10 Considerations Before Buying an Endpoint Detection and Response (EDR) Security Solution – Part 2

In part one of our blog about considerations before purchasing an endpoint detection and response (EDR) security tools or solution, we outlined four key factors:

• Agent vs. agentless monitoring
• What EDR systems can’t monitor
• Running an EDR in your cloud
• Integrating EDRs with other tools

In the second half of this two-part blog series, we’ll explore additional considerations when selecting an EDR tool:

5. Does the EDR Software Receive Frequently Updated Signatures and Models Designed to Detect Advanced Attacker Tactics, Techniques, and Procedures (TTPs)?

Threats change daily as attackers continuously work to improve their TTPs, and so, too, must the signatures and models that are used to detect the presence of threats in a network. The EDP platform must get frequent updates, preferably including well-sourced, high-quality Indicators of Compromise (IoCs) and Indicators of Attack (IoAs). Some products allow the enterprise to also incorporate its own IoCs/IoAs, which may be developed in-house or obtained from cyber threat intelligence subscription services.

Most tools today use machine learning (ML) to scrutinize endpoint and network activities to look for anomalies that could be indicative of risks and threats. ML uses algorithms, or models, to analyze the data, and these models need frequent tuning to continue to produce the most accurate possible results in detecting anomalies.

6. Does the EDR Solution Prioritize Threat Alerts to Reduce “Alert Fatigue?”

One problem that is notorious in the cybersecurity tools market is the tendency to surface everything that looks suspicious as an alert—whether the suspicious activity is an actual threat or not. This sends far too many alerts to security analysts, creating “alert fatigue” that results in many notifications – some of which could be important – being ignored for lack of time. An effective EDR software platform is able to collect and correlate sufficient data such that threats are validated before raising an alert to human investigators.

7. Can your EDR Security Software Accept Custom Detection Models and/or Rules for your IT Environment?

There is no “one-size-fits-all” machine learning algorithm that is optimized for every possible situation. Given that every enterprise environment is different, the threat detection models should, ideally, be customizable to meet each company’s needs. An EDR software vendor should allow for extensive customization by knowledge users and/or consultants.

8. Extensibility: Beyond Detection and Incident Response, What Capabilities can the EDR Security Solution Perform?

Wikipedia defines extensibility as a software engineering and systems design principle that provides for future growth without impairing existing system functions. Extensions can be through the addition of new functionality or through modification of existing functionality. Thus, the extensibility of an EDR system provides greater value and allows an enterprise to get a better return on its investment.

Endpoint Detection and Response is a category of security software tools that monitor end user hardware devices across a network for a range of suspicious activities and behavior, reacting automatically to block perceived threats and saving forensics data for further investigation. The vast amount of information such a solution collects and stores makes the system ripe for extensibility into many other capabilities.

9. Can the EDR Security Software Track Progress and Improvements in Data Security and Hygiene Over Time via Reporting and/or Dashboards?

Cybersecurity is being given Board-level scrutiny today. Corporate executives are held accountable for security breaches, and so they want to deeply understand their enterprise’s security posture. While a point-in-time assessment can be valuable, executives are more interested in seeing a trend over time. They ask, is the security posture improving or losing ground? A good EDR tool will provide executive reports and/or a dashboard that tracks progress over time and shows how data security is improving.

10. Price—How Much Does the Overall EDR Security Solution Cost?

Pricing can vary greatly from vendor to vendor and customer to customer. Solutions are often priced according to the number of endpoints being monitored. According to one consulting firm, some EDR licenses include cloud hosting, others do not. Budget $5-10/endpoint annually if hosting is not included; up to $30 per seat if hosting is included.

Of course, purchase price is only one factor; buyers should be aware that getting the full value out of an EDR solution will likely require dedicated experts and additional investments. The enterprise may need to staff up with threat researchers, threat hunters, data scientists (to tune detection models), incident responders, application developers (to build integrations and automation), and IT operations personnel.

Recall the earlier comments about the need to customize threat detection models to achieve the highest level of accuracy. Whether the enterprise has people on staff to do this, hires consultants, or outsources the solution to an MSP, some tuning and optimization will undoubtedly add to the overall cost.