EDR for Everyone Is about Fighting Alert Fatigue
Endpoint detection and response solutions (EDR) are predicted to become a key security technology by 2020, with 80 percent of large organizations, 25 percent of midsize organizations, and 10 percent of small organizations investing in them. Demand for incident response tools that offer early visibility into advanced threats will fuel the EDR market growth, with expectations of a CAGR of 45.27 percent from 2015 through 2020.
The EDR market is already booming, having grown from $238 million in 2015 revenue to about $500 million in 2016. By 2020, it’s going to be a billion-dollar market and could even match the $3.2 billion (2015) endpoint protection platform (EPP) market.
Despite the rapid growth in the EDR market, these preventative controls are still out of reach for midsize and small organizations. Because EDR requires dedicated security operations center (SOC) teams to manually investigate alerts, the high cost barrier is something only large organizations can currently overcome. Or is it?
Fighting Alert Fatigue
EDR solutions have emerged from the premise that it’s impossible to prevent all threats, so their purpose is to minimize the dwell time of an infection while also reducing the amount of damage it can cause. However, managing the volume of security alerts for potential threats can be overwhelming for any under-resourced IT team. Because of that, investigation decisions may end up being either ill-informed or based on summary judgements. This broad-strokes approach can lead to full network compromise, especially if traditional EDR is not properly managed or used to its full potential.
Since EDR agents often come installed on top of existing EPP agents and other security technologies, such as SIEM, IDS and IPS, security teams are often bombarded with up to tens of thousands of alerts coming from multiple security consoles, making prioritization nearly impossible. Instead of increasing visibility and raising the overall security posture of the organization, this fragmentation and segregation of security consoles only makes security more cumbersome.
EDR should be about having a single agent and a single management console, and only focusing on really important security events, instead of spreading human resources thin. After all, EDR should enable your security “SWAT team” to focus on truly important tasks, and not just chase ghosts and put out fires.
EDR for Everyone
Advanced threat hunting capabilities enabled by EDR agents require alert prioritization and manual investigation by dedicated teams, something that drives costs up beyond the initial purchasing and deployment price. The key to having an EDR solution for everyone lies in detecting advanced attacks using built-in intelligence in the endpoint agent. This lets admins focus solely on specific elusive and advanced threats that have crossed the other layers of prevention, and prevents them from wasting time on false positives. This enhanced security operation enables automated triage of truly important security events, and doesn’t require a full-time dedicated team of security specialists to investigate each and every event or anomaly.
Incident visualization and investigation are also greatly simplified, as detected elusive threats are presented in a comprehensive fashion, with all contextually relevant information, so that admins can assess the impact of the threat in seconds. This directly translates into swift incident response tactics that let admins remediate the elusive threat with surgical precision by deleting or quarantining it, containing its spread.
This type of evolved prevention, which even comes with the ability to fine-tune the protection level of controls from incident response workflows, helps reduce incident response costs by focusing on truly significant alerts. Unlike traditional EDR, which is usually noisy and overburdens already under-resourced IT teams, a smart EDR solution designed to bring the same early detection capabilities but with pinpoint accuracy is within the reach of any organization, regardless of size, vertical, or IT team size.
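The two preceding sections describe the problem (one host generating alerts in several consoles, duplicates, and trivial events drowning out the important ones) and the goal (one queue of truly important incidents with their context attached). The following is an added example written for this page, not code from the author or from any vendor product; the alert records, the scoring tables, the allowlist and the corroboration bonus are all constructed assumptions chosen to illustrate the idea. It normalizes records from three differently shaped feeds (EPP, IDS, SIEM) into one schema, drops exact duplicates, suppresses an already vetted indicator, merges everything per host, and raises the score of a host that several independent sources agree on, so the admin sees one ranked incident with all its context instead of seven scattered alerts.

```python
"""Consolidate alerts from several security consoles into one prioritized
queue. All sample records below are constructed for this example and are
not real detections; the placeholder hashes are not real file hashes."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feeds: each console reports in its own schema.
EPP_ALERTS = [
    {"host": "ws-017", "file": "C:\\Users\\amy\\AppData\\Local\\Temp\\inv.exe",
     "sha256": "0" * 64, "verdict": "suspicious"},
    {"host": "ws-017", "file": "C:\\Users\\amy\\AppData\\Local\\Temp\\inv.exe",
     "sha256": "0" * 64, "verdict": "suspicious"},   # same finding reported twice
    {"host": "ws-042", "file": "C:\\Program Files\\Vendor\\updater.exe",
     "sha256": "1" * 64, "verdict": "pup"},
]
IDS_ALERTS = [
    {"src_host": "ws-017", "dst": "203.0.113.9:443", "sig": "Periodic outbound beacon", "priority": 1},
    {"src_host": "ws-099", "dst": "198.51.100.7:80", "sig": "Possible port scan", "priority": 3},
]
SIEM_EVENTS = [
    {"hostname": "ws-017", "rule": "Scheduled task created from Temp directory", "level": "high"},
    {"hostname": "ws-042", "rule": "Vendor updater executed", "level": "low"},
]

# Constructed allowlist: an indicator previously vetted as benign by the team.
ALLOWLIST = {"1" * 64}

# Constructed weights mapping each console's own severity scale onto one scale.
VERDICT_SCORE = {"malicious": 80, "suspicious": 50, "pup": 20}
IDS_PRIORITY_SCORE = {1: 60, 2: 35, 3: 10}
LEVEL_SCORE = {"high": 50, "medium": 30, "low": 10}


@dataclass
class Alert:
    host: str
    source: str
    indicator: str   # the thing being alerted on: a hash, a signature, a rule name
    score: int
    detail: str


def normalize(epp, ids, siem):
    """Map every console's native record onto the common Alert shape."""
    alerts = []
    for a in epp:
        alerts.append(Alert(a["host"], "epp", a["sha256"],
                            VERDICT_SCORE[a["verdict"]], f"{a['verdict']} file {a['file']}"))
    for a in ids:
        alerts.append(Alert(a["src_host"], "ids", a["sig"],
                            IDS_PRIORITY_SCORE[a["priority"]], f"{a['sig']} -> {a['dst']}"))
    for a in siem:
        alerts.append(Alert(a["hostname"], "siem", a["rule"],
                            LEVEL_SCORE[a["level"]], a["rule"]))
    return alerts


def triage(alerts, allowlist=ALLOWLIST, corroboration_bonus=25):
    """Drop duplicates, suppress allowlisted indicators, merge per host and rank.
    Each additional independent source on the same host adds the bonus."""
    seen = set()
    per_host = defaultdict(lambda: {"score": 0, "sources": set(), "context": [], "suppressed": 0})
    for a in alerts:
        key = (a.host, a.source, a.indicator)
        if key in seen:
            continue                       # a console repeating itself adds no information
        seen.add(key)
        inc = per_host[a.host]
        if a.indicator in allowlist:
            inc["suppressed"] += 1         # counted so the admin can audit what was hidden
            continue
        inc["score"] += a.score
        inc["sources"].add(a.source)
        inc["context"].append(f"[{a.source}] {a.detail}")
    queue = []
    for host, inc in per_host.items():
        if not inc["context"]:
            continue                       # everything on this host was allowlisted
        score = inc["score"] + corroboration_bonus * (len(inc["sources"]) - 1)
        queue.append({"host": host, "score": score, "sources": sorted(inc["sources"]),
                      "context": inc["context"], "suppressed": inc["suppressed"]})
    queue.sort(key=lambda i: i["score"], reverse=True)   # stable: ties keep feed order
    return queue


def build_queue():
    """Run the constructed feeds through normalization and triage."""
    return triage(normalize(EPP_ALERTS, IDS_ALERTS, SIEM_EVENTS))


if __name__ == "__main__":
    for item in build_queue():
        print(f"{item['host']:8} score={item['score']:3} sources={','.join(item['sources'])}")
        for line in item["context"]:
            print("    ", line)
```

Running it puts ws-017 at the top with a single entry that carries the EPP file verdict, the IDS network signature and the SIEM persistence rule together, while the two hosts with only a low-priority or allowlisted finding sit at the bottom. The corroboration bonus is the piece that matters most for the "last 1 percent" argument: a host that three unrelated sensors flag independently deserves attention even when each individual alert looks mundane on its own console.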
It’s the Last 1 Percent of Attacks You Should Worry About
Layered security solutions are doing a great job at detecting, preventing and mitigating close to 99 percent of all threats. However, the last 1 percent – or less – is usually the type of sophisticated attack that flies under the radar. The final frontier in cybersecurity is the capability to accurately identify these elusive threats.
The value of EDR for everyone should lie in its ability to fully integrate with your EPP solution, while enabling IT admins to have a holistic view of the security status of the entire infrastructure. This last 1 percent of attacks is not only elusive, but the attacks can also hide behind background noise generated by trivial security incidents, which is why IT admins need the ability to focus on real dangers and problems by preventing, investigating, detecting, and responding to advanced threats effectively and promptly.
About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.
Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "http://ift.tt/2CBtc7F"