There is a lot of buzz around the endpoint detection and response (EDR) market of late. The legacy endpoint market, traditionally dominated by large anti-virus (AV) vendors, has always been one that security professionals love to hate. Recently, however, several new players have entered the market with a variety of different approaches. These new entrants have shaken up the market and reinvigorated it with hope and cautious optimism for the future.
Perhaps not surprisingly, with the endpoint market estimated to be somewhere between a $5B and $20B market (depending on source of research), hype and noise around it have quickly filled the air. Every potential buyer is bombarded by a long list of vendors, each one of which uses nearly the same marketing language as the other. So how can a security manager make sense of the options, dig deeper, and separate fact from fiction? You guessed it - by playing a game of twenty questions, or in some cases show and tell.
Conceptually, viable EDR solutions need to provide three broad buckets of functionality:
Prevent/Detect to block malicious code and prevent infection with a high rate of detection (true positives) and a low rate of both false positives and false negatives. This has long been the bailiwick of legacy anti-virus vendors, though detection rates and overall product efficacy have fallen sharply in the last few years due to a number of different factors. Among these factors are the ability for attackers to morph their malicious code to avoid signature-based detection approaches, as well as the gradual move by attackers away from malicious code and more towards theft of stolen credentials and other techniques involving no malicious code at all.
Analysis that provides the capability to analyze, investigate, and perform forensics on the endpoint and across multiple different endpoints seamlessly.
Response that gives you the ability to contain and remediate endpoints remotely.
As you might have guessed, every EDR vendor will say they cover all three of these categories better than their competitors. Let’s play that game of 20 questions to understand how to find truth amidst the hype and noise:
1. How easy is your solution to deploy? Whether I have hundreds of thousands of endpoints within my enterprise or far fewer, I need a painless deployment process.
2. How easy is your solution to manage? With the number of agents I’m deploying, I can’t afford sloppy or immature management.
3. How easy is it to configure rulesets and tune the solution once deployed? Aside from the fact that threats are continually evolving, if there are activities that appear malicious elsewhere but are benign in my environment, I need a way to filter those out.
4. How easy is it to update your solution’s knowledge base or take advantage of the latest knowledge around attacker activity? If you can’t make it easy for me to operationalize what you’re selling me on, then your solution isn’t going to work for me.
5. What additional load on the endpoint does your agent introduce? I can’t impact business productivity
6. You want me to install yet another agent? I would be willing to do that if you articulate how you can consolidate functionality that I currently get from multiple different agents into one agent.
7. How does your solution integrate with my existing security infrastructure? I have a complex ecosystem of products deployed and yours needs to play nice with it.
8. Not all intrusions involve malware. What is your strategy to detect intrusions that use no malware at all?
9. Is your solution part of an overall platform, or is it just another point product that I need to figure out how to integrate into my operational workflow?
10. Does your solution leverage and facilitate correlation with other data? I have a lot of great data elsewhere in my enterprise. Do you know how to take full advantage of it to improve your efficacy?
11. Is your solution based on knowledge of attacker tactics, techniques, and procedures (TTPs)? If not, how do you identify that type of activity?
12. How does all the knowledge you’re selling me on make its way into the product to help me mitigate risk?
13. Do you really have behavioral analysis and machine learning built into your solution, or is it just signatures and rulesets behind the scenes?
14. Do you provide ability to remotely contain and remediate endpoints?
15. How efficient and powerful is your enterprisewide search? If I have an incident, or even if I don’t, I need to be able to slice and dice the data collected by my endpoint solution in an instant.
16. How effective is your solution in a real enterprise against binaries you’ve never seen before?
17. What is your true positive detection rate in the wild? Results from your lab don’t interest me here.
18. What percentage of events and alerts that you fire are false positives? Again, results from your lab don’t interest me here.
19. What is the upgrade path for your solution? It should be a smooth and straightforward transition from one version to the next.
20. How does your solution facilitate my information sharing initiatives?
It’s not surprising that the endpoint market is a hot one. Changing attacker behaviors, historical disappointment with legacy endpoint products, the move to the cloud and the resulting loss of network visibility all combine to make endpoints a more critical target than ever before. Playing a good game of 20 questions with prospective EDR vendors will lead you to an educated decision that meet the specific requirements of your organization.