
Why Endpoint Detection and Response Is Not Enough

April 14th, 2021 by admin


A war cannot be won on one front with a single arsenal; you need a well-trained army, navy, and air force. Likewise, fending off criminal hackers requires a diverse pool of technologies, trained security experts, and tried and tested practices for the best results. That's why we partner with Arctic Wolf for full circle protection technologies.

Nevertheless, small and midsize enterprises (SMEs) are often forced to choose between tools and services that perform different functions. One of the more popular solutions they've settled on in the past few years, according to Gartner, is endpoint detection and response (EDR). While EDR is an important part of a security strategy, it isn't enough by itself.

Endpoint protection (EPP) focuses on preventing well-known attacks based on existing signatures. Firewalls, web filters, and application whitelisting and blacklisting identify known threats and stop them from executing. These tools are centrally managed and typically quick to deploy, making them convenient resources.

However, EPP solutions are not designed to detect unknown or zero-day attacks, and they provide no network visibility. So, for example, if an intrusion has already occurred, a hacker can exfiltrate critical data undetected. Likewise, keyloggers or entirely new forms of ransomware can communicate with command-and-control servers unbeknownst to anyone. In this way, EPP is necessary, but also very limited.

Unlike EPP, EDR enables customers to detect security incidents, investigate them, and even remediate them on endpoints. This provides a level of visibility into endpoints that EPP cannot; EDR solutions can detect unknown threats through forensics tools that detect anomalous behavior. So, while EPP holds down the fort against known threats, EDR identifies and interprets anything unusual living on an endpoint. There are caveats, though. First, EDR has blind spots: it cannot provide visibility into an endpoint that has no EDR agent installed. Second, EDR requires security staff trained in detection and response. This is feasible for most large enterprises, but not for many SMEs. Finally, EDR doesn't provide network visibility. Threats that sneak through can move laterally across the network and clandestinely talk to a remote C&C server uninhibited.

The complement to EDR's functionality is continuous network monitoring. While EDR provides endpoint visibility, network monitoring shows you what is actually happening on your network. Simply put, you need both. Heavily regulated industries also need data and application protection that can safeguard their crown jewels: the actual data hackers would seek to steal and then sell on the dark web.

Lastly, there's security information and event management (SIEM). This is the hub that aggregates flow logs from EDR and network monitoring together into a single management platform. The only downside is that this log data aggregation and correlation can take a long time to implement (6 to 12 months), and management and/or licensing is quite costly.
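As an added illustration (not code from the original post or from Arctic Wolf), the Python below correlates a constructed EDR agent inventory with constructed network flow logs the way a simple SIEM rule set might: it surfaces internal hosts seen on the wire that have no EDR agent (the blind spot noted above), repeated check-ins from one host to a single external endpoint, and lateral traffic originating from unmonitored hosts. All addresses, the internal address range, and the repeat threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample inputs (hypothetical, not from the original post).
# EDR agent inventory as a SIEM would ingest it: hosts that sent a heartbeat.
EDR_AGENT_HOSTS = {"10.0.1.10", "10.0.1.11"}

# Network monitoring flow records: (src_ip, dst_ip, dst_port, bytes_out).
FLOW_LOGS = [
    ("10.0.1.10", "10.0.1.5", 445, 12000),      # internal file share, agented host
    ("10.0.1.10", "203.0.113.7", 443, 800),     # single external HTTPS flow, agented host
    ("10.0.1.11", "198.51.100.9", 8443, 950),   # repeated flows to one external endpoint
    ("10.0.1.11", "198.51.100.9", 8443, 910),
    ("10.0.1.11", "198.51.100.9", 8443, 940),
    ("10.0.1.42", "198.51.100.9", 8443, 1500),  # host with NO agent: EDR blind spot
    ("10.0.1.42", "10.0.1.10", 445, 300),       # lateral traffic from the unmonitored host
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def unmonitored_hosts(flows, agent_hosts):
    """Internal hosts seen on the wire that the EDR inventory does not know about."""
    return sorted({src for src, _, _, _ in flows
                   if is_internal(src) and src not in agent_hosts})

def repeated_external_endpoints(flows, min_count=3):
    """(src, dst, port) to external addresses seen at least min_count times;
    a repeated check-in to one external endpoint deserves a second look."""
    counts = Counter((src, dst, port) for src, dst, port, _ in flows if not is_internal(dst))
    return {key: n for key, n in counts.items() if n >= min_count}

def lateral_from_unmonitored(flows, agent_hosts):
    """Internal-to-internal flows whose source has no EDR agent."""
    blind = set(unmonitored_hosts(flows, agent_hosts))
    return [(src, dst, port) for src, dst, port, _ in flows if src in blind and is_internal(dst)]

def correlate(flows, agent_hosts):
    """Combine the three checks into one finding list, as a SIEM rule set would."""
    findings = [("no_edr_agent", host) for host in unmonitored_hosts(flows, agent_hosts)]
    for (src, dst, port), n in repeated_external_endpoints(flows).items():
        findings.append(("repeated_external_endpoint", f"{src}->{dst}:{port} x{n}"))
    for src, dst, port in lateral_from_unmonitored(flows, agent_hosts):
        findings.append(("lateral_from_unmonitored_host", f"{src}->{dst}:{port}"))
    return findings

if __name__ == "__main__":
    for kind, detail in correlate(FLOW_LOGS, EDR_AGENT_HOSTS):
        print(f"{kind}: {detail}")
```

None of these findings is visible to an EDR agent alone; each needs the flow logs and the agent inventory side by side.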

In a recent webinar, Arctic Wolf's Senior Director of Product Marketing Narayan Makaram explained how managed detection and response (MDR) services help SMEs create the equivalent of a security operations center (SOC) at an affordable price with little-to-no security expertise in-house.

Specifically, MDR supplies log aggregation (SIEM), remote continuous monitoring, threat triaging, and incident response, as well as 24x7 access to a skilled security team. Organizations can continue to use their existing EPP, EDR, and data protection solutions, but MDR will aggregate those logs, continuously monitor them, triage events, and provide incident response guidance.

Learn how to scale up your managed detection and response today by requesting a network security evaluation!
