June 9, 2017 Detection and response
Suzanne Strobel

What’s the Cost of Endpoint Detection & Response?

Every security team is constrained by staff and budget. It’s not surprising, then, that one of the most common questions we hear from security teams concerns the cost and ROI of an Endpoint Detection & Response (EDR) investment. Every company considering EDR should know that it is far from a “set it and forget it” solution: getting the full value requires dedicated experts and additional investments. But the promise of EDR is worth that investment: deep visibility into endpoint activity and the ability to detect attackers at the moment they compromise your laptops and servers.

So what are the true costs of EDR?

Calculating EDR Cost for a Mid-Sized Organization

Like most other security products, EDR requires people to be truly effective. Regardless of an organization’s size, it’s very challenging to find people with EDR expertise. On top of finding and training the right people, security leaders then have to build the full capability.

Here’s a high-level overview of the resources and costs for the most basic EDR capability supporting 1,500 endpoints:

  • Staff, full time
      • Daily responsibilities include triaging EDR alerts, responding to or coordinating response to legitimate threats, researching new threats and how they manifest on the endpoint, and tuning and improving EDR detection
      • Cost: $125,000 fully loaded (salary + overhead)
  • Staff, quarter time
      • Daily responsibilities include IT support and troubleshooting, integrating endpoint telemetry and intelligence across the security program, supporting automation, and custom tool development
      • Cost: $31,250 (one quarter of a $125,000 fully loaded salary + overhead)
  • Hosting
      • Some EDR licenses include cloud hosting, others do not. Budget $5-10/endpoint if hosting is not included (not counted in the total below).
  • License
      • $30/endpoint/year × 1,500 endpoints = $45,000
  • TOTAL ANNUAL COST: $201,250

An important point to keep in mind: This is the cost to build a basic EDR capability. And while a basic EDR capability will help an organization defend its endpoints, it will not revolutionize the security program like a fully mature capability can.

Beyond the Basics: What Else Goes Into a Full EDR Capability?

EDR collects so much valuable information from your endpoints. You can use this information for a variety of purposes: broad detection (behavioral, threat intel, anomaly detection/UBA, binary analysis, organization specific use cases), forensics, endpoint/user information, application information, network connections, and environmental trends. All of this is critical to helping an organization truly understand what is happening on its endpoints, improve its security program, and ultimately reduce its risk.

Additional investments required to achieve a full EDR capability include:

  • Threat researchers focused primarily on understanding the behaviors attackers use when compromising endpoints
  • Threat hunters to hunt for potentially threatening activity not identified by the EDR product
  • Incident responders and a strong IR process
  • Data scientists who can use the data to build anomaly detection and understand organizational trends
  • Developers to build integrations and automation
  • Additional software and security investments (SIEM, threat intel, UBA)
  • IT operations to manage and maintain hardware and software

To learn more, read EDR Shopping List: 4 Items to Budget and Scope

Many of these additional investments are unrealistic for most organizations, but they represent the potential of what can be done. EDR products are unique in that they can help to up-level a security program in multiple areas. It is up to each organization to determine how far they want to mature their EDR investment.

Building EDR vs Outsourcing EDR: Factors to Consider

Given the additional investments that can and should be made around EDR, the next question many organizations face is: “Should I build internally or partner with a managed offering?” The answer depends on exactly what an organization is hoping to accomplish. If a basic EDR capability is sufficient, then building internally is very feasible as long as the organization finds the right team. However, the organizations that hope to use EDR as a launching point for a more mature security program are the ones that will struggle when trying to build.

Teams that are looking to build internally should clearly understand:

  • Rough timeline to implement: defining processes, training your security team, building integrations, and making improvements
  • Additional resources required: as outlined above
  • The benefit of the deep familiarity the internal team gains as it builds the EDR capability

Outsourcing is increasingly becoming a viable option for organizations. With the right partner, organizations are finding that outsourcing is the best way to immediately gain a complete and mature EDR capability. Deploying a Managed EDR solution across an entire organization can take significantly less effort, and security teams can go from no EDR capability to a complete, mature EDR capability in days to weeks. And best of all, it often costs less than building an EDR capability internally.

Take a deeper dive into the Build vs Buy debate

Options for Outsourcing: MDR vs MSSP

If you decide that outsourcing EDR is the best path for your organization, your next step will likely be to select a partner. Organizations that are working with a Managed Security Service Provider (MSSP) often consider using them to manage EDR. However, it’s important for these organizations to know there are new, specialty managed offerings focused solely on EDR. These Managed Endpoint Detection and Response (MEDR) solutions are custom-built and differ significantly from traditional MSSP offerings. The good news for organizations is that they can choose what is best for them.

If you need someone monitoring the EDR tool, an MSSP offering might be best. But if you are looking to get a full EDR capability, consider MEDR. While many MSSPs market that they can deliver a full EDR capability, make sure you are confident they know how to work with endpoint data, have EDR experts on staff, and have a solid process for detection, investigation, and response. An MSSP’s offering may appear to be equivalent and cheaper than MEDR, but this is a good time to remember the old adage: You get what you pay for.

Considering an MSSP for Managed Detection and Response? Read this first.

Key Takeaways

EDR is critical to the modern security program. Many organizations struggle to build an EDR capability internally due to the significant investments required in people, processes, and technology. Forward-looking organizations are starting to include managed EDR offerings in their EDR evaluations. The worst thing that can happen is to invest a large amount of your security budget in an EDR product and then not be able to take advantage of its full power.
