February 25, 2022
10 Considerations Before Buying an Endpoint Detection and Response (EDR) Security Solution – Part 1
Increasingly, enterprise organizations consider endpoint detection and response (EDR) security solutions to be a critical component in ensuring overall network security. Recently CISA designated EDR as a critical component for cybersecurity, yet many firms still do not have this capability. EDR cybersecurity tools are designed to detect and remove malware or any other form of malicious activity on the endpoints. More broadly, EDR tools collect and monitor data pertaining to potential cybersecurity threats to the network. This data can be analyzed to determine the root cause of security issues and used to support incident response and management strategies.
According to KuppingerCole and Forrester, EDR security solutions commonly include a number of key capabilities:
- Monitor and provide remote logging and analysis of Endpoint Behaviors
- Detect, prioritize, track and alert on Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) in real-time
- Interoperate with other security tools, including endpoint anti-malware, forensics, case management, security incident and event management (SIEM), and Security Orchestration, Automation and Response (SOAR), etc.
- Allow for interactive IOC/IOA queries across all nodes
- Allow for natural language queries
- Support recording and playback of activities
- Support communications lockdown between suspicious nodes and management consoles
- Provide playbooks and configurable automated responses
- Provide agents for multiple operating systems
- Monitor the integrity of operating systems and other key files
In addition to a strong feature set, here are some considerations when deciding which EDR security tools to invest in and leverage for protecting your IT environment’s endpoints.
1. Agent vs. Agentless Endpoint Detection and Response, and Why You Need Both
Many enterprise EDR tools require use of an agent, while others take an agentless approach to gathering endpoint data. There are pros and cons to each approach.
An agent is a small software program that is installed on each device to be monitored. The agent’s primary functions are to collect data on user activity in all applications, webpages and system areas, and to transmit the data it collects about each session to a central server for processing, analysis and storage. Having an agent installed on a monitored device provides the ability to:
- Capture extensive details on the operating system, local file system, machine hardware and connected devices, as well as all processes running on the device
- Capture user activity regardless of how users connect to servers, i.e., via both local console login and remote-access login methods
- Record user activity to a local cache for later transmission when the device is offline or the network connection is interrupted
- Enable interactive intervention in a user’s session when needed; for example, to quarantine the device if malicious activity is suspected
Disadvantages to using an agent-based EDR security platform:
- Requires installation and management of agents on each monitored computer, system, and endpoint
- Agents may not work on devices and computers with unsupported operating systems
- Guests and owners of unmanaged devices may not agree to having the agent installed (in this case, a dissolvable agent might work)
- Introduces CPU and RAM utilization overhead on each computer
An alternative approach is to do agentless endpoint monitoring and collection of data. In this scenario, no agent software is installed on the endpoint device. Rather, the EDR tool passively monitors traffic coming onto and passing through the network as it flows between users’ client machines and the servers they are accessing. The advantages of an agentless EDR are:
- Faster deployment across your network, especially helpful during cyber security incident response investigations
- Doesn’t require resources on the endpoints being monitored
- Doesn’t require the overhead of installing and managing agents on every device
- Can be used with devices that can’t accept the installation of an agent
- Can record configuration changes to network devices, storage subsystems, hypervisors, etc. on which agents cannot be installed
There are drawbacks, too, of the agentless model:
- Doesn’t capture local user activity on the remote computer, or anything about locally running processes, hardware elements or other endpoint details of the device itself
- Encrypted data traffic is difficult to monitor and analyze
- Cannot gather data about endpoints when those devices are not connected to the corporate network
- Without a presence on the endpoint device, the “response” portion of EDR may be limited
Many enterprises find they need to use both an agent-based and an agentless model in order to cover all endpoints and to overcome the shortcomings of each approach listed above.
2. What Devices or Operating Systems are not Covered by the EDR Security Solution?
This question generally ties back to the matter of agent-based versus agentless. An agent would need to be available for specific operating systems. At a minimum, most EDR tools provide support for Windows (including older versions), Mac OS and Linux. The question to ask vendors is, what operating systems are not covered? Unfortunately, Apple iOS and Google Android are often among the unsupported operating systems, even though many workers use their smart phones and tablets on the corporate network. If no agent is available for a popular OS, the organization needs to fall back on a different way to monitor activity on and collect data from unsupported devices.
IoT (Internet of Things) devices may also not be supported by EDR security platforms, since few of them run an industry-standard operating system, like macOS, Windows, or Linux. What’s more, some IoT devices are CPU- and memory-constrained and they cannot support the installation of an EDR agent. Again, if it’s important to an enterprise to include these devices in their network data capture and analysis, an alternative method to an onboard agent must be used.
3. What About EDR Security in the Cloud?
Many EDR tools operate from the cloud, but they may not be able to operate in the cloud—yet cloud security posture management is of critical importance today. For those companies that have servers and workloads in the cloud, including containers and serverless workloads, it may not be possible or practical to install an agent on physical or virtual devices in the cloud. In short, the cloud is a different beast altogether.
4. Is the EDR Software Easy to Integrate with Other Security Software in your Ecosystem, Including SIEM Platforms and Ticketing Systems?
EDR tools are not meant to be standalone tools. There are many other tools in the cybersecurity ecosystem that are very complementary to what EDR brings to the table. This allows security managers to achieve a broader understanding of their security posture and helps automate responses to mitigate a range of security issues. Enterprises benefit by optimizing time to insight, achieving quicker incident response and realizing strengthened network security.
EDR security solutions must be able to integrate with the types of tools that can log, track, orchestrate and execute actions to mitigate an attack and clean the environment once the threat has passed. What’s more, many enterprises have a security incident and event management (SIEM) platform that is setup to be an overarching security platform, and other security systems feed data and analysis into the SIEM. Easy integration with such tools is essential. CSO magazine calls these integrations “force multipliers” of the EDR platform.
Check back for our other considerations for selecting the best EDR security tool or solution continues in part two of this blog…