8 Key Capabilities Managed Security Service Providers Need from their Endpoint Detection and Response Platform
This post was last updated on April 2nd, 2020 at 02:43 pm
Endpoint devices represent a significant attack surface for most enterprises. Many businesses don’t have the resources or the expertise to thoroughly monitor their own endpoints and to promptly respond as needed when threats are detected. Their logical course of action is to outsource the full range of activities for endpoint threat detection and response to a Managed Security Service Provider (MSSP) that specializes in providing 24×7 monitoring and response. For their part, MSSPs need the right tools with the right level of automation to augment the capabilities of their in-house security experts.
The market for Endpoint Detection and Response (EDR) platforms is both large and mature. The August 2019 Gartner Magic Quadrant report for this market features 20 products—and this certainly doesn’t cover every product that professes to provide protection and detection functionality at the endpoint. In such a crowded market that is still evolving in terms of capabilities, what should an MSSP look for when selecting a product?
Here are 8 key requirements that MSSPs need from their EDR platforms.
1. Speed and Ease of Deployment
The sooner a platform is deployed and running, the sooner the service provider can begin monitoring for and responding to threats. Ideally, a platform should begin inspecting an environment within minutes. That means no "heavy lifting" to get started, only a simple configuration of which environment to inspect.
There should be minimal impact to a customer’s business and network operations when deploying and configuring such a security solution. Moreover, the platform should have the ability to quickly and automatically enumerate and identify all systems within an environment to ensure there are no gaps in monitoring and coverage.
2. Flexible Deployment Options
Some EDR platforms require a software agent on the endpoints while others do not. There are pros and cons on both sides of the agent versus agentless models.
On the plus side, agents enable the MSSP to capture extensive details about each device’s configuration and what’s happening on the device, along with all user activity taking place on or through the device. Agents also enable interactive intervention in a user’s session when needed; for example, to quarantine the device if malicious activity is suspected.
However, the agent-based approach has its drawbacks. Agents require installation and management. No agent may exist for devices running operating systems the vendor does not support (network gear, embedded and legacy systems, for example), leaving gaps in coverage. What's more, guests and owners of unmanaged devices may not agree to having an agent installed.
Without an endpoint agent, some data cannot be collected, such as local user activity on remote computers. More troublesome, without a presence on the endpoint device the response capabilities of an EDR platform are limited and may require another tool.
Many enterprises find they need to use both an agent-based and an agentless model in order to cover all endpoints and network-based devices, and to overcome the shortcomings of each approach listed above.
3. In-Memory and System Forensic Detection
Because attackers have gotten clever and utilize in-memory-only malware, the EDR platform must have the ability to conduct deep forensic inspections of assets that focus on memory, running processes, files, user accounts, network connections, and drivers—essentially the entire running system.
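As an added illustration of one check such a forensic inspection performs (example code written for this article, not Infocyte's), the following Python script parses Linux /proc/<pid>/maps output and flags executable regions that have no on-disk backing: anonymous read-write-execute regions, memfd-backed mappings, and mappings whose backing file has been deleted. The sample maps text is constructed, and the heuristics are assumptions: JIT runtimes and browsers also create rwx regions, so a real deployment needs an allow-list.

```python
"""Flag code that runs from memory without an on-disk backing file (Linux).

Added example, not Infocyte's code. The heuristics are assumptions about
what "fileless" execution looks like in /proc/<pid>/maps:
  * anonymous regions mapped rwx (typical of injected shellcode, but also
    of JIT runtimes, so expect to allow-list browsers and managed runtimes);
  * executable mappings backed by memfd_create() objects, which never touch disk;
  * executable mappings whose backing file has been deleted (drop, exec, unlink).
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    reason: str
    perms: str
    path: str


def inspect_maps(maps_text: str) -> list[Finding]:
    """Return one Finding per suspicious executable region in a maps listing."""
    findings: list[Finding] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m["perms"], m["path"].strip()
        if "x" not in perms:
            continue  # only executable regions can host running code
        if path.startswith("/memfd:"):
            findings.append(Finding("executable memfd mapping (fileless binary)", perms, path))
        elif path.endswith("(deleted)"):
            findings.append(Finding("executable mapping backed by a deleted file", perms, path))
        elif path == "" and "w" in perms:
            findings.append(Finding("anonymous rwx region (possible injected code)", perms, "[anon]"))
    return findings


def scan_proc(proc_root: str = "/proc") -> dict[int, list[Finding]]:
    """Walk every readable <proc_root>/<pid>/maps; unreadable processes are coverage gaps, not findings."""
    results: dict[int, list[Finding]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), encoding="utf-8", errors="replace") as fh:
                found = inspect_maps(fh.read())
        except OSError:
            continue  # process exited mid-scan, or not readable without root
        if found:
            results[int(entry)] = found
    return results


# Constructed maps text standing in for a compromised process (not real data).
SAMPLE_MAPS = """\
55d4c3e00000-55d4c3e01000 r-xp 00000000 fd:01 1234567                    /usr/bin/sleep
7f2a10000000-7f2a10021000 rw-p 00000000 00:00 0
7f2a10021000-7f2a10031000 rwxp 00000000 00:00 0
7f2a20000000-7f2a20100000 r-xp 00000000 00:05 98765                      /memfd:payload (deleted)
7f2a30000000-7f2a30010000 r-xp 00000000 fd:01 4455                       /tmp/.x/stage2 (deleted)
7ffd5a3b0000-7ffd5a3d1000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    for f in inspect_maps(SAMPLE_MAPS):
        print(f"SAMPLE   {f.perms}  {f.path:<40} {f.reason}")
    for pid, found in scan_proc().items():
        for f in found:
            print(f"pid {pid:<6} {f.perms}  {f.path:<40} {f.reason}")
```

Run as root to get full coverage; as an unprivileged user the scan silently skips processes it cannot read, which is exactly the kind of monitoring gap the deployment requirements above warn about.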
We take a unique approach compared to many EDR security providers when it comes to our detection engine. Infocyte monitors and catalogs what is happening on the endpoint right now, while also providing a complete historical forensic analysis of what transpired on all endpoints we inspect—even before Infocyte was installed.
This historical forensic timeline gives MSSPs a clear trail of evidence, starting with the initial attack, and helps security teams understand how long the malicious item dwelled in the environment and how the attack moved inside the network.
4. Historical Data and Trends
The EDR platform must have the ability to analyze historical data against newly discovered threats to determine whether a threat already exists in the environment, and if so, how long it has been there and what it has done. Threats can be lurking in the system and they may go undetected until new threat models or signatures are available to scrutinize the historical information.
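A minimal form of this retroactive hunt, as an added example (not from the original post or any vendor product): given a historical inventory of which executable hashes ran on which hosts and when, plus a newly published indicator, it reports the affected hosts, the first and last sighting per host, the host where the timeline starts, and dwell time relative to the time of the hunt. The inventory rows, hostnames and hashes are constructed.

```python
"""Retroactive hunt: check a newly published indicator against historical endpoint data.

Added example, not from the original post or any vendor product. The inventory
rows and hashes below are constructed. In a real deployment the rows would come
from the EDR platform's stored process/file inventory.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)


# Constructed hashes: derived from fixed strings so the sample is reproducible.
IOC_SHA = hashlib.sha256(b"constructed sample: malicious updater").hexdigest()
BENIGN_SHA = hashlib.sha256(b"constructed sample: legitimate sshd").hexdigest()

# Constructed historical inventory: (host, sha256 of executable, path, seen_at).
HISTORY = [
    ("ws-004", BENIGN_SHA, "/usr/sbin/sshd", "2020-01-10T08:00:00Z"),
    ("ws-017", IOC_SHA, r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "2020-02-02T17:40:00Z"),
    ("ws-017", IOC_SHA, r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "2020-01-14T09:12:00Z"),
    ("srv-db-02", IOC_SHA, "/var/tmp/.cache/kworker", "2020-03-20T03:05:00Z"),
    ("ws-017", BENIGN_SHA, "/usr/sbin/sshd", "2020-03-01T12:00:00Z"),
]


def retro_hunt(history, iocs: set[str], now: datetime) -> dict[str, dict[str, dict]]:
    """Map each matched IOC hash -> host -> first/last sighting, paths and dwell time.

    Dwell time is measured from the first sighting to `now` (the time of the hunt):
    until a response has happened, the threat must be assumed to still be present.
    """
    hits: dict[str, dict[str, dict]] = {}
    for host, sha, path, seen_at in history:
        if sha not in iocs:
            continue
        t = parse_ts(seen_at)
        h = hits.setdefault(sha, {}).setdefault(host, {"first": t, "last": t, "paths": set()})
        h["first"] = min(h["first"], t)   # rows may arrive in any order
        h["last"] = max(h["last"], t)
        h["paths"].add(path)

    report: dict[str, dict[str, dict]] = {}
    for sha, per_host in hits.items():
        report[sha] = {
            host: {
                "first_seen": h["first"].strftime(ISO),
                "last_seen": h["last"].strftime(ISO),
                "dwell_days": (now - h["first"]).days,
                "paths": sorted(h["paths"]),
            }
            for host, h in per_host.items()
        }
    return report


def patient_zero(hosts: dict[str, dict]) -> str:
    """Host with the earliest sighting: where the timeline of the intrusion starts."""
    return min(hosts, key=lambda host: hosts[host]["first_seen"])  # fixed-width ISO strings sort chronologically


if __name__ == "__main__":
    now = parse_ts("2020-04-01T12:00:00Z")  # constructed: the day the indicator was published
    for sha, hosts in retro_hunt(HISTORY, {IOC_SHA}, now).items():
        print(f"IOC {sha[:16]}... seen on {len(hosts)} host(s); earliest on {patient_zero(hosts)}")
        for host, h in sorted(hosts.items(), key=lambda kv: kv[1]["first_seen"]):
            print(f"  {host:<10} first {h['first_seen']}  last {h['last_seen']}  dwell {h['dwell_days']}d  {h['paths']}")
```

The point of keeping the inventory rather than just alerting at collection time is visible in the result: the indicator is only known on 1 April, but the data shows it was already running on ws-017 in mid-January and later appeared on a database server, which is the dwell-time and lateral-movement picture the paragraph above describes.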
5. Continuous and Real-time Monitoring
Some EDR platforms rely on analyzing historical data from logs and other static datasets. Cyberattacks such as ransomware attacks move quickly, so the EDR platform must provide analysis of security events in real-time to ensure timely detection of and response to suspicious activity.
6. Automation at Scale
Automation is a force multiplier for an overworked and understaffed security team. The EDR tool must support automated scanning of systems, updates of detection models, responses to threats, and mitigation workflows. What's more, the automation must scale to the size of the enterprise.
7. Integration with the Existing Security Ecosystem
The platform must integrate smoothly into the existing security ecosystem, becoming part of the overall security solution rather than acting in isolation or attempting to solve all of an organization's security challenges.
8. Reporting and Visualization
Corporate executives are held accountable for security breaches, so they want to understand their enterprise's security posture in depth. They need visualizations that highlight key performance indicators for the overall security stance and progress toward improvement.
MSSPs provide a vital service in monitoring their customers’ endpoints for threats in real-time. The security team needs the right tools to complement their security expertise. Using the right type of EDR platform can be a real force-multiplier by automating many of the tasks involved in detecting and responding to threats before they become larger issues.