Beyond prevention. How and when to use endpoint detection and response
Today's cyber-security leaders are struggling with the burden of widening attack surfaces from the ever-growing number of endpoints in their networks. Organisations are limited by time, resources and budget whilst trying to keep their networks current in order to combat the ever-changing threat landscape.

This is why managed Endpoint Detection and Response (EDR) is so valuable: it empowers organisations to cost-effectively find and isolate compromised endpoints before any real damage is done.

It gives Chief Information Security Officers (CISOs) visibility into the most vulnerable targets, such as PCs, mobile devices and Point of Sale (POS) terminals. Cyber-criminals are becoming increasingly sophisticated in their attacks. They choose endpoint devices to establish a beachhead from which to gain access to more valuable assets such as databases and servers.

Endpoints are preferred targets for attackers because they're numerous, generally full of software vulnerabilities, and prone to human error. It's for those reasons that endpoints can undermine a solid corporate security strategy. Once attackers take control of endpoints, they can easily move laterally throughout a network, launching attacks and compromising critical information assets that reside throughout the enterprise.

What is endpoint detection and response?

The US Commerce Department's National Institute of Standards and Technology (NIST) Cyber-security Framework suggests that an effective security programme should follow a methodology that includes not just prevention capabilities, but also detection and response. This is because nowadays, attackers can easily bypass the prevention controls put in place.

That's why detection and response capabilities are an important addition to a robust cyber-security strategy, to identify and stop attacks before serious damage is done. EDR is an emerging technology that leverages tamper-resistant endpoint agents that capture and record core system activity (process launches, command lines, network connections) and analyse it for suspicious behaviour indicative of malware or an attacker.

When an attacker is identified, the endpoint can be quarantined to block the attack until remediation can be carried out.
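The capture-analyse-quarantine loop described above, as an added example that is not code from the original article or from any EDR vendor: endpoint telemetry records are grouped per host, a small set of behavioural rules is applied in time order, and the per-host score is turned into an action (clear, investigate, or isolate). The telemetry, the rule set and the weights are all constructed for illustration; a real product ships far larger rule libraries and tunes thresholds to the environment.

```python
"""Toy EDR analysis pipeline (illustrative, not a product's code):
ingest endpoint telemetry, apply behavioural rules per host, decide who to quarantine."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str          # endpoint that reported the event
    ts: int            # seconds since start of capture (constructed clock)
    kind: str          # "process" (a process started) or "network" (outbound connection)
    process: str       # image name of the acting process
    parent: str = ""   # parent image name, for process events
    cmdline: str = ""  # command line, for process events
    dest: str = ""     # destination host:port, for network events


# Assumed rule inputs; the sets are deliberately small.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def rule_office_spawns_shell(ev, history):
    """A document viewer launching a command shell is rarely legitimate."""
    return ev.kind == "process" and ev.parent in OFFICE_APPS and ev.process in SHELLS


def rule_shell_hidden_window(ev, history):
    """A shell started with a flag that hides its window from the user."""
    return (ev.kind == "process" and ev.process in SHELLS
            and "-windowstyle hidden" in ev.cmdline.lower())


def rule_shell_network_after_start(ev, history):
    """A shell started within the last 60 s on this host opening an outbound connection."""
    if ev.kind != "network" or ev.process not in SHELLS:
        return False
    return any(h.kind == "process" and h.process == ev.process and ev.ts - h.ts <= 60
               for h in history)


# (name, weight, check); weights are assumptions chosen for the example
RULES = [
    ("office_spawns_shell", 2, rule_office_spawns_shell),
    ("shell_hidden_window", 1, rule_shell_hidden_window),
    ("shell_network_after_start", 2, rule_shell_network_after_start),
]


def analyse(events, isolate_at=3):
    """Return {host: {"score": int, "findings": [(ts, rule)], "action": str}}.

    Rules see each event together with the host's earlier events, so they can
    correlate across time (e.g. a shell launch followed by a connection)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        by_host[ev.host].append(ev)

    report = {}
    for host, evs in by_host.items():
        score, findings, history = 0, [], []
        for ev in evs:
            for name, weight, check in RULES:
                if check(ev, history):
                    score += weight
                    findings.append((ev.ts, name))
            history.append(ev)
        if score >= isolate_at:
            action = "isolate"          # quarantine the endpoint from the network
        elif score:
            action = "investigate"      # hand to an analyst / threat hunter
        else:
            action = "clear"
        report[host] = {"score": score, "findings": findings, "action": action}
    return report


def hosts_to_isolate(report):
    """Hosts whose score crossed the quarantine threshold, for the response step."""
    return sorted(h for h, r in report.items() if r["action"] == "isolate")


# Constructed telemetry for three workstations; not captured from any real system.
SAMPLE = [
    Event("ws-01", 0, "process", "winword.exe", parent="explorer.exe", cmdline="winword.exe report.docx"),
    Event("ws-01", 5, "process", "powershell.exe", parent="winword.exe",
          cmdline="powershell.exe -WindowStyle Hidden -File x.ps1"),
    Event("ws-01", 20, "network", "powershell.exe", dest="203.0.113.7:443"),
    Event("ws-02", 0, "process", "excel.exe", parent="explorer.exe", cmdline="excel.exe budget.xlsx"),
    Event("ws-02", 3, "network", "excel.exe", dest="198.51.100.20:443"),
    Event("ws-03", 0, "process", "powershell.exe", parent="explorer.exe", cmdline="powershell.exe -File backup.ps1"),
    Event("ws-03", 10, "network", "powershell.exe", dest="192.0.2.5:445"),
]

if __name__ == "__main__":
    for host, r in analyse(SAMPLE).items():
        print(host, r["action"], r["score"], [n for _, n in r["findings"]])
    print("isolate:", hosts_to_isolate(analyse(SAMPLE)))
```

Running it marks ws-01 for isolation (document viewer spawned a hidden shell that then called out), leaves ws-02 clear, and flags ws-03 only for investigation: an administrator's PowerShell backup script also triggers the shell-then-network rule, which is why a weighted score rather than any single rule drives the quarantine decision.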

While many global companies are adopting EDR, it is often out of reach of many mid-sized organisations, requiring significant capital investment, sophisticated management processes and hard-to-find security expertise to manage the technology.

In reality, looking at an EDR solution that is fully managed can remove these adoption barriers. Fully managed EDR services are more affordable for the mid-sized enterprise, as they are based on a consumption-based pricing model.

There is only so much that resource-restricted internal security organisations can handle on their own – and it may not be enough to effectively detect and defend against attackers.

Why managed security is the optimum approach

That position is bolstered by what we now know about the growing use of security outsourcing services:

  • Close to three-quarters of respondents in a recent Forrester survey indicated they relied on third parties for 20 to 80 percent of their security, with those relying most heavily on outside help planning to increase their use of external vendors.
  • In a survey conducted last year by CIO, CSO and Computerworld, 56 percent of the respondents said that their organisations are enlisting outside consultants to help with information security strategy, and 40 percent said they're turning to MSSPs.
  • Computer Economics IT Outsourcing Statistics 2016/2017 study shows that IT security outsourcing is increasing at the fastest rate of all outsourced functions and that no organisation already engaged in security outsourcing reported plans to decrease usage. IT security also ranked among the top three outsourcing functions with the greatest potential for improving service.

Many organisations are changing strategies from primarily threat prevention to rapid threat detection and response, which requires another skill set and solutions. IT departments are responding to this need for a wide variety of specialised skills by outsourcing more.

It can be challenging to find the right EDR solution for your business, but start by looking for EDR solutions that are part of a wider suite of detection and response security tools that can take advantage of state-of-the-art machine-learning-enabled security analytics technology.

If you do opt to work with a managed security services provider, look at providers that can provide pricing which includes 24/7 continuous EDR alert monitoring and response, as well as bundled monthly “Threat Hunting” hours – the process of proactively searching for advanced threats – for highly proactive threat defence. Not only this, work with providers that have well-defined process integration between their own Security Operations Centres (SOC) and your own security teams to ensure optimal security outcomes.

Hackers continue to find new paths to get past prevention-only tools via cloud services, mobile devices, and even business partner emails. Organisations need to consider adding EDR to ensure their security efforts are not futile.

Contributed by Nicolas Capitoni, director for southern Europe, Masergy Communications

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.