What to look for in an EDR solution
Emerging threats and advanced targeted attacks (ATAs) are sweeping through the cyber landscape faster than security teams are prepared to deal with them. In the blink of an eye, your infrastructure can be compromised, putting your vital corporate information assets at risk. An advanced endpoint detection and response (EDR) solution provides uninterrupted visibility into your environment, offers automated, rapid response, and enhances your ability to contain future threats. EDR should be part of everyone’s security arsenal. In this three-part blog series, we’ll explore key EDR feature sets that will up-level your ability to detect threats and respond faster and with greater agility.
A worst-case scenario outlook may not serve you well in your personal life, but it’s a positive trait when it comes to defending your enterprise against advanced targeted attacks (ATAs) and emerging threats that may lead to a potential data breach. So go ahead and assume the worst, and start investigating an EDR to help you get more proactive about detection and response.
As you’re well aware, not all EDRs are alike, and it’s easy to get lost in the jargon and noise of the marketplace. In an effort to ease your decision-making process, we’ll explore some critical must-haves.
Collect It. Find It. Use It.
Collectors and search are important components of an EDR solution. These two capabilities can be likened to a Google search: the EDR’s collectors gather data from the endpoints, that data is indexed, and then it’s served up in an interface for forensic investigation. Some EDR solutions stop there, which is not good enough. An ideal EDR solution will help you use this rich data soup for protection. If you’re especially concerned about a particular type of nefarious malware, your EDR should allow you to search for specific parameters associated with that threat, set a trigger, and launch a reaction or response when indicators of attack (IoAs) are identified.
Sherlock Holmes or Inspector Clouseau?
Think of collectors as detectives. They should be able to look beyond the obvious as they examine program executables, running processes, and dormant or deleted files and objects. You want to make sure they are smart enough and capable enough to discover useful clues. Add a strong measure of efficiency and continuity, and you have an ideal collector. Here are some features to look for:
- Agent-based model: In some EDRs, collectors use servers to remotely scan the endpoint. An agent-based model, where the endpoint is doing the work locally, is best—there’s no need to weigh down or expand your infrastructure.
- Local storage and indexing of collected data: This capability eliminates the need to send the data to the cloud or to an on-premises data storage appliance and makes scaling up easier.
- Persistent collection: You’ll want collectors to be always on, so there’s never a lapse and never a worry about important data falling through the cracks. “Point-in-time” solutions, on the other hand, often miss events outside a particular window. Running collectors low and slow is also preferable: it’s better if collectors use a little bit of resource all the time, avoiding spikes in consumption that can disrupt user processes and productivity.
- Write your own script: Out-of-the-box persistent collectors should meet about 99% of your needs and can save you a boatload of work. Generally speaking, you probably don’t need a custom collector, but there are times when you want to write your own scripts to pinpoint the exact information you want to gather and how much of it—especially during a malware outbreak. Your best bet is an EDR that’s based on an open architecture.
Find It Fast.
Search mechanisms work hand in glove with collectors. When you choose an EDR solution, make sure the search is fast—it should return results to you in less than 20 seconds. And the information you receive should provide you with an accurate picture of the current state of your environment. When would you use a search? Here are two common use cases:
- Reactive: You receive an alert from a security product that indicates an endpoint may be infected. You can then do some investigation, such as a search to determine whether any endpoint is connected to a known-bad IP address.
- Proactive: As you participate in intelligence-sharing activities, you find out about a new threat out in the wild. To preclude possible malware infection at your organization, you can search for the exact combination of characteristics that correspond to the threat.
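To make the collect, index locally, search, and trigger loop concrete, here is an added illustrative example in Python; it is not McAfee Active Response’s or any other product’s code, and the host names, process images, and IP addresses are constructed sample data. It models the reactive and proactive search use cases above plus a trigger that launches a reaction when a newly collected event matches an IoA pattern.

```python
from collections import defaultdict
# Constructed sample telemetry (hosts, images and IPs are made up; IPs are from a documentation range).
EVENTS = [
    {"host": "ws-01", "type": "process", "image": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws-01", "type": "process", "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-01", "type": "netconn", "image": "powershell.exe", "remote_ip": "203.0.113.5"},
    {"host": "ws-02", "type": "netconn", "image": "chrome.exe", "remote_ip": "198.51.100.7"},
    {"host": "ws-03", "type": "process", "image": "powershell.exe", "parent": "cmd.exe"},
]

class LocalIndex:
    """Inverted index kept on the endpoint itself, so searches never leave the host."""
    def __init__(self, events):
        self.events = []
        self.index = defaultdict(set)   # (field, value) -> positions in self.events
        self.triggers = []              # (criteria dict, reaction callable)
        for ev in events:
            self._add(ev)

    def _add(self, event):
        self.events.append(event)
        for field, value in event.items():
            self.index[(field, value)].add(len(self.events) - 1)

    def search(self, **criteria):
        """AND of field=value terms, answered from the index; returns matching events."""
        hits = None
        for field, value in criteria.items():
            found = self.index.get((field, value), set())
            hits = found if hits is None else hits & found
        return [self.events[i] for i in sorted(hits or ())]

    def add_trigger(self, criteria, reaction):
        self.triggers.append((criteria, reaction))  # IoA pattern + reaction to launch

    def collect(self, event):
        """Persistent collection: index the new event and fire any matching triggers."""
        self._add(event)
        return [reaction(event) for criteria, reaction in self.triggers
                if all(event.get(f) == v for f, v in criteria.items())]

def reactive_search(idx, bad_ip):
    """Reactive use case: which hosts have connected to a known-bad IP?"""
    return sorted({ev["host"] for ev in idx.search(type="netconn", remote_ip=bad_ip)})

def proactive_search(idx, **ioa):
    """Proactive use case: hunt for the exact combination of characteristics."""
    return sorted({ev["host"] for ev in idx.search(**ioa)})
```

The reaction is whatever your EDR is configured to do (here a placeholder tuple); in practice it would be a containment or notification action chosen by the defender.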
There’s more to come. In part two of our blog series, we’ll discuss triggers and reactions and how they come into play in disrupting an attack chain.
As part of Intel Security’s integrated and connected architecture, McAfee Active Response provides continuous visibility and insights into endpoint activity to help you act more quickly to remediate issues in a way that works best for your business. Intel Security unifies Protect, Detect, and Correct through the McAfee ePO platform into an adaptive feedback loop, enabling security to evolve and learn in an iterative cycle that improves over time. McAfee Active Response is the Detect and Protect component of this threat defense lifecycle, helping organizations identify compromises more effectively and implement quick remediation.