The EDR Buyer's Guide

An endpoint detection and response (EDR) platform significantly improves your security team's ability to find the most subtle and dangerous threats lurking in your network. However, not all EDR platforms are created equal. When evaluating EDR platforms, you should consider capabilities including the level of visibility, investigation and response effectiveness, ease of deployment, impact on the environment, and the server-side processing capabilities.

Deep Visibility of an Environment Enables Attack Detection at All Stages of the Kill Chain

An EDR platform must collect crucial information across the IT environment to deliver deep visibility of what is occurring at any given point in time. The platform needs to include the capability to:

  • Automatically detect prevalent, sophisticated threats, such as fileless malware and lateral movement.
  • Spot unknown threats that don’t have an easily definable signature using statistical and behavioral analysis.
  • Correlate associated suspicious activities across multiple endpoints, regardless of operating system.
  • Run continuously to catch short-lived processes. No visibility gaps. No snapshots needed.
  • Monitor memory and file-based activity.


Effective Investigation and Response Enables SOC Teams to be Heroes

An EDR platform should allow Security Operations Center (SOC) teams to efficiently hunt for threats and quickly respond to attacks. The platform needs to include the capability to:

  • Proactively monitor your environment for you.
  • Prioritize alerts for you, while still providing full visibility into all suspicious behavior.
  • Provide Level 1 and Level 2 analysts with the context and capability to fully investigate and address detected threats, with a complete suite of remediation tools, such as the ability to kill processes, quarantine files, remove persistence mechanisms, isolate endpoints, and block executables.
  • Allow Level 3 analysts to dive into the details of the most subtle attacks.
  • Automatically identify and collect suspicious activities associated with a suspicious user, machine, or network connection.
  • Support the full lifecycle of detection, investigation, remediation and prevention of re-infiltration.
  • Guide SOC analysts through manual investigations.


Easy Deployment Enables Significant Value to Be Gained in a Short Period of Time

An ideal EDR platform needs to be easy to roll out and to gain acceptance from your peers in the IT organization. The solution should reduce your management burden. The solution should:

  • Have sensors that do not disrupt the endpoint and do not have an impact on other programs or the operating system. It is important that the EDR sensor is easy to deploy and support.
  • Deploy quickly to tens or hundreds of thousands of endpoints, in a scalable and cost-effective way.
  • Work immediately out-of-the-box, using pre-existing behavioral models to address the unique characteristics of your environment.
  • Offer optional support services, such as monitoring and incident response, while remaining designed to be used on its own.


Low-Impact Sensors Minimize the Impact on Users

An ideal EDR platform should have minimal or zero impact on your endpoint users and on your deployment methodologies. The endpoint sensor needs to minimize the risk of causing user outages and minimize integration testing requirements prior to rollout. The solution needs to use an endpoint sensor that:

  • Operates in user space, offering full visibility without either the risk of causing a “blue screen” by conflicting with other software or the need to spend significant time on integration testing before rollout and system updates.
  • Does not consume a significant portion of endpoint resources.
  • Does not interfere with any user tasks by slowing down activity conducted by the user.
  • Shares information with the server in real time, with minimal network performance impact.
  • Provides deep, on-demand access for forensic information gathering.


Powerful, Centralized Servers Correlate All Endpoint Data to Efficiently and Effectively Detect, Remediate, and Prevent Threats

An ideal EDR platform should do more than analyze data on the endpoint. The solution needs to analyze data centrally to identify patterns and anomalous behavior across endpoints. The platform needs to include servers that:

  • Ensure constant information availability by storing crucial information on the server.
  • Correlate malicious activity across sensors, identifying threats before more aggressive threat activity occurs in additional locations.
  • Leverage threat intelligence to enrich information gathered from endpoints.


Buyer Checklist

Detection

  • Does the solution automatically detect fileless malware and lateral movement?
  • Does the solution perform statistical and behavioral analysis?
  • Does the solution correlate activities across multiple endpoints?
  • Does the agent run continuously on the endpoint?
  • Does the solution monitor memory as well as file-based activity?

Investigation & Response

  • Does the solution proactively monitor and alert on security incidents?
  • Does the solution prioritize incidents and provide visibility into suspicious activity?
  • Does the solution allow you to kill processes, quarantine files and delete registry keys on affected endpoints?

Deployment

  • Does the agent deploy quickly without impacting end users?
  • Does the solution come preconfigured to detect and hunt for threats?
  • Does the solution come with the option to deploy in the cloud or on-premises?
  • Does the solution offer the option of a managed service?

Environment Impact

  • Does the endpoint agent run in user space?
  • Does the solution use less than 5% of CPU resources and 50 MB of memory?
  • Does the solution transmit less than 10 MB in network traffic?

Server Processing

  • Does the solution store critical information centrally?
  • Does the solution perform centralized threat analytics and behavioral analytics?

About the Author

Lital Asher-Dotan

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department, specializing in brand building, product marketing, communication and content. She is passionate about building ROI-driven marketing teams.