You're fully aware of the need to stop threats at the front door and then hunt for any that slipped through that first gate, so your company installed an EPP/EDR solution.
But like most companies, you've already run into its shortcomings, and they are amplified because you have a small security team. More than likely, you've noticed that it has its share of detection blind spots and limitations, so you need to tack on additional detection technologies to cover them.
Remediation still requires manual effort, and operating the stack has become too large an investment for your already resource-constrained staff. Deployment took ages, so you're wary of introducing new technology and going through that process again.
What should you do: fight for more resources, take flight from the EDR/EPP combo to a different technology, or freeze by accepting this painful situation and reporting to the board that your risk levels remain high?
Since fight and freeze are usually the options you want to avoid, you need to know what to expect if you do decide to move on.
The guide "Decided to move on from your NGAV/EDR? A guide to what's next" walks you through six steps of that transition so you arrive best prepared for the next level of protection:
Step 1: Why are you moving? Before you justify the transition to your team, and to the company, you need to justify it to yourself. According to a Cynet 2021 survey of CISOs with small security teams, the biggest pain point in operating threat protection products, selected by 51% of companies (a relative gap of 38% over the second-ranked response), is the overlapping capabilities of disparate technologies. The second and third responses are operational challenges: too many dashboards (37%) and computing lag on deployed devices (36%).
Are these also your main challenges? Always return to that painful starting point when evaluating alternatives, because it is what set you off on the transition journey in the first place.
Step 2: Consider your options. Since you cannot rely solely on the EDR/EPP stack, your alternatives boil down to two. The first is to keep your current solution and invest in compensating detection technologies to cover the blind spots, then stack on further tools to automate investigation and other manual processes. The second is to invest in an Extended Detection and Response (XDR) platform.
An XDR platform correlates alerts from its components and consolidates them into actionable incidents, then automates investigation and response actions. XDRs include the EPP/EDR capability, but only as one component of a broader breach protection platform. Go through the guide's pros and cons list to help you decide which option to take, and add points to that table that are specific to your environment.
Step 3: Build the business case. Most companies with small security teams choose an XDR. The immediate question that follows is where the budget for the new platform comes from. This is where you build the business case, and the guide helps by laying out three aspects to consider when allocating the budget. Make sure not to sell yourself short by trimming the budget to save costs; rather, use the same budget to achieve more.
Step 4: List the XDR requirements. XDR offerings vary. Some integrate more technologies than others, some are simpler to deploy and manage, levels of automation differ, and MDR service offerings vary from vendor to vendor. This is where you decide which XDR capabilities matter most to your small security team.
As a start, make sure you weigh the four must-have parameters and decide how far you're willing to compromise on each: ease of deployment, types of detection technologies, level of automated breach response, and MDR augmentation offerings.
Step 5: Shortlist the XDR vendors. Now that you have the requirements, it's time to shortlist the XDR vendors you'd like to evaluate. Several sources can help you build this list: peer feedback, review sites, whether the vendor offers a trial such as a try-and-buy, and of course, cost.
Step 6: Send out an RFP. This is an important step in assessing the technology. RFPs are tedious, but remember that you send the same one to every vendor, so you only need to write it once, and comparing the responses is then quite straightforward. As a major time-saver, the guide also points to a ready-made RFP template for XDR protection that you'll find relevant if you have a small security team.
Undoubtedly the EPP/EDR combination is not enough for your small team. While these are important tools, the combination is starting to feel like a double-edged sword: on one hand it doesn't fully address your current needs, and on the other it creates a burden on your resource-constrained team. It's time to move.
This guide serves as a companion through that transition, providing insights drawn from experience to help you steer clear of the road bumps along the way.
Download the eBook "Decided to move on from your NGAV/EDR? A guide to what's next"