10 must-ask questions for evaluating EDR tools

Are you thinking about investing in an endpoint detection and response solution? These pre-purchase questions will help you find the tool that meets your needs.


Endpoint detection and response (EDR) products give IT staff visibility into endpoints for detecting malicious activity, analyzing data and providing appropriate response. EDR is part of a burgeoning security market, peppered with well-known vendors such as Carbon Black, Cisco, CrowdStrike and FireEye.

Anyone looking at EDR today has come across the term "threat hunting," the process of searching through voluminous amounts of data to find signs of a threat actor or emerging attack rather than relying on known threat signatures. It's a combination of threat intelligence and big data analytics. Threat hunting is a critical component of a comprehensive EDR solution and a key differentiator from endpoint protection platforms (EPPs), with which they are often confused.

However, EDR solutions are also undergoing a period of flux. In 2016, Gartner pointed out that "EDR is not a replacement for other endpoint security tools; it is often a detection and visibility complement to other tools providing endpoint security capabilities." But Gartner's 2017 Magic Quadrant for Endpoint Protection Platforms states that "By 2019, EPP and EDR capabilities will have merged into a single offering, eliminating the need to buy best-of-breed products for all but the most specialized environments."

We asked some security experts to share their insights about what questions you should ask yourself and prospective EDR vendors before you buy.

1. What business problems are you trying to solve?

Daniel Clayton, director of cyber security at Rackspace, emphasizes that the first step in evaluating an EDR solution is to identify the problems you want to solve. (Note that while Rackspace is an EDR customer, the company also partners with its EDR vendor for its Rackspace Managed Security offering.) CIOs of large organizations are tasked with arming the security operations center (SOC) with the proper tools to solve problems, keeping in mind that security is no longer just a tools issue; it's a people issue. Sooner or later, someone will misconfigure a system, allowing an emerging or advanced persistent threat (APT) to infiltrate. Even the best network visibility tool cannot entirely prevent an attack by a motivated and well-trained adversary.

Paul Calatayud, CTO of network security company FireMon, agrees with this pain point, which also applies to smaller organizations. "EDR solutions aid in the discovery and identification of cyber threats, but they aren't a silver bullet. Trained staff and processes are highly important to help guide response and follow-up. Thus, expectations need to be established that, once this technology is in place, you may still need to invest in more people or training and develop a comprehensive incident response plan to truly realize the return on EDR investments."

2. What is the EDR solution's lookback period for data?

Clayton says an EDR solution must offer more than point-in-time data to be effective. He suggests looking for a solution that takes a continuous forensic picture and can provide at least 30 days of live data for analysis. Some vendors can deliver 90 days to one year of historical data from archives for investigative purposes.

3. Does the EDR solution integrate with threat intelligence platforms and other existing tools?

Calatayud mentions that, because EDR tools are designed to assist in threat hunting, "it's important that those tools integrate with threat intelligence feeds or platforms (if the capability isn't built in) to quickly analyze indicators of compromise (IOCs)."

Jarret Raim, director of managed security at Rackspace, adds that security platforms usually involve a lot of tools, so buyers should ask how data gets out of the management portal. EDR tools need to integrate with existing tools, including antivirus, and it's important to know, before you buy, that the tools will work together.

4. How many resources will the EDR solution require to support the technology?

Implementing and running an EDR solution can be cumbersome. You might have to attend training and work with the vendor's engineer to get it up and running. From there, it takes time and a certain amount of resources to run the software in visibility mode, learn to decipher results and determine how to troubleshoot when necessary.

"Security resources are always in high demand," says Calatayud. He points out that, when evaluating any security solution, it's important to understand if the solution will detract from your resources by requiring a lot of support versus allowing your team to focus on the data within the solution as a consumer.

Raim suggests that prospective buyers consider support carefully. "For this tool to be of value, what do I need? Analysts? Who's going to respond to alerts? EDR requires people, processes and tools, but tools are only part of the picture."

5. Does the solution disrupt endpoints?

Both Clayton and Raim warn against solutions that disrupt the endpoint during agent deployment or threat investigation. To counter this issue, Clayton recommends a solution that uses a kernel-level agent.

6. What operating systems does it support?

Calatayud points out that "it's common to have a mix of Microsoft and Macintosh computers in corporate environments. One has to ensure proper coverage of all endpoints to include server OS types." Raim agrees that support for multiple operating systems is key. "EDR requires visibility into the environment. A solution might support Windows but not Linux, for example. Make sure your desired solution supports your systems and patch schedule."

7. Are there any scalability issues I should be aware of?

Raim urges EDR buyers to inquire about management in a scaled-up environment. For example, what does the management portal look like with 3,000 endpoints compared to 30,000? Ask prospective vendors to describe their biggest deployment and number of endpoints/agents involved.

8. Does the solution offer workflow reporting or interact with other ticket systems?

Calatayud points out that usability is an important element to any security solution. "IT resources are always slim. A solution that includes reporting dashboards or integration into other ticketing systems makes life easier. A solution that's not easy to use is a risk because users may get frustrated and move on or abandon the solution."

9. Does the solution offer multitenancy?

Cloud-based solutions often use multitenancy to keep customers separate. Raim says that EDR customers often say they don't want multitenancy, but they will when they realize what it allows them to do. With multitenancy, a customer can separate its own infrastructure, such as by city or business unit, for better organization, control and flexibility. But the decision must be made up front because retrofitting multitenancy is difficult.

10. Can my organization afford an EDR solution?

Considering that the cost of an enterprise SOC can easily hit $3 to $5 million, Raim points out that some customers zero in on "find and forget" solutions because they're much more affordable. A managed service provides EDR capabilities on the customer's behalf, including analyst input, reducing the customer's need for in-house expertise. These types of services may be rolled out on a predictable 12-, 24- or 36-month contract, or the cost may fluctuate based on an organization's architecture and infrastructure needs.

This story, "10 must-ask questions for evaluating EDR tools" was originally published by CIO.

Copyright © 2017 IDG Communications, Inc.