Answering the 10 must-ask questions for evaluating EDR tools

In response to Kim Lindros’ article, 10 must-ask questions for evaluating EDR tools posted on CIO.com, I’ve summarized how the Cybereason solution addresses these questions.

1. What business problems are you trying to solve?

Cybereason helps organizations answer the question “Am I under attack?” Unfortunately, many organizations today cannot confidently answer this question. Even worse, if they suspect they may be under attack, they often have no way to see how the attacker got in, what the attacker is doing, which machines have been affected, or what damage has been done.

The Cybereason solution helps organizations quickly gain the visibility necessary to answer these questions by providing real-time situational awareness.

2. What is the EDR solution's lookback period for data?

Cybereason stores historical data for a certain period of time depending upon the organization's size and specific requirements. While keeping historical data is important for compliance requirements and investigation purposes, the Cybereason platform focuses on delivering real-time intelligence so you know if you’re under attack today - not 3 weeks or 3 months ago.

3. Does the EDR solution integrate with threat intelligence platforms and other existing tools?

The solution is designed to fit easily into a Security Operations Center (SOC) and can incorporate threat intelligence feeds to detect, block, and classify threats. Integrating with threat intelligence helps reduce noise by blocking known threats, but Cybereason does far more than that. The solution continuously runs behavioral analytics on data collected from across the entire enterprise to identify malicious behavior. Instead of looking only at what the data is, Cybereason looks at what the data is doing. This enables the solution to uncover and surface the malicious activities that expose the attacker.

4. How many resources will the EDR solution require to support the technology?

Cybereason is an automated solution that does not require a massive team of analysts to support. The solution automatically prioritizes threats to help reduce alert fatigue and reduces the amount of time analysts waste chasing dead ends. With Cybereason, analysts can quickly become aware of and respond to the most urgent incidents. Cybereason also provides analysts with the ability to easily pivot between data points in the investigation console, substantially decreasing the time it takes to thoroughly investigate a threat when more details are needed.

5. Does the solution disrupt endpoints?

Many EDR solutions require a kernel-level agent to be deployed on all endpoints, but this inherently makes endpoints susceptible to crashing. Cybereason is the only EDR solution that deploys in user space. This minimizes the impact to the endpoint and enables the solution to collect a vast amount of data for analysis.

6. What operating systems does it support?

Cybereason supports a range of operating systems including Windows, Linux, and OSX. This is particularly important for organizations that have a mixed environment and require the ability to detect and remediate attacks across the entire enterprise.

7. Are there any scalability issues I should be aware of?

Large organizations have many endpoints, which, unsurprisingly, generate enormous amounts of data. Scalability quickly becomes a concern when evaluating EDR solutions. The Cybereason platform was built to scale easily and support the largest organizations, those with hundreds of thousands of endpoints. With Cybereason's proprietary Hunting Engine, the solution can quickly correlate massive amounts of data and detect malicious operations in real time.

8. Does the solution offer workflow reporting or interact with other ticket systems?

Usability is extremely important. Cybereason has an API to build integrations with all tools in your SOC including reporting tools, SIEM solutions, ticketing systems, etc.

9. Does the solution offer multitenancy?

This is a critical consideration when purchasing an EDR solution. Cybereason supports multitenancy and ensures that every customer has its own, unique instance. This matters because you don’t want your data to cross-pollinate with other organizations’ data. Any organization that values security and privacy (which I hope is all of them) should ensure that its EDR platform supports multitenancy.

10. Can my organization afford an EDR solution?

Absolutely. Cybereason is a SaaS platform and is priced per endpoint. So, the solution is designed to be affordable for both small and large organizations. The other factor to consider is the opportunity cost of not having a threat detection platform in place. How much will it end up costing you if an attacker is able to get into your network and execute an attack before you’re able to stop them?

Sarah Maloney
About the Author

Sarah Maloney is a writer for the Cybereason Blog, covering all things cybersecurity.