As organizations look for better ways to defend against evolving cyber attacks, endpoint detection and response (EDR) is rapidly emerging as a solution. EDR promises to combine visibility, threat detection, and response across all of your endpoints. However, security teams often don’t realize that developing a true EDR capability can be challenging. It’s not something you simply buy off the shelf.
As an organization, you have three ways to implement EDR in your security program:
- Build it yourself, which may require a lot of effort and a fairly large team.
- Use a managed security services provider (MSSP), at least for part of it.
- Use managed endpoint detection and response (MDR), which is a new type of service focused on helping organizations improve their threat detection and incident response capabilities.
There are a variety of factors to consider when deciding which option is right for you. Let’s take a deeper dive into each approach.
1: Build and manage it yourself.
One of the first questions you must answer when implementing EDR is: do I build the capability internally or do I partner with someone? If you choose to build and manage it internally, you need to implement a number of things in order to do it effectively. First, you’ll need to buy EDR tooling to gain deep, low-level visibility into your endpoints. You’ll also need to host the equipment required for data collection— whether that’s a cloud-based solution or an on-premise approach with infrastructure and internal engineering requirements.
Next, you’ll want to integrate the data produced into your existing workflow. This may be as simple as shipping all alerts into your tracking system or your SIEM, or it could be much more complex. It may require custom SIEM integration, orchestration, and automation. The bottom line is, to implement your EDR capability right, you’ll need engineering resources and developers to build custom code, pull data together, and optimize the workflow.
You’ll also need to create and continuously update the detection rules and algorithms required to surface potential threats, which will most likely include researchers, as well as a team of analysts to work through false positives, and a repeatable, continuous investigation and response process.
What to consider:
- What are the infrastructure / engineering resource requirements?
- Do I have at least one full-time employee to manage this or will I need to hire additional headcount?
- Does my team have skillsets across detection, analysis, and investigation?
- Do we have a process to orchestrate and automate activities?
Is a managed EDR solution right for you? Watch a webinar: Outsourcing Endpoint Detection and Response
2: Use an MSSP to manage it.
MSSPs offer a layer of service to help check compliance boxes, implement basic capabilities, and manage traditional devices. They are a way to ensure your staff isn’t burdened with the management of infrastructure. Most have mature processes for escalation of threats, 24/7 phone numbers for assistance, and the ability to provide other services like incident response, breach response, or forensics.
While MSSPs have traditionally been focused on compliance and device management, they might be able to help with pieces on the EDR front. Many companies believe working with an MSSP is a good solution because they only want to use one managed solution and are looking for someone to do it all. However, when evaluating MSSP services that promise to offer managed detection and response, take a hard look at their offerings. Oftentimes, it includes basic things like managing the device, making sure it’s on, and potentially doing some log correlation.
What to consider:
- What exactly is included in the MSSP’s offering?
- What gaps in coverage will still exist that I may need to consider hiring internally?
- What is their level of expertise in EDR?
- Do they have a clear understanding of the tool’s capabilities?
Considering an MSSP? Read Five Guidelines to Evaluate MSSPs.
3: Use an MDR provider.
Gartner has defined MDR as a service focused on detecting threats once they bypass traditional perimeter security controls. MDR typically includes in-depth analysis of endpoint and/or network events to detect threats and attackers across the kill chain, expert investigation of potentially threatening events to eliminate the noise, and response tools for immediate endpoint isolation and remediation.
The benefit of MDR is that you get a very mature detection and response process and capability. You are leveraging resources that are extremely difficult to hire and avoiding the cost and time commitment to build the capability internally. Essentially, you are outsourcing everything except the hands-on remediation.
One word of caution: be somewhat wary of MDR vendors that say they are taking remediation off your hands. A lot of small decisions go into remediation, and you need to take that into account. Do you really expect a vendor to know your business well enough to know when it’s okay to shut off your domain controller? It’s important to think about your level of comfort with having an outsourced partner making those types of decisions.
What to consider:
- What EDR capabilities are most important to my organization?
- What burdens would MDR remove from my team?
- What is the most cost-effective approach in the long-term and short-term?
- Can I integrate MDR along with an MSSP?
Dig deeper: What are the differences between MDR and MSSP?
Deciding which choice is right for you
Implementing EDR in your security program is a non-trivial activity and it can be difficult to sort through the vendor noise to find reality. Deciding how much to build internally versus outsourcing is not a decision to take lightly. Without the right team and expertise, EDR tools can become little more than a black box recorder. Start with an honest assessment of your current security program and team to identify what constraints exist. From there you can work towards a decision on how to get the most out of your EDR initiative.
To learn more about the challenges and benefits of each approach, watch a webinar on outsourcing EDR with Chris Rothe, Red Canary CTO, and Rick McElroy, Carbon Black security strategist and former CISO.