Adoption of endpoint detection and response (EDR) solutions became top of mind for many organisations as the pandemic dispersed the workforce. Andy Bogdan, Head of UK Channel, Kaspersky, explains how EDR can help companies, but only when it is strategically embedded into a managed, licensed and already hardened IT environment rather than adopted as a silver bullet.
Before the pandemic pressed pause on much of our lives and forced us to retreat to the safety of our homes, staffing limitations were cited as the primary reason why 61% of businesses had not already adopted endpoint detection and response (EDR) solutions. In effect, employees' skills did not match the sophistication of the tool well enough to use it to its full potential.
A few months later, after weeks spent in lockdown, research found that nearly three-quarters (73%) of workers had received no additional IT security awareness training, despite the mass migration to homeworking and a hurried change of mind on EDR adoption.
So, what changed? In part, the accelerated transition to remote working and the desperate need to protect a dispersed device network backed enterprises into a corner. Businesses naturally felt obliged to take action and to discard their previous concerns about readiness.
At first glance, this is an understandable defence plan. By the middle of 2020, sensors had already recorded more than 726 million cyberattacks launched against online resources, while IT teams struggled to protect their now-at-home endpoints from malware. With flexible working set to continue, IT teams need to secure these workspaces.
EDR naturally looked like the answer to businesses' security gaps, its value reaffirmed after earlier claims that it was outdated. EDR is now finding favour over traditional anti-virus and can indeed play its part in mitigating the challenges exposed by the turbulence of a year in lockdown. However, the focus now should be on ensuring that it is strategically embedded into a managed, licensed and already hardened IT environment, not adopted as a silver bullet.
Keeping tabs on an ever-growing EDR market
It is the rush towards EDR as an all-encompassing white knight that has exposed the knowledge gap that exists in many organisations. Businesses have needed a solution and have often failed to analyse their wider digital infrastructure before leaping to its adoption.
This chain of events has been exacerbated by an additional, worrying trend: next-generation firewall vendors are acquiring EDR companies to round out their portfolios and pushing EDR into organisations on the strength of those acquisitions. The acquired technology strengthens the firewall vendor's offering but lacks the breadth of a full endpoint protection platform (EPP), which combines prevention, hardening and management with detection. Instead of operating as one layer of a multi-layered EPP product, standalone EDR generates alerts that depend on behavioural detection and manual analysis. In an unmanaged estate, that means more false positives and lower productivity, as staff try to pick the urgent threats out of a deluge of warnings.
It means that, instead of acquiring a solution to their device dispersion predicament, IT teams face more alerts than ever, at an already stressful time, without the guidance and internal skillset needed to benefit from their investment.
EDR continues to keep its spot on the shortlist
Capabilities that EDR itself lacks, such as device and application hardening and an inventory of managed, licensed software, are prerequisites for overcoming the current IT skills gaps within organisations. Increased efficiency and reduced threat exposure must top the list of priorities, and EDR can help, but only if it is integrated into a wider, established infrastructure.
“EDR solutions are not the solution to organisational security. However, they form a valuable and indispensable layer that wards off the worst that cybercriminals and APT actors have to throw at an organisation with exposed services and endpoints that surf the Internet every day,” explained Ian Thornton-Trump, CISO at threat intelligence company, Cyjax. “Without the prerequisites in place, the EDR that some organisations experience will be sub-optimal, with a plethora of false positives as AI mistakes poorly-managed IT environments as compromised.”
Thornton-Trump explained that, when misapplied, EDR can have significant operational impacts and can disable core functions. However, this is not to say that it doesn't have a place at the table. He added: "On the whole, EDR is effective in preventing ransomware and especially detecting and preventing 'living off the land' lateral movement. Organisations still have to realise that technology from three or five years ago is not advanced enough to deal with modern malware. Investment in security technologies like EDR is required because, in technology, 'good' becomes 'poor' very quickly as cybercriminals sprint to new capabilities monthly."
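The point made above about standalone behavioural detection in an unmanaged estate, and Thornton-Trump's remark that an EDR will read a poorly managed environment as compromised, can be shown concretely. The following Python is an added illustration, not code from Kaspersky, Cyjax or any EDR product. It runs three behavioural rules of the kind an EDR ships (Office application spawning a script interpreter, unsigned binary executed, remote-execution tool used) over a handful of constructed process-creation events, first with no context at all, then with a constructed "managed baseline" representing what a managed, licensed, hardened environment can tell the detector: a software inventory, an IT-controlled script share and the accounts permitted to use remote-admin tools. All host names, users, paths and the `Baseline` fields are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation telemetry record (constructed for this example)."""
    host: str
    user: str
    parent: str    # parent process image name
    image: str     # child process image name
    cmdline: str
    signer: str    # Authenticode signer, "" if unsigned


@dataclass(frozen=True)
class Baseline:
    """Context a managed, licensed, hardened estate can supply (hypothetical fields)."""
    approved_software: frozenset    # inventoried, licensed binaries, by image name
    managed_script_roots: tuple     # IT-controlled script shares
    remote_admin_users: frozenset   # accounts permitted to run remote-exec tools


OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC = {"wmic.exe", "psexec.exe"}


# Behavioural rules of the kind a standalone EDR ships. Each returns a rule
# name when the event matches, otherwise None.
def rule_office_spawns_interpreter(e):
    if e.parent.lower() in OFFICE and e.image.lower() in INTERPRETERS:
        return "office-app-spawned-script-interpreter"
    return None


def rule_unsigned_binary(e):
    return "unsigned-binary-executed" if not e.signer else None


def rule_remote_execution(e):
    # wmic /node:<host> or a UNC target (\\host) on a remote-exec tool
    if e.image.lower() in REMOTE_EXEC and ("/node:" in e.cmdline.lower() or "\\\\" in e.cmdline):
        return "remote-execution-tool"
    return None


RULES = (rule_office_spawns_interpreter, rule_unsigned_binary, rule_remote_execution)


def baseline_reason(e, rule, b):
    """Return why the managed baseline explains this match, or None if it cannot."""
    if b is None:
        return None
    if rule == "unsigned-binary-executed" and e.image.lower() in b.approved_software:
        return "inventoried licensed software"
    if rule == "office-app-spawned-script-interpreter" and any(
        root.lower() in e.cmdline.lower() for root in b.managed_script_roots
    ):
        return "script launched from IT-managed share"
    if rule == "remote-execution-tool" and e.user in b.remote_admin_users:
        return "remote execution by authorised admin account"
    return None


def triage(events, baseline=None):
    """Run every rule over every event. One finding per match, with verdict
    'alert' (needs an analyst) or 'explained' (the baseline accounts for it)."""
    findings = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name is None:
                continue
            reason = baseline_reason(e, name, baseline)
            findings.append({
                "host": e.host, "user": e.user, "rule": name,
                "verdict": "explained" if reason else "alert",
                "reason": reason or "no managed context; manual analysis required",
            })
    return findings


def alerts(findings):
    return [f for f in findings if f["verdict"] == "alert"]


# Constructed sample telemetry (not real data). The last two events are the
# ones worth an analyst's time: an Outlook-spawned script and wmic remote
# execution of encoded PowerShell ("SQBFAFgA" is UTF-16LE "IEX" in base64).
EVENTS = [
    ProcEvent("lt-01", "alice", "winword.exe", "powershell.exe",
              "powershell -ExecutionPolicy Bypass -File \\\\fs\\it\\fixprinter.ps1", "Microsoft Windows"),
    ProcEvent("lt-02", "bob", "explorer.exe", "legacybackup.exe", "legacybackup.exe /full", ""),
    ProcEvent("lt-03", "carol", "outlook.exe", "cmd.exe",
              "cmd /c wscript //nologo sync_contacts.vbs", "Microsoft Windows"),
    ProcEvent("lt-04", "dave", "explorer.exe", "wmic.exe",
              "wmic /node:srv-fin01 process call create \"powershell -enc SQBFAFgA\"", "Microsoft Windows"),
    ProcEvent("lt-05", "erin", "explorer.exe", "psexec.exe", "psexec \\\\srv-hr02 -s cmd", "Sysinternals"),
]

BASELINE = Baseline(
    approved_software=frozenset({"legacybackup.exe"}),
    managed_script_roots=("\\\\fs\\it\\",),
    remote_admin_users=frozenset({"erin"}),
)

if __name__ == "__main__":
    for label, b in (("standalone EDR, no context", None), ("EDR plus managed baseline", BASELINE)):
        f = triage(EVENTS, b)
        print(f"{label}: {len(f)} matches, {len(alerts(f))} need manual analysis")
        for x in alerts(f):
            print(f"  {x['host']:6} {x['user']:6} {x['rule']:40} {x['reason']}")
```

Without the baseline every match is an alert for someone to work through by hand: five, three of which are an IT support script, a licensed but unsigned backup tool, and an administrator using psexec. With the baseline those three are explained and the two that remain are the ones the quoted "living off the land" concern is about. The baseline does not weaken the rules; it supplies the inventory and authorisation context that a managed, licensed environment has and an unmanaged one does not.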
A tool in the armoury, not a silver bullet
This is why education, training and filling the skills gap are so critical for businesses, especially as more and more choose to work flexibly in the future. It's not that EDR isn't relevant; it's just that it is not a standalone solver of all IT security problems.
Businesses need to start from a frank discussion of what they actually need. More often than not, they will find they need a solution built around, or integrated with, skills development, so that the product does not sit unused and employees understand how to implement it properly in their systems. Having that conversation lets companies address both the vendor concern and their own dispersed-network challenges at the same time. In many cases, what they will end up with is education and protection together, from dedicated offerings that provide awareness training alongside the EDR product itself.
Managed detection and response (MDR) is another option, including for businesses that already have an EDR in place. As the name suggests, the same level of detection and response is achieved, with additional managed assistance from the vendor. That assistance can provide invaluable insight into where a threat is and how it can be resolved, and the resulting mix of automated and guided response gets the best out of EDR where internal skills cannot. Ultimately, upskilling the workforce combined with better protection can turn EDR from an outdated, misused piece of software into a critical tool in a business's arsenal.