An endpoint detection and response (EDR) solution is an essential tool in any organization that’s serious about security. EDR technology proactively monitors endpoint devices, gathering data about endpoint activity. It analyzes the data to detect patterns that indicate a threat and automatically responds by remediating threats and notifying security analysts. EDR provides advanced detection and response capabilities that allow organizations to respond more quickly to active and latent threats in their environments.
In our work helping organizations choose, integrate, deploy, and optimize cyber security solutions from a wide variety of vendors, we often encounter challenges companies face with EDR. We commonly see companies acquire EDR tools without fully understanding what they are getting into, what features they need, or how to fully benefit from the technology. This results in missed opportunities for learning, improving, reducing response time, and taking a more proactive approach to threats.
By being aware of and avoiding the following common pitfalls we see, companies can maximize their returns on what amounts to a significant investment.
Choosing the appropriate EDR tool for your organization is a critical part of having a solution that will meet your needs and stand the test of time. EDR solutions are not all created equal – features and capabilities can vary. Sometimes we see customers who chose an EDR tool based purely on its lower price point, but a year or two down the road, they realize the tool isn’t offering the best mix of features for their needs.
Tool selection comes down to discovering what your organization needs and comparing the available solutions against your list of use cases and KPIs. Examples of features to consider are remote remediation, automated workflows, vulnerability monitoring, guided investigation, and the ability to write custom detection rules. Factors such as whether you plan to feed EDR data into a third-party system like a SIEM also come into play, since export volume, retention, and API access differ widely between products. Confirm each requirement in a proof of concept on your own endpoints before signing, because a datasheet feature list says little about how a capability behaves at your scale. When we encounter organizations that aren't sure where to start, we can help identify the proper use cases for their environment to ensure they'll be happy with the tool they choose.
The tool selection process is time-consuming and EDR solutions are expensive – both are good reasons to make the extra effort to find a tool that’s as future-proof as possible.
We often see customers plug in their new EDR solution and think their job is over. But the truth is that while EDR does automate many detection and response tasks, it also needs skilled analysts to do the “care and feeding,” training the tool and reviewing the data it generates. Most companies need an EDR tool long before they’re willing to dedicate the staff required to make one work well.
To recognize malicious patterns in endpoint activity, EDR tools record a range of events such as process launches, service starts, service and process terminations, file and folder accesses, DNS queries, network connections, and registry edits. Multiplied by every endpoint across the organization, that is a massive amount of data. Analysts are needed to review alerts, separate true incidents from false positives (which typically account for a large share of the alert volume), tune the rules and allowlists that generate that noise, and remediate infections on endpoint devices.
Even when companies have decent incident response processes in place, we usually see the process start to break down when it comes to threat hunting, which is an essential part of getting ahead of threats already in the environment. Threat hunters use the EDR data to proactively look for malicious activity before it even manifests itself in a detection.
Of course, finding skilled experts is difficult and expensive. Many of our customers rely on us for support with their EDR program. We can help them understand the TTPs to look for and the kinds of adversaries in their space. We can also jump on board to help maintain the tool, do threat hunting, and perform incident and detection triage.
It’s not uncommon to find smart security teams whose knowledge lives in their heads and not on paper. This is a mistake. Dedicated workflows and runbooks that are regularly updated define how your team will address the data the EDR solution generates. Your teams should capture steps for how to proceed in various scenarios, such as if there is an incident or detection or if suspicious indicators of attack or compromise are found.
Part of this documentation involves identifying escalation points. Security analysts need to know who to turn to if a situation is beyond their level of expertise, and if that person is unavailable, who the backup person is. Documenting clear roles and responsibilities eliminates speed bumps when an incident arises.
Capturing this knowledge also makes it easier to train new team members. What’s more, if your team is not taking the time to document their institutional knowledge, you run the risk of losing that knowledge when your smartest employee finds a new gig.
Organizations often give in to the temptation to turn their EDR protection up so high that it automatically blocks every possible threat. While doing so may keep the environment safe in the short term, it also means companies are missing out on the chance to analyze and learn from the attacks that are hitting them, limiting the opportunity for better protection in the long term.
Turning protection up to 11 and tuning out alerts prevents security teams from seeing failed attack attempts, precluding them from gathering ongoing intel about an attack’s source, methods, and target. Block one attack, and the adversary will launch another. It may take hundreds of attempts, but eventually an attack will be successful. When that happens, will your team know there were hundreds of tries? Will you have a catalog of attack attempts and source IP addresses? Will you have enough data to predict which systems and services the attacker will target next?
We recommend seeking a balance between prevention and visibility. Blocking and visibility need not be mutually exclusive: many EDR products can block an action and still record the surrounding process, file, and network events, so the first check is whether prevented events are retained and forwarded to your analysts rather than suppressed as noise. Where the risk is acceptable, the balance might take the form of allowing a malicious executable to download but detecting and quarantining it when it is executed. Detonating the executable in a sandbox for behavioral analysis gives your EDR tool a chance to gain insight that analysts can use and react to. Many EDR tools are good at drawing visual representations of malicious behavior, chaining parent processes to child processes, and showing which methods are being called where.
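The parent-to-child chaining described above, and the alert-volume and false-positive tuning problem from the staffing discussion earlier, are easier to reason about with a small working model. The Python below is an added example, not code from the original article or from any EDR vendor: the event schema, the rule names, the host and process identifiers, and the `ccmexec.exe` allowlist entry are all constructed for illustration. It rebuilds process ancestry from launch events, fires two toy rules (a script interpreter with an Office application in its ancestry, and PowerShell launched with an encoded command), and shows how an allowlist for a known management agent removes a recurring false positive without touching the true positive.

```python
"""Added example: process-chain triage over constructed endpoint telemetry."""
from collections import Counter

# Constructed process-launch events (not real telemetry). A real EDR sensor
# also emits DNS, network, file and registry events; process launches alone
# are enough to show parent/child chaining and rule tuning. pid 1 is the
# root on each host and has no event of its own.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"host": "ws01", "pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"host": "ws02", "pid": 500, "ppid": 1,   "image": "services.exe",   "cmdline": "services.exe"},
    {"host": "ws02", "pid": 600, "ppid": 500, "image": "ccmexec.exe",    "cmdline": "ccmexec.exe"},
    {"host": "ws02", "pid": 700, "ppid": 600, "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1"},
    {"host": "ws03", "pid": 800, "ppid": 1,   "image": "services.exe",   "cmdline": "services.exe"},
    {"host": "ws03", "pid": 900, "ppid": 800, "image": "ccmexec.exe",    "cmdline": "ccmexec.exe"},
    {"host": "ws03", "pid": 1000, "ppid": 900, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand VwByAGkA"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index launch events by (host, pid); pids are only unique per host."""
    return {(e["host"], e["pid"]): e for e in events}


def ancestry(tree, host, pid):
    """Walk parent pointers from a process to the root, returning image names
    child-first. The seen set guards against pid reuse creating a cycle."""
    chain, seen = [], set()
    key = (host, pid)
    while key in tree and key not in seen:
        seen.add(key)
        event = tree[key]
        chain.append(event["image"].lower())
        key = (host, event["ppid"])
    return chain


def detect(events, allowlist=frozenset()):
    """Run two toy rules over every launch event.

    allowlist: parent image names (hypothetical tuning knob) for which the
    encoded-PowerShell rule is suppressed, e.g. a software-deployment agent
    that legitimately launches encoded commands on every host.
    """
    tree = build_tree(events)
    alerts = []
    for event in events:
        image = event["image"].lower()
        chain = ancestry(tree, event["host"], event["pid"])
        parent = chain[1] if len(chain) > 1 else None
        base = {"host": event["host"], "pid": event["pid"], "chain": chain}

        # Rule 1: a script interpreter anywhere below an Office application.
        if image in INTERPRETERS and any(a in OFFICE_APPS for a in chain[1:]):
            alerts.append({"rule": "office_spawns_interpreter", **base})

        # Rule 2: PowerShell with an encoded command. A substring match on
        # "-enc" is deliberately loose; it catches -enc and -EncodedCommand
        # but a production rule should tokenize the command line instead.
        if image == "powershell.exe" and "-enc" in event["cmdline"].lower():
            if parent not in allowlist:
                alerts.append({"rule": "encoded_powershell", **base})
    return alerts


def summarize(alerts):
    """Alert counts per rule, the first thing an analyst tunes against."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    print("untuned:", summarize(detect(EVENTS)))
    tuned = detect(EVENTS, allowlist=frozenset({"ccmexec.exe"}))
    print("tuned:  ", summarize(tuned))
    for a in tuned:
        print(f"{a['host']} pid {a['pid']} [{a['rule']}]: " + " <- ".join(a["chain"]))
```

Untuned, the rules raise four alerts; the allowlist removes the one on ws03 (the deployment agent's encoded command) and leaves the three on ws01, all of which hang off the same winword.exe chain. That chain, printed child-first, is the same picture the article credits EDR consoles with drawing, and the allowlist is the kind of tuning decision that should be recorded in the runbook rather than kept in an analyst's head.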
Knowing our adversaries and their tactics is critical and must be an ongoing effort. Gathering the details of their methods and tactics allows a well-informed team to formulate effective plans and playbooks to counter real-time threats. If your team is placing so much emphasis on prevention that they are no longer studying and learning from the attacks they are attempting to prevent, they are missing out on a rich source of threat intelligence – the one in your own backyard.
Any EDR tool brings a learning curve. To constantly improve, security teams should purposefully implement a regular feedback loop to ensure learnings are incorporated into future processes. Once you have resolved an incident or closed the gap on an IOC or IOA, take some time to step back and review – was the process more efficient than last time? Which parts of the process can be streamlined for next time? Do steps need to be added? Then add these learnings to your runbooks so the whole team can benefit.
Regularly assessing the big picture will help ensure your processes make sense. A process for continuous improvement will also help progressively bring down response time, which is, after all, what EDR is all about.