When you think of Endpoint Detection and Response (EDR) tools, do you envision a CSI-style crime lab with dozens of monitors and people with eagle eye views of what their users and defenses are doing? For many, the idea of EDR seems like something for “the big players” with teams of highly trained people. This is based on the historical products and presentations of these tools in days gone by however, it’s no longer true.
For starters, threats and the need to investigate them to prevent a repeat of an outbreak or breach. Malware and attack methods became smarter to put it simply and stopping them became much more difficult. Threats don’t always look like threats anymore. The same type of attack might arrive through the web, email, as a different file type with a different name but with the same intent: avoid detection and compromise your endpoints.
Defenses have evolved as well, but as part of that growth another problem grew with it. More defenses means more reports, alerts and places to go to investigate and then remediate a threat. Economically, most organizations have not put more staff into the mix alongside this change. The “do more with less” mantra hasn’t left the minds of many, and the result is too many security practitioners drowning in noise and overwhelmed with management tools and data. Perhaps that’s why so many resort to simply re-imaging a machine instead of investigating or remediating a threat. It seems easier (and it probably is) for many. See our infographic ‘A Return to Endpoint Protection Platforms’ for more on how the use of disparate point tools increases operational complexity.
Lastly, the need to do things differently happened. The latest Gartner Market Guide for Endpoint Detection and Response shows a strong shift in the number of organizations that now consider EDR a need and plan to invest in it. Security Practitioners are shifting gears as the nature of threats and the need to know how they arrived, what they attempted to do and where else they may have attempted entry occurred.
It Doesn’t Have to Take a Village Anymore
Something else changed as these the landscape evolved – EDR solutions became easier and simpler to work with. EDR is no longer a tool that requires a dozen people or a Security Operations Center (SOC). Dashboard style management with prioritized, at-a-glance data has replaced lengthy reports and overwhelming alert volume. More integrated approaches have also cut down manual processes, replacing them with automated responses and automatic contextual insights. This also cuts complexity when delivered as part of an Endpoint Protection platform (EPP). For more details, watch a video on the role of EDR and Machine Learning and the Return to Endpoint Protection Platform Suites.
It no longer requires extensive training or expertise to use and realize value from EDR solutions. Security Practitioners can now simply log in, click to the heart of a threat and remediate it in a short period of time. Remediation can happen in as little as one click and setting traps, triggers and responses for future threats takes only a few minutes.
McAfee offers an integrated EDR solution that gives prioritized data and alerts with a dashboard view of your environment and makes it easy to click to the eye of a threat in seconds. One of our customers was able to go from using spreadsheets and manual processes to getting data in seconds.
If you’re ready to see how easy and effective EDR can be, check out this video below to see a Metasploit attack halted with a straight forward investigation.