ENDPOINT DETECTION & RESPONSE Buyer’s Guide


15 QUESTIONS YOU NEED TO ANSWER

Introduction

Endpoint Detection and Response (EDR) tools enable organizations to address the increased complexity and frequency of attacks by providing unparalleled visibility and detection across their endpoints.

Red Canary's technical team keeps constant tabs on the EDR market, evaluates new technology, and has guided hundreds of organizations through successful EDR evaluations and implementations. This guide is a byproduct of the ongoing evaluations we conduct with EDR agents.

Identifying the right EDR product for your organization requires a complete understanding of:

- Your business needs, technical requirements, and internal capabilities
- The potential impact an EDR product will have on your organization and security operations
- Key variables you should use to help you differentiate between EDR products

This guide highlights fifteen questions every security team needs to answer before investing in an EDR product.

THE GROWTH OF EDR

The adoption of EDR tools has rapidly increased over the past several years and is quickly becoming one of the core components of a modern security operation.

50%: Over half of enterprise information security budgets will be spent on rapid detection and response approaches by 2020*
3x: The number of organizations using an EDR tool is expected to triple over the next 5 years*
#2: Detection and response is the second highest area of operational spending (SANS, February 2016)

* As estimated by a leading market research firm

About the Authors

MICHAEL HAAG (@M_haggis)
Director of Advanced Threat Detection & Research

As an advanced expert on Red Canary's technical team, Michael works side-by-side with security professionals to help them assess EDR deployments. Prior to Red Canary, Michael architected the security program at Danaher Corporation, a Fortune 150 company with more than 60,000 endpoints. He has extensive experience evaluating and purchasing EDR products, integrating them into security programs, and managing day-to-day tuning and operations.

What he likes most about his job: "I help companies eradicate evil."

JOE MOLES (@FlyingMonkey127)
Lead Detection & Response Operations

An IR and digital forensics specialist, Joe has more than a decade of experience running security operations and e-discovery. He has worked with most of the industry's leading forensics tools over the course of his career. Joe is passionate about finding the best way to combine technology, intuition, and process to detect threats, respond to attacks, and roll back the tape to identify root cause.

What he likes most about his job: "I get to work on the leading edge of security, supporting organizations all over the world."

KEITH MCCAMMON (@kwm)
Chief Security Officer

Keith leads Red Canary's security organization and is responsible for the company's security strategy, operations, and innovative threat detection approach. He has almost two decades of technology experience, much of it focused on identifying and solving complex problems related to information security and risk, as well as hands-on experience in offensive security operations.

What he likes most about his job: "Helping customers improve their security, and ultimately making their businesses more successful."

TABLE OF CONTENTS: 15 QUESTIONS YOU NEED TO ANSWER

The Most Important Question
1. Why are you investing in an EDR program?

The Business Case
2. What level of expertise and time commitment is needed to use the solution?
3. What additional infrastructure is required?
4. What is the business impact of deploying the solution?
5. Can the EDR solution replace existing endpoint security investments?

Technical Performance
6. What platforms and operating systems does the solution support?
7. What level of visibility does the solution provide?
8. Does the solution include the ability to prevent threats?
9. How does the solution detect threats to your organization?
10. What response capabilities does the solution offer?
11. What types of reporting are available?

Living With It
12. Does the solution integrate with other security and enterprise tools?
13. What is the impact to your endpoints?
14. What security controls does the solution use to protect itself from attackers?
15. What support does the vendor offer?

The Most Important Question

1. Why are you investing in an EDR program?

There are many reasons to invest in an EDR program. Understanding your goals is a critical first step to narrowing the field of potential EDR solutions. Once that is out of the way, you can move on to evaluate the business case, technical performance, support, and vendor requirements.

USE THIS WORKSHEET TO RANK YOUR TEAM'S CONCERNS (rate each problem High / Medium / Low):

- Existing endpoint security products (AV, NGAV, HIPS, EPP, etc.) are failing to stop an increasing number of threats
- Your team has little visibility into what is happening on your endpoints
- You have good tools and processes in place, but are concerned that threats are still slipping through on your endpoints
- Frequent incident analysis and response costs are distracting your team from focusing on the right priorities
- Your team does not have the capacity or expertise to build the solutions needed to respond to increasingly sophisticated threats
- Compliance requirements or large fines are mandating the use of continuous monitoring and threat detection
- Leadership is focused on preventing a public breach and the associated costs, negative headlines, and brand damage

The Business Case

2. What level of expertise and time commitment is needed to use the solution?

It is important to remember that an EDR product alone does not give your organization an EDR capability. Well-trained security professionals and sound processes are needed to maximize your EDR investment and truly improve your security. Without the right team and time commitment, EDR products can amass data and alerts, increasing costs and fatiguing analysts.

DEVELOPING AN EDR CAPABILITY REQUIRES A VARIETY OF DISCIPLINES:

- Security Research: Continuous curation and development of sources of intelligence, detection techniques, and behavioral patterns to accurately identify threats
- Security Engineering: Integrating the EDR product into other parts of your security infrastructure, including SIEMs, ticket tracking systems, or other threat intelligence sources
- Security Operations: Workflow definition and execution for detection, investigation, and response across your organization
- Security Analysis and Incident Response: Triage and investigation of the hundreds to tens of thousands of potentially threatening events identified by the EDR product
- IT Operations: Managing and maintaining hardware and software for EDR products and their deployment across your organization
- Threat Hunting: Hunting for potentially threatening activity not identified by the EDR product's detection capabilities

Consider a managed solution if your team does not have at least one full-time employee to triage, investigate, and respond to alerts detected by an EDR product.

MANAGED EDR: TWO APPROACHES

A growing number of managed security providers are now offering EDR solutions. It is important to understand what is included with the managed offering, as there are drastically different managed EDR solutions.

Managed Detection and Response (MDR): Often a custom-built detection and response service, MDR leverages EDR products alongside the vendor's security operations team. They deliver the detection and response capability you would otherwise need to build internally. Core functions include:

- Threat detection based on continuous monitoring and analysis of your endpoints, users, and network activity in search of suspicious behaviors, patterns, and signatures
- A threat research team and security operations center to triage and investigate potential threats, identify the true threats, and eliminate the burden of false positives
- Empowered response based on an alert to your team with detailed and actionable context; feedback and reporting
- Infrastructure management

Managed Security Service Provider (MSSP): The traditional managed security provider is known for managing dozens of different product categories and sometimes hundreds of products. When talking with an MSSP, make sure to understand what "managed" means. Most often it means:

- Management: Ensuring the product is operating correctly, including any hardware and software
- Monitoring: Reviewing any alerts generated by the product, performing some level of analysis, and forwarding along to your internal team

15%: The percentage of midsize and enterprise organizations using services like MDR will grow to 15% by 2020, up from less than 1% today*

* Gartner, Market Guide for Managed Detection and Response

Download a related resource: MSSP vs MDR: 8 Common Questions and Answers

3. What additional infrastructure is required?

When evaluating the total cost of ownership of an EDR solution, ensure you include the costs of hardware, software, and time required by the product. Will you need to procure and manage hardware to support the solution? EDR products generally come in three deployment flavors: on premise, appliance, and cloud. Refer to the chart below, which outlines infrastructure requirements based on deployment type.

THREE DEPLOYMENT FLAVORS

1. On Premise
2. Appliance
3. Cloud

BUYER BEWARE OF "HUNDREDS OF THOUSANDS OF ENDPOINTS PER SERVER!"

Over the years, certain endpoint vendors have used claims of scalability that were 10x that of their peers. It is important to inspect these claims with a critical eye. Many times, it is simple to deliver 10x the scalability per server by simply collecting 10x less data than is essential for your detection and response. Ask what telemetry (process, network, file, registry, module loads) is collected at the advertised density before comparing endpoints-per-server figures.

UNDERSTAND THE INFRASTRUCTURE REQUIREMENTS BASED ON DEPLOYMENT:

Hardware & Infrastructure
  On Premise: Procured by you, provisioned by your IT organization
  Appliance: Delivered by the vendor, installed on your premises
  Cloud: Provisioned by the vendor in their cloud

Product Maintenance
  On Premise: Your responsibility
  Appliance: Often performed by the vendor
  Cloud: Continually performed by the vendor

Upgrade Frequency
  On Premise: Generally quarterly or annually
  Appliance: Generally quarterly or annually
  Cloud: Continually or quarterly, depending on the vendor

Reliability
  On Premise: Dependent on your hardware and configuration
  Appliance: Based on quality of the delivered appliance
  Cloud: Generally highest due to maturity and SLAs

Scalability
  On Premise: Dependent on hardware and configuration. Generally requires additional or expanded hardware as you grow
  Appliance: Dependent on hardware and configuration. Almost always requires additional appliances as you grow
  Cloud: Elastically grows with your business

Security
  On Premise: Dependent on your internal security measures
  Appliance: Dependent on both your internal security measures and the vendor's security controls
  Cloud: Dependent on the vendor's controls and security

4. What is the business impact of deploying the solution?

EDR solutions should be easily deployed to your endpoints using any native or third-party deployment utility. Solutions that require a reboot of the endpoint can have major business impacts and require greater organizational coordination.

If you are concerned about operational impact or want to verify a vendor's claims, consider an evaluation of the agent on each of your standard endpoint configurations.

USE THE FOLLOWING WORKSHEET TO EVALUATE BUSINESS IMPACT DURING VENDOR CONVERSATIONS (business impact: common answers):

- Deployment to Windows endpoints: SCCM, GPO, Altiris
- Deployment to Linux endpoints: Puppet, Chef, Spacewalk
- Deployment to OS X endpoints: JAMF (formerly Casper Suite)
- Is a reboot required on installation? Yes / No
- Is a reboot required on uninstallation? Yes / No
- Are there known conflicts with your antivirus products? Yes / No
- Are there known conflicts with your other endpoint products? Yes / No

5. Can the EDR solution replace existing endpoint security investments?

Many of today's EDR solutions do not directly replace common security investments and instead focus on strengthening a specific part of your security posture. Keep in mind that you may be able to replace another security investment that has a different "purpose in life" if you are only using some of the product's features.

Evaluate if the solution can replace your existing investments in:

- Antivirus (see Question 8 for more on EDR as an AV replacement)
- Data loss prevention (DLP)
- File integrity monitoring (FIM)
- Host-based IDS/IPS
- Network threat/anomaly detection
- User Behavior Analytics (UBA)

EDR AS A REPLACEMENT FOR FILE INTEGRITY MONITORING

Organizations often use dedicated file integrity monitoring products for a very specific purpose: identifying modifications to a specific set of protected or sensitive files. Several leading EDR products allow for this exact capability. As a result, many organizations frequently replace their file integrity monitoring tools with EDR products.
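To make "EDR as FIM" concrete, here is an added example (not code from the guide or from any EDR product) that runs a FIM-style check over EDR file-modification telemetry. It alerts on creates, writes, deletes and renames that touch a protected path set, and downgrades to an audit record when the writing process is on an expected allow-list. The one-JSON-object-per-line event format, its field names, the protected-path list and the allow-list are all assumptions for the example; the sample events are constructed, not real telemetry. The point it makes is that the EDR event carries the responsible process and user, which is exactly what a hash-comparison FIM product cannot tell you.

```python
"""FIM-style detection over EDR file-modification telemetry.

Added example, not code from the guide or from any EDR product. The
event format (one JSON object per line with host, platform, action,
path, optional rename target, process, user) is an assumption; map the
field names to whatever your EDR exports.
"""
import fnmatch
import json
import ntpath
import posixpath

# Protected paths, as an organization would define them for a FIM product.
# A trailing "*" matches everything under that directory (fnmatch does not
# stop at path separators), which is what a FIM watch on a directory means.
PROTECTED = {
    "windows": [
        r"C:\Windows\System32\drivers\etc\hosts",
        r"C:\Windows\System32\config\*",
        r"C:\inetpub\wwwroot\web.config",
    ],
    "linux": [
        "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",
        "/etc/ssh/sshd_config", "/root/.ssh/authorized_keys",
    ],
}

# Processes expected to change protected files (assumed allow-list).
# Changes by these are recorded as "audit"; anything else is an "alert".
ALLOWED_WRITERS = {
    "windows": {r"C:\Windows\System32\TrustedInstaller.exe"},
    "linux": {"/usr/sbin/useradd", "/usr/bin/passwd", "/usr/bin/dpkg"},
}

INTEGRITY_ACTIONS = {"create", "write", "delete", "rename"}


def normalize(path, platform):
    """Canonical form for comparison: Windows paths are case-insensitive."""
    if platform == "windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def is_protected(path, platform):
    norm = normalize(path, platform)
    return any(fnmatch.fnmatchcase(norm, normalize(p, platform))
               for p in PROTECTED[platform])


def detect(event_lines):
    """Return integrity findings, each a dict with severity "alert" or "audit"."""
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        if ev["action"] not in INTEGRITY_ACTIONS:
            continue  # reads and executions do not change file integrity
        platform = ev["platform"]
        allowed = {normalize(p, platform) for p in ALLOWED_WRITERS[platform]}
        # A rename can drop an unprotected file over a protected one, so the
        # destination of a rename is checked as well as its source.
        for path in (ev.get("path"), ev.get("target")):
            if not path or not is_protected(path, platform):
                continue
            writer = normalize(ev["process"], platform)
            findings.append({
                "severity": "audit" if writer in allowed else "alert",
                "host": ev["host"], "action": ev["action"],
                "path": normalize(path, platform),
                "process": ev["process"], "user": ev["user"],
            })
    return findings


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"ws01","platform":"windows","action":"write","path":"C:\\Windows\\System32\\drivers\\etc\\HOSTS","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","user":"CORP\\jdoe"}
{"host":"ws01","platform":"windows","action":"write","path":"C:\\Users\\jdoe\\Documents\\notes.txt","process":"C:\\Windows\\notepad.exe","user":"CORP\\jdoe"}
{"host":"srv02","platform":"linux","action":"write","path":"/etc/sudoers.d/99-backdoor","process":"/usr/bin/bash","user":"www-data"}
{"host":"srv02","platform":"linux","action":"write","path":"/etc/passwd","process":"/usr/sbin/useradd","user":"root"}
{"host":"srv02","platform":"linux","action":"rename","path":"/tmp/shadow.new","target":"/etc/shadow","process":"/usr/bin/mv","user":"root"}
{"host":"srv02","platform":"linux","action":"read","path":"/etc/shadow","process":"/usr/sbin/sshd","user":"root"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:5} {f['host']} {f['action']:6} {f['path']} "
              f"by {f['process']} ({f['user']})")
```

On the sample, the hosts-file write by a Temp-directory binary, the new sudoers.d drop-in written by a shell, and the rename over /etc/shadow come out as alerts, while the /etc/passwd change by useradd is only audited; the read by sshd is ignored. A real deployment would also want the event's file hash and parent process, which most EDR agents include.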

Technical Performance

6. What platforms and operating systems does the solution support?

Ensure the solution supports the operating systems, platforms, and variants used by your organization. Ideally a single solution will work across your servers, workstations, laptops, and other endpoints. Be sure to consider whether 32- and 64-bit versions of the operating system are supported, if necessary.

USE THE FOLLOWING WORKSHEET TO EVALUATE SUPPORT ACROSS YOUR ENVIRONMENT (for each platform, record whether it is supported by the vendor, Yes / No, and the number of endpoints in your organization):

- Windows XP*
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003*
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Apple OS X
- Linux (Red Hat / CentOS)
- Linux (Debian, Amazon, etc.)*
- Ubuntu*
- Android*
- iOS*

* Operating systems that are not often supported by market-le
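The worksheet above is only useful once it is filled in with real endpoint counts, and an inventory export rarely uses the same labels as a vendor's support matrix. The following added example (not code from the guide or any vendor) does that tally: it classifies the free-text OS strings of a constructed CMDB-style export, checks each endpoint against a transcribed support matrix including architecture, and reports how many endpoints the agent would leave uncovered and on which platforms. The inventory columns, the OS-string patterns, the support matrix, and the decision to count Windows 8.1 under Windows 8 are assumptions for the example.

```python
"""Platform-coverage check for an EDR evaluation.

Added example, not from the guide or any vendor. Tallies a constructed
endpoint inventory against a vendor's claimed support matrix and reports
which platforms, and how many endpoints, would be left without an agent.
"""
import csv
import io
import re
from collections import Counter

# Vendor-claimed support, as transcribed from the worksheet (assumed values).
# Key: (family, major version); value: set of supported architectures.
# A version of "*" means any version of that family.
SUPPORT_MATRIX = {
    ("windows", "7"): {"x86", "x64"},
    ("windows", "8"): {"x64"},
    ("windows", "10"): {"x64"},
    ("windows server", "2008"): {"x64"},
    ("windows server", "2012"): {"x64"},
    ("windows server", "2016"): {"x64"},
    ("macos", "*"): {"x64"},
    ("rhel", "6"): {"x64"},
    ("rhel", "7"): {"x64"},
    ("ubuntu", "16.04"): {"x64"},
}

# Map free-text OS strings from an inventory export onto (family, version).
# Order matters: "Windows Server" must be tried before plain "Windows".
OS_PATTERNS = [
    (re.compile(r"windows server (\d{4})", re.I), "windows server"),
    (re.compile(r"windows (xp|7|8\.1|8|10)", re.I), "windows"),
    (re.compile(r"(?:mac os x|macos|os x) ([\d.]+)", re.I), "macos"),
    (re.compile(r"(?:red hat|rhel|centos)[^\d]*(\d+)", re.I), "rhel"),
    (re.compile(r"ubuntu (\d+\.\d+)", re.I), "ubuntu"),
    (re.compile(r"debian[^\d]*(\d+)", re.I), "debian"),
]


def classify(os_string):
    """Return (family, version) for an inventory OS string, or ("unknown", "?")."""
    for rx, family in OS_PATTERNS:
        m = rx.search(os_string)
        if m:
            version = m.group(1).lower()
            if family == "windows" and version == "8.1":
                version = "8"  # assumption: vendor support for 8 covers 8.1
            return family, version
    return "unknown", "?"


def is_supported(family, version, arch):
    for key in ((family, version), (family, "*")):
        if key in SUPPORT_MATRIX:
            return arch in SUPPORT_MATRIX[key]
    return False


def coverage_report(inventory_csv):
    """Return (covered, total, Counter of uncovered (family, version, arch))."""
    covered = total = 0
    gaps = Counter()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        total += 1
        family, version = classify(row["os"])
        arch = row["arch"].strip().lower()
        if is_supported(family, version, arch):
            covered += 1
        else:
            gaps[(family, version, arch)] += 1
    return covered, total, gaps


# Constructed inventory export; hostnames and OS strings are made up.
SAMPLE_INVENTORY = """hostname,os,arch
ws001,Microsoft Windows 10 Enterprise,x64
ws002,Microsoft Windows 7 Professional,x86
ws003,Microsoft Windows 7 Professional,x64
ws004,Microsoft Windows XP Professional,x86
lab01,Windows 8.1 Pro,x64
srv01,Microsoft Windows Server 2012 R2 Standard,x64
srv02,Windows Server 2003 R2,x86
srv03,Windows Server 2016 Datacenter,x64
mac01,Mac OS X 10.12.6,x64
lnx01,CentOS Linux release 7.4.1708,x64
lnx02,Red Hat Enterprise Linux Server release 6.9,x64
lnx03,Ubuntu 16.04.3 LTS,x64
lnx04,Debian GNU/Linux 8 (jessie),x64
"""

if __name__ == "__main__":
    covered, total, gaps = coverage_report(SAMPLE_INVENTORY)
    print(f"covered {covered}/{total} endpoints ({100 * covered // total}%)")
    for (family, version, arch), n in gaps.most_common():
        print(f"  uncovered: {family} {version} {arch}: {n}")
```

Run against a real export, the uncovered list is the answer to the worksheet's asterisked rows: a handful of end-of-life Windows XP and Server 2003 hosts may be acceptable to leave out, but a large Debian or 32-bit population is a reason to ask the vendor for a roadmap date or to keep a second agent.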
