Is Endpoint Detection and Response Important for Security Analytics?
EDR is important, but by itself, not enough.
By: Sheila Droski
Endpoint Detection and Response (EDR) is like a flight recorder for your endpoints. Most days it quietly listens and logs activity on the endpoint, but that data can be critical to security analytics if anything bad happens. EDR can answer important questions like:
- Is there an advanced threat actor present on my endpoints?
- Who are they and how did they get in?
- Which endpoints have been compromised and what was taken?
- How do I evict the threat actor and keep them from returning?
Endpoint security and visibility are important inputs to security analytics. With remote workforces, weak passwords and end-user error, the endpoint is often the easiest path to compromising an organization. Our incident response team observed ample evidence of this in the months after COVID-19 forced many businesses to go fully remote.
EDR telemetry is a rich source of data, but sifting through the benign noise to find potential threats while monitoring information from hundreds or thousands of endpoints isn’t easy to do manually. It requires a lot of time and skill, and frankly, looking through so much data can be tedious and probably isn’t the best use of limited in-house security resources. In the past we solved the problem of securing your endpoints on and off the corporate network by having an MSSP manage EDR tools.
While it’s clear EDR is important to security analytics, it isn’t all you need. Most organizations have some endpoints without any EDR software, and even endpoints that do have EDR can still miss cyberthreats without network and cloud telemetry to build a full picture. This is why an increasing number of organizations are replacing managed EDR with broader security analytics platforms such as Extended Detection and Response (XDR).
Let’s use Secureworks® Taegis™ XDR Detectors to illustrate what we’ve discussed so far. Detectors are security analytics playbooks designed to automatically identify specific threats in your environment. Many Detectors use correlated data from endpoint, network and cloud security tools. EDR contributes alerts and information on authentication activity, DNS, NetFlow, process execution, and file modification for your monitored endpoints. This information feeds several Detectors, including:
- Login Anomaly
- Stolen Credentials
- Suspicious DNS Activity
- Rare Program and Rare IP
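To make the idea of endpoint-fed detectors concrete, here is an added, self-contained toy in Python that is not Taegis XDR code and does not use its event schema. It runs three detectors modeled loosely on the names above (Rare Program, Rare IP, and Login Anomaly) over constructed EDR-style telemetry (process starts, NetFlow, authentication) from a small fleet, then correlates hits per host so that an endpoint with several weak signals is ranked above one with a single signal. The field names, thresholds, and internal address ranges are all assumptions chosen for the example.

```python
"""Toy rarity and login-anomaly detectors over EDR-style telemetry.

Illustration only: not Taegis XDR code. Event fields, thresholds and the
internal network list are assumptions; EVENTS is constructed sample data.
"""
from collections import Counter, defaultdict
import ipaddress

RARE_HOST_THRESHOLD = 1      # assumption: seen on <= this many hosts is "rare"
MIN_HOSTS_FOR_BASELINE = 3   # assumption: too small a fleet makes "rare" meaningless
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range

# Constructed telemetry from four workstations. ws-03 runs an unusual binary
# and talks to an IP nobody else does; alice logs in to ws-04 from outside.
EVENTS = [
    {"host": "ws-01", "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-02", "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-03", "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-04", "type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-03", "type": "process", "image": r"C:\Users\Public\update.exe"},
    {"host": "ws-01", "type": "netflow", "dst": "10.0.0.5", "port": 445},
    {"host": "ws-02", "type": "netflow", "dst": "10.0.0.5", "port": 445},
    {"host": "ws-03", "type": "netflow", "dst": "10.0.0.5", "port": 445},
    {"host": "ws-04", "type": "netflow", "dst": "10.0.0.5", "port": 445},
    {"host": "ws-03", "type": "netflow", "dst": "203.0.113.7", "port": 443},
    {"host": "ws-01", "type": "auth", "user": "alice", "src": "10.1.1.10"},
    {"host": "ws-01", "type": "auth", "user": "alice", "src": "10.1.1.10"},
    {"host": "ws-02", "type": "auth", "user": "bob", "src": "10.1.1.11"},
    {"host": "ws-02", "type": "auth", "user": "bob", "src": "10.1.1.11"},
    {"host": "ws-04", "type": "auth", "user": "alice", "src": "198.51.100.9"},
]


def fleet_size(events):
    """Number of distinct endpoints that reported anything."""
    return len({e["host"] for e in events})


def hosts_by_attribute(events, etype, key):
    """Map each distinct value of `key` (image path, destination IP, ...)
    to the set of hosts on which events of type `etype` carried it."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == etype:
            seen[e[key]].add(e["host"])
    return seen


def rare_values(events, etype, key):
    """Values seen on at most RARE_HOST_THRESHOLD hosts, or {} when the
    fleet is too small for prevalence to mean anything."""
    if fleet_size(events) < MIN_HOSTS_FOR_BASELINE:
        return {}
    return {v: hosts for v, hosts in hosts_by_attribute(events, etype, key).items()
            if len(hosts) <= RARE_HOST_THRESHOLD}


def rare_programs(events):
    """Rare Program: executables that almost no other endpoint runs."""
    return rare_values(events, "process", "image")


def rare_ips(events):
    """Rare IP: destinations that almost no other endpoint contacts."""
    return rare_values(events, "netflow", "dst")


def is_internal(ip_text):
    return any(ipaddress.ip_address(ip_text) in net for net in INTERNAL_NETS)


def login_anomalies(events):
    """Login Anomaly: a logon from a source the user has not established
    (fewer than two prior sightings) or from outside the internal ranges."""
    per_user = defaultdict(Counter)
    for e in events:
        if e["type"] == "auth":
            per_user[e["user"]][e["src"]] += 1
    hits = []
    for e in events:
        if e["type"] != "auth":
            continue
        established = {src for src, n in per_user[e["user"]].items() if n >= 2}
        if e["src"] not in established or not is_internal(e["src"]):
            hits.append(e)
    return hits


def correlate(events):
    """Group every detector hit by host so that an endpoint with several
    independent signals stands out; each host maps to a sorted list of reasons."""
    reasons = defaultdict(list)
    for image, hosts in rare_programs(events).items():
        for h in hosts:
            reasons[h].append(f"rare program {image}")
    for ip, hosts in rare_ips(events).items():
        for h in hosts:
            reasons[h].append(f"rare IP {ip}")
    for e in login_anomalies(events):
        reasons[e["host"]].append(f"login anomaly: {e['user']} from {e['src']}")
    return {h: sorted(r) for h, r in reasons.items()}


if __name__ == "__main__":
    for host, why in sorted(correlate(EVENTS).items(), key=lambda kv: -len(kv[1])):
        print(f"{host}: {len(why)} signal(s)")
        for line in why:
            print("   ", line)
```

Run as-is, the correlation ranks ws-03 first (an unusual binary plus an unusual destination) and ws-04 second (one external logon). The small-fleet guard in rare_values is the caveat a practitioner wants: prevalence-based detectors are only as good as the coverage behind them, which is exactly the gap that endpoints without an EDR agent open up.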
So, while Endpoint Detection and Response is an important input to security analytics, it shows only one part of the picture. The need to understand and harmonize activity across the whole environment is driving the move to SaaS solutions like Taegis XDR. Without that broader view, the chance of missing threats goes up.