Thinking of adopting endpoint detection and response? Here are some pro tips
- 02 November, 2018 14:53
There are many elements that can complicate enterprise security efforts. From the increasing sophistication of cybercriminal strategies and activities to the wide range of components connected to the network, data protection and infrastructure security has become an uphill battle.
Another key factor to consider here is the array of different endpoints connected to and communicating through the network. Previously, administrators needed only concern themselves with on-premise desktop computers. But with the rise of BYOD and enterprise mobility, endpoint protection and associated data security has become much more complex.
What’s more, it’s not just endpoints that IT admins must worry about: any device that connects and leverages the corporate network should be a part of detection and response strategies.
Today, we take a closer look at detection and response, including from an endpoint perspective, and how organisations can utilize best practices to bridge internal gaps and better ensure that key assets and the overarching network are safeguarded.
What is endpoint detection and response? How does it work?
It’s important to begin with the basics. As Digital Guardian contributor Nate Lord explained, the concept of endpoint detection and response (EDR) first emerged in 2013 thanks to Gartner researcher Anton Chuvakin. He defined it as “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) [and] other problems on hosts/endpoints.”
In this way, detection and response focuses on the ability to identify potential threats and activity that can point to possible intrusions or attacks, and how to respond to these problems or dangers. While different tools will work in their own unique ways – and include different features and capabilities – endpoint protection and response includes a few key processes:
• Monitoring: The cornerstone of this process is continual monitoring of activities and events taking place within the network. This includes the integration and use of different endpoints, software platforms, hardware elements or digital environments.
• Recording events: Events taking place within the network, through the array of different endpoints are recorded into a central database.
• Analysis: The recorded events are then analysed for potential threats and intelligence that can be leveraged to inform protection strategies. Analysis may also include or inform other processes like the investigation of detected threats, reporting and associated alerting.
Considerations and best practices
Focus on endpoints as well as users
One of the weakest links involved with endpoint protection and response processes isn’t necessarily the endpoints themselves, but the users leveraging them. Enterprises can implement a variety of protection, detection, and response strategies, but these should be deployed upon a foundation of user education and awareness.
It’s imperative to include user training and awareness education with an organisation’s security posture. Users should be taught about the potential risks in the current threat environment and the possible impacts their actions can have on the business, its reputation, and its customers.
Consider building upon EDR with root cause analysis
Not only do enterprises want tools to guard against and identify potential threats, but when a security event does take place, they want to understand how it happened and how they can prevent it in the future.
EDR requires the right resources: part of a larger security posture
It’s also important for enterprises to understand that endpoint detection and response should not be undertaken as an ad hoc strategy, and should be incorporated into larger, overarching security considerations.
A failure to properly include endpoint security into the company’s main security program is a top error that many enterprises make.
A contributing factor to this is the fact that a robust endpoint detection and response strategy can be particularly resource- and operationally-intensive, and it requires the right expertise and tools. When you combine that with a global skills shortage in cybersecurity and the high level of skills needed to use the root cause tools, many customers can’t keep up with EDR.