Virtualization Technology News and Information
How to choose an EDR solution that suits your organization's needs

By Matthew Courchesne, Kaspersky North America

Cyberattacks targeting small and medium enterprises (SMEs) are becoming more sophisticated, meaning they cannot be easily prevented by traditional endpoint protection mechanisms. In such cases, timely incident detection is essential to minimizing any potential negative impact. However, this challenging task cannot be accomplished without enhanced endpoint visibility, the ability to explore suspicious activities, and an understanding of how attacks are executed.

From our experience, SMEs understand that they need to improve their security capabilities, and they usually contact sales representatives to enquire about the products that best fit their needs. However, for an organization whose IT department is also responsible for cybersecurity, translating this intention into practice can be challenging, as they simply don't know where to start.

It may seem that the ideal plan is to buy a solution that combines all the high-profile features at once, but are there drawbacks to this approach? Will organizations be able to sift through all the data and events that modern Endpoint Detection and Response (EDR) solutions provide, as well as be able to distinguish between false alerts and real threats?

Serious functionality involves big investments - and it's not only about money

A recent report shows that, on average, the share of spending on information security equates to around a quarter of an entire IT budget. Spending on cybersecurity in organizations with 50-999 employees is estimated at $267,000, while their counterparts with more than 1,000 employees spend $18.9 million on average. As such, a solution intended for enterprise customers will likely not suit smaller businesses' budgets.

Moreover, required investments are not only monetary. Enterprise-grade products may be difficult to install and integrate with existing security solutions. In an enterprise with a large IT security department, some staff can devote their time to this task; however, it can be an issue for smaller companies as fewer employees are responsible for maintaining the whole infrastructure.

Don't use a sledgehammer to crack a nut

Of course, all these efforts are worthwhile when a new security solution benefits the company's level of protection. But even if an SME manages to secure a budget and implement an enterprise-grade solution, without sufficient expertise in information security, it will be difficult to fully leverage the scope of functionality.

First, the advanced functions may simply be irrelevant to their particular requests. For example, if a previously unknown suspicious object is detected, some organizations that are not very mature in cybersecurity just need to know whether it is malicious and needs blocking. Others need a full picture of the object's actions and background for a deep investigation. It is important to understand what an organization's requirements are and what its existing team can work with. Depending on those needs, a company can decide whether it is ready to purchase.

In addition, products that were created for security analysts are not appropriate for a "set-and-forget" approach. For example, a feature-rich EDR solution requires a team of expert analysts capable of tuning the detection logic and creating new rules to continuously improve detection levels. Without such specialists, the solution's ability to proactively search for indicators of intrusion will not be useful.

It is common in SMEs for a system administrator to manage the endpoint protection solution. But even an EDR solution that provides only essential capabilities requires an employee with basic cybersecurity knowledge. Of course, hiring a full team of threat hunters or advanced security analysts at once is hardly feasible, as such professionals are highly paid and quite rare to find. Therefore, it is worth starting with one employee who has knowledge of information security. Combined with an understanding of the IT landscape, this allows for validating alerts and eliminating threats while taking into account the risks of the response actions themselves, such as isolating a particular workstation or server, or stopping a critical business process.

The bottom line

When EDR becomes shelfware rather than an effectively used solution, it is not just a waste of an SME's budget. Such a failure at the very beginning of implementation can discourage company leaders from developing cybersecurity initiatives in general: if they do not see a benefit, why should the business invest in other security products?

Therefore, an organization should first decide if it is ready to hire an employee who is responsible for information security issues. If not, the most effective option will be to ask for help from external incident detection and response professionals.

For those businesses that decide to develop this capability internally, it is essential to find a beneficial solution without making substantial investments in additional resources - both monetary and human. To avoid any of the above pitfalls, we recommend paying attention to the following guidance:

  • To provide visibility without 'blind spots' and centralized response features, EDR needs to be integrated with an Endpoint Protection Platform (EPP). Enhancing cybersecurity capabilities should be a step-by-step evolution. Once a company can detect a malicious object with an endpoint protection solution, it can extend the existing technology with the ability to understand where the object came from and to search for the same threat on other workstations.
  • If an EDR solution can be smoothly integrated with existing endpoint security solutions in a centralized way, it cuts the time required for deployment. So, before purchasing a product, ask whether it supports turnkey integration with your EPP.
  • If you have a limited number of staff responsible for security, make sure your chosen EDR solution provides good visibility and automation but doesn't overwhelm a specialist with irrelevant information. All incident information should be readily available from a single console, and the path of the attack's spread should be visualized to simplify threat analysis. Automated search for Indicators of Compromise and built-in incident response features will speed up the work and increase staff productivity.


About the Author

Matthew Courchesne, Head of SMB and Channel Sales, Kaspersky North America

As head of SMB and channel, Kaspersky North America, Matthew Courchesne is responsible for leading SMB and channel sales programs across the U.S. He is accountable for growing the company's partner community and for leading a team of sales professionals to increase market share in the corporate sector.

Matthew brings more than a decade of sales and management experience in the computer software industry to the company. Prior to joining Kaspersky in 2018, Matt held sales management roles at SmartBear Software, Quick Base, and PC Connection, Inc.

Published Wednesday, September 09, 2020 10:22 AM by David Marshall