EDR: an overview of visibility improvements and economic benefits

Endpoint Detection and Response (EDR) is one of the most talked about cybersecurity topics in the last few years; it is on the agenda of most security officers as one of the first improvements to embrace in their organization, if not yet done.

Why, though? What has made EDR the number one must-have security solution? Let’s have a look at the reasons why EDR tools are so important, which benefits they bring and what the ROI is, security wise, for your organization.

Recent evolution of the IT world

We have recently witnessed a revolution of the business and IT world as we used to know it. Over the past few years, most desktops have been replaced by laptops, working from home has become a must, and COVID-19 has greatly accelerated the transition. Furthermore, smartphones, tablets and wearable devices have entered the landscape of our daily job tasks, allowing us to always be connected. As work mobility has increased dramatically, security has followed suit and shifted its attention from monitoring network devices (switches, routers, firewalls, etc.) to these endpoints.

While this is already a major challenge, the future will most likely not put a stop to this transition. With the rise of 5G networks and future technologies (like 6G), our mobility will continue to reach new peaks, which will be accompanied by new security challenges. The continuously growing number of endpoints in our networks will take on a primary role in the cybersecurity landscape.

Increasing your endpoint visibility

The amount of data that we can collect from endpoints today is much larger than, for instance, the information available from more traditional network devices such as firewalls. Endpoints are also the first point of access for a broad range of attacks, which means that when an endpoint registers suspicious activity and triggers an alarm, we can detect an intrusion at its start. We can then promptly isolate the compromised device, which can significantly reduce the impact of an attack.

This is exactly what a good EDR tool helps to do. Enhanced visibility and advanced automation capabilities are the foundation for the future of endpoint protection and these features should be assessed first when choosing your tool.

It is often said that EDR has a lot in common with traditional antivirus software and, indeed, they are born from the same principle of protecting endpoints. However, EDR takes this concept further: it not only protects the device, but also gives a centralized overview of our entire endpoint environment. With this overview, it is much easier to identify any suspicious movement within our systems or networks. A good example is the detection of lateral movement and privilege escalation, together with the data it gives us to track and identify attackers’ footprints.

Various vendors are available, and you can find the latest Gartner Magic Quadrant for EDRs below. A new quadrant is expected to be published on the 20th of August. See useful links for more information.

Gartner Endpoint Protection Platforms Magic Quadrant

Return on Investment (ROI)

Now that we know which security improvements we obtain by using an EDR tool in our ecosystem, let’s move our attention to the financial aspect of this security upgrade.

Without a doubt, an EDR implementation implies a significant investment in terms of licensing fees and/or maintenance. Nothing is for free, right? Still, there are counterbalancing benefits that will save us time (and therefore money) in other security tasks. Automated response plays a critical role in this. There are three metrics where cost and time will be drastically reduced thanks to prompt detection and response through EDR.

Incident Response Time: detecting a breach takes 206 days on average, while containing it requires 73 days (see the Ponemon Institute research 2020 in useful links). Another interesting figure, as SANS reported, is that 62% of attacks could be solved in real-time, if instantly tackled. Can you imagine how the impact can be reduced, and how many man-days could be saved by automatically isolating a compromised device?

Disruption of Production and Loss of Data: when an endpoint is discovered to be breached, you necessarily have to switch it offline until system recovery is complete. Various factors come into play here: How long must a resource stay offline? How many resources are simultaneously offline? A breach can have a huge impact in terms of productivity: automation helps us in avoiding a severe outage by instantly reacting to suspicious activity, before too many resources are compromised.

Moreover, some EDR tools have the capability to isolate the machine so that it only interfaces with the EDR appliance. This prevents the loss of valuable information that could be gained from memory-based acquisition during a forensic investigation. Losing that information can have a heavy impact on production and on side recovery costs.

False positives: when monitoring your system, false positives are part of the game. You can set the right strategy to reduce them, but they will still heavily pollute your monitoring activity. In a scenario where you are using a SIEM tool to monitor your environment, log ingestion should ideally be reduced to lower costs, especially if the SIEM license pricing is based on data ingested or Events Per Second (EPS).

By automating the analysis of, and response to, false positives, security analysts will be able to better focus on what is really critical for your security. Reduction of time dedicated to the triage of false positives implies further cost reduction for data ingested and dedicated verification time.

Finally, as we already mentioned how close antivirus and EDR are, the latter usually includes several security capabilities of the former. This means that when moving to the new automated and centralized technology of EDR, in some cases we can drop the antivirus cost, which offsets part of the investment in EDR. However, this capability is not included in all EDR tools, and should thus be treated as a potential requirement when choosing the correct one.

To conclude

Given the ROIs discussed above, rapid detection and response on endpoints can save you money in the medium/long term. This is not only because some threats (like NotPetya ransomware) attack much faster than any manual remediation can contain, but also because of the business interruption, recovery cost and reputational damage that EDR will prevent.

Especially if combined with a SOC activity and threat hunting, EDR pushes security, visibility, and response performance to the next level.

How can NVISO help you?

Thanks to our expertise with several EDR products, we can help you find the right solution, considering your budget, your prioritized goals and your current assets.

Moreover, our holistic knowledge and deep experience in security can help you to fine-tune an environment in which an EDR coexists with other security assets, like a SIEM tool and threat hunting activity, so as to obtain the best from your efforts towards security.

Useful links

About the author

Alfredo is a Security Consultant in the Cyber Architecture and Cloud Security team at NVISO. His professional experience is a combination of law, business and cybersecurity, components of a balanced yet eclectic profile. You can find Alfredo on LinkedIn.
