This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.
As every security professional understands, securing and protecting servers, workstations, mobile devices, IoT devices, and anything else that may join an organization’s network is a full-time exercise in vigilance.
Security operations teams must also consider on-premises and offline environments, many locations, and the data that is continuously added through every endpoint.
A good solution for endpoint detection and response (EDR) support is invaluable in any Security Operations Center (SOC).
What should I look for in a good EDR solution?
There are two key areas for EDR: the solution architecture and the product capabilities.
EDR solution architecture consists of a server (or cloud) and agents that are installed on endpoints. The agents serve as information envoys between anything that happens on an organization’s network and their designated server or cloud.
EDR product capabilities should easily gather data from endpoints in real time, record all activity and actions from all users and endpoints on the network, alert security teams of threats, and provide reporting for investigative analysis. They should also be able to stop malicious activity by isolating files, breaking network connections, and containing any damage to minimal levels.
What should I expect from my EDR solution in the event of an attack?
A great EDR solution includes visibility, rapid response, and scalable threat-hunting capabilities, similar to those provided by VMware Carbon Black EDR.
Visibility must be comprehensive through real-time visualizations. Rapid response is just that: threats should be contained quickly and damage repaired and remediated. Finally, scalable threat hunting that incorporates automated watchlists and threat intelligence through machine learning is vital.
Good EDR solutions typically follow a well-known framework and best practices such as those defined by MITRE. MITRE ATT&CK provides a one-stop interactive matrix detailing adversary tactics and techniques, and it is a comprehensive reference for security professionals.
A solution is only as good as its usability, so look for something that is either familiar to your security team or a solution that can be installed with ease and managed through easy-to-understand training. An accelerated path to getting the full value of your solution can also include professional services.
Once we have an EDR solution, how can security teams learn to find threats?
To prepare for possible attacks, it’s important to rehearse real-time scenarios to be able to quickly recognize vulnerabilities in the case of a real attack. Threat-hunting simulations can help security professionals practice identifying threats, malicious code, and nefarious activity. Simulations can also be good team-building activities as security professionals collaborate to find threats in a gamified environment.
What are the common use cases for EDR?
- Centralized access, monitoring, and recording: visibility in the SOC as well as an archive for all recorded data to use in breach investigations
- Live response and remediation: a secure remote connection to kill processes and capture memory dumps, with remediation available remotely
- Attack visualization: good visualizations for teams to identify a root cause of an attack, identify attacker behavior, and close security gaps
- Automation: open application programming interfaces, or APIs, allow integration into an organization’s unique IT ecosystem and security stack
What is the role of user access and privilege management in EDR?
Because the great majority of breaches begin at an endpoint, managing user access should play a large role in any EDR implementation. A modern least-privilege policy maintains that users should only have access to the specific resources they need to complete required tasks, and it is imperative to EDR success.
This type of policy aligns with Zero Trust models and minimizes risk. In addition to a least-privilege policy, constant monitoring of end-user changes is necessary to adjust privileges and access according to each user's current role. Often overlooked, this last point is a common security gap and vulnerability that is easily remedied with enhanced vigilance and collaboration with people-management teams within an organization's IT environment.
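The privilege drift the paragraph above describes (a user changes role but keeps the groups from the old one) can be checked mechanically by comparing directory group memberships against a per-role entitlement model. The following is an added example, not code from VMware or this blog; the role names, group names, user records and the entitlement table are all constructed for illustration.

```python
"""Privilege-drift check: flag group memberships a user holds that the
current role does not entitle. Example code; the entitlement model,
role names and user records are constructed, not from any real system."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed entitlement model: the groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "analyst": {"soc-readonly", "vpn-users"},
    "admin": {"soc-readonly", "vpn-users", "edr-console-admin", "domain-admins"},
    "contractor": {"vpn-users"},
}

@dataclass
class User:
    name: str
    role: str                                   # role as recorded by the people/HR system
    groups: Set[str] = field(default_factory=set)  # groups as seen in the directory
    previous_role: Optional[str] = None         # set when HR reported a role change

def excess_privileges(user: User) -> Set[str]:
    """Groups the user holds beyond what the current role entitles.
    An unknown role entitles nothing, so every group is reported."""
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())
    return user.groups - allowed

def review(users: List[User]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, reason, extra_groups) for each user with drift.
    A user whose role changed and who kept old groups is reported as
    'stale-after-role-change'; any other over-entitlement as 'excess'."""
    findings = []
    for u in users:
        extra = excess_privileges(u)
        if not extra:
            continue
        reason = "stale-after-role-change" if u.previous_role else "excess"
        findings.append((u.name, reason, sorted(extra)))
    return findings

# Constructed sample: bob moved from admin to analyst but kept admin groups;
# carol is a contractor who was granted a group her role does not cover.
SAMPLE_USERS = [
    User("alice", "analyst", {"soc-readonly", "vpn-users"}),
    User("bob", "analyst",
         {"soc-readonly", "vpn-users", "edr-console-admin", "domain-admins"},
         previous_role="admin"),
    User("carol", "contractor", {"vpn-users", "soc-readonly"}),
]

if __name__ == "__main__":
    for name, reason, extra in review(SAMPLE_USERS):
        print(f"{name}: {reason}: {', '.join(extra)}")
```

Feeding the same check with an export from the directory and the HR system on a schedule turns the "constant monitoring" above into a repeatable review rather than a manual one.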
Learn more about identity and access management in a previous post in The Security Toolbox series.
What about open-source EDR tools available at no cost?
While there are multiple EDR solutions and resources available online as open source, their reliability and safety are currently unknown and untested. However, some of these open-source solutions have been developed or supported by established corporations and may provide an EDR option.
Learn more about security for your unique environment
Get the basics at-a-glance in this infographic. If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. You can also rehearse real-time scenarios and threat-hunting through our Cyber Defense Simulation service. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at SecurityPSInquiry@vmware.com to learn more.
For more support, read the other blogs in this series:
- The Security Toolbox: Building a SOC on a Budget – Learn about the common tools and methodologies for a security operations center
- The Security Toolbox: Meet Cybersecurity Mesh Architecture – Discover the promise of better security through the concept of CSMA
- The Security Toolbox: Slow the Risks of Attack Surface Expansion with AI – Read about the benefits of AI and machine learning for mitigating cyber risks
- The Security Toolbox: Facing the Real Business of Ransomware – Mitigating ransomware risks starts by understanding how cybercriminals operate and incorporating security best practices
- The Security Toolbox: Raising Preparedness with Wargaming – Learn how practice detecting and hunting threats in realistic scenarios raises security posture
- The Security Toolbox: Multi-Cloud Security Basics – Review the three basics for security within multi-cloud environments
- The Security Toolbox: Upskilling – Learn what to do to grow your career as a cybersecurity professional
- The Security Toolbox: Achieve Identity and Access Management Maturity – Review easy tips to get to IAM maturity within a Zero Trust environment