The market for Endpoint Detection and Response (EDR) solutions has grown rapidly in recent years, and industry analysts expect the trend to continue. Gartner predicts that by the end of 2025 more than 60% of enterprises will have replaced legacy antivirus products with combined EPP and EDR solutions.
The need for a holistic endpoint security solution is driven by more frequent and sophisticated attacks as well as EDR solutions becoming more accessible to medium-sized businesses. EDR is no longer just a solution for large enterprises, as many cybersecurity vendors now offer an affordable combination of EDR (Endpoint Detection & Response) and EPP (Endpoint Protection Platform).
For a top-level overview of key EDR capabilities and why businesses need an Endpoint Detection and Response solution, see our article ‘7 Reasons You Need an EDR Solution’.
In this article, we outline 10 of the most important things to keep in mind and ask your vendor when buying an EDR solution. These apply whether your organization is purchasing this type of solution for the first time or is going through a regular benchmarking or refresh process.
1. Integration with other security platforms
Make sure the EDR solution you are considering can exchange data with the security systems you already run. This is not only a matter of reducing workload for your IT/security team: to be effective, an EDR tool has to feed the systems that track, correlate and orchestrate the response to an attack, and in many cases it will take isolation or remediation instructions from them.
Ask for a documented API and for the export formats the product supports, especially if you already run a SIEM (security information and event management) system or a SOAR platform. Typical integration points are a REST API for pulling detections and host status, webhooks or a streaming feed for new alerts, and syslog/CEF or JSON export, so that the EDR can feed your existing tooling without a custom connector for every event type.
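As an added example of the kind of glue this integration requires (not code from the article or from any EDR vendor): a small Python module that turns a detection pulled from an EDR API into a CEF line a SIEM can ingest. The alert shape, the vendor/product names and the severity mapping are assumptions; the escaping rules are the ones CEF itself defines for header fields (backslash, pipe) and extension values (backslash, equals sign, line breaks).

```python
"""Normalize an EDR detection into a CEF line for SIEM ingestion (added example)."""
from datetime import datetime, timezone

# Constructed sample detection, shaped like a generic EDR API/webhook payload.
# Real vendor schemas differ; the field names here are an assumption.
SAMPLE_ALERT = {
    "id": "det-0001",
    "hostname": "ws-finance-07",
    "user": "CORP\\jdoe",
    "severity": "high",
    "technique": "T1059.001",
    "title": "PowerShell download cradle | encoded command",
    "process": "powershell.exe -enc SQBFAFgA",
    "timestamp": "2024-05-01T10:15:00Z",
}

# Vendor severities mapped onto CEF's 0-10 scale (assumed mapping).
SEVERITY_MAP = {"low": 3, "medium": 6, "high": 8, "critical": 10}


def cef_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are the special characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, equals sign and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def iso_to_epoch_ms(ts: str) -> int:
    """CEF's rt field takes epoch milliseconds; accept the common trailing 'Z'."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def alert_to_cef(alert: dict, vendor: str = "ExampleEDR",
                 product: str = "Agent", version: str = "1.0") -> str:
    """Build one CEF:0 line from a detection dict."""
    sev = SEVERITY_MAP.get(str(alert.get("severity", "")).lower(), 5)
    header = "|".join(cef_header(str(x)) for x in
                      (vendor, product, version, alert["id"], alert["title"], sev))
    # Keys from the ArcSight extension dictionary where one fits; the custom
    # string slots (cs1/cs2) carry fields CEF has no standard key for.
    ext = {
        "rt": iso_to_epoch_ms(alert["timestamp"]),
        "dhost": alert["hostname"],
        "suser": alert["user"],
        "cs1Label": "attack_technique",
        "cs1": alert["technique"],
        "cs2Label": "process_cmdline",
        "cs2": alert["process"],
    }
    ext_str = " ".join(f"{k}={cef_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{ext_str}"


if __name__ == "__main__":
    print(alert_to_cef(SAMPLE_ALERT))
```

The pipe in the sample title and the backslash in the domain user are there on purpose: an integration that skips the escaping step produces lines the SIEM parser splits in the wrong place, which is a common reason EDR alerts arrive in a SIEM with fields shifted or missing.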
2. Agent vs Agentless
The agent is the software component of an EDR solution that is installed on each endpoint. It is not strictly necessary: an EDR solution can also run as a passive sensor on the network, but that limits what it can see and do. A network sensor observes only traffic, and increasingly only encrypted traffic, whereas an agent on the endpoint can observe process creation, command lines, file and registry changes, logons and memory, and can act on the host (kill a process, quarantine a file, isolate the machine from the network) when it is compromised.
The main advantages of agentless EDR are quick deployment and the ability to monitor endpoints where an agent is difficult or impossible to install. The price is weaker data collection and a response limited to what can be done from the network, such as blocking or alerting, rather than on the host itself.
3. Operating System Support
This follows on from the previous point about endpoints on which an agent cannot be installed. One common reason is that the endpoint's operating system is not supported by the EDR solution. Choosing a solution that supports as many of your operating systems (and OS versions) as possible limits the problem.
Almost every EDR product has operating systems, or older versions of supported ones, for which no agent exists. For endpoints running an operating system your chosen provider does not support, agentless monitoring is a reasonable fallback, with the limitations described in point 2. Ask the vendor for its support matrix, including end-of-support dates for agent versions, and compare it against your asset inventory.
4. Devices not covered
As with operating systems, some device types may not be supported by your chosen EDR solution. Most smartphones, whether iOS or Android, are usually not covered by EDR tools (that is the domain of mobile threat defense products), and Internet of Things (IoT) devices are unlikely to be covered. Ask the vendor what is not covered and work out how many of your endpoints this applies to, so that you know which assets will need compensating controls such as network segmentation.
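Points 3 and 4 both come down to the same exercise: compare the vendor's support matrix and the hosts that actually report in against your asset inventory, and count what is left. The following is an added example of that check, not code from the article or from any vendor. The inventory, the supported-OS list and the set of enrolled hosts are constructed; in practice the first comes from your CMDB or discovery tool, the second from the vendor's documentation and the third from the EDR console's host list.

```python
"""Find the endpoints a candidate EDR would leave uncovered (added example)."""
from collections import Counter

# Constructed asset inventory: hostname, operating system, device class.
INVENTORY = [
    {"host": "ws-01", "os": "Windows 11", "class": "workstation"},
    {"host": "ws-02", "os": "Windows 10", "class": "workstation"},
    {"host": "mac-01", "os": "macOS 14", "class": "workstation"},
    {"host": "srv-db", "os": "Ubuntu 22.04", "class": "server"},
    {"host": "srv-legacy", "os": "Windows Server 2008 R2", "class": "server"},
    {"host": "cam-lobby", "os": "embedded Linux", "class": "iot"},
    {"host": "phone-ceo", "os": "iOS 17", "class": "mobile"},
]

# Constructed: the OS families the candidate vendor's agent supports (assumed
# list; take the real one from the vendor's support matrix).
SUPPORTED_OS_PREFIXES = (
    "Windows 10", "Windows 11", "Windows Server 2016", "Windows Server 2019",
    "Windows Server 2022", "macOS", "Ubuntu", "RHEL",
)

# Constructed: hostnames currently reporting to the EDR console (e.g. a pilot).
ENROLLED = {"ws-01", "mac-01", "srv-db"}


def coverage_report(inventory, supported_prefixes, enrolled):
    """Sort every asset into covered, not_enrolled (supported OS but no agent
    reporting) or unsupported (no agent exists for its OS at all)."""
    report = {"covered": [], "not_enrolled": [], "unsupported": []}
    for asset in inventory:
        if not asset["os"].startswith(supported_prefixes):
            report["unsupported"].append(asset["host"])
        elif asset["host"] not in enrolled:
            report["not_enrolled"].append(asset["host"])
        else:
            report["covered"].append(asset["host"])
    return report


def gap_by_class(inventory, report):
    """Uncovered assets per device class: the numbers to put to the vendor."""
    uncovered = set(report["unsupported"]) | set(report["not_enrolled"])
    return Counter(a["class"] for a in inventory if a["host"] in uncovered)


def coverage_fraction(inventory, report):
    """Share of the inventory with a working agent."""
    return len(report["covered"]) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    rep = coverage_report(INVENTORY, SUPPORTED_OS_PREFIXES, ENROLLED)
    print(rep)
    print(dict(gap_by_class(INVENTORY, rep)), f"{coverage_fraction(INVENTORY, rep):.0%}")
```

The two uncovered categories need different conversations. "Not enrolled" hosts are a deployment problem you can fix yourself; "unsupported" hosts are a product limitation, and for those you want either a roadmap date from the vendor or a plan for agentless monitoring and segmentation.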
5. Cloud Support
It is important to know whether an EDR solution supports cloud environments and to what extent. That the management console is delivered from the cloud says nothing about whether the product can protect your cloud workloads.
60% of the enterprise EDR market is already delivered by the cloud (Gartner Innovation Insight for Cloud Endpoint Protection Platforms, April 2019). This does not necessarily mean that the product protects your other cloud systems: the agent still has to run inside the virtual machine or container, some hosting models (serverless functions, managed PaaS, SaaS applications) leave nowhere to install one, and you may need additional protection for specific cloud applications. Ask which cloud workload types the agent supports and how it is deployed there.
6. System Updates
The threat landscape is constantly evolving as attackers adopt new tactics, techniques and procedures (TTPs), so an EDR system that is not regularly updated quickly becomes blind to current threats. To respond effectively you need a solution that receives regular updates, not only to Indicators of Compromise (IoCs) but to its behavioral detection rules and models and to the agent itself. Ask how often each of these is updated, whether agent updates can be staged on a pilot group before the whole estate, and whether a faulty update can be rolled back: a bad update to an agent that runs with high privilege on every endpoint can cause an outage on its own. Also consider how much of your IT security team's time will go into managing and installing these updates and how much of that can be automated.
7. Scalability and Future Growth
82% of organizations are seeking an all-in-one solution for their IT network security needs (F-Secure 2020 B2B Market Research). That may not be achievable today, but if you are among them it is worth asking your supplier what options the EDR platform offers for adding new components and functionality in the future. You should also consider how the solution copes with growth: more endpoints, more telemetry per endpoint, and more external and remote devices, and whether licensing, data retention and console performance scale with them.
8. Impact on Endpoint Performance
If the EDR solution requires an agent on your endpoints, you need to know what resources it consumes. Will you need to invest in better hardware to keep endpoint performance at an acceptable level?
As a rough rule of thumb, steady-state CPU usage for an EDR agent should be around 1%; if it regularly exceeds that, the agent is probably not well optimized. Memory usage varies with the weight of the agent but should not exceed about 50 MB at rest. Measure idle usage separately from the bursts during scans, updates and heavy telemetry collection, and do it on an image that matches your own build, because a developer workstation or a build server generates far more events than a call-center PC. Your supplier should be able to show you performance data for systems similar to yours, and you should verify it in a pilot.
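Vendor performance figures are easy to verify yourself during a pilot. The following is an added example of how to do that, not code from the article or from any vendor: it samples one process from Linux /proc over a period and summarizes the samples against the rule-of-thumb thresholds above. The sampler is Linux-only (on Windows you would collect the same two numbers with Get-Counter or the Task Manager history); the summary function works on samples from any platform. CPU is reported as a percentage of one core, so "1%" here means 1% of a single core, which is the assumption made in reading the article's figure.

```python
"""Sample an EDR agent's CPU and memory and judge it against a threshold (added example)."""
import os
import time

try:
    CLK_TCK = os.sysconf("SC_CLK_TCK")  # clock ticks per second for /proc/<pid>/stat
except (AttributeError, ValueError, OSError):
    CLK_TCK = 100


def read_proc_sample(pid: int):
    """Return (cpu_seconds_total, rss_mb) for one process from /proc (Linux only)."""
    with open(f"/proc/{pid}/stat") as f:
        # The comm field can contain spaces and parentheses, so split after ')'.
        fields = f.read().rsplit(")", 1)[1].split()
    utime, stime = int(fields[11]), int(fields[12])  # fields 14 and 15 of stat
    with open(f"/proc/{pid}/status") as f:
        rss_kb = next(int(line.split()[1]) for line in f if line.startswith("VmRSS:"))
    return (utime + stime) / CLK_TCK, rss_kb / 1024


def sample_process(pid: int, seconds: int = 60, interval: float = 1.0):
    """Collect (cpu_percent_of_one_core, rss_mb) once per interval for a running agent."""
    samples = []
    prev_cpu, _ = read_proc_sample(pid)
    for _ in range(int(seconds / interval)):
        time.sleep(interval)
        cpu, rss = read_proc_sample(pid)
        samples.append(((cpu - prev_cpu) / interval * 100.0, rss))
        prev_cpu = cpu
    return samples


def percentile(values, p):
    """Linear-interpolated percentile, so one scan burst does not dominate the verdict."""
    s = sorted(values)
    k = (len(s) - 1) * p / 100.0
    lo, hi = int(k), min(int(k) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def evaluate(samples, cpu_limit: float = 1.0, mem_limit_mb: float = 50.0):
    """Summarize samples and flag an agent whose p95 CPU or peak memory is over the limit."""
    cpus = [c for c, _ in samples]
    mems = [m for _, m in samples]
    summary = {
        "cpu_p50": percentile(cpus, 50),
        "cpu_p95": percentile(cpus, 95),
        "cpu_max": max(cpus),
        "mem_p50": percentile(mems, 50),
        "mem_max": max(mems),
        "cpu_over_limit_fraction": sum(c > cpu_limit for c in cpus) / len(cpus),
    }
    over = summary["cpu_p95"] > cpu_limit or summary["mem_max"] > mem_limit_mb
    summary["verdict"] = "investigate" if over else "ok"
    return summary


if __name__ == "__main__":
    import sys
    # Usage: python agent_perf.py <pid-of-edr-agent> [seconds]
    pid = int(sys.argv[1])
    duration = int(sys.argv[2]) if len(sys.argv) > 2 else 60
    print(evaluate(sample_process(pid, duration)))
```

Run it once on an idle machine and once while the agent is scanning or you are generating load (a build, a large file copy), and keep both result sets: the idle numbers are what to compare with the vendor's data sheet, the loaded numbers are what your users will notice.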
9. Custom Threat Detection Models
Depending on the level of in-house expertise you have, you may want to design your own threat detection logic, or at the very least tune the vendor's presets. EDR vendors will tell you that the presets are optimized for the best performance, but every organization is different and there is no standard machine learning model that fits every environment. Ask whether you can write custom detection rules, suppress or re-score noisy detections, and import your own indicators, and whether your customizations survive product updates.
10. Supplier Support
This one comes down to confidence in the vendor, but there are indicators to watch for. What happens when an attack gets past the EDR, or when the EDR platform itself is compromised? Does the supplier charge for incident response services? There is a clear potential conflict of interest when the party that missed an attack is also paid to clean it up.
Make sure you know in advance what level of support is available to you and what the level of expertise of your account manager is. If you use a managed services provider, they are often in a good position to evaluate the relative support levels of different providers, although you should consider any incentives that may be present on their side of the transaction. Again, this really boils down to trust between all parties being the most important factor.