May 27, 2020 Security operations
Suzanne Moore

A guide to evaluating EDR security tools

Endpoint detection and response (EDR) can be a highly effective way to strengthen your security posture. These critical questions will help security teams find the EDR solution that is right for them.

The adoption of endpoint detection and response (EDR) security tools has rapidly increased over the past several years. According to a leading market research firm, EDR has been adopted by more than a third of security teams as of 2020, and the number of organizations using an EDR tool is expected to double over the next five years. The tools can be a highly effective way to help organizations address the increased complexity and frequency of attacks and gain visibility across their endpoints.

However, growth does not come without challenges. As with any enterprise platform, turning a tool into a capability is difficult, and many security teams struggle to define the right questions to ask when looking to add EDR to their security posture.

Red Canary’s technical team has guided hundreds of organizations through successful EDR evaluations and implementations. We keep constant tabs on the EDR market and are always assessing new technology. To help security professionals in their evaluation process, we worked with our security operations and technical account teams to develop an EDR Buyer’s Guide. It walks buyers through 14 questions to ask and provides worksheets, resources, and tips to reference during evaluations.

Critical questions to answer before investing in EDR

1: Why are you investing in an EDR program?

Understanding your goals is the first step to narrowing the field of EDR security tools. Once that is out of the way, you can move on to evaluate the business case, technical performance, support, and vendor requirements.

Below is an example worksheet you can use to rank your team’s concerns and align your use case with EDR security tools that have stronger capabilities in those areas.

Problem | Level of concern (High / Medium / Low)
Existing endpoint security products (AV, NGAV, HIPS, EPP, etc.) are failing to stop an increasing number of threats | High / Medium / Low
Your team has little visibility into what is happening on your endpoints | High / Medium / Low
You have good tools and processes in place, but are concerned that threats are still slipping through on your endpoints | High / Medium / Low
Frequent incident analysis and response costs are distracting your team from focusing on the right priorities | High / Medium / Low
Your team does not have the capacity or expertise to build the solutions needed to respond to increasingly sophisticated threats | High / Medium / Low
Compliance requirements or large fines are mandating the use of continuous monitoring and threat detection | High / Medium / Low
Leadership is focused on preventing a public breach and the associated costs, negative headlines, and brand damage | High / Medium / Low

2: What level of expertise and time commitment is needed to use the solution?

It’s important to remember that an EDR security tool alone does not give your organization an EDR capability. Well-trained security professionals and sound processes are needed to maximize your EDR investment and truly improve your security. Without the right team and time commitment, EDR products can amass data and alerts, increasing costs and fatiguing analysts.

Expertise and disciplines required:

  • Security engineering: Integrating the EDR product into other parts of your security infrastructure, including SIEMs, ticket tracking systems, or other threat intelligence sources
  • Security operations: Workflow definition and execution for detection, investigation, and response across your organization
  • Security analysis and incident response: Triage and investigation of the hundreds to tens of thousands of potentially threatening events identified by the EDR product
  • Security research: Continuous curation and development of sources of intelligence, detection techniques, and behavioral patterns to accurately identify threats
  • IT operations: Managing and maintaining hardware and software for EDR products and their deployment across your organization
  • Threat hunting: Hunting for potentially threatening activity not identified by the EDR product’s detection capabilities

In short: EDR is a 24/7 job. If your team does not have at least one full-time employee to triage, investigate, and respond to alerts detected by an EDR security tool, you may want to consider a managed detection and response solution.

3: How does the solution detect threats to your organization?

Understanding the types of threats an EDR security tool detects—as well as the technologies and techniques used—is often a central point of evaluation. Many solutions take a very limited approach to detection and are handicapped against solutions that provide broader coverage of threats.

Below are a few examples of criteria to understand when evaluating threat detection capabilities.

Types of threats detected:

  • Malware (crimeware, ransomware, trojans, exploit kits, etc.)
  • Misuse of legitimate applications (PowerShell, WMI, mshta.exe)
  • File-based attacks (Microsoft Office, Adobe PDF, etc.)
  • Unwanted software (browser toolbars, PUPs)
  • Insider threats (malicious employee, compromised credentials, accidental release of data)
  • Suspicious user activity
  • Suspicious application behavior

Technologies and techniques used for detection:

  • Behavioral analysis
  • User behavior analytics
  • Long tail analytics and anomaly detection
  • Dynamic binary analysis (“sandboxing”)
  • Static binary analysis
  • Network threat intelligence (known bad domains, IP addresses)
  • Binary threat intelligence (known bad MD5s/SHAs, file paths, binary signing data, YARA, etc.)

The EDR Buyer’s Guide also includes specific scenarios to ask vendors about and helpful tips for gauging false positive rates, tuning, and understanding the benefits and drawbacks of broad versus narrow detection coverage.

Support for evaluating EDR security tools

Red Canary was built to support organizations struggling to manage the complexities of threat detection and response. We hope this guide helps you through your evaluation and purchase. If you have additional questions, we’re here to help. Contact us anytime with questions or to request a conversation to help guide you during your EDR evaluation.

Editor’s note: This blog post and the related EDR Buyer’s Guide were originally published in February 2017. Both resources have been updated based on changes in the EDR market and continuing evolution in the endpoint security space. We hope the information helps security teams navigate their evaluations.