDR) software, in one form or another, is nearly ubiquitous these days. I say “nearly” because there are some instances where it is not used, and that can be either intentional or unintentional. Regardless of the rationale, it has value, and many modern platforms, such as Windows, have EDR capabilities built in. When we talk about EDR, the common train of thought is anti-virus, anti-malware and anti-spam software such as that on offer from Symantec, McAfee, Kaspersky, Sophos, Trend, and many others.

These days, EDR software is far more capable, yet few seem to take full advantage of the suites. Modern suites include not only the anti-X above, but also application whitelisting, host-based intrusion detection/prevention systems, firewalling, and application sandboxing. Funnily enough, even though few take advantage of the whole range of services at their fingertips, those that do often run into strife trying to use them.

Endpoint protection, while sounding simple, is anything but and can be incredibly powerful when designed, implemented, and maintained correctly. One also needs to think outside the box called “workstation” and think about servers and mobile users such as those with laptops, tablets, and mobile phones. Very few of us simply sit in an office all day on a traditional PC connected to a hard-wired corporate network and then leave it there when we leave for the day. Dynamic workspaces require dynamic EDR solutions.

Where Do I Start? The last thing you want to do is run out and buy an application, install it, then deploy a bunch of clients to the computers in your network. In fact, clientless solutions are becoming popular, along with systems that may not be able to have a “client” installed at all. Cloud-based solutions are popping up and there is no shortage of options. That said, there is still a place for the traditional systems, especially if you’re installing them in a mainly fixed environment such as a data centre on servers or on fixed workstations. Even a hybrid solution may be worth looking into.

You need to begin by asking some questions to figure out what solution works best for you. For the record, a “solution” does not have a SKU or come in a fancy box. A solution is a combination of tools and materials designed, implemented, and managed by skilled resources to address both proactive and reactive situations. Now that I have that out of the way, let’s begin.

Be forewarned that there are a lot of new players in this market over the past several years doing some amazing things and the traditional vendors are taking notice, adapting their offerings to match. Are these new and exciting systems the be-all and end-all? Yes and no. Proper analysis of your requirements, cyber security strategy, the market, and the resources to put it all together is crucial. A little time in the beginning can save you a lot of time down the road.

  • Ask whether the product creates logs and other useful metadata that can be integrated into your existing tools for aggregation and analysis. The intel you can get from these systems is only useful if you can process it in a meaningful way, such as feeding it to a managed security services provider or a SIEM.
  • Ask whether the system can search for and detect the presence of Indicators of Compromise (IOCs) specified by the organisation. You need to be able to look for and find specific details, not always obvious ones, that alert you to something that smells a little fishy.
  • Ask whether the product and the responsible vendor will exist in 6, 12, 18, or 24 months. There is no point in investing in a fly-by-night organisation that won’t be around when it matters, gets absorbed by another vendor that may not support the product, or isn’t able to offer you the support you need when it all comes off the rails.
  • Determine how mature the system functionality is, and whether the vendor’s support team is willing and able to add key features that are missing. The evolving threat landscape needs a solution that will change, evolve, and adapt accordingly.
  • Ask how scalable the product is, and whether it overwhelms your systems and network resources. There is little point in using something that bogs down everything else and renders the systems useless. Why do the attacker’s job for them?
  • Figure out whether the product generates enough forensic data to enable the identification of cyber security incidents without too many false positives distracting your incident response team. I’ve found that organisations that run off in all directions soon become tuned out to the noise and end up ignoring the real threats.
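The first two questions above (can the telemetry be fed to a SIEM, and can the system be searched for organisation-supplied IOCs) are easier to judge with a concrete picture of what that processing looks like. The script below is an added example, not code from the original post or from any EDR vendor: it assumes a hypothetical EDR export in JSON-lines form with fields such as `sha256`, `query` and `dst_ip` (the schema, the IOC values and the sample events are all constructed here), matches each event against an IOC list, and collapses repeated sightings into one normalised record per host and indicator so the SIEM receives a signal rather than a flood.

```python
"""Match constructed EDR telemetry against an organisation's IOC list and
emit SIEM-ready records. Added illustration only: the event schema, IOC
values and sample events are made up for this example."""
import json
from collections import Counter

# Constructed IOC list, keyed by indicator type, as an organisation might keep it.
IOCS = {
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "domain": {"updates.example-bad.test"},
    "ipv4": {"203.0.113.7"},
}

# Which hypothetical EDR event field carries which indicator type.
FIELD_TO_IOC_TYPE = {"sha256": "sha256", "query": "domain", "dst_ip": "ipv4"}

# Constructed EDR events, one JSON object per line; the last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"ts":"2023-04-01T10:00:01Z","host":"ws-042","type":"process","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","image":"a.exe"}
{"ts":"2023-04-01T10:00:02Z","host":"ws-042","type":"dns","query":"updates.example-bad.test"}
{"ts":"2023-04-01T10:00:03Z","host":"ws-042","type":"dns","query":"UPDATES.example-bad.test."}
{"ts":"2023-04-01T10:00:04Z","host":"srv-01","type":"network","dst_ip":"198.51.100.20","dst_port":443}
{"ts":"2023-04-01T10:00:05Z","host":"srv-01","type":"network","dst_ip":"203.0.113.7","dst_port":4444}
not json at all
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken export line should not stop the whole feed
    return events


def match_event(event, iocs=IOCS):
    """Return a list of (ioc_type, value) hits for a single event."""
    hits = []
    for field, ioc_type in FIELD_TO_IOC_TYPE.items():
        value = event.get(field)
        if value is None:
            continue
        if ioc_type == "domain":
            # Normalise case and a trailing dot so "A.EXAMPLE." matches "a.example".
            value = value.lower().rstrip(".")
        if value in iocs.get(ioc_type, ()):
            hits.append((ioc_type, value))
    return hits


def to_siem_records(events, iocs=IOCS):
    """Produce one normalised record per (host, indicator) pair with a hit count,
    so repeated sightings become one alert rather than many."""
    counts = Counter()
    first_seen = {}
    for ev in events:
        for ioc_type, value in match_event(ev, iocs):
            key = (ev.get("host", "unknown"), ioc_type, value)
            counts[key] += 1
            first_seen.setdefault(key, ev.get("ts"))
    records = []
    for (host, ioc_type, value), n in sorted(counts.items()):
        records.append({
            "source": "edr",
            "host": host,
            "ioc_type": ioc_type,
            "ioc_value": value,
            "hit_count": n,
            "first_seen": first_seen[(host, ioc_type, value)],
            # A known-bad file hash on disk is a stronger signal than a DNS lookup.
            "severity": "high" if ioc_type == "sha256" else "medium",
        })
    return records


if __name__ == "__main__":
    for rec in to_siem_records(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(rec))
```

Run stand-alone it prints three records: one for the hash on ws-042, one for the domain on ws-042 with a hit count of two (the two DNS lookups differ only in case and a trailing dot), and one for the IP on srv-01. The malformed line is dropped rather than aborting the feed, and the non-matching connection to 198.51.100.20 produces nothing, which is the point of the last bullet: the SIEM should only see what is worth an analyst's time.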

Once you have a bearing on these points, you can investigate choosing a solution and a partner, if needed, to help make it all work for you.

How Do I Make It Work? Once you figure out the solution that works best, know where it is going to be installed, and have a good understanding of the features and policies you need to create, it’s time to set about installing your EDR solution. In some cases, you need to build up a management server and deploy agents, perhaps deploy some apps to mobile devices, connect to cloud-based services, or any of a number of other options ranging from on-premises to hosted to cloud to hybrid. Proper analysis and planning before you get to this point is critical.

Because there are so many ways to approach this strategy and just as many vendors and combinations of services, I’ll simply recommend that you spend the time to discuss, plan, test, implement, and maintain the solution to make sure it does exactly what you need it to do without causing undue interference in your business operations.

Regardless of the solution you decide to put in place, make sure you don’t adopt a set-and-forget mentality and assume it will protect you. At the same time, once properly configured, you shouldn’t have to obsess over it and spend endless time working on it. If you can feed the data into a SIEM or managed security service, a lot of the heavy lifting can be done for you. I would also recommend that whichever solution you put in place is regularly reviewed, patched, and updated to the current stable versions just like all your other applications.

Pitfalls? The biggest one I have seen is trying to do too much, too soon, rather than prioritising your protection at the endpoint and gradually rolling in features and rules. A lot of this can be avoided by proper testing, but often IT is under tremendous pressure from management to roll out the EDR solution, which is seen as “just another IT project”. While it needs to be supported at the upper levels, it should also be understood why it is being put in place.

The other common pitfall I see is outdated implementations that have not been upgraded or replaced “because nothing bad has happened”. Yet. Even EDR solutions must be updated to take advantage of the latest features and defences. It would be like installing anti-virus on your home computer and never updating the signatures. Sure, it will block most things that have been around since the last update, but it may miss newer threats. Make EDR updates part of your routine.

Ghosts in the Machine? Solutions from different vendors may seem like a good idea in principle, on the thinking that what one misses the other will catch. In practice, most of the current EDR solutions worth their salt are looking for largely the same things, and it’s rare that one will catch something another won’t, unless you are using two vastly different offerings, such as only anti-virus from one but advanced malware protection from another. More likely, these kids won’t play well together and, like your favourite politicians, will spend more time fighting with each other than doing their job. Choose wisely a vendor that best suits your needs and use them enterprise-wide. If they don’t appear to be meeting your expectations, find out why and adjust or change to another vendor’s product, but don’t leave yourself exposed.

Anything Missing? Remember to think beyond your traditional Windows desktops. Are there other platforms such as Mac and Linux? Do you have a lot of mobile devices such as phones and tablets? What about including your servers? Remember that an endpoint is any consumer of data on your network, whether storing or using the data, and it should be protected. Choose the solution that works best for you and covers ALL your systems if possible.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.


Created by

Logan Daley

Information Security Manager. Cybersecurity Writer & Presenter. Humanity, not machinery.