Key elements of effective endpoint detection and response
By Cameron Hunter, Senior Technical Product Manager, Advanced SOC Services
Bad actors are constantly devising new ways to break into corporate systems: from advanced malware and ransomware to new AI-driven tactics that make it possible to launch attacks at the press of a button. If your firewall or email security measures fail, the last line of defence is the endpoint detection and response (EDR) solution running on the employee device the attacker is targeting. That makes it paramount to select the right EDR solution – and the right EDR provider.
What should you look for when investing in an EDR solution for your business? In this blog, I’ll go over five key elements of an EDR solution and four important qualities to look for from an EDR provider.
What is EDR?
Every physical device connected to your corporate network – whether it’s a computer, laptop, smartphone, tablet, sensor, server or other kind of device – is an endpoint. For a hacker, each endpoint is a potential door into your network.
EDR solutions are key to detecting and stopping that kind of intrusion. Running as an agent on each device, they continuously record process, file, network and user activity, and compare it against the latest threat intelligence and behavioural analytics. This makes them effective against many of the tactics attackers use, including malicious scripts, infected email attachments and the post-compromise activity that follows the use of stolen credentials. Modern EDR solutions also use artificial intelligence (AI) to accelerate threat detection, investigation and response.
EDR solutions are often part of a broader extended detection and response offering, known as XDR. An XDR platform correlates endpoint telemetry with signals from other sources, such as email protection, network defence, identity and cloud workloads, so that a single attack can be followed across all of them.
What to look for in an EDR solution
With multiple EDR solutions on the market, it can be difficult to know which one will effectively identify and prevent intrusion attempts on your employees’ devices. Here are five elements to look for:
- Support for a wide variety of devices and operating systems
It’s very likely that the connected devices in use across your business include more than just PCs and laptops running Windows. Ensure whatever EDR solution you invest in is compatible with a broad range of devices (including virtual machines and cloud workloads) as well as operating systems beyond Windows, such as macOS, Linux and Unix.
- High-quality threat intelligence feeds
An EDR solution is only as good as the threat intelligence fed into it. Favour solutions from vendors who are committed to ensuring their threat intelligence sources are comprehensive, reputable and up to date. They should have their feeds verified by external experts, publish information regularly about current threats, and have a proven track record of identifying emerging threats early through close evaluation of attacker trends and activity.
- Automated responses to suspicious behaviour
During any given day, an EDR solution can flag numerous instances of suspicious behaviour. Some of these are unambiguous, for instance a file whose hash matches a known-malicious indicator. In those cases, a solution that can respond automatically (by quarantining the file, terminating the process or isolating the device from the network) frees up analysts to focus on the more complex or ambiguous events that require closer attention.
- Behavioural AI for analysis and response
Signature-based detection, inherited from traditional antivirus, is limited because it can act only on previously known threats. Complementing it with behavioural AI overcomes this limitation by establishing a baseline of the typical activity of a user, device or process and comparing that baseline to what is happening in real time. For instance, if an employee who typically uses just email and a word processor suddenly opens the registry editor, or if the word processor itself spawns a scripting host, an AI-enhanced EDR solution can detect this unusual behaviour and respond accordingly.
- Interoperability with other security services and technologies
An EDR solution that integrates with your security information and event management (SIEM); security orchestration, automation and response (SOAR); and other solutions can contribute to a big-picture view of system and threat activity. This streamlines operations and accelerates response to anomalous events.
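The baseline-versus-live comparison and the tiered automatic response described in the list above, as an added example (written for this article, not Bell's or SentinelOne's code). It learns which processes each user normally launches from a constructed set of sensor events, then triages new events: a known-bad hash is auto-quarantined, a sensitive tool that is outside the user's baseline or spawned by an office application is escalated to an analyst, and anything else is allowed or merely logged. The hashes, process names and the small "sensitive tools" list are assumptions for illustration, not real indicators.

```python
"""Behavioural-baseline triage over process-launch events (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    user: str
    process: str  # image name as reported by the sensor
    parent: str   # image name of the parent process
    sha256: str   # hash of the launched image


# Constructed threat-intelligence entry (placeholder hash, not a real IOC).
KNOWN_BAD_HASHES = {"deadbeef" * 8}
# Assumed list of tools that warrant a closer look when they are unusual.
SENSITIVE_TOOLS = {"regedit.exe", "powershell.exe", "certutil.exe", "wscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

BENIGN = "0" * 64  # placeholder hash for benign images

# Constructed learning-window telemetry: alice is an office user, bob an admin.
BASELINE_EVENTS = [
    ProcEvent("alice", "outlook.exe", "explorer.exe", BENIGN),
    ProcEvent("alice", "winword.exe", "explorer.exe", BENIGN),
    ProcEvent("alice", "chrome.exe", "explorer.exe", BENIGN),
    ProcEvent("bob", "regedit.exe", "explorer.exe", BENIGN),
    ProcEvent("bob", "powershell.exe", "explorer.exe", BENIGN),
    ProcEvent("bob", "mmc.exe", "explorer.exe", BENIGN),
]

# Constructed live events to triage.
LIVE_EVENTS = [
    ProcEvent("alice", "regedit.exe", "explorer.exe", BENIGN),      # new for alice
    ProcEvent("bob", "regedit.exe", "explorer.exe", BENIGN),        # normal for bob
    ProcEvent("alice", "winword.exe", "explorer.exe", "deadbeef" * 8),  # bad hash
    ProcEvent("alice", "notepad.exe", "explorer.exe", BENIGN),      # new, harmless
    ProcEvent("bob", "powershell.exe", "winword.exe", BENIGN),      # odd parent
]


def build_baseline(events):
    """Map each user to the set of process names seen during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.process.lower())
    return dict(baseline)


def triage(event, baseline):
    """Return (verdict, reason). Only the unambiguous case is auto-actioned."""
    proc, parent = event.process.lower(), event.parent.lower()
    if event.sha256 in KNOWN_BAD_HASHES:
        return "auto_quarantine", "image hash matches threat-intelligence feed"
    if parent in OFFICE_APPS and proc in SENSITIVE_TOOLS:
        return "escalate", f"{parent} spawned {proc}"
    if proc not in baseline.get(event.user, set()):
        if proc in SENSITIVE_TOOLS:
            return "escalate", f"{event.user} never launched {proc} during baseline"
        return "log", f"new process {proc} for {event.user}"
    return "allow", "within baseline"


def run_all(live_events=LIVE_EVENTS, baseline_events=BASELINE_EVENTS):
    """Triage every live event; returns the list of verdicts in order."""
    baseline = build_baseline(baseline_events)
    return [triage(e, baseline)[0] for e in live_events]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for ev in LIVE_EVENTS:
        verdict, reason = triage(ev, base)
        print(f"{verdict:16} {ev.user:6} {ev.parent} -> {ev.process}: {reason}")
```

The "log" tier is what proper tuning buys you: a process that is merely new for a user is recorded for later hunting rather than raised as an alert, so analysts see only the escalations. A real product also baselines hosts and parent-child relationships, not just users, and ships a far larger indicator set.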
What to look for in an EDR provider
The strength of an EDR solution comes from more than just its technology. The team behind it is equally important. For that reason, look for these four qualities in an EDR solution vendor:
- 24/7 support
Attacks aren’t limited to a business’s operating hours. In fact, many attacks happen outside of them, because attackers operate in different time zones or deliberately strike outside business hours, when they expect security coverage to be thin. That’s why it’s critical to ensure your vendor can provide around-the-clock EDR support.
- Continuous review and improvement of technology and processes
Threats are constantly evolving. Solutions (and their vendors) need to evolve to stay a step ahead of the attackers. The right vendor will be constant in their pursuit of faster response times and adaptation to emerging threats. One example is the use of AI to generate detection use cases or response playbooks from attack activity observed across their clients.
- Proper tuning
A vendor should never hand you a solution and leave you to it. To be effective, an EDR solution must be configured to your specific technology environment, security policies and existing security controls. This facilitates safe automation, minimizes impact on your core systems and reduces false positives. The right vendor will start with a comprehensive assessment of your environment before configuring solutions.
- Proactive threat hunting
Even if a threat has only just been identified, it may have made it through your defences in the past. Some vendors will search historical endpoint telemetry for indicators of newly identified threats to make sure that no trace remains on any of your endpoints.
Secure your endpoints with Bell Managed Threat Detection and Response
Not all EDR solutions or providers are alike. By focusing on the qualities that support optimal performance and adaptability, you can find an EDR solution that will help protect your business as Canada’s threat landscape continues to evolve.
Protect your business against even the most sophisticated attacks with Bell Managed Threat Detection and Response. Our solution combines the real-world experience of our 24/7 national security operations centres (SOCs) with SentinelOne’s industry-leading XDR technology and Mandiant’s world-class expertise in threat hunting and incident response. A dedicated Bell security delivery manager will be there to provide support and answer any questions you have, and integration with Bell Security Unified Response Environment (BSURE) gives us greater visibility across your network for faster threat detection and response.
Contact us today to learn more about how Bell Managed Threat Detection and Response can keep your business safe.