If you’re considering moving to a next-gen endpoint security solution, it can be confusing. You’ll find a wide range of options from multiple vendors that offer similar capabilities, which can make it difficult to know where to start.
Next-generation endpoint detection and response (EDR) solutions are still relatively new, and the market is quite fragmented. However, as traditional solutions for endpoint protection are less effective against today’s advanced threats, it’s increasingly important for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to consider new options.
Here are some things to consider if you know you need to move beyond antivirus solutions, but aren’t sure where to start.
Why Antivirus Isn’t Working as Well
It’s clear that every business, regardless of size, is an equal opportunity target. Adversaries are doubling down on their efforts to gain a foothold in your network however and wherever they can. At the same time, your attack surface is growing, and legacy anti-malware solutions can’t keep up. To stay competitive, it’s likely your business has more remote workers now, as well as an ever-increasing assortment of endpoint devices like smartphones, laptops, and servers, and that your network is more connected than ever.
In response, security vendors have developed new endpoint protection solutions in the past few years. They offer a lot more capabilities than traditional antivirus solutions to prevent cyber-attacks. These next-gen endpoint security solutions also enable faster response times to a security incident or breach, as we discussed in our recent post on Why It’s Time to Update Your Endpoint Security Approach.
The challenge for most security leaders is that there are too many technology options. Navigating a path to quick success is not straightforward.
At Delta Risk, we’ve been implementing and managing EDR solutions for several years now for our clients. We’ve developed a good understanding of the various technologies and how to achieve the most important business goals, including:
- More effective endpoint protection;
- Faster time to demonstrate value; and
- Reasonable operational costs.
Let’s take a closer look now at each of these goals and how you can meet them.
More Effective Endpoint Protection
The technology you choose isn’t necessarily the most critical decision, but it’s clearly front and center. Most EDR solutions today are cloud-based, with lightweight agents that have minimal impact on end-user devices. Most importantly, they can detect threats beyond malware to discover an adversary escalating privileges or exfiltrating data.
We’ve found that efficient threat hunting and the ability to respond quickly are equally important for day-to-day investigations and management. Different vendors offer unique features that may affect your choice, so we can help you determine which is best for your business. The EDR solutions we most commonly recommend are Carbon Black and CrowdStrike.
Faster Time to Show Value
You want to start with one functional area of the business for implementation. EDR technology looks at processes and deviations from normal behavior. Therefore, it will take some time to ramp up and discover what’s typical for each group: which programs and operating systems those employees use, or which code those servers run.
Implementing EDR across a relatively homogeneous group will allow you to set baselines for that group quickly. We recommend starting with the group that has access to your most sensitive data and moving out from there. EDR technologies are best utilized when different device policies are defined and applied based on the severity or purpose of the device (critical servers, workstations, etc.).
Reasonable Operational Costs
One of the big value drivers for next-gen EDR technology is that it will detect later stages of an attack beyond initial malware infections. It can detect remotely connected attackers attempting to access additional resources in your environment through lateral movement, which is something that firewalls and traditional endpoint solutions typically can’t.
This is exactly the insight you need. However, it comes with the overhead of creating false alarms for activity that may, in fact, be legitimate use by your users or programs. Deciphering the right response can be more of an art than a science at times. Eliminating most of the false positives leaves more time to investigate actual alerts, saving time and money in the process while improving response times.
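The baselining, per-device-class policy, and analyst tuning described in the two sections above, as an added illustration that is not part of the original post or any vendor’s product: the telemetry records, group names, and policy labels are constructed for the example.

```python
from collections import defaultdict

# Constructed process-telemetry records (hypothetical EDR export), not real data.
# Each record: (host, group, device_class, process, phase), where phase is
# "learn" during the baselining window or "monitor" afterwards.
EVENTS = [
    ("fin-ws-01", "finance", "workstation", "excel.exe", "learn"),
    ("fin-ws-01", "finance", "workstation", "outlook.exe", "learn"),
    ("fin-ws-02", "finance", "workstation", "excel.exe", "learn"),
    ("db-srv-01", "finance", "critical_server", "sqlservr.exe", "learn"),
    ("fin-ws-02", "finance", "workstation", "excel.exe", "monitor"),
    ("fin-ws-01", "finance", "workstation", "psexec.exe", "monitor"),
    ("db-srv-01", "finance", "critical_server", "powershell.exe", "monitor"),
    ("fin-ws-02", "finance", "workstation", "teams.exe", "monitor"),
]

# Per-device-class policy (assumed labels): how a deviation from baseline is rated.
POLICIES = {"critical_server": "high", "workstation": "medium"}

# Analyst tuning: processes confirmed legitimate for a group after investigation,
# so they stop generating false positives.
ALLOWLIST = {"finance": {"teams.exe"}}


def build_baselines(events):
    """Set of processes observed per (group, device_class) during the learning window."""
    baselines = defaultdict(set)
    for _host, group, dev_class, proc, phase in events:
        if phase == "learn":
            baselines[(group, dev_class)].add(proc)
    return baselines


def find_deviations(events, baselines, allowlist=ALLOWLIST, policies=POLICIES):
    """Return (host, process, severity) for monitor-phase processes outside the
    group baseline and not allowlisted; severity comes from the device-class policy."""
    alerts = []
    for host, group, dev_class, proc, phase in events:
        if phase != "monitor":
            continue
        if proc in baselines[(group, dev_class)] or proc in allowlist.get(group, set()):
            continue
        alerts.append((host, proc, policies.get(dev_class, "low")))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(EVENTS, build_baselines(EVENTS)):
        print(alert)
```

Removing the allowlist entry shows the extra alert an untuned deployment would raise for a routine collaboration tool.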
How Endpoint Security Services Help
EDR technology doesn’t develop baseline reporting on its own. It requires dedicated attention from analysts who are well-versed in endpoint security solutions to tune it to meet the needs of your business and unique network security requirements.
You’ll need experienced staff to investigate alarms and determine how to adjust policy specific to your environment so that you’re not constantly sounding the alarm at all hours of the day and night. Handling alerts haphazardly will distract your team and give the impression that the cost of managing endpoint security is higher than anticipated. You’ll either need to develop this experience across multiple individuals on your team or engage a SOC-as-a-Service provider that can co-manage EDR with you.
The bottom line is that without a proper plan and ability to follow through, you could spend thousands of dollars on the latest endpoint security technology and not get the protection you need. We’ve built endpoint security monitoring capabilities at Delta Risk as part of our managed security services to ensure you get optimal benefit from EDR and can quickly demonstrate the value of your investment.
We integrate several next-generation EDR solutions into our ActiveEye platform, including Carbon Black, CrowdStrike, and Sophos. This gives you and our security operations center (SOC) the ability to investigate and respond to threats from a centralized management console. The cost for SOC-as-a-Service is typically less than you would pay to staff and train even one cyber security expert. Plus, you’ll get a whole team with broad expertise responding to threats 24×7 to improve your overall security program.