Upskilling and education

by Mark Rowe

The secret ingredients to making EDR an effective tool for businesses in the fight against cyber crime are upskilling and education, writes Andy Bogdan, Head of UK Channel, at the cyber product company Kaspersky.

Before the pandemic pressed pause on much of our lives and forced us to retreat to the safety of our homes, staff limitations were cited as the primary reason why 61 per cent of businesses had not already adopted Endpoint Detection and Response (EDR) solutions. Essentially, the skillsets of employees could not match the sophistication of the tool well enough to leverage it to its full potential. But now, as we continue to live amid the pandemic, research has found that nearly three-quarters (73 per cent) of workers have not received any additional IT security awareness training – despite a mass migration to home-working and a panicked change of mind towards EDR adoption.

So, what changed? In part, the accelerated transition to remote working and the desperate need to protect a dispersed device network backed enterprises into a corner. Businesses naturally felt obliged to take action, and to discard their previous concerns about readiness.

At first glance, this is an understandable defence plan. By the middle of 2020, sensors had already recorded more than 726 million cyberattacks launched on online resources, as IT teams struggled to secure their now-at-home endpoints from malware. And with flexible working set to continue well into the future, IT teams must increase the safety of their workspaces.

EDR naturally seemed to be the solution to many businesses’ security flaws, its usefulness reaffirmed after earlier claims that it was outdated. EDR is now finding favour over traditional anti-virus solutions, and can indeed play its part in mitigating the challenges exposed by the turbulence of a year in lockdown. However, the focus now should be on ensuring that it is strategically embedded into a managed, licensed and already hardened IT environment – and not just adopted as a silver bullet for cyber defence.

It is the rush towards EDR as an all-encompassing white knight that has exposed the knowledge gap that exists in many organisations. Businesses needed a solution, and have often failed to analyse their wider digital infrastructure before leaping to its adoption.

This chain of events has been exacerbated in part by an additional, worrying trend in which next-generation firewall vendors are pushing EDR into organisations after acquiring more universal endpoint solutions. Firewall vendors are impacting the Endpoint Protection Platform (EPP) market through the acquisition of EDR companies that strengthen their offering, but that lack the comprehensiveness of full EPP solutions. Instead of being deployed as part of a multi-layered EPP product, EDR as a standalone function is therefore generating alerts that then depend on behavioural detection and manual analysis. This potentially leads to an increase in false positives, and a decrease in employee productivity as workers strive to filter the urgent threats from a deluge of detected warnings.

It means that, instead of acquiring a solution to their device dispersion predicament, IT teams are facing more alerts than ever, at an already stressful time, without the requisite guidance and internal skillset to benefit from their investment.

Features that standalone EDR lacks, such as device and application hardening, are must-haves in order to overcome the current IT skills gaps within organisations. Increased efficiency and a reduction of business threat exposure must top the list of priorities, and EDR can help, but only if it is integrated into a wider established infrastructure.

“EDR solutions are not the solution to organisational security. However, they form a valuable and indispensable layer that wards off the worst that cybercriminals and APT actors have to throw at an organisation with exposed services and endpoints that surf the internet every day,” explains Ian Thornton-Trump, CISO at threat intelligence company Cyjax. “Without the prerequisites in place, the EDR that some organisations experience will be sub-optimal, with a plethora of false positives as AI mistakes poorly-managed IT environments as compromised.”

Thornton-Trump explains that, when misapplied, EDR can have significant operational impacts and can disable core functions. However, this is not to say that it does not have a place at the table. He adds: “On the whole, EDR is effective in preventing ransomware and especially detecting and preventing ‘living off the land’ lateral movement. Organisations still have to realise that technology from three or five years ago is not advanced enough to deal with modern malware. Investment in security technologies like EDR is required because, in technology, ‘good’ becomes ‘poor’ very quickly as cyber-criminals sprint to new capabilities monthly.”

This is why education, training and filling the skills gap are so critical for businesses, especially as many will continue to work flexibly in the future. It is not that EDR is not relevant; it is just that it is not a standalone solver of all IT security problems.

It is critical for businesses to enter into discussions that put what they actually need at the centre. More often than not, what they will find they need is a solution built around, or integrated with, skills development, so that the solution does not get lost in the dark and employees understand how to properly implement it in their systems. By entering into these conversations, companies can offset the vendor concern and their own dispersed network challenges simultaneously. In many cases, what they will end up with is education and protection, courtesy of dedicated solutions that provide awareness training as well as the EDR product itself.

Managed Detection and Response (MDR) solutions are also an option frequently overlooked by businesses that already have a solution in place. As the name suggests, the same level of detection and response is achieved, only with additional managed assistance from the vendor. This vendor assistance can provide invaluable insight into where the threat is, and how it can be resolved. The resulting mix of automated and guided response extracts the best out of EDR in situations where internal skillsets cannot. Ultimately, upskilling a workforce, combined with better protection, can convert EDR from an outdated, misused piece of software into a critical tool in a business’s arsenal.

© 2024 Professional Security Magazine. All rights reserved.