The market for Endpoint Detection and Response (EDR) solutions has grown rapidly in recent years and industry experts predict that this trend will continue. Gartner predicts that more than 60% of enterprises will have replaced older antivirus products with combined End Point Protection (EPP) and EDR solutions by the end of 2025 [1].
The need of an holistic Endpoint Security solution is driven both by attacks becoming more frequent and sophisticated and by EDR solutions becoming more accessible to mid-market companies. EDR is no longer a solution for only large enterprises as many cyber security vendors now offer an affordable EDR and EPP combination.
The following are the 10 most important aspects to keep in mind and question your vendor about when buying an EDR solution. These apply whether your organisation is looking to acquire this type of solution for the first time or is going through a regular benchmarking exercise or renewal process.
More details on why companies need an EDR solution are provided in the following article: 7 reasons why you need an EDR solution.
1. Integration with other security platforms
Making sure that whichever EDR solution you are considering is compatible with your current security systems is essential. Not only will this reduce the workload and increase efficiency for your IT/security team, but in order to work effectively EDR tools must offer integration with other security systems that track, orchestrate and execute actions to mitigate an attack.
Looking for a solution that offers API integration could be your best bet, especially if you’re already using a tool like a security information and event management (SIEM) system. That way the EDR solution can seamlessly feed data into your existing systems.
2. Agent vs Agentless
The agent of an EDR solution is the software component that is installed on every endpoint. It is not strictly necessary as an EDR solution can also be passively installed on the network. However, this will limit its functionality because having the agent installed directly on the endpoint allows it to capture a lot more data on user activity. The agent also enables stronger intervention in the event that an endpoint is compromised.
The main advantages of agentless EDR solutions are that they are quick to deploy and can be used to monitor endpoints that are impossible or difficult to install an agent on. However, because the agent is not installed directly on the endpoint, the solution’s response cannot be as robust and the data gathering is also weaker.
3. Operating system support
Linked to the previous point about endpoints that are impossible to install an agent on, one reason for this could be that their operating system is not supported by the EDR solution. If you can limit this problem by choosing a solution that is compatible with multiple operating systems, this is likely to be the better solution.
Almost all EDR solutions will have some operating systems they don’t support. If you have endpoints in your network that are using an operating system unsupported by your chosen EDR provider, then agentless EDR is a good solution to this.
4. Devices not covered
Similar to operating systems, some devices may not be supported by your chosen EDR solution. Most smartphones, including those that run iOS and Android operating systems, are usually not covered by EDR tools and IoT (internet of things) devices are also unlikely to be covered. Just as with operating systems, the best thing to do is ask your vendor what is not covered and work out how many of your endpoints this applies to.
5. Cloud support
It is important to know whether an EDR solution supports a cloud environment and to what extent. Even though several EDR tools are cloud-based, they might not be able to operate in the cloud.
60% of the enterprise EDR market is delivered by cloud already (Gartner Innovation Insight for Cloud Endpoint Protection Platforms, April 2019). This doesn’t necessarily mean that it can protect all of your other cloud systems as EDR is often difficult to install on the cloud and you may need additional protection for specific cloud applications.
6. System updates
The threat landscape is constantly evolving as attackers strive to breach security systems using new tactics, techniques, and procedures (TTPs), so any EDR system that is not regularly updated will be vulnerable to advanced threats and quickly become obsolete. Hence, in order to better respond to threats, you need an EDR solution that gets frequent updates on Indicators of Compromise (IoC).
Additionally, it is worth considering how much of your IT security team’s time will be taken up managing and installing these updates and to what extent they can be automated.
7. Scalability
82% of organisations aspire to have an all-in-one solution for their IT/Network Security needs (F-Secure 2020 B2B Market Research). This may not be possible at present, but if you are among the 82% of organisations with this aspiration then it is worth speaking to your vendor finding out what options your EDR system offers for adding new components and functionality in the future.
Furthermore, you should also consider how the solution will handle any increase in traffic especially in the event of future growth and rise in the number of remote devices.
8. Impact on endpoint performance
If you’re using an EDR solution that requires an agent to be installed on your endpoints, then you need to know what resources it will occupy. Does this mean you will need to invest in better hardware to keep your endpoints’ performance at a reasonable level? A reasonable level of CPU usage for an EDR solution is around 1% so if it’s regularly exceeding that it is likely that it is not well optimised. Memory usage can vary based on the weight of the agent but shouldn’t exceed 50MB. Your vendor should be able to show you performance data for systems that are like yours.
9. Customized threat detection models
Depending on the level of expertise you have in-house, you may want to design your own threat detection model, or at least tweak the present one. EDR vendors will tell you that the pre-sets are optimised for best performance, but all organisations are different and there is no default machine learning algorithm that is optimised for every possible situation.
10. Vendor support
This one really comes down to trust but there are certain indicators to look out for. What happens if your EDR solution is compromised? Will the vendor charge you for incident response services? There is a clear possibility for a conflict of interest here.
Make sure you understand in advance what level of support is available to you and what the expertise level of your account manager is. If you’re using a managed service provider, they are often in a good position to evaluate the relative levels of support available from different vendors, although bear in mind any incentives that may be present on their side of the transaction. Again, this really comes down trust between all parties being the most important factor.
We hope this article proves useful to you in your hunt for the best EDR solution for your organisation. And no matter which EDR solution you end up choosing, make sure it’s tailored towards your organization’s needs.
In case you want to learn about the F-Secure EDR solution, feel free to download the solution brief. And, if you would like to test our solution in a live environment, sign up for a commitment free 30-day trial.
Related articles – F-Secure Endpoint Protection