Endpoint Detection and Response (EDR) solutions have been helping SOC teams sleep better at night for a good decade now. As the successor to traditional antivirus and host-based intrusion detection systems (HIDS), EDR has proved more effective, warding off skilled cyber-threat actors by analyzing behavior. But like any security control, it can become the weakest link in a cybersecurity system if it is not properly configured, deployed, maintained, and access-controlled.

Without proper EDR implementation, attackers can cripple protective measures, de-register EDR agents or sensors, and create their own malicious exceptions that give them free rein to wreak havoc in your environment. To be confident that your EDR solution is living up to its full potential, get to know the following implementation best practices.

Establishing Smart EDR Exceptions 

Start by entering your exceptions in the EDR product’s console. Set a deadline for collating all authorized applications (although you should always maintain a regularly updated asset list, with an initial focus on the network edge).  

Think about how broad each exception would be. If an application is authorized by your organization but the EDR product does not recognize it as such, an exception allows it to run while the product is in block mode. But if you make the exception too broad, you create a blind spot and invite undue risk.

We’ve seen multiple cases of EDR products failing to prevent malware executing on systems that had overly broad exceptions in place.  

Sleep aid: Establish tightly defined exceptions; for example, in the scenario described above, you’d identify the application’s absolute file path, filename, and, ideally, file hash.  
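The following is an added example, not code from ReliaQuest or from any EDR vendor, of a small linter that checks exception (allow-list) entries against the "absolute path, filename, and hash" rule above and flags the broad definitions that create blind spots. The record format (`path`, `filename`, `sha256`), the list of user-writable prefixes, and the sample entries are constructed for the example; real products use their own exception schemas.

```python
"""Lint EDR exception entries for over-broad scope.

Added example; the exception record format and the sample data are
assumptions made for illustration, not a vendor schema.
"""
import hashlib
import posixpath
import re
from pathlib import PureWindowsPath

# Locations any local user can normally write to. An exception rooted here
# lets whatever gets dropped there inherit the exception. Constructed, non-exhaustive.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
    "/tmp/",
    "/home/",
)

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_file(file_path: str) -> str:
    """Compute the SHA-256 an exception should pin; chunked so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(file_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lint_exception(exc: dict) -> list:
    """Return findings for one exception; an empty list means it is tightly scoped."""
    findings = []
    path = exc.get("path", "")
    filename = exc.get("filename", "")
    digest = exc.get("sha256", "")

    if not path:
        findings.append("no absolute path: matches the filename anywhere on disk")
    elif "*" in path or "?" in path:
        findings.append("wildcard in path: covers more than one location")
    elif not (PureWindowsPath(path).is_absolute() or posixpath.isabs(path)):
        findings.append("relative path: resolved location depends on working directory")

    if not filename:
        findings.append("no filename: whole directory is excluded")
    elif "*" in filename:
        findings.append("wildcard filename: any binary dropped there is allowed")

    if not digest:
        findings.append("no file hash: a replaced or trojanized binary keeps the exception")
    elif not SHA256_RE.match(digest.lower()):
        findings.append("malformed sha256")

    if any(path.lower().startswith(p) for p in USER_WRITABLE_PREFIXES):
        findings.append("rooted in a user-writable location")
    return findings


def lint_exceptions(exceptions: list) -> dict:
    """Lint a whole exception list; returns {exception name: [findings]}."""
    return {e["name"]: lint_exception(e) for e in exceptions}


# Constructed sample entries: one tight definition and three common mistakes.
SAMPLE_EXCEPTIONS = [
    {"name": "tight", "path": "C:\\Program Files\\Contoso\\Backup",
     "filename": "backupagent.exe", "sha256": "a" * 64},
    {"name": "dir-only", "path": "C:\\Program Files\\Contoso\\Backup",
     "filename": "", "sha256": ""},
    {"name": "temp-wildcard", "path": "C:\\Users\\svc\\AppData\\Local\\Temp",
     "filename": "*.exe", "sha256": ""},
    {"name": "no-path", "path": "", "filename": "update.exe", "sha256": "b" * 64},
]

if __name__ == "__main__":
    for name, findings in lint_exceptions(SAMPLE_EXCEPTIONS).items():
        print(name, "->", findings or "OK")
```

Run the linter against an export of your console's exception list before enabling block mode; any entry that returns findings is a candidate for tightening or removal.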

Choosing EDR Defensive Options

Next, devote careful planning to the EDR deployment stage, across the entire organization. Without thorough implementation of your EDR product, you’ve already set the stage for security teams to fail in response to an intrusion. (We recently wrote about better preparing incident response teams.)  

You may decide to tread lightly in choosing defensive options, starting with detect (passive) mode rather than protect (block) mode. As a reminder:

  • Detect (passive) mode acts as an alerting mechanism.
  • Protect (block) mode offers more autonomy to the product to automatically take actions related to potentially malicious files or activity.

Passive mode lets you ensure that business operations and custom applications don’t react in problematic ways. But we’ve seen firsthand how a continued passive state leaves the door open for attackers to execute their own applications without restrictions—in small- or large-scale intrusions.  

Sleep aid: Switch to block mode once you’ve assessed the risk and are convinced that business-critical systems are unaffected by the EDR product.   

Maximizing Automated Remediation

The automated remediation feature of an EDR product is often available in standard and customized versions, and can be invaluable in responding to malicious activity, files, or applications. If certain circumstances or criteria are met, the auto-remediation kicks into action, deleting suspicious files and applications from the device. (See also more insights about automation.) 

But clear alert, incident, and event escalation paths must be established at an early stage of EDR setup. They should assign specific parties to specific actions, and may even call for playbooks or escalation paths that lead to broader actions or policy changes. 

Sleep aid: Define clear paths, and maintain them, to greatly decrease the potential dwell time of an attacker and achieve better response outcomes.  
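As an added example, not code from ReliaQuest or from any EDR product, the script below encodes an escalation path (owner and playbook per severity tier, with auto-remediation gated on the host and the proposed action) and measures the dwell time the paragraph above refers to: minutes from first detection to containment per incident, checked against each tier's containment SLA. The tier names, SLAs, alert fields and the event stream are all constructed assumptions.

```python
"""Route EDR alerts along a defined escalation path and report dwell time.

Added example; the escalation table, field names and sample events are
assumptions for illustration, not a vendor's data model.
"""
from datetime import datetime, timedelta, timezone

# Escalation path: who owns each tier and how quickly containment is expected (assumed).
ESCALATION = {
    "critical": {"owner": "ir-lead", "playbook": "PB-ransomware", "contain_within_min": 30},
    "high": {"owner": "soc-tier2", "playbook": "PB-malware", "contain_within_min": 120},
    "medium": {"owner": "soc-tier1", "playbook": "PB-triage", "contain_within_min": 480},
}


def route_alert(alert: dict) -> dict:
    """Assign owner and playbook from the severity tier. Auto-remediation is
    allowed only for a reversible action on a non-critical host (assumed policy)."""
    tier = ESCALATION[alert["severity"]]
    auto = (alert["severity"] in ("high", "critical")
            and not alert["host_critical"]
            and alert["proposed_action"] == "quarantine_file")
    return {"owner": tier["owner"], "playbook": tier["playbook"], "auto_remediate": auto}


def dwell_time_report(events: list, now: datetime) -> dict:
    """Per incident: minutes from first detection to containment and whether the
    tier SLA was breached. Open incidents are measured up to `now`."""
    detected, contained, severity = {}, {}, {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        inc = e["incident"]
        severity[inc] = e["severity"]
        if e["type"] == "detected":
            detected[inc] = min(ts, detected.get(inc, ts))
        elif e["type"] == "contained":
            contained[inc] = min(ts, contained.get(inc, ts))

    report = {}
    for inc, start in detected.items():
        end = contained.get(inc)
        elapsed = (end or now) - start
        sla = timedelta(minutes=ESCALATION[severity[inc]]["contain_within_min"])
        report[inc] = {
            "dwell_min": elapsed.total_seconds() / 60,
            "contained": end is not None,
            "sla_breached": elapsed > sla,
        }
    return report


# Constructed sample data.
NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
EVENTS = [
    {"incident": "INC-1", "severity": "critical", "type": "detected", "ts": "2024-05-10T08:00:00+00:00"},
    {"incident": "INC-1", "severity": "critical", "type": "contained", "ts": "2024-05-10T08:20:00+00:00"},
    {"incident": "INC-2", "severity": "high", "type": "detected", "ts": "2024-05-10T06:00:00+00:00"},
    {"incident": "INC-2", "severity": "high", "type": "contained", "ts": "2024-05-10T09:00:00+00:00"},
    {"incident": "INC-3", "severity": "medium", "type": "detected", "ts": "2024-05-10T07:00:00+00:00"},
]
SAMPLE_ALERTS = [
    {"severity": "high", "host_critical": False, "proposed_action": "quarantine_file"},
    {"severity": "critical", "host_critical": True, "proposed_action": "isolate_host"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(route_alert(a))
    for inc, row in dwell_time_report(EVENTS, NOW).items():
        print(inc, row)
```

Feeding real detection and containment timestamps from your alert history into `dwell_time_report` gives a per-tier breach rate, which is the metric to watch when deciding whether an escalation path is actually working.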

Bonus Best Practice: Patching

Once your EDR product is in place and operational, maintenance is required for it to remain a robust EDR solution: Use update settings (which often vary according to the policies applied to them) to test the most recent versions before you distribute throughout the organization. Then practice regular patching. Any outdated versions of an EDR product or its sensor won’t have the latest detection capabilities, and your endpoints may be left exposed to bypasses allowed by older versions.
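The check below is an added example, not vendor code, of how to find sensors that have fallen behind after a ring-based rollout: it compares each host's sensor version numerically against the minimum you have tested, treats hosts that have stopped checking in as unverifiable, and groups the results by update ring. The inventory fields, ring names, version scheme and sample hosts are assumptions; an export from your own console would replace the constructed list.

```python
"""Find outdated or silent EDR sensors in an endpoint inventory, per update ring.

Added example; inventory fields (hostname, ring, sensor_version, last_seen),
the ring names and the sample hosts are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_version(v: str) -> tuple:
    """Turn '7.12.3' into (7, 12, 3) so versions compare numerically.
    Comparing the raw strings would wrongly rank '7.9.10' above '7.10.0'."""
    return tuple(int(part) for part in v.strip().split("."))


def outdated_sensors(inventory: list, minimum_version: str, now: datetime,
                     stale_after: timedelta = timedelta(days=7)) -> dict:
    """Return {ring: [(hostname, reason), ...]} for hosts needing attention:
    sensor below the tested minimum, or not reporting recently enough to confirm."""
    minimum = parse_version(minimum_version)
    report = defaultdict(list)
    for host in inventory:
        last_seen = datetime.fromisoformat(host["last_seen"])
        if now - last_seen > stale_after:
            report[host["ring"]].append((host["hostname"], "not reporting; cannot confirm version"))
            continue
        if parse_version(host["sensor_version"]) < minimum:
            report[host["ring"]].append(
                (host["hostname"], f"sensor {host['sensor_version']} below {minimum_version}"))
    return dict(report)


# Constructed inventory: the pilot ring is current, the broad ring has stragglers.
NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"hostname": "ws-001", "ring": "pilot", "sensor_version": "7.12.3", "last_seen": "2024-05-10T08:00:00+00:00"},
    {"hostname": "ws-002", "ring": "broad", "sensor_version": "7.9.10", "last_seen": "2024-05-10T07:30:00+00:00"},
    {"hostname": "srv-db1", "ring": "broad", "sensor_version": "7.12.3", "last_seen": "2024-04-01T12:00:00+00:00"},
    {"hostname": "ws-003", "ring": "broad", "sensor_version": "7.10.0", "last_seen": "2024-05-09T22:00:00+00:00"},
]

if __name__ == "__main__":
    for ring, hosts in outdated_sensors(INVENTORY, "7.10.0", NOW).items():
        print(ring)
        for hostname, reason in hosts:
            print("  ", hostname, "-", reason)
```

A host that has stopped reporting is listed separately on purpose: its recorded version may be current, but a sensor that is not checking in offers no protection regardless of version.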

Limiting Account Access 

Controlling which personnel have access to the EDR product is another critical step that should occur during setup—especially as most EDR solutions are now cloud based. Access control safeguards the product against unnecessary exposure and lessens the impact if account credentials are lost, stolen, or phished. 

Sleep aid: Most EDR solutions allow various levels of privilege for specific users’ roles; take advantage by carefully ensuring the right people have the right level of permission at the right time: 

  • Configure access control lists (ACLs) to allow access only from predefined IP addresses, restricting both user and API interactions with your EDR product.
  • Apply MFA policies to all accounts (taking care to avoid misconfigurations that can facilitate MFA bypass attempts), and tighten the restrictions of those policies as privilege levels increase, if possible.
  • Create an elevated-privilege account for only specific uses and a lesser-privileged account for basic tasks. Direct staff to choose the account they need on a case-by-case basis.
  • Limit the duration of active sessions; use your judgement, but typically aim for something less than a user’s working day.
  • Create break-glass accounts for emergency remediation by select security-team members only if a large-scale incident unfolds.
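As an added example that is not part of the original post, the policy evaluator below puts the five bullets above into one decision: the source address must fall within an IP allow-list, the MFA method accepted gets stricter as privilege rises, session lifetime is capped per role (shortest for the most privileged), and a break-glass account is honored only while an incident is declared. The role names, MFA method names, limits and the RFC 5737 documentation ranges used for the allow-list are assumptions; no vendor's access model is implied.

```python
"""Evaluate an EDR console or API access request against a least-privilege policy.

Added example; roles, MFA tiers, session limits and allow-listed networks are
assumptions for illustration, not any product's access model.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed allow-list using RFC 5737 documentation ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.8/32")]

# MFA methods acceptable per role; phishing-resistant FIDO2 only for elevated roles (assumed).
MFA_REQUIRED = {
    "analyst": {"totp", "push", "fido2"},
    "admin": {"fido2"},
    "break_glass": {"fido2"},
}

# Maximum session age per role, shrinking as privilege rises (assumed values).
MAX_SESSION = {
    "analyst": timedelta(hours=8),
    "admin": timedelta(hours=2),
    "break_glass": timedelta(minutes=30),
}


@dataclass
class Request:
    role: str
    source_ip: str
    mfa_method: Optional[str]
    session_started: datetime
    now: datetime
    incident_declared: bool = False


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every control is checked so the audit log
    records each failed condition rather than only the first."""
    if req.role not in MFA_REQUIRED:
        return False, [f"unknown role {req.role}"]
    reasons = []
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append(f"source {req.source_ip} outside ACL")
    if req.mfa_method not in MFA_REQUIRED[req.role]:
        reasons.append(f"MFA '{req.mfa_method}' not acceptable for role {req.role}")
    if req.now - req.session_started > MAX_SESSION[req.role]:
        reasons.append("session exceeded maximum duration; re-authenticate")
    if req.role == "break_glass" and not req.incident_declared:
        reasons.append("break-glass account used with no declared incident")
    return not reasons, reasons


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
    print(evaluate(Request("analyst", "203.0.113.25", "totp", now - timedelta(hours=1), now)))
    print(evaluate(Request("admin", "203.0.113.25", "totp", now - timedelta(hours=3), now)))
    print(evaluate(Request("break_glass", "192.0.2.9", "fido2", now, now)))
```

Returning the full list of failed controls, rather than stopping at the first, is deliberate: a denied request with both "outside ACL" and "no declared incident" is the kind of event that should reach the SOC as an alert, not just a login failure.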

Make the Most of Your EDR Implementation

To save time, costs, and potential reputational damage, ensure diligence in carefully setting up EDR. ReliaQuest GreyMatter helps get the most out of your EDR solution and improve your security operations workflow, enabling you to improve visibility, reduce complexity, and better manage risk—so you can rest easier at the end of the day.