10 Considerations Before Buying an Endpoint Detection and Response (EDR) Security Solution – Part 2
In part one of our blog about considerations before purchasing an endpoint detection and response (EDR) security solution, we outlined four key factors:
- Agent vs. agentless monitoring
- What EDR systems can’t monitor
- Running an EDR in your cloud
- Integrating EDRs with other tools
In the second half of this two-part blog series, we’ll explore additional considerations when selecting an EDR solution…
5. Does the EDR Software Receive Frequently Updated Signatures and Models Designed to Detect Advanced Attacker Tactics, Techniques and Procedures (TTPs)?
Threats change daily as attackers continuously work to improve their TTPs, and so, too, must the signatures and models that are used to detect the presence of threats in a network. The EDR platform must get frequent updates, preferably including well-sourced, high-quality Indicators of Compromise (IoCs) and Indicators of Attack (IoAs). Some products also allow the enterprise to incorporate its own IoCs/IoAs, which may be developed in-house or obtained from cyber threat intelligence subscription services.
Most tools today use machine learning (ML) to scrutinize endpoint and network activities to look for anomalies that could be indicative of risks and threats. ML uses algorithms, or models, to analyze the data, and these models need frequent tuning to continue to produce the most accurate possible results in detecting anomalies.
6. Does the EDR Solution Prioritize Threat Alerts to Reduce “Alert Fatigue”?
One problem that is notorious in the cybersecurity tools market is the tendency to surface everything that looks suspicious as an alert—whether the suspicious activity is an actual threat or not. This sends far too many alerts to security analysts, creating “alert fatigue” that results in many notifications – some of which could be important – being ignored for lack of time. An effective EDR software platform is able to collect and correlate sufficient data such that threats are validated before raising an alert to human investigators.
Infocyte reduces the likelihood of false positives as well as false negatives – thus ensuring that alerts are warranted – in a number of ways. First of all, we leverage numerous third-party threat intelligence sources and have our own analysis engine to ensure that threats that are identified are valid and true. We check, and check again, to avoid causing alert fatigue.
We collect massive amounts of data and compare what we see across different customer environments to better understand what is and is not a real threat. Our system learns on an ongoing basis from every environment where we’re deployed, not just from your own environment. Just last year we did over 500,000 forensic inspections and this gives us very broad and deep knowledge about actual threats.
Next, we use machine learning and artificial intelligence to compare what we find against billions of samples of malicious and good code to understand what is and is not a real threat. This helps us to further hone our threat models for accuracy.
Another aspect is that the Infocyte platform can be specifically tuned to whitelist or blacklist threats, processes, and artifacts, i.e., specific things that it needs to look for or ignore in your environment based on your specific rules. You can fine-tune the system yourself to increase the accuracy of threat detection.
7. Can Your EDR Software Accept Custom Detection Models and/or Rules for Your IT Environment?
There is no “one-size-fits-all” machine learning algorithm that is optimized for every possible situation. Given that every enterprise environment is different, the threat detection models should, ideally, be customizable to meet each company’s needs. An EDR software vendor should allow for extensive customization by knowledgeable users and/or consultants.
8. Extensibility: Beyond Detection and Incident Response, What Additional Capabilities can the Chosen EDR Solution Perform?
Wikipedia defines extensibility as a software engineering and systems design principle that provides for future growth without impairing existing system functions. Extensions can be through the addition of new functionality or through modification of existing functionality. Thus, extensibility of an EDR system provides greater value and allows an enterprise to get a better return on its investment.
Endpoint Detection and Response is a category of security software tools that monitor end user hardware devices across a network for a range of suspicious activities and behavior, reacting automatically to block perceived threats and saving forensics data for further investigation. The vast amount of information such a solution collects and stores makes the system ripe for extensibility into many other capabilities.
In terms of the Infocyte platform, the capabilities are practically endless. Extensibility allows you to tie in to other systems that you’ve got in your environment, whether it be a SIEM, SOAR, IR or other platform. For instance, if you have a SOAR platform, when Infocyte detects a threat you can apply an extension that will automatically kick off a particular IR workflow, create a ticket within your ticketing system, or even trigger your EDR platforms to update their whitelisting or blacklisting rules to tighten your defenses. You can also initiate custom YARA detection rules, so you can build your own queries to analyze or take action on the data that you find.
Infocyte has a built-in UI that is similar to the Lua programming language and you can actually write the extensions yourself. You can develop, deploy, and share custom Collection and Action Extensions on Infocyte’s Extensions GitHub.
9. Can the EDR Security Software Track Progress and Improvements in Data Security and Hygiene Over Time via Reporting and/or Dashboards?
Cybersecurity is being given Board-level scrutiny today. Corporate executives are held accountable for security breaches, and so they want to deeply understand their enterprise’s security posture. While a point-in-time assessment can be valuable, executives are more interested in seeing a trend over time. They ask, is the security posture improving or losing ground? A good EDR tool will provide executive reports and/or a dashboard that track progress over time and show how data security is improving.
10. Price—How Much Does the Overall EDR Solution Cost?
Pricing can vary greatly from vendor to vendor and customer to customer. Solutions are often priced according to the number of endpoints being monitored. According to one consulting firm, some EDR licenses include cloud hosting, others do not. Budget $5-10/endpoint annually if hosting is not included; up to $30 per seat if hosting is included.
Of course, purchase price is only one factor; buyers should be aware that getting the full value out of an EDR solution will likely require dedicated experts and additional investments. The enterprise may need to staff up with threat researchers, threat hunters, data scientists (to tune detection models), incident responders, application developers (to build integrations and automation), and IT operations personnel.
Recall the earlier comments about the need to customize threat detection models to achieve the highest level of accuracy. Whether the enterprise has people on staff to do this, hires consultants or outsources the solution to an MSP, some tuning and optimization will undoubtedly add to the overall cost.
Infocyte’s pricing information is pretty straightforward: the solution is priced per node per month, billed annually. In addition, we offer a service layer called the Command Plan, a subscription that essentially includes MDR and is supported by our network of partners. Command Plan pricing starts around five dollars per endpoint but is ultimately based on the level of services that you need, the size of your environment, and other factors that would be custom-tailored to your business’ needs.