Endpoint Detection and Response (EDR) is becoming essential for protecting endpoints (desktops, servers, mobile phones and tablets) against threats and cyber-attacks. But how do you make the best use of a powerful solution that produces such a large volume of information?
EDR requires appropriate monitoring
Many products on the EDR market compete on power: they generate many alerts and require effective security policies, especially to manage false positives. We have measured a highly variable false-positive rate at installation, from 20% to 90%. The first weeks of use reduce these rates considerably, through learning of the context and through exclusions on business applications. After this tuning phase, it is possible to go below 4% false positives. These exclusions should be scoped as narrowly as possible (a specific rule, the installed path, the publisher's code-signing identity), because a broad exclusion is a blind spot that an attacker only has to name a payload after the business application to hide in. In our experience, the presence of a next-generation antivirus (NGAV) can also strongly affect the number of alerts, the configuration of the tool and its sensitivity level. The volume of alerts and the philosophy of the tool, closer to a SIEM for endpoints than to an antivirus, therefore require appropriate follow-up, carried out by competent staff trained on the solutions in place and in good security analysis practices.
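As an added example (not code from the original article or from any EDR vendor), the script below shows what the exclusion tuning described above looks like when measured: it computes the false-positive rate over a set of constructed triage verdicts, then compares a broad filename-only exclusion with a scoped one keyed on rule, installed path and signer, and reports which known-bad alerts each exclusion would hide. The alert fields, exclusion schema, host names, rule names and the fictitious "AcmeERP" application are all assumptions made for the illustration.

```python
"""Added example (not from the original article): measuring the false-positive
rate of EDR alerts before and after applying scoped exclusions.

The alert fields, the exclusion schema and the sample alerts below are all
constructed for the illustration; they are not any vendor's format.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    host: str
    process_path: str
    signer: str        # code-signing publisher, "" when unsigned
    rule: str          # name of the detection rule that fired
    verdict: str       # analyst verdict: "true_positive" or "false_positive"


@dataclass(frozen=True)
class Exclusion:
    """An exclusion keyed on rule, path pattern and (optionally) signer.

    signer=None means "any signer", which is the broad form to avoid: an
    attacker only has to name the payload after the business application.
    """
    rule: str
    path_glob: str
    signer: Optional[str] = None

    def matches(self, a: Alert) -> bool:
        return (a.rule == self.rule
                and fnmatchcase(a.process_path.lower(), self.path_glob.lower())
                and (self.signer is None or a.signer == self.signer))


def apply_exclusions(alerts: List[Alert], exclusions: List[Exclusion]) -> List[Alert]:
    """Alerts that would still reach an analyst with these exclusions in place."""
    return [a for a in alerts if not any(e.matches(a) for e in exclusions)]


def false_positive_rate(alerts: List[Alert]) -> float:
    """Share of alerts the analysts closed as false positives (0.0 when empty)."""
    if not alerts:
        return 0.0
    return sum(a.verdict == "false_positive" for a in alerts) / len(alerts)


def suppressed_true_positives(alerts: List[Alert], exclusions: List[Exclusion]) -> List[Alert]:
    """Safety check before shipping an exclusion: known-bad alerts it would hide."""
    return [a for a in alerts
            if a.verdict == "true_positive" and any(e.matches(a) for e in exclusions)]


def tuning_report(alerts: List[Alert], exclusions: List[Exclusion]) -> dict:
    remaining = apply_exclusions(alerts, exclusions)
    return {
        "fp_rate_before": false_positive_rate(alerts),
        "fp_rate_after": false_positive_rate(remaining),
        "alerts_after": len(remaining),
        "hidden_true_positives": len(suppressed_true_positives(alerts, exclusions)),
    }


# Constructed triage data: a fictitious ERP sync agent that spawns PowerShell
# trips a "suspicious child process" rule on eight workstations, while a payload
# dropped under C:\Users\Public masquerades under the same file name.
ERP_PATH = r"C:\Program Files\AcmeERP\erpsync.exe"
SAMPLE_ALERTS = [
    Alert(f"ws{i:02d}", ERP_PATH, "Acme Corp", "suspicious_child_process", "false_positive")
    for i in range(1, 9)
] + [
    Alert("ws42", r"C:\Users\Public\erpsync.exe", "", "suspicious_child_process", "true_positive"),
    Alert("ws17", r"C:\Windows\Temp\svc.exe", "", "lsass_memory_access", "true_positive"),
]

# Broad exclusion: any erpsync.exe, wherever it lives, whoever signed it.
BROAD_EXCLUSIONS = [Exclusion("suspicious_child_process", r"*\erpsync.exe")]

# Scoped exclusion: this rule, this installed path, this publisher only.
SCOPED_EXCLUSIONS = [Exclusion("suspicious_child_process", ERP_PATH, signer="Acme Corp")]


if __name__ == "__main__":
    print("broad :", tuning_report(SAMPLE_ALERTS, BROAD_EXCLUSIONS))
    print("scoped:", tuning_report(SAMPLE_ALERTS, SCOPED_EXCLUSIONS))
```

Both exclusions bring the false-positive rate from 80% to 0% on this sample, which is exactly why a rate on its own is not a sufficient acceptance test: only the `hidden_true_positives` check reveals that the broad exclusion also silences the masquerading payload on `ws42`.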
Remediation isn’t automatic
The promise of remediation (or response) carried by the R in EDR is attractive, but it is not a magic formula. This capability certainly improves reaction time, but given the potential impact of a response action (isolating a host, killing a process, quarantining a file), human decision-making remains necessary. For the same reason, full automation of the response is not desirable even though it is technically possible. So how can you strengthen your ability to react under these conditions? First, we recommend distinguishing critical assets from the others, so that you know on which perimeter the reaction must be controlled from A to Z (and therefore probably cannot be automated). We also invite you to take into account the time slot and the priority level of the alerts. Once these elements have been clarified, you will have hypotheses that let you define the response policies precisely during the implementation phase of the tool. If the EDR was deployed in an emergency during a crisis, this definition must be reviewed once the crisis is over. For this work, as at every stage of an EDR project, it may be more comfortable to rely on a specialized trusted third party.
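The three inputs named above (critical versus other assets, time slot, alert priority) combine into a response policy. As an added example, not code from the original article or from any EDR product, the script below encodes such a policy as a decision function: critical assets always go to an analyst, high-severity alerts are contained automatically only outside staffed hours, and a crisis-mode switch models the more aggressive policy of an emergency deployment that has to be reviewed afterwards. The asset list, severity scale, staffed hours, action names and sample alerts are assumptions made for the illustration.

```python
"""Added example (not from the original article): a response policy that decides
whether an EDR alert may be remediated automatically or must wait for an analyst.

The asset tiers, severity scale, staffed hours and action names are assumptions
made for the illustration; map them onto your own EDR's policy model.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set


@dataclass(frozen=True)
class Alert:
    host: str
    severity: int          # 1 (informational) .. 5 (critical), as scored by the EDR
    fired_at: datetime
    title: str


@dataclass(frozen=True)
class Decision:
    action: str            # "analyst_required", "auto_isolate", "auto_kill_process", "log_only"
    reason: str
    needs_human: bool


# Assets whose response must be controlled end to end: never automated (assumed list).
CRITICAL_ASSETS: Set[str] = {"dc01", "erp-db01", "backup01"}

# Hours during which an analyst can pick up a page (local time, weekdays; assumed).
STAFFED_START, STAFFED_END = time(8, 0), time(19, 0)


def is_staffed(ts: datetime) -> bool:
    """True on weekdays between STAFFED_START (inclusive) and STAFFED_END (exclusive)."""
    return ts.weekday() < 5 and STAFFED_START <= ts.time() < STAFFED_END


def decide(alert: Alert, crisis_mode: bool = False) -> Decision:
    """Map an alert to a response action.

    Order matters: the critical-asset rule wins over everything, then the
    crisis override, then severity combined with the time slot.
    """
    if alert.host in CRITICAL_ASSETS:
        return Decision("analyst_required",
                        "critical asset: response is controlled from A to Z", True)
    if crisis_mode and alert.severity >= 3:
        # Emergency deployment: contain first, and review this policy once
        # the crisis is over (it is too aggressive for steady state).
        return Decision("auto_isolate", "crisis mode: contain first, review later", False)
    if alert.severity >= 4:
        if is_staffed(alert.fired_at):
            return Decision("analyst_required",
                            "high severity in staffed hours: page the analyst", True)
        return Decision("auto_isolate",
                        "high severity out of hours: contain now, analyst reviews next shift", False)
    if alert.severity == 3:
        return Decision("auto_kill_process",
                        "medium severity: stop the process, keep the host online", False)
    return Decision("log_only", "low severity: enrich and queue for triage", False)


def triage(alerts: List[Alert], crisis_mode: bool = False) -> List[Decision]:
    return [decide(a, crisis_mode) for a in alerts]


# Constructed alerts (fictitious hosts and timestamps; 2024-05-06 is a Monday).
SAMPLE_ALERTS = [
    Alert("dc01", 5, datetime(2024, 5, 6, 3, 0), "credential dumping on domain controller"),
    Alert("ws07", 5, datetime(2024, 5, 6, 3, 0), "ransomware-like mass file rename"),
    Alert("ws07", 5, datetime(2024, 5, 6, 10, 30), "ransomware-like mass file rename"),
    Alert("ws12", 3, datetime(2024, 5, 4, 14, 0), "encoded PowerShell from Office macro"),
    Alert("ws21", 1, datetime(2024, 5, 6, 11, 0), "new scheduled task created"),
]


if __name__ == "__main__":
    for a, d in zip(SAMPLE_ALERTS, triage(SAMPLE_ALERTS)):
        print(f"{a.host:8} sev={a.severity} {a.fired_at:%a %H:%M} -> {d.action:18} ({d.reason})")
```

Note that the same high-severity alert on `ws07` gets a different action at 03:00 and at 10:30: out of hours the host is isolated immediately, in staffed hours an analyst decides. The domain controller is never touched automatically, even in crisis mode.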
Delegate management with EDR-as-a-Service
A specialist like Advens can assist you in choosing, implementing and managing your EDR day to day through an "EDR-as-a-Service" offer. We consider it key to rely on several technology partners, so as to choose the vendor whose solution is the most relevant to a given context and information system (IS). Our feedback and the managed services we run for our clients have led us to work with the following four vendors:
- Cybereason: this EDR pure player has enriched its offer with antivirus functions; its very ergonomic interface, designed to fight analyst fatigue, is appreciated by analysts;
- SentinelOne: its Singularity platform deploys very quickly, which is valuable during an attack to gain visibility into the impacted assets. The vendor also stands out for its file restoration capabilities and the very fine granularity of its configuration;
- Microsoft Defender for Endpoint: this product includes an EDR and is highly relevant in recent Microsoft environments. It also has an advanced Azure cloud dimension;
- Harfang Lab: this French startup offers a sovereign EDR certified by ANSSI.
Beyond a team capable of managing the tool and processing alerts, it is valuable to have a CSIRT capable of reacting to critical alerts and confirmed attacks. Advens has chosen to bring these skills and technologies together in a fully integrated EDR-as-a-Service offering. At the end of the implementation month, your organization benefits from the full visibility and capacity for action of the EDR, and from our long-term support. Ultimately, choosing this managed EDR formula makes the software investment pay off by entrusting its management to specialists.