The EDR Balancing Act: Impact vs. Ability to Execute

By McAfee Enterprise on May 11, 2017

A new breed of advanced malware has its sights on your business. It’s been cleverly crafted to evade standard defenses, burrow into your endpoints, and hide undetected, indefinitely, waiting to spread to other systems. Unfortunately, this is now day-to-day reality for most organizations. The question is what to do about it.

Here’s the way organizations would like to respond: A top security investigator identifies a new malware threat. Using the latest and greatest endpoint detection and response (EDR) tools, she hunts for similar threats in the environment and roots out every other infected system. She learns exactly what the malware did and how, remediates the problem everywhere it exists, and updates defenses to block similar attacks in the future.

Unfortunately, here’s what actually happens: An endpoint administrator encounters an infected machine. He re-images the endpoint and puts the user back online. In the back of his mind, he knows he didn’t actually solve the problem that allowed the infection in the first place. He knows there’s a good chance it’s spread to other endpoints. But the few expert investigators in the organization are already buried in work. And sifting through mountains of data to manually search for the threat would take weeks.

You can see the disconnect. Modern EDR tools can provide amazing defense capabilities. But there just aren’t enough people out there who can use them effectively. According to a 2016 global survey from McAfee and the Center for Strategic and International Studies, 82 percent of organizations report a shortage of cybersecurity skills. Meanwhile, threats continue to increase.

There’s a way out of this catch-22, but it requires a different way of thinking about EDR. Incident detection and response doesn’t have to be limited to advanced toolsets for specialized experts. By taking advantage of EDR capabilities that are built into modern endpoint security platforms, you may be able to accomplish a lot more than you realize.

Generally, incident response falls across four categories: detect, contain, investigate, remediate. Modern endpoint platforms can integrate with EDR to provide more visibility and automated capabilities across all those categories, so that front-line administrators can shoulder a lot more of that burden than they used to.

Modern integrated endpoint solutions include:

  • File search: If an administrator can use Google, they should be able to use a basic EDR interface to search for a known malware file by name. With literally one click, they should be able to see a graphical map of every endpoint where the file resides. A file name is the weakest indicator, though: attackers rename droppers freely, and unrelated files share common names.
  • Hash search: In the same way, any administrator who can copy and paste a file hash should be able to search for malware they’ve encountered on an endpoint and see, in seconds, everywhere else it has spread. A hash matches byte-identical content, so it finds renamed copies that a name search misses, but not recompiled or repacked variants.
  • Automated remediation: When an admin does identify an infection, they’ll want to remove it from every infected endpoint with one click.
  • Automated inoculation: With another click, the administrator should be able to update every other endpoint and security system in the environment to recognize that malware in the future and block it before it executes.
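
As an added illustration of those four workflows, here is a small Python model of file search, hash search, remediation and inoculation run over a constructed fleet inventory. This is example code written for this page, not McAfee code or a description of any product’s internals; the host names, paths and file contents are made up, and a real EDR would fill the inventory from its endpoint agents rather than from an in-memory dictionary.

```python
"""Fleet-wide file search, hash search, remediation and inoculation.

Added example, not vendor code. Every host, path and file body below is
constructed for illustration; an EDR would ingest this from its agents.
"""
import hashlib
import ntpath
from collections import defaultdict

# Constructed file contents standing in for real binaries.
MALWARE = b"MZ\x90\x00evil-dropper-v1"
VARIANT = b"MZ\x90\x00evil-dropper-v2"       # recompiled: one byte differs
BENIGN = b"MZ\x90\x00legit-invoice-viewer"

# Constructed agent snapshot: host -> {path: file bytes}
ENDPOINTS = {
    "ws-01": {r"C:\Users\alice\Downloads\invoice.exe": MALWARE},
    "ws-02": {r"C:\Temp\svchost_update.exe": MALWARE},        # same malware, renamed
    "ws-03": {r"C:\Users\bob\Downloads\invoice.exe": BENIGN},  # same name, different file
    "ws-04": {r"C:\ProgramData\update.exe": VARIANT},         # recompiled variant
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_hash(h: str) -> str:
    """Accept a hash as pasted from a report: strip whitespace, lowercase."""
    return h.strip().lower()


def build_inventory(endpoints):
    """Flatten the agent reports into (host, path, sha256) records."""
    return [(host, path, sha256_hex(data))
            for host, files in endpoints.items()
            for path, data in files.items()]


def find_by_hash(inventory, wanted: str):
    """Hash search: every host/path whose contents are byte-identical."""
    wanted = normalize_hash(wanted)
    hits = defaultdict(list)
    for host, path, digest in inventory:
        if digest == wanted:
            hits[host].append(path)
    return dict(hits)


def find_by_name(inventory, filename: str):
    """File search by name: cheap, but the name is attacker-controlled."""
    hits = defaultdict(list)
    for host, path, _ in inventory:
        if ntpath.basename(path).lower() == filename.lower():
            hits[host].append(path)
    return dict(hits)


def remediate(endpoints, wanted: str):
    """Remove every byte-identical copy. Returns (cleaned_fleet, removed)."""
    wanted = normalize_hash(wanted)
    cleaned, removed = {}, defaultdict(list)
    for host, files in endpoints.items():
        cleaned[host] = {}
        for path, data in files.items():
            if sha256_hex(data) == wanted:
                removed[host].append(path)
            else:
                cleaned[host][path] = data
    return cleaned, dict(removed)


def inoculate(blocklist: set, wanted: str) -> set:
    """Push the hash to the fleet-wide blocklist (returns a new set)."""
    return blocklist | {normalize_hash(wanted)}


def allowed_to_execute(blocklist: set, data: bytes) -> bool:
    """Pre-execution check an agent would run against the blocklist."""
    return sha256_hex(data) not in blocklist


if __name__ == "__main__":
    inv = build_inventory(ENDPOINTS)
    ioc = sha256_hex(MALWARE)
    print("hash search:", find_by_hash(inv, ioc))
    print("name search:", find_by_name(inv, "invoice.exe"))
    cleaned, removed = remediate(ENDPOINTS, ioc)
    print("removed:", removed)
    blocklist = inoculate(set(), ioc)
    for label, body in (("malware", MALWARE), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, "allowed:", allowed_to_execute(blocklist, body))
```

Running it shows the trade-off the list describes: the hash search finds the renamed copy on ws-02 that the name search misses, the name search returns a false positive on ws-03, and neither finds the recompiled variant on ws-04, which the hash blocklist also lets run. Hash-based inoculation is fast and safe to automate precisely because it is narrow; widening it to variants is the kind of work that still needs an analyst.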

Compare that to the status quo, where each of these activities—correlating a suspected threat, discovering all endpoints it’s infected, removing it, tuning other security solutions (IPS, firewall, web gateways, endpoint agents) to detect it in the future—requires enormous manual effort.

Integrated EDR in Action

How much EDR should happen as part of everyday endpoint operations versus projects spearheaded by specialized experts? There’s no single right answer—it’s about balancing the potential impact of a given activity with your ability to execute. If you’re going to find the right EDR formula for your organization, you need to be honest with yourself about your personnel and investments.

State-of-the-art EDR platforms can provide amazing visibility and incident response capabilities—they can have a huge impact. But the cost to execute is extremely high. Alternatively, endpoint defense platforms with integrated EDR capabilities may not deliver exactly the same impact, but the cost to execute is much lower. With integrated EDR tools and automated workflows, many aspects of investigation and response can be handled by administrators with minimal training.

Integrated EDR may not replicate everything a skilled investigator can do with the most powerful EDR platforms. But if you can accomplish 80 percent of the results with a fraction of the effort, at a fraction of the cost, that’s a pretty good balance of impact and ability to execute.

About the Author

McAfee Enterprise

McAfee offers industry-leading cybersecurity solutions for all business and enterprise needs. See our blog to stay up-to-date with the latest security trends.
