In a recent webcast, “The Maturing of Endpoint Detection and Response (EDR): Choosing the Right Solution,” Forrester Senior Analyst Chris Sherman and CrowdStrike Senior Director of Product Marketing Con Mallon discussed selecting an effective EDR solution, and how it can help organizations prevent “silent failure” situations.
The Problem of Silent Failure
In the webcast, Mallon and Sherman asserted that organizations can no longer protect their endpoints and networks by relying on prevention alone. “As the old adage says, defenders have to be right 100 percent of the time, attackers only have to be lucky once,” Mallon said. “EDR rights this asymmetry by assuring that even if a bad guy does succeed in penetrating your defenses, you’re not dead in the water.”
Mallon went on to explain that EDR is fundamental to mitigating “silent failure,” an occurrence that can prove devastating to an organization. He explained that silent failure happens when prevention fails, security is breached, and an adversary lingers in your network unseen, with the ability to wreak havoc and return at will. “An adversary can move around your network for weeks or months doing damage, and often you learn of the breach from a third-party such as law enforcement, customers or suppliers,” he said. When the organization does finally learn of the breach, he explained, remediation can take months, because the organization doesn’t have the visibility to discern exactly what happened, how it happened, or how to fix it. “The real kick in the teeth is that the attacker can often return in a matter of days because of the organization’s lack of visibility,” he added.
Mallon defined effective EDR as encompassing four basic capabilities: “First is finding anomalies; second is analyzing behaviors — finding what is errant or malicious; third, remediation is key but it can vary in its scope and capabilities; fourth is giving IT security professionals the ability to discover and stop potential threats with real-time visibility into their endpoint environments,” he said.
ESG Survey Results
A survey taken during the webcast found that 80 percent of attendees are using EDR either actively or lightly, or are considering adding it to their security strategy, signifying a strong belief that EDR should be included as part of comprehensive endpoint protection. Mallon also addressed a recent survey done by the Enterprise Strategy Group (ESG), an analysis and research organization that polled IT security professionals to garner their views on EDR. Echoing Forrester’s findings, outlined in a previous blog, those surveyed said they are looking for EDR that can provide speed – so that remediation can happen as close to real time as possible. They also expressed an interest in having more contextual information around threats and wanted solutions that included managed hunting capabilities. “Both of these features can help an organization become more proactive and have the information they need to harden their systems against future attacks, “ Mallon said.
The EDR Maturity Model
Mallon then explained that EDR is evolving fast and that CrowdStrike has focused on these changes to construct an “EDR maturity model.” The model follows a continuum from “no EDR” to “limited EDR,” to “intelligent EDR” and finally, EDR that includes managed hunting and response. His discussion included a demonstration of how CrowdStrike’s intelligent EDR with managed hunting and response operates. Mallon also explained that the maturity model can help an organization find the right level of EDR based on its size and IT staff capabilities.
Mallon concluded his portion of the discussion with a focus on four key takeaways:
- EDR is a journey: “Organizations need to assess their internal resources, their expertise and the types of threats they are facing to determine a level of EDR implementation that will best suit their needs,” he said.
- Look closely at the level of automation provided: Mallon explained, “The level of automation regarding detection and remediation is crucial as well as having a seamless handoff between the security operations center and security teams.”
- Look for strong behavioral detection and blocking capabilities: “One of the biggest mistakes organizations make is to focus too much on detection, failing to understand that if you can detect, you can also block,” he said.
- EDR enables hunting – and that’s a very good dynamic: “Once again, you need to assess your internal resources and expertise, but having a solution that includes managed hunting can enable you to add this capability without burdening your internal staff,” he said.
View the on-demand webcast: The Maturing of Endpoint Detection and Response (EDR): Choosing the Right Solution