Do I even NEED Endpoint Detection and Response?

Endpoint Detection and Response refers to the protection of internet-connected devices such as PCs, workstations, servers and smartphones from cyber threats. As you can imagine, there are many options out there to choose from. Some of the big ones we carry are Sophos, Palo Alto, Fortinet, Check Point, and Avast.

Endpoints are vulnerable to a wide range of attacks. As a result, they are commonly targeted by criminals. Endpoint Detection and Response is an integrated security solution that detects and blocks threats at the device level. Typically, this includes antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention and data loss prevention.

Traditional Endpoint Protection is inherently preventative, and most of its approaches are signature-based. That is, they identify threats by matching files against signatures created for already-discovered threats. However, the latest Endpoint Protection has evolved to include a broader range of detection techniques.

Endpoint Detection and Response

Endpoint Detection and Response adds abilities beyond this. For example, you can expect real-time anomaly detection and alerting, forensic analysis, and endpoint remediation capabilities.

By recording every execution and modification, every registry change, and network connection across an entire organization, EDR improves threat visibility beyond the scope of Endpoint Protection.

The benefits of proactively searching an organization to identify hidden threats and shut them down before they cause damage and disruption are easy to see. For example, it helps to greatly reduce both mean time to detect (MTTD) and mean time to respond (MTTR) to threats. It’s a lot easier to defend your organization’s assets and reputation when you are constantly uncovering security events and highlighting gaps in threat visibility and coverage.
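To make concrete what recording every execution, registry change and network connection buys a defender, here is an added example (not code from this article or from any vendor named in it) that correlates constructed telemetry from several hosts into a single alert and then computes MTTD and MTTR from the timestamps. The event shape, the Run-key rule, the five-minute window and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
# Constructed sample telemetry of the three kinds the article says EDR records:
# process executions, registry changes and network connections (not real data).
@dataclass
class Event:
    ts: datetime    # when the agent recorded it
    host: str
    pid: int        # process the event belongs to
    kind: str       # "process", "registry" or "network"
    detail: str     # image path, registry key or remote endpoint

@dataclass
class Alert:
    host: str
    pid: int
    first_seen: datetime   # earliest telemetry from the offending process
    detected: datetime     # when the correlation rule fired
T = datetime.fromisoformat
TELEMETRY = [
    Event(T("2024-03-01T09:00:00"), "ws-17", 410, "process", r"C:\Windows\System32\notepad.exe"),
    Event(T("2024-03-01T09:00:05"), "ws-17", 4120, "process", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
    Event(T("2024-03-01T09:00:07"), "ws-17", 4120, "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(T("2024-03-01T09:00:09"), "ws-17", 4120, "network", "203.0.113.10:443"),
    Event(T("2024-03-01T09:01:00"), "srv-02", 880, "registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]
RUN_KEY = "\\currentversion\\run\\"   # autostart location (hypothetical rule scope)
WINDOW = timedelta(minutes=5)

def correlate(events):
    # Alert only when one process both writes a Run key and opens a network
    # connection within WINDOW; either event alone is recorded but not alerted.
    by_proc = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_proc.setdefault((e.host, e.pid), []).append(e)
    alerts = []
    for (host, pid), evs in by_proc.items():
        persisted = any(e.kind == "registry" and RUN_KEY in e.detail.lower() for e in evs)
        connected = any(e.kind == "network" for e in evs)
        if persisted and connected and evs[-1].ts - evs[0].ts <= WINDOW:
            alerts.append(Alert(host, pid, evs[0].ts, evs[-1].ts))
    return alerts

def mttd_seconds(alerts):
    # Mean time to detect: first telemetry from the process -> alert.
    return mean((a.detected - a.first_seen).total_seconds() for a in alerts)

def mttr_seconds(alerts, contained_at):
    # Mean time to respond: alert -> host isolation, from a {(host, pid): datetime} map.
    return mean((contained_at[(a.host, a.pid)] - a.detected).total_seconds() for a in alerts)
```

The lone Run-key write on srv-02 stays in the record without paging anyone; only the ws-17 process that both persisted and connected out produces an alert, which is the visibility-versus-noise trade-off the correlation buys.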

On the face of it, the distinction between EPP and EDR is relatively straightforward: EDR is sort of like a detective, whereas EPP is like an armed guard patrolling your wall. EPP is a front-line, brute-force defense, effective at blocking known threats. EDR is the next layer of security, providing additional tools to hunt for threats. It forensically analyzes intrusions and responds swiftly and effectively to attacks.

Do you need Endpoint Detection and Response?

You have to ask yourself some questions. For example, why are you investing in EDR?

  • Your team has little visibility into what is happening on your endpoints
  • Compliance requirements or large fines are mandating the use of continuous monitoring and threat detection
  • Leadership is focused on preventing a public breach and the associated costs, negative headlines, and brand damage
  • You have good tools and processes in place, but are concerned that threats are still slipping through on your endpoints

These are just a few possible (and good) reasons. Another question is: what level of time and expertise can you commit to the EDR solution? Remember, an EDR product alone does not give you an EDR capability. Well-trained security professionals and sound processes are needed to maximize your EDR investment and really improve your security. And by a large margin, organizations looking to add endpoint detection and response capabilities cite “staff knowledge” as the top impediment to EDR adoption. Here are some other questions to consider:

What is the business impact of deploying the solution?

EDR solutions should be easy to deploy to your endpoints using any native or third-party utility. Any EDR solution that requires a reboot of the endpoint can have major business impacts.

Can the EDR solution replace existing endpoint security investments?

Many of today’s EDR solutions don’t; instead, they strengthen one part of your security posture. Ask specifically whether the product can replace your existing antivirus, DLP, file integrity monitoring, or network threat detection.

What will the impact of an EDR solution be on your endpoints?

Nearly all EDR solutions use an endpoint agent. It will be tightly integrated into the endpoint’s operating system, meaning it can have serious performance impacts and cause instability if it is not well-designed. The vendor should be able to show you performance data of their product in scenarios comparable to your own. Is the EDR solution agentless? If it claims to be, you should tread carefully. Agentless solutions will generally compromise on performance and visibility.

Also, how much CPU, memory and disk does it use? Typical agents may consume 2% or 2 GB of storage, and these limits are usually configurable.

When combined with mature security operations processes, EDR tools can help you better defend against today’s rapidly evolving threats. However, many organizations lack the internal resources to build a true EDR capability. Hopefully, this article will help you carefully consider your organizational needs and your ability to support a true EDR posture. It is also worth considering a Managed Threat Response solution, which takes the job of running an EDR program out of house and into the hands of specialized security experts. Sophos offers a very good one. And Corporate Armor can help you make these choices, so email us or call 877-449-0458. Thanks for reading!