Endpoint security solutions range from the original antivirus products of yesteryear to extended detection and response (XDR) platforms that tie multiple security solutions together into a better ecosystem. As needs arise for endpoint security solutions, vendors will attempt to make their solutions match buyer expectations and analyst terms through their messaging but not their engineering. This checklist provides nine criteria that informed EDR purchasers consider when evaluating a change or supplement to their endpoint security strategy.

Protection Efficacy

This is where evaluation begins, because an EDR solution has to, at its core, protect against the current and future threat landscape. Organizations that haven’t changed their security strategy in the past few years are often still using older EPP or AV solutions that don’t protect against the latest threat vectors, such as fileless attacks. Look into how an EDR solution reduces the attack surface and go from there. With so many people working from home and away from the office, you need to trust that the EDR solution you select can protect the endpoint no matter where it is operating.

Ransomware Defense and Recovery

Ransomware is the most destructive form of malware to date and one of the most attractive to attackers today, especially when targeting state/provincial and local government agencies. The MITRE Engenuity ATT&CK Evaluations are a good source for seeing how well a vendor’s EDR client responds to ransomware, but one must also look at how the vendor responds to all forms of ransomware. Additionally, artificial-intelligence (AI) and machine-learning (ML) capabilities are seen as the most important when it comes to ransomware defense. This is evident when buyers ask, “Can it defend against ransomware if the endpoint is offline, such as at home?” Other considerations are real-time rollback and the types of systems on which the EDR client can perform the rollback.

MITRE ATT&CK Evaluation Results

Even vendors that fail to block attacks and/or discover the majority of sub-techniques in the MITRE ATT&CK Evaluations will find a way to use the results to make themselves look like a top-tier EDR solution. The best way to judge whether an EDR solution will stop attacks and appropriately discover sub-techniques, for the sake of blocking and threat hunting, is to look at four things from the evaluation. First, did the vendor elect to participate in the protection tests? A vendor may discover sub-techniques well but not have the ability to stop them. Secondly, did the solution block all the attacks in the tests it participated in? Note that some clients either don’t operate on Linux or were still developing threat hunting for Linux at the time of the latest round (e.g., Fortinet). Thirdly, did it discover over 90% of all sub-techniques in the detection test? This is important for threat hunting and protection. Fourthly, was the vendor able to detect a strong majority of these sub-techniques with analytics (also known as “Technique”)? This demonstrates that the solution doesn’t require threat intelligence to operate.
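The four checks above can be applied mechanically to a vendor's per-test results. The following is an added example, not part of the whitepaper or of MITRE's tooling: the input schema, the status strings, the sample vendors and the 75% reading of "strong majority" are assumptions made for illustration.

```python
# Added example: constructed data and a hypothetical schema, not MITRE's result format.
# Detection categories from weakest to strongest; "Technique" is the analytic one.
RANK = {"None": 0, "Telemetry": 1, "General": 2, "Tactic": 3, "Technique": 4}

def assess(result, coverage_min=0.90, analytic_min=0.75):
    """Apply the four checks to one vendor's evaluation results.

    analytic_min is an assumed reading of "strong majority"; the 90% bar is
    from the text. Any category other than "None" counts as discovered.
    """
    prot = result["protection"]            # None means the vendor opted out
    participated = prot is not None
    # Tests marked "N/A" (e.g. unsupported platform) were never attempted.
    attempted = [v for v in (prot or {}).values() if v != "N/A"]
    blocked_all = bool(attempted) and all(v == "Blocked" for v in attempted)

    # A sub-technique may have several detections; keep the strongest.
    best = [max(cats or ["None"], key=RANK.__getitem__)
            for cats in result["detections"].values()]
    total = len(best)
    coverage = sum(c != "None" for c in best) / total if total else 0.0
    analytic = sum(c == "Technique" for c in best) / total if total else 0.0

    checks = {
        "participated_in_protection": participated,
        "blocked_all_attempted": blocked_all,
        "coverage_over_minimum": coverage > coverage_min,  # strictly "over 90%"
        "analytic_strong_majority": analytic >= analytic_min,
    }
    return {"coverage": coverage, "analytic_share": analytic,
            "checks": checks, "passes_all": all(checks.values())}

def _numbered(items, prefix):
    return {f"{prefix}{i + 1}": v for i, v in enumerate(items)}

# Constructed sample results for two hypothetical vendors.
VENDOR_A = {
    "protection": _numbered(["Blocked", "Blocked", "N/A"], "P"),
    "detections": _numbered([["Telemetry", "Technique"]] * 8
                            + [["Telemetry"], ["Tactic"]], "S"),
}
VENDOR_B = {
    "protection": None,
    "detections": _numbered([["Technique"]] * 4 + [["Telemetry"]] * 5 + [[]], "S"),
}

if __name__ == "__main__":
    for name, res in (("vendor-a", VENDOR_A), ("vendor-b", VENDOR_B)):
        print(name, assess(res))
```

The second constructed vendor discovers exactly 90% of sub-techniques and so fails the "over 90%" check, and its opt-out from protection testing is reported separately from its detection coverage.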

To read in full, download the whitepaper:

Top Nine Criteria When Selecting An Endpoint Detection and Response (EDR) Solution
