Many companies rely on Endpoint Detection and Response (EDR) solutions as their primary security tool to protect their organizations against cyber threats.
EDR was introduced around eight years ago, and analysts now peg the EDR market size as $1.5 to $2.0 billion in annual revenue globally, expecting it to quadruple over the next five years. The recent introduction of Extended Detection and Response (XDR) solutions, however, will certainly cut into a significant portion of that spend.
A new provocative eBook: "5 Questions to Determine: Is Your EDR Providing the Best Bang for Your Buck?" (Download here) helps security executives who currently use an EDR solution determine if they're continuing to get their "bang for the buck" from their EDR provider when compared to newer, equally-priced technologies as XDR. It's also an excellent resource for companies who are in the steps of choosing an EDR solution to deploy.
A live webinar around the same topic will be held in the next few weeks; register for the webinar here.
The five questions to ask
Let's quickly look at the five questions you should ask to help decide if you should stay with your EDR solution or consider upgrading to an XDR solution. Read in the Cynet eBook the discussion of how alternative approaches might improve on the capabilities of your current EDR solution.
1. Does your EDR provide sufficient visibility and protection?
EDR solutions focus on endpoint threats and have been highly valuable in preventing and detecting many forms of endpoint attacks. But today, new advanced threats are able to bypass your EDR.
For example, could your EDR solution detect the lateral movement of a successful attacker that has successfully bypassed EDR and is now probing your network for higher value assets? Does your EDR solution detect malicious insider activities that could lead to a data breach?
2. Does your EDR provide automated playbooks to take all necessary remediation actions across endpoints, networks, and users to eliminate threats fully?
Many EDR tools can detect and remediate a variety of endpoint threats automatically. For example, EDR solutions might automatically perform specific file remediation actions (delete, quarantine, kill the process) and host remediation actions (isolate, run command, run script).
Full remediation sometimes requires actions to be taken at the network and users levels.
Does your EDR provide full host remediations beyond those listed above (ex., restart, change IP, delete\disable service)? Does your EDR apply remediation actions to networks (ex., block traffic, clear DNS cache), users (ex., disable/enable, reset password), and other environment components (ex., firewall, proxy, active directory)?
3. Does your EDR solution provide automated investigation and response actions?
EDR platforms detect threats and then apply remediation actions to address the identified threat. Then what? An identified and remediated threat should not represent the end of the process. Any alert generated by your EDR solution may be indicative of a larger, more serious security incident and therefore warrants some level of investigation - even if the threat itself was remediated. And how do you know the remediated threat did not perform a malicious action prior to it being discovered and terminated?
Does your EDR automatically investigate high-risk threats to determine the root cause and full extent of the attack across your environment? Can your EDR automatically take remediation actions to eradicate all components of the attack fully?
4. Does your EDR vendor charge extra for MDR services?
Larger enterprises can leverage Managed Detection and Response (MDR) to help overburdened security staff and augment their skills.
Smaller enterprises can leverage MDR service to add missing cybersecurity expertise and Incident Response tools.
Does your EDR vendor provide optional MDR services for a fee? And if so, does it include:
- Proactive 24x7 monitoring of your environment to ensure no threats are overlooked?
- Full guidance on implementing the remediation actions necessary to eliminate detected threats?
- Ad-hoc research on suspicious files and any other questions your security team may have?
5. Does your EDR solution include Deception Technology?
Large enterprises rely on Deception technology to detect attackers that have successfully infiltrated the environment. Deception technology uses decoy hosts, files, networks, etc. that, when accessed by an attacker, expose their presence. While Deception technology is very beneficial, it's expensive, difficult to deploy and manage, and usually only leveraged by large enterprises with deep pockets.
Does your EDR solution provide Deception technology? Is your organization prepared to add another layer of security technology on top of the existing stack?
To summarize:
Security organizations always seem to be under-budgeted and understaffed. And, they're generally too busy to take a step back and re-evaluate their approach. An emerging trend in security is around the consolidation of technologies and automation of manual processes. Newer XDR solutions check these boxes and could very likely provide more value than your current EDR solution, without the need to increase your budget.
Download the eBook: "5 Questions to Determine: Is Your EDR Providing the Best Bang for Your Buck?" here.
Register for the webinar here.