
The endpoint detection response enigma

Andy Bogdan, Head of UK Channel at Kaspersky, discusses mitigating the remote working transition and the security skillset challenge

Prior to the onset of COVID-19, a Ponemon Institute study revealed that 61 per cent of businesses cited staffing limitations as a primary reason why they weren’t adopting endpoint detection response (EDR). Put simply, the sophistication of the tool wasn’t matched by the skillsets available to fully leverage its functionality.

Fast forward just a few months and research conducted for the Kaspersky ‘How COVID-19 changed the way people work’ report found that nearly three-quarters (73 per cent) of workers hadn’t received any additional IT security awareness training this year, amid a mass migration to homeworking and a panicked change of mind about adopting EDR.

So, what changed? In part, the accelerated transition to remote working and the desperate need to protect a dispersed device network backed enterprises into a corner. Businesses naturally felt obliged to take action, and to discard their previous concerns about readiness.

726 million cyber-attacks
At first glance, this is an understandable defence plan. By the middle of 2020, sensors had already recorded more than 726 million cyber-attacks launched on online resources, as IT teams struggled to secure their now-at-home endpoints from malware.

Endpoint detection response naturally seemed to fit the bill as a deterrent, having recently shaken off the industry myth that it had had its day. EDR is now finding favour over traditional anti-virus and can indeed play its part in mitigating the challenges exposed by this year. However, the focus now should be on ensuring that it is strategically embedded into a managed, licensed and already hardened IT environment, and not just adopted as a silver bullet, as we have seen over the past few months.

Staying alert to the EDR market
It is the rush towards EDR as an all-encompassing white knight that has exposed the aforementioned knowledge gap that exists in many organisations. Businesses have needed a solution, and have often failed to analyse their wider digital infrastructure before leaping to its adoption.

This chain of events has been exacerbated in part by an additional, worrying trend, in which next-generation firewall vendors push EDR into organisations that have already obtained more universal endpoint solutions. Firewall vendors are impacting the endpoint protection platform (EPP) market through the acquisition of EDR companies that strengthen their solution but lack the comprehensiveness of full EPP solutions. Instead of operating as part of a multi-layered EPP product, EDR as a standalone function is therefore generating alerts that then depend on behavioural detection and manual analysis. This potentially leads to an increase in false positives, and a decrease in employee productivity as workers strive to filter the urgent threats from a deluge of detected warnings.

It means that, instead of acquiring a solution to their device dispersion predicament, IT teams are facing more alerts than ever, at an already stressful time, without the requisite guidance and internal skillset to benefit from their investment.

EDR still has a place at the table
Missing features in EDR, like device and application hardening, are a must-have in order to reverse some of the aforementioned skills gaps. Increased efficiency and a reduction of business threat exposure must top the list of priorities, and EDR can help, but only if it’s integrated into a wider established infrastructure.

According to Ian Thornton-Trump, CISO at threat intelligence company Cyjax, EDR solutions are not the solution to organisational security. However, he argues that they form a valuable and indispensable layer that wards off the worst that cybercriminals and APT actors have to throw at an organisation with exposed services and endpoints that surf the internet every day. “Without the prerequisites in place, the EDR that some organisations experience will be sub-optimal, with a plethora of false positives as AI mistakes poorly-managed IT environments as compromised,” he warns.

Thornton-Trump explains that when misapplied, EDR can have significant operational impacts and can disable core functions. However, this is not to say that it doesn’t have a place at the table. On the whole, he believes that EDR is effective in preventing ransomware and especially in detecting and preventing ‘living off the land’ lateral movement. “Organisations still have to realise that technology from three or five years ago is not advanced enough to deal with modern malware. Investment in security technologies like EDR is required because, in technology, ‘good’ becomes ‘poor’ very quickly as cyber-criminals sprint to new capabilities monthly,” he notes.

A tool in the armoury, not a silver bullet
This is why education, training and filling the skills gap are so vital. It’s not that EDR isn’t relevant; it’s just that it’s not a standalone solver of all IT security problems, especially in the current climate, and organisations are slightly behind the curve in maturing and understanding the wider ecosystem around that product.

The answer for most simply revolves around engaging in the conversation more concertedly. It is critical for businesses to enter into discussions that begin with what they need. More often than not, what they will find they need is a solution built around, or integrated with, skills development. By entering into these conversations and exploring offerings that instil the requisite guidance, companies can offset the vendor concern and their own dispersed network challenges simultaneously. In many cases, what they will end up with is education and protection provided in situ, courtesy of dedicated solutions that provide awareness training as well as the EDR product itself. To bridge the training/solution gap further, businesses could alternatively opt for a solution designed for those with limited expertise in cybersecurity. This option would convert base-level EDR into improved insight, simplified root cause analysis and both automated and manual response options.

Often included hand-in-hand with the above, managed detection and response (MDR) solutions are also a viable option when bolted on to EDR technology. As the name suggests, the same level of detection and response is achieved, only with additional managed assistance from the vendor to help the customer understand what is being detected and what the threat really is.

The subsequent mix of automated and guided response extracts the best out of EDR in situations where internal skill sets can’t. Ultimately, this combination of upskilling with enhanced protection can convert EDR from being a misunderstood enigma to being a pivotal tool in your arsenal as businesses continue to navigate the growing cyber threat landscape.