Business IT

MSP security: 5 things you need to know about endpoint detection and response (EDR)

By Shane Cooper on May 20, 2021 11:05AM

It's clear cyber criminals are targeting Australian businesses.

The latest report by the Office of the Australian Information Commissioner (OAIC) reflected a five per cent increase in reported data breach notifications from the previous reporting period, with 58% of those notifications attributable to malicious or criminal attacks.

While Managed Service Providers (MSPs) are fighting the good fight, they also feel they must expand their security offerings beyond standard layers like firewalls, Active Directory protocols, DNS filtering and others. This can lead MSPs to chase the buzzwords and new acronyms floating around endpoint detection and response, or EDR, as they look for new solutions to help protect clients against modern threats.

The question is, what is EDR, and what can it do for MSPs and their clients? Here are five considerations for MSPs to keep top of mind when evaluating EDR solutions and tailoring them to fit various client needs.

1. All security tools with an endpoint agent are basically EDR.

The job of endpoint agents is to detect malicious code, scripts and files and then make a status determination on the fly. Agents tend to use methods like scanning file hashes and file content, as well as watching behaviors and other techniques to determine if a file is good or bad.

MSPs must really consider how the endpoint agent reports what it finds, which comes down to the EDR tool being used. Not all tools are created equal, and while many security tools claim they offer an EDR solution, their endpoint agents must add value to the MSP by determining the threat level and the action taken.

2. Understanding the EDR hype.

Simply having a security vendor who claims to support EDR isn’t enough. The top three reasons for going through the time and expense of implementing a comprehensive EDR solution are:

  • Cybersecurity Insurance: As the OAIC report shows, breaches and security incidents are on the rise, which also means that more and more businesses are investing in cybersecurity insurance. Many insurance providers require some form of EDR as part of their coverage.
  • Good Practice: Customers demand MSPs provide layers of protection. Extending security offerings by adding an EDR solution will provide some of those additional layers.
  • Managed Security Service Provider (MSSP): An increasing number of MSPs are expanding by providing cybersecurity services. With ever-increasing threats, MSPs can increase revenue and provide a greater security posture to their customers through an EDR solution.

3. Is the EDR information actionable?

Data is useless if MSPs can’t make decisions with it or act on it. Installing an agent is only half the equation, and gathering the information the agent generates into a suite or tool can be a daunting task.

If a solution provider has tools like alerts, reports or an API, these are the best place to start mining actionable insights. Too often, however, the tools are limited and need to be supplemented by a solution with higher performance or a faster response time.

One high-performance solution is to set up log gathering tools feeding into a single system. Once that’s in place, the next step is to create rules for sifting through millions of data points. Rules give human reviewers the power they need to make decisions about cyber threats.
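As an added illustration (not code from the article or from any EDR vendor), the sketch below applies three triage rules to agent events that have already been gathered into one place, so reviewers see only what needs a decision. The event fields (`verdict`, `action`, `acked`), the rule names and the thresholds are assumptions chosen for this example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line, as a central log store might
# hold them. Field names and values are assumptions, not any vendor's schema.
SAMPLE = """\
{"ts":"2021-05-20T09:00:00","host":"pc-01","verdict":"malicious","action":"quarantined","acked":false}
{"ts":"2021-05-20T09:05:00","host":"pc-02","verdict":"malicious","action":"none","acked":false}
{"ts":"2021-05-20T10:00:00","host":"pc-03","verdict":"suspicious","action":"none","acked":false}
{"ts":"2021-05-20T11:30:00","host":"pc-04","verdict":"suspicious","action":"none","acked":false}
{"ts":"2021-05-20T11:40:00","host":"pc-05","verdict":"malicious","action":"blocked","acked":true}
{"ts":"2021-05-20T11:45:00","host":"pc-05","verdict":"malicious","action":"blocked","acked":true}
{"ts":"2021-05-20T11:50:00","host":"pc-05","verdict":"malicious","action":"blocked","acked":true}
{"ts":"2021-05-20T11:55:00","host":"pc-06","verdict":"clean","action":"none","acked":true}
"""

def load_events(text):
    """Parse JSON lines and convert timestamps to datetime objects."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def triage(events, now, ack_limit=timedelta(hours=1), repeat_threshold=3):
    """Return sorted (priority, rule, host) findings for human review."""
    detections = [e for e in events if e["verdict"] != "clean"]
    findings = set()
    for e in detections:
        # Rule 1: the agent called it malicious but took no action.
        if e["verdict"] == "malicious" and e["action"] == "none":
            findings.add((1, "unremediated", e["host"]))
        # Rule 2: a suspicious verdict nobody acknowledged within the limit.
        if (e["verdict"] == "suspicious" and not e["acked"]
                and now - e["ts"] > ack_limit):
            findings.add((2, "stale-alert", e["host"]))
    # Rule 3: repeated detections on one host, even if each was remediated.
    for host, count in Counter(e["host"] for e in detections).items():
        if count >= repeat_threshold:
            findings.add((2, "repeat-detections", host))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2021, 5, 20, 12, 0)
    for priority, rule, host in triage(load_events(SAMPLE), now):
        print(f"P{priority} {rule:18} {host}")
```

Of the eight sample events, only three hosts reach the review queue; remediated one-off detections, recent alerts and clean verdicts are filtered out.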

4. It’s all about the response

Reporting and alerting are commonplace across security tools, but the level of response is a critical factor when evaluating an EDR solution. A security agent that provides minimal information for decision making is of limited use and often not worth the investment. Tools that provide a dashboard showing MSPs how the agent responded, and that let them review and compare threat data and approaches, are much more valuable.

Auto remediation is key to an effective response. If alerts go out and are not acted upon in a timely fashion, it could be too late. When security solutions make automated decisions as part of the response, security concerns are averted and the demands and requirements of an industry or customer are met.

Additionally, any solution with a comprehensive API gives MSPs the ability to integrate agent responses into dedicated threat review tools. APIs also provide additional information to help security personnel make informed decisions.

5. Next steps

Ticking an EDR box won’t contribute to client security. MSPs must do a comprehensive EDR evaluation to see how EDR fits into offered services, and then do the work to implement it. EDR on its own isn’t a solution. Doing it right requires teamwork, caution and planning.

MSPs should review existing solutions to see if they’re being used and optimized properly, and then evaluate the need for an EDR solution and the existing vendor landscape. From there it will be important to determine the effort needed to adopt EDR and plan accordingly. And if introduced, MSPs must deliver proper training so IT personnel can manage the EDR solution and respond to its findings.

Shane Cooper is Manager, Solutions Consulting, Webroot.

Copyright © BIT (Business IT). All rights reserved.