10 things to consider before buying an EDR solution

The market for EDR (Endpoint Detection and Response) solutions has grown rapidly in recent years, and industry experts predict that this trend will continue. Gartner predicts that more than 60% of enterprises will have replaced older antivirus products with combined EPP and EDR solutions by the end of 2025 [1].

The need for a holistic endpoint security solution is driven both by attacks becoming more frequent and sophisticated and by EDR solutions becoming more accessible to mid-market companies. EDR is no longer a solution only for large enterprises, as many cyber security vendors now offer affordable EDR (Endpoint Detection & Response) and EPP (Endpoint Protection Platform) combinations.

For a top-level overview of core EDR capabilities and why companies need an Endpoint Detection and Response solution, see our article 7 reasons why you need an EDR solution.

In this article we’ll outline 10 of the most important things to keep in mind and question your vendor about when buying an EDR solution. These apply whether your organization is looking to acquire this type of solution for the first time or is going through a regular benchmarking exercise or renewal process.

1. Integration with other security platforms

Making sure that whichever EDR solution you are considering is compatible with your current security systems is essential. Not only will this reduce workload and increase efficiency for your IT/security team, but in order to work effectively, EDR tools must integrate with the other security systems that track, orchestrate and execute actions to mitigate an attack.

Looking for a solution that offers API integration could be your best bet, especially if you’re already using a tool like a SIEM (security information and event management) system. That way the EDR solution can seamlessly feed its data into your existing systems.

2. Agent vs Agentless

The agent of an EDR solution is the software component that is installed on every endpoint. It is not strictly necessary, as an EDR solution can also be deployed passively on the network; however, this limits its functionality, because an agent installed directly on the endpoint can capture far more data on user activity. The agent also enables stronger intervention in the event that an endpoint is compromised.

The main advantages of agentless EDR solutions are that they are quick to deploy and can be used to monitor endpoints on which it is impossible or difficult to install an agent. However, because nothing is installed directly on the endpoint, the solution’s response cannot be as robust and its data gathering is also weaker.

3. Operating system support

This is linked to the previous point about endpoints on which an agent cannot be installed: one reason may be that their operating system is not supported by the EDR solution. Choosing a solution that is compatible with multiple operating systems limits this problem and is likely the better option.

However, almost all EDR solutions will have some operating systems they don’t support. If you have endpoints in your network running an operating system unsupported by your chosen EDR provider, agentless EDR is a good way to cover them.

4. Devices not covered

Similar to operating systems, some devices may not be supported by your chosen EDR solution. Most smartphones, including those running iOS and Android, are usually not covered by EDR tools, and IoT (internet of things) devices are also unlikely to be covered. Just as with operating systems, the best thing to do is ask your vendor what is not covered and work out how many of your endpoints this applies to.

5. Cloud support

It is important to know whether an EDR solution supports a cloud environment and to what extent. Even though several EDR tools are themselves cloud-based, they might not be able to protect systems running in the cloud.

Already 60% of the enterprise EDR market is delivered from the cloud (Gartner Innovation Insight for Cloud Endpoint Protection Platforms, April 2019). This doesn’t necessarily mean that the solution can protect all of your other cloud systems: EDR is often difficult to install in the cloud, and you may need additional protection for specific cloud applications.

6. System updates

The threat landscape is constantly evolving as attackers strive to breach security systems using new tactics, techniques, and procedures (TTPs), so any EDR system that is not regularly updated will be vulnerable to advanced threats and quickly become obsolete. Hence, to respond to threats effectively you need an EDR solution that receives frequent updates to its Indicators of Compromise (IoCs).

Additionally, it is worth considering how much of your IT security team’s time will be taken up managing and installing these updates and to what extent they can be automated.

7. Scalability

82% of organizations aspire to have an all-in-one solution for their IT/network security needs (F-Secure 2020 B2B Market Research). This may not be possible at present, but if you are among the 82% of organizations with this aspiration, it is worth speaking to your vendor and finding out what options your EDR system offers for adding new components and functionality in the future.

Furthermore, you should also consider how the solution will handle any increase in traffic, especially in the event of future growth and a rise in the number of remote devices.

8. Impact on endpoint performance

If you’re using an EDR solution that requires an agent to be installed on your endpoints then you need to know what resources it will occupy. Does this mean you will need to invest in better hardware to keep your endpoints’ performance at a reasonable level?

A reasonable level of CPU usage for an EDR solution is around 1%; if the agent regularly exceeds that, it is likely not well optimized. Memory usage can vary with the weight of the agent but shouldn’t exceed 50 MB. Your vendor should be able to show you performance data for systems similar to yours.

9. Customized threat detection models

Depending on the level of expertise you have in-house, you may want to design your own threat detection model, or at least tweak the preset one. EDR vendors will tell you that the presets are optimized for best performance, but all organizations are different and there is no default machine learning algorithm that is optimized for every possible situation.

10. Vendor support

This one really comes down to trust but there are certain indicators to look out for. What happens if your EDR solution is compromised? Will the vendor charge you for incident response services? There is a clear possibility for a conflict of interest here.

Make sure you understand in advance what level of support is available to you and what the expertise level of your account manager is. If you’re using a managed service provider, they are often in a good position to evaluate the relative levels of support available from different vendors, although bear in mind any incentives that may be present on their side of the transaction. Again, trust between all parties is the most important factor.

We hope this article proves useful to you in your hunt for the best EDR solution for your organization. And no matter which EDR solution you end up choosing, make sure it's tailored towards your organization’s needs.

In case you want to learn about our EDR solution, feel free to download the solution brief. And, if you would like to test our solution in a live environment, sign up for a commitment free 30-day trial.

F-Secure Elements Endpoint Detection and Response

Monitor your IT environment status and security, detect targeted attacks swiftly, and respond with contextual visibility and automation.

Reference

[1] Gartner, Competitive Landscape: Endpoint Protection Platforms, 18 Feb 2021.