Can your Endpoint Detection and Response protect itself?

EDR, of course, stands for Endpoint Detection and Response. EDR tools help organizations keep up with the increasing complexity and frequency of attacks by giving them deep visibility into, and detection across, their endpoints. Corporate Armor offers several top-line solutions, such as Palo Alto, Check Point, Sophos, and ESET.

Picking the right EDR solution for your organization requires a thorough understanding of a few things. This article is not exhaustive, but it should give you some points to think about when deciding which EDR system is right for you, or even whether you need EDR at all.

Endpoint Detection and Response is a full-time job. An EDR product alone doesn’t give your organization an EDR capability. So you need to consider your business needs, technical requirements, and internal capabilities. In other words, do you have sufficient IT staff to manage and operate your EDR, and get the most out of it? If not, you may need to consider a managed solution. Sophos (link) and Fortinet (link) are two very good ones.

You need trained security professionals and sound processes to get the most out of your investment. Without the right team and time commitment, EDR products simply amass data and alerts, increasing costs and fatiguing analysts.

How does the EDR integrate with prevention?

Endpoint Detection and Response capabilities are increasingly delivered as part of Endpoint Protection Platforms rather than as standalone tools. A single agent that handles both prevention and detection is simpler to deploy and manage, and the appeal of that “all-in-one” approach is understandable.

However, you don’t want to compromise capability in favor of deployment simplicity. You can have both in a single product, but evaluate carefully so you don’t end up with sub-par EDR. Some things to consider:

• Are potentially threatening applications stopped by inspecting the binary or its behavior (AV signatures, static binary analysis, sandboxing, etc.), or by application control policies (trusted publishers, approved installers, etc.)?

• How does the EDR tool prevent execution: by allow-listing (only known-good software runs) or by deny-listing (only known-bad software is blocked)? A deny-list cannot block what it has never seen.

• Does it stop threats before they execute, during execution, or both? If before, how much delay will it introduce in an application’s startup?

• What is the process when the solution blocks a legitimate application or behavior (a false positive)? How quickly can an exception be made, and who is allowed to approve it?

• Do the EDR’s prevention capabilities continue to function when the endpoint loses its connection to the Internet or the corporate network? Find out which decisions are made locally and which depend on a cloud lookup, and whether the agent fails open or fails closed when that lookup is unavailable.
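To make the allow-list versus deny-list question and the offline question concrete, here is an added example (not code from the original article or from any vendor named in it). It models an execution-control decision in Python: an allow-list built from trusted publishers and explicit hashes, a deny-list built from a local reputation copy plus a simulated cloud lookup, and the same constructed set of binaries evaluated with the endpoint online and offline. The publisher names, hashes and the `cloud_reputation` function are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binary:
    """Constructed stand-in for an executable: its bytes and the publisher
    named in its code-signing certificate (None when unsigned)."""
    name: str
    content: bytes
    signer: Optional[str]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed allow-list: trusted publishers, plus explicit hashes for unsigned tools.
TRUSTED_PUBLISHERS = {"Example Corp"}
ALLOWED_HASHES = {sha256(b"internal-tool-v1")}

# Assumed deny-list: the local copy of a reputation feed (known-bad hashes only).
LOCAL_BAD_HASHES = {sha256(b"dropper-v3")}
# The vendor cloud already knows a newer sample the local copy has not received.
CLOUD_BAD_HASHES = LOCAL_BAD_HASHES | {sha256(b"dropper-v4")}


def cloud_reputation(digest: str, online: bool) -> Optional[str]:
    """Simulated reputation lookup (constructed, not any vendor's API).
    Returns 'bad' or 'good', or None when the endpoint cannot reach the service."""
    if not online:
        return None
    return "bad" if digest in CLOUD_BAD_HASHES else "good"


def allow_list_decision(b: Binary) -> str:
    """Allow-listing: run only what is explicitly trusted. Needs no connectivity,
    so the verdict is identical online and offline; the cost is that every new
    legitimate tool must be added before it will run."""
    if b.signer in TRUSTED_PUBLISHERS or sha256(b.content) in ALLOWED_HASHES:
        return "allow"
    return "block"


def deny_list_decision(b: Binary, online: bool, fail_closed: bool = False) -> str:
    """Deny-listing: block only what is known bad. The local list catches samples
    it has seen; everything else needs the cloud, and when the cloud is unreachable
    the agent must either fail open (run it) or fail closed (block it)."""
    digest = sha256(b.content)
    if digest in LOCAL_BAD_HASHES:
        return "block"
    verdict = cloud_reputation(digest, online)
    if verdict is None:
        return "block" if fail_closed else "allow"
    return "block" if verdict == "bad" else "allow"


# Constructed sample set covering the cases an evaluator should try.
SAMPLES: List[Binary] = [
    Binary("signed-vendor-app.exe", b"signed app", "Example Corp"),
    Binary("internal-tool.exe", b"internal-tool-v1", None),
    Binary("dropper-v3.exe", b"dropper-v3", None),
    Binary("dropper-v4.exe", b"dropper-v4", None),
    Binary("unknown-util.exe", b"never seen before", "Some Other Publisher"),
]


def evaluate(binaries: List[Binary], online: bool) -> Dict[str, Tuple[str, str]]:
    """Map each binary name to (allow-list verdict, deny-list verdict)."""
    return {b.name: (allow_list_decision(b), deny_list_decision(b, online))
            for b in binaries}


if __name__ == "__main__":
    for online in (True, False):
        print(f"--- endpoint {'online' if online else 'OFFLINE'} ---")
        for name, (al, dl) in evaluate(SAMPLES, online).items():
            print(f"{name:24} allow-list={al:5} deny-list={dl}")
```

The interesting row is `dropper-v4.exe`: the allow-list blocks it in every state, the deny-list blocks it only while the cloud lookup is reachable, and a fail-open agent runs it the moment the laptop is off the network. Whichever model a vendor uses, ask them to show you that row for their product.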

These are just a few considerations. Reach out to Corporate Armor at 877-449-0458 if you need to know more.

How does the EDR solution detect threats?

Understanding which threats an EDR solution detects, and which techniques it uses to detect them, is hugely important to your evaluation. Many solutions take a very limited approach to detection. Ask yourself:

What types of threats will it detect? Malware, misuse of legitimate applications (“living off the land”), unwanted software? File-based attacks, suspicious user activity, and insider threats?

And what technologies and techniques are used for detection? Look for things like behavior analysis, user behavior analytics, sandboxing, network threat intelligence, long-tail analytics / anomaly detection, and so on.

You might ask a vendor, “What is your false positive / false negative rate?” and how those figures were measured.

Can the EDR protect itself?

What does the EDR solution do to defend itself from attackers? Believe it or not, an EDR solution can be a large security risk to your organization if it isn’t designed to protect itself. Be sure that the vendor applies strict security controls to the product and its management platform, and has them tested regularly by external parties.

Find out if the EDR solution uses role-based access controls to separate admin, visibility, and response capabilities.

Also find out if user activities are auditable. The activities of your users, the EDR solution, and the vendor should have an audit trail available for review.

Is mandatory multi-factor authentication available? EDR products record sensitive data from across your organization and often have the ability to affect your endpoints.

Can the EDR solution detect tampering or attempts by attackers to avoid detection? As EDR products have become more widely deployed, attackers now try to disable, unload, or blind the agent rather than evade its signatures. It’s important for your EDR system to defend itself by implementing tamper detection and prevention: its services, processes, and configuration should not be stoppable or modifiable, even by a local administrator, and any attempt should be reported.
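Three of the questions above (separated roles, an auditable trail, and tamper detection) can be shown together in a few dozen lines. The following is an added example written for this article, not code from any EDR product: a Python role model that keeps admin, visibility and response capabilities apart, and an append-only audit log in which every record carries the hash of the previous one, so a reviewer can tell whether the trail has been edited, reordered, or had an entry removed. The role names, permission sets, actors and hosts are all assumptions made for the illustration.

```python
import hashlib
import json
from typing import Dict, List, Set

# Assumed role model with the three capability groups kept apart: an account that
# can see alerts cannot isolate hosts, and an account that can isolate hosts
# cannot change policy, add exclusions, or create users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":      {"manage_users", "change_policy", "change_exclusions"},
    "visibility": {"view_alerts", "search_telemetry"},
    "response":   {"view_alerts", "isolate_host", "kill_process"},
}


class AuditLog:
    """Append-only audit trail. Each record stores the hash of the previous
    record, so editing, removing or reordering an entry is caught by verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        fields = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, actor: str, role: str, action: str, target: str, allowed: bool) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {"seq": len(self.records), "actor": actor, "role": role,
                  "action": action, "target": target, "allowed": allowed, "prev": prev}
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def authorize(log: AuditLog, actor: str, role: str, action: str, target: str) -> bool:
    """Decide whether `actor` (holding `role`) may perform `action`, and record the
    attempt either way: denied attempts are exactly what a reviewer wants to see."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, role, action, target, allowed)
    return allowed


def demo() -> dict:
    """Run a normal sequence, then tamper with the trail three different ways."""
    log = AuditLog()
    results = {
        "analyst_searches": authorize(log, "alice", "visibility", "search_telemetry", "host-17"),
        "analyst_isolates": authorize(log, "alice", "visibility", "isolate_host", "host-17"),
        "responder_isolates": authorize(log, "bob", "response", "isolate_host", "host-17"),
        "responder_changes_policy": authorize(log, "bob", "response", "change_policy", "policy-1"),
        "intact": log.verify(),
    }
    head = log.records[-1]["hash"]  # in practice, anchored off-box (SIEM, WORM store)

    # 1. Someone with write access to the store rewrites a denied attempt as allowed.
    log.records[1]["allowed"] = True
    results["after_edit"] = log.verify()
    log.records[1]["allowed"] = False

    # 2. The newest record is simply dropped. The chain alone cannot see a truncated
    #    tail; only comparing against the externally stored head hash reveals it.
    del log.records[-1]
    results["after_truncate"] = log.verify()
    results["truncate_matches_head"] = log.records[-1]["hash"] == head

    # 3. A record in the middle is deleted; sequence numbers and links both break.
    del log.records[1]
    results["after_delete"] = log.verify()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The truncation case is the caveat to take into the vendor conversation: a hash chain proves nothing about entries removed from the end unless the latest hash is also held somewhere the attacker cannot reach, which is why “is the audit trail exported to a system the EDR administrators do not control?” is a better question than “is there an audit trail?”.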

A couple more questions:

If the EDR vendor is compromised, what level of access would an attacker have to your endpoints? What safety measures are in place to ensure an attacker cannot use the vendor as the attack vector into your organization?

How does the EDR solution secure the data collected from your endpoints? There are three points the vendor needs to lock down to ensure proper data security: collection and storage on endpoints, transmission of data to the central analysis and storage system, and long-term storage of data.

A breach of your EDR vendor can quickly result in the exposure of your organization’s data and allow direct attacks on your endpoints. So choosing well is obviously important. The above considerations are just a few of the questions that need to be answered before making a choice. Fortunately, there are numerous very good Endpoint Detection and Response systems available to you, and Corporate Armor is happy to answer all your questions.

With well-known vendors like Sophos, Fortinet, Palo Alto, and Check Point, we can introduce you to the trustworthy, powerful industry leaders that have innovated the whole EDR / MDR family of technologies. So feel free to email us, or call Corporate Armor at 877-449-0458. Thanks for reading!