Threat intelligence

Who is actually overseeing your EDR?

The impact of third-parties on EDR

Navigating EDR options has become even more intricate since the juggernauts of the tech world entered the chat. But is bigger always better? That's just one question, and there are plenty more to think about.

We asked our industry experts about where and how EDR (endpoint detection and response) can strengthen their cybersecurity. This article offers some of those insights. You can view our discussions in the CyberShare Series one EDR here.

Ian Thornton-Trump, chief information security officer at Cyja: “We're in this weird situation now where businesses have a challenge of justifying going to another vendor, when the argument can be made that security technology exists in something that they already have.”

Since the move to cloud computing, the likes of Microsoft, Amazon, and Google have been adding security to their offerings. “Slowly, over time, Microsoft put more and more security into its operating system. While the cloud wars were going on about who was better, Windows started building a pretty credible security capability with something called Windows Defender, which has gone on to become a Windows ATP defender,” said Ian.

It doesn't seem likely that native cloud providers will ever have sole control of the market. There might be a Google house or an AWS house for certain parts of the business, but for cybersecurity the market is always likely to want best of breed. However, third parties have certainly changed the game.

On the question of EDR ownership, when it comes to fully understanding, detecting and responding to any situation, where does the responsibility actually lie: with the third parties, with the individual organisation, or with a combination of the two?

Goher Mohammad, head of information security at L&Q Group, highlighted that, where third parties are involved, there can be instances where monitoring your own tech estate becomes limited. He said: “If a third party is looking after it you can't always throw monitoring at it because the third party will say: 'I'm sorry you can't do that because we look after it,' or 'it's part of the bigger security estate and there are parts of that we can't give you access to.'”

Michael MacPherson, chief information security officer at Insurwave: “Historically we had multiple footprints like on-premises, cloud, and hybrid environments that we had to protect. Defence in depth was to have different products. Whereas people would be afraid to adopt a pure Amazon, Google, or Microsoft environment because they were told that you had to have defence in depth. Which meant you had to have one AV solution for this, you had to have solutions for your firewalls etc. Now, because we're all cloud adopted, we can put all our eggs in one basket.”

Is there a case for one EDR ecosystem?

The concept of working towards one EDR ecosystem would benefit from added intelligence. That intelligence comes from the businesses that feed telemetry into the ecosystem, forming a reinforced collective and therefore a combined strength.

Lee Rendell, senior pre-sales manager at Kaspersky UK: “What we're going to start seeing is more of an introduction of correlating the endpoint telemetry from an EDR solution, alongside network telemetry from a network analysis tool into one native engine, where the same vendor is across both areas correlating that data to provide a more complete vision of what's happening from a malicious or suspicious perspective across the network.”

Bronwyn Boyle, head of security and counter-fraud at OpenBanking, highlighted the pressure point, adding: “I think that a lot of organisations now are really under pressure to converge their tech stacks, simply, really lean down the operation cost rules and efficiency and move to native capabilities in those cloud providers wherever possible.”

“I think that by having a very clearly articulated USP that says, 'this will only get you so far, here's how we can overlay additional control', that narrative is really missing from a lot of old legacy technology right now. It would be very welcome,” she said.

Four checkpoints to help maximise EDR right now

While many businesses invest in the right tools, those tools are not always configured correctly, rendering them virtually useless. Here are four points to help maximise EDR now and for the future.

  1. Extra intelligence needs to be managed. While EDR can generate a lot of additional insight, it can also bring additional overhead in terms of effort. Having a strategy to manage EDR output, and to target responses at the most valuable pieces of information that EDR is surfacing for you, can really help to streamline the effort required to keep up with the vast benefits that EDR can deliver.
  2. It might sound painfully obvious, but make sure to lock out network access from countries where you have no remote workers and where it is illegal to trade (with known hostile countries, for example). This is the kind of checklist management that serves as a basic hygiene task. Simple but wise words from Ian: “If you see a terabyte of data going off to Finland – and you don't have any customers in Finland – then maybe that's a problem that needs to be stomped on right away.”
  3. Two-way accountability: hold the vendor accountable for promises made, and be responsible for alerting them to any changes in your business (such as digital transformations, and mergers and acquisitions). It might mean that a new piece of technology is required, additional training, or even switching on more functions.
  4. Be sure to update your EDR on the regular basis that the vendor suggests. New features and fixes for newly identified security issues, based on data the vendor has received from customers, could save you from an actor that is using the same technique to get onto an endpoint.
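To make checkpoint 2 and Ian's Finland example concrete, here is an added Python example (not code from the article or from any vendor mentioned) that totals outbound bytes per destination country from flow records and flags any country that is both outside a business allowlist and above a volume threshold. The flow records, the approved-country list and the 1 GiB threshold are all constructed assumptions for illustration.

```python
"""Flag large outbound volumes to countries where the business has no presence.

Added example for checkpoint 2: aggregate egress bytes per destination
country and alert on non-approved countries above a threshold.  All data
below is constructed; the country-per-flow mapping would normally come from
a firewall, proxy or NetFlow export enriched with GeoIP.
"""
from collections import defaultdict

# Constructed allowlist: countries where the business has staff or customers.
APPROVED_COUNTRIES = {"GB", "US", "IE"}

# Assumed threshold: alert once more than 1 GiB leaves for one non-approved
# country within the window the records cover.
EGRESS_THRESHOLD_BYTES = 1 * 1024 ** 3

# Constructed flow records: (source host, destination country, bytes out).
SAMPLE_FLOWS = [
    ("ws-0042", "GB", 5_000_000),
    ("ws-0042", "US", 120_000_000),
    ("srv-db-01", "FI", 800_000_000_000),   # ~745 GiB to Finland
    ("srv-db-01", "FI", 300_000_000_000),   # second transfer, same host
    ("ws-0017", "DE", 2_000_000),           # not approved, but tiny: no alert
]


def egress_by_country(flows):
    """Sum outbound bytes per destination country."""
    totals = defaultdict(int)
    for _host, country, nbytes in flows:
        totals[country] += nbytes
    return dict(totals)


def suspicious_egress(flows, approved=APPROVED_COUNTRIES,
                      threshold=EGRESS_THRESHOLD_BYTES):
    """Return {country: (total_bytes, sorted source hosts)} for every
    non-approved country whose total egress exceeds the threshold."""
    totals = egress_by_country(flows)
    hosts = defaultdict(set)
    for host, country, _nbytes in flows:
        hosts[country].add(host)
    return {c: (n, sorted(hosts[c])) for c, n in totals.items()
            if c not in approved and n > threshold}


if __name__ == "__main__":
    for country, (nbytes, hosts) in suspicious_egress(SAMPLE_FLOWS).items():
        print(f"ALERT: {nbytes / 1024 ** 3:.1f} GiB to {country} from {hosts}")
```

In practice the allowlist should be derived from where the business actually trades and where remote staff sit, and the threshold tuned to normal per-country traffic so that a single large transfer stands out.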

Well-placed and well-chosen EDR, combined with the right approach and analytics, can deliver a wider snapshot of the current state of a business than ever before. The main advancements in EDR are the capabilities to highlight profit opportunities and to guard against would-be perpetrators across all endpoints.

L&Q Group's Goher summed up the role that EDR plays for an organisation: “Security gives assurance. If you can give assurance to investors, customers and other relevant parties, your business grows – that's a win-win for everyone.”
