5 tips for maximizing the effectiveness of your EDR solutions

The traditional network perimeter has been on a slow and steady decline since the advent of mobile computing and smartphones – and the COVID-19 pandemic has hastened the perimeter’s demise. Without the predictable and logical network boundaries to guide security practices, security teams have had to shift their posture away from perimeter protections like firewalls, and toward endpoint detection and response (EDR).

The challenge is figuring out how to get the most out of EDR investments, since there is a downside to deploying them – for example, the solutions can generate unexpectedly high volumes of alerts if they’re not carefully tuned and refined. But when carefully customized, EDR solutions have tremendous value for organizations working to increase visibility into security systems. Follow these five steps to ensure you’ll see the best possible ROI for your EDR.

1. Build relationships inside and outside of cybersecurity and IT departments

If your security team collects insights from all departments, it stands a better chance of fully understanding what “normal” looks like – and in the process, identifying malicious activity with higher fidelity. Take this scenario for example: The development team creates a script that automates part of their job. When they run the script, the EDR solution identifies the file as malicious. If the security team is in close touch with the people who are part of this process, they’ll know the purpose of the script, and can approve the file name and process in a watchlist – or approve the hash or file path in a policy.

2. Apply a standardized tuning methodology to reduce false positives

The tuning methodology is essential for gaining insights about the security environment – for example, how often alerts fire and what they’re firing on. The steps in the tuning lifecycle include event identification, which is done by turning the feed on to see what’s firing; an auditing stage, which helps shed light on the normal good environment versus the abnormal one; and proposed tuning, where teams decide which alerts should continue to fire, perhaps for gathering metrics.

3. Measure visibility coverage of EDR and across the security tech stack

At this stage, the security team should track tuning changes to measure visibility improvements, which can help show ROI for the EDR solution. Choose a framework that’s relevant to your industry. A good starting point is MITRE ATT&CK™, which provides evaluations on how different technologies identify techniques used by threat actors. Tracking MITRE coverage is a great foundational starting point to understand what coverage you already have with the EDR’s out-of-box detection content.  

4. Close visibility gaps through a research and development cycle

After identifying gaps in visibility, security teams can create new alerts to close those gaps. A good starting point is to conduct research via the community forums for particular EDR solutions, including:

• Carbon Black: carbonblack.com
• SentinelOne: sentinelone.com
• CrowdStrike: crowdstrike.com

5. Apply automation to low-brain tasks

High-repetition, low-brain tasks are well-suited to automation, which can remove these tasks from security team workloads. The automation found in EDR solutions adds value to security teams by speeding up processes such as remediation, as well as banning hashes and pulling files. Security teams should agree on which automations would reduce the greatest amount of time, risk, and effort, while also increasing quality and efficiency.

EDR solutions offer unparalleled visibility into infrastructure, even down to application and user levels. They can also break down barriers among siloed environments. The key is spending time with the tips above to make sure your EDR solution is operating at maximum effectiveness.

Chris Weckerly, vice president, security operations, is passionate about helping ReliaQuest customers achieve predictable security outcomes. Chris brings years of experience as a security analyst and SOC leader with the U.S. Government and ReliaQuest, has deep understanding of SIEM, EDR and SOAR technologies, and has been critical in defining requirements for ReliaQuest GreyMatter, the company’s unified platform for threat detection, investigation and response. Leveraging GreyMatter, he and his team help customers reduce up to 89% of the noise in their environments to reduce risk and mature their security operations programs.