3 points to scrutinize when choosing the right EDR
Product capabilities: detection, protection and openness
Whether Cloud or On-Premises, an EDR must first be evaluated on its detection and protection capabilities; its role is to let analysts investigate and remediate threats faster. A useful external input here is MITRE ATT&CK Evaluations, which test participating vendors' products against emulated adversary behaviour mapped to the ATT&CK framework and publish the results without ranking the vendors, which makes them a good basis for shortlisting and for designing your own field tests. Please note: vendors typically submit the Cloud version of their solution for these evaluations, and not all vendors offer exactly the same functionality On-Premises. As we'll see below, HarfangLab offers the same features regardless of deployment mode.
Another important point to consider is the openness of the solution. The ability to connect the EDR to other security tools (SIEM, SOAR, ticketing) via an API is essential for integration with the existing ecosystem. This matters even more for On-Premises or Air-gapped architectures, which are often built from components specific to that infrastructure.
Last but not least, openness is also reflected in support for standard detection rule formats such as YARA (pattern matching on files and memory) and Sigma (vendor-neutral, log-based detections), which makes the tool quicker to learn and lets existing rules be reused rather than rewritten. In particular, HarfangLab's EDR provides full access to its detection rules, so analysts can understand the origin of an alert and speed up investigation and remediation.
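To make concrete what a vendor-neutral rule format buys you, here is an added example that is not HarfangLab code and not part of the original article: a minimal evaluator for a subset of the public Sigma schema, run over a few constructed process-creation events. The rule follows Sigma's structure (title, logsource, detection.selection, detection.condition) but is embedded as a Python dict rather than YAML so the file has no third-party dependency; the event records, the Office "allowlist" filter and the field values are all constructed for illustration. Only the `endswith`, `startswith` and `contains` modifiers and the conditions `selection` and `selection and not filter` are implemented.

```python
"""Evaluate a Sigma-style detection rule against sample process-creation events.

Added example (not HarfangLab code). Sigma rules are normally YAML; the rule is
embedded as a dict here so the script runs with the standard library only.
"""
from typing import Any, Optional

# Constructed rule: an Office application spawning a script interpreter, a
# common initial-access pattern. Field names follow the Sysmon/EDR convention.
RULE: dict[str, Any] = {
    "title": "Office application spawning a script interpreter",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "Image|endswith": ["\\powershell.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe"],
        },
        # Hypothetical allowlist: scripts shipped inside the Office install directory.
        "filter": {"CommandLine|contains": "\\Program Files\\Microsoft Office\\"},
        "condition": "selection and not filter",
    },
}


def _field_matches(value: str, modifier: Optional[str], patterns) -> bool:
    """Apply one Sigma field modifier. Sigma string matching is case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier is None and v == p:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def _search_matches(search: dict, event: dict) -> bool:
    """A search identifier matches when every field it lists matches (logical AND)."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _field_matches(str(event[field]), modifier or None, patterns):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition for one event (subset of Sigma conditions)."""
    det = rule["detection"]
    cond = det["condition"].split()
    if cond == ["selection"]:
        return _search_matches(det["selection"], event)
    if cond == ["selection", "and", "not", "filter"]:
        return _search_matches(det["selection"], event) and not _search_matches(det["filter"], event)
    raise NotImplementedError(f"unsupported condition: {det['condition']}")


# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "mshta.exe \"C:\\Program Files\\Microsoft Office\\addin.hta\""},
]


def matching_indices(rule: dict, events: list) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    for i in matching_indices(RULE, EVENTS):
        print(f"ALERT [{RULE['title']}] event #{i}: {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second has a non-Office parent, and the third is suppressed by the filter. The point for tool selection is that the same rule text can be loaded into any Sigma-aware EDR or SIEM, so detections written during a pilot, or taken from the public Sigma repository, are not locked to one vendor.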
Maintenance of operational and security conditions
To meet user needs and cope with an ever-changing threat landscape, a cybersecurity solution must regularly update its functionalities and detection rules in both Cloud and On-Premises versions.
Responsiveness and proximity to customers are essential to ensuring optimal maintenance and regular upgrades in line with user needs. Particularly for an On-Premises solution, the software publisher must provide update options adapted to user requirements: remotely or on site.
The impact of the solution
A security tool plays a key role in protecting an organization’s IT resources, and thus contributes to business continuity. It must guarantee a fluid user experience without degrading the performance of the equipment it protects. To achieve this, its impact on system resources such as RAM and CPU must be kept to a minimum.
The same applies to the impact on the infrastructure: check in advance, for example, how many virtual machines and how much RAM and storage the solution requires, and whether, and under what conditions, it scales as the number of endpoints grows.
Now that we’ve seen the key points for assessing the suitability of a cybersecurity solution, let’s look at the criteria that can guide the choice of a Cloud or On-Prem EDR depending on the architecture already in place.
Cloud, On-Prem, or Air-gapped infrastructure: which EDR is right for you?
Cloud EDR
Who is it for?
The Cloud version of an EDR is well suited to infrastructures that are themselves totally or partially in the Cloud and that have no regulatory constraints on where their data is hosted.
The benefits
A Cloud EDR does not require in-house resources for the deployment of a specific infrastructure, nor for the technical monitoring of the solution.
This makes it a suitable option for organizations that are unable or unwilling to operate the technical side of their cybersecurity solution themselves, and that also want to benefit from continuous updates.
What you need to know
In some cases, data may be hosted by third-party providers, which can raise issues of data control and confidentiality that we'll address in the next section. In this respect, please note that HarfangLab is a sovereign solution, which hosts all its data in Europe.
On-Premises EDR
Who is it for?
An On-Premises EDR is suitable for companies and organizations whose infrastructure is also On-Premises or even Air-gapped, to guarantee total control and confidentiality of data from end to end.
The benefits
An On-Premises EDR enables IT assets and data to be stored in a closed environment, for strategic reasons or to comply with legal or regulatory obligations.
What you need to know
To be truly On-Premises, an EDR must have no dependency on third-party or cloud services: not for licence activation, not for rule or threat-intelligence updates, not for telemetry. This is an important point to check before you invest!
So, before purchasing, ask the vendor or your integrator all the questions you need to validate that the solution offers the best possible conditions for analysts in terms of deployment, maintenance and updates, and customer support.
Finally, let’s dig into a little more detail about On-Premises EDR: what needs it meets, and what you need to anticipate.
On-Premises EDR: a response to technical and regulatory constraints
In some cases, an On-Premises EDR (in a private Cloud or even Air-gapped) may be required. As mentioned earlier, it is designed to:
- comply with legal and regulatory requirements
- respond to strategic and sovereignty issues, e.g. to prevent access to sensitive data or to limit the risk of data leakage or theft
Data sovereignty and confidentiality issues
When data is hosted in a public cloud, it may be subject to the laws in force in the service provider’s country.
For example, in the United States the CLOUD Act allows authorities to compel providers subject to US jurisdiction to hand over data in their possession or control, wherever it is stored, and FISA Section 702 authorizes the collection of foreign intelligence through US communication service providers. China imposes similar obligations with its National Intelligence Law of 2017, which requires organizations and citizens to cooperate with state intelligence work.
As a result, organizations operating internationally may find their data exposed to risks of foreign interference, whether from states or industrial competitors.
In this context, On-Premises solutions, hosted and managed in-house, keep the data under the organization's own jurisdiction and operational control. Note that this removes the extraterritorial exposure, not the need to secure the platform itself: hardening, access management and monitoring of the EDR infrastructure remain the organization's responsibility.
This approach is sometimes mandatory, particularly in critical sectors such as defense, energy and banking, or for Critical National Infrastructure (CNI).
So, for an On-Premises EDR, what are the specific technical criteria to consider?
Technical questions to ask of an On-Premises EDR
To meet the requirements of sensitive or mission-critical organizations, here are a few technical aspects to consider:
- Does the On-Premises version offer the same functionalities as the Cloud version?
- What human and technical resources are required for deployment and maintenance? How many components need to be deployed?
- Is the solution scalable to meet future needs?
- How are updates managed, particularly for Threat Intelligence?
- Is the solution totally independent of a public cloud, or does it retain certain external dependencies?
The answers to these questions can be decisive in choosing an On-Premises EDR that is truly adapted to your data security and confidentiality requirements, and in line with your technical prerequisites.
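The last question in the list above, whether the solution really has no external dependency, is one you can verify yourself during a proof of concept rather than take on trust: export the connections initiated by the EDR management servers (from the host firewall, conntrack or a network tap) and check that every destination is inside your own address space. The script below is an added example, not HarfangLab code and not part of the original article; the key=value flow format, the `edr-manager-*` hostnames and all addresses are constructed for illustration, and the parser should be adapted to whatever your firewall or flow collector actually emits.

```python
"""Egress audit for an On-Premises / Air-gapped EDR pilot.

Added example (not HarfangLab code). Any destination outside INTERNAL_NETWORKS
is a dependency the vendor must explain: licence check, update mirror,
telemetry, threat-intelligence feed. The flow records below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed flow records; format assumed: key=value pairs, one flow per line.
SAMPLE_FLOWS = """\
ts=2024-03-04T09:00:01Z src=10.20.0.5 dst=10.20.0.9 dport=5432 proto=tcp host=edr-manager-1
ts=2024-03-04T09:00:03Z src=10.20.0.5 dst=10.20.0.53 dport=53 proto=udp host=edr-manager-1
ts=2024-03-04T09:00:07Z src=10.20.0.5 dst=203.0.113.40 dport=443 proto=tcp host=edr-manager-1
ts=2024-03-04T09:01:12Z src=10.20.0.6 dst=192.168.50.10 dport=8443 proto=tcp host=edr-manager-2
ts=2024-03-04T09:02:30Z src=10.20.0.6 dst=198.51.100.7 dport=443 proto=tcp host=edr-manager-2
ts=2024-03-04T09:03:00Z src=10.20.0.6 dst=203.0.113.40 dport=443 proto=tcp host=edr-manager-2
"""

# Address space the organization considers internal: RFC 1918 here; add any
# public ranges you own and route internally.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flows(text: str) -> list:
    """Turn key=value flow lines into dicts; lines missing src/dst/dport are skipped."""
    flows = []
    for line in text.splitlines():
        fields = dict(_KV.findall(line))
        if {"src", "dst", "dport"} <= fields.keys():
            flows.append(fields)
    return flows


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETWORKS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def external_dependencies(flows: list) -> dict:
    """Map each external destination 'ip:port' to the set of EDR hosts that reached it."""
    deps = defaultdict(set)
    for f in flows:
        if not is_internal(f["dst"]):
            deps[f"{f['dst']}:{f['dport']}"].add(f.get("host", f["src"]))
    return dict(deps)


def air_gap_verdict(flows: list) -> bool:
    """True only if no EDR component contacted anything outside INTERNAL_NETWORKS."""
    return not external_dependencies(flows)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    if air_gap_verdict(flows):
        print("No external destinations: consistent with a fully On-Premises deployment.")
    else:
        print("External dependencies to clarify with the vendor:")
        for dest, hosts in sorted(external_dependencies(flows).items()):
            print(f"  {dest}  reached by {', '.join(sorted(hosts))}")
```

On the sample data the verdict is negative: two public destinations on port 443 are reached by both management servers. A clean result over a short capture does not prove independence either; licence checks and update polls are often periodic, so capture for the whole pilot, including at least one update cycle, and review DNS queries as well as flows.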
What about HarfangLab On-Premises?
Cloud or On-Prem, HarfangLab offers the same functionalities across both versions.
The On-Premises version embeds all intelligence directly in the agents, meaning that the solution is not dependent on any third-party service, and can therefore operate and offer the same level of protection in a totally closed environment.
Solution and detection rule updates are applied without rebooting the machines, and for the On-Premises version different delivery options are available, remote or on-site intervention, to adapt to the requirements of each organization, even Air-gapped ones.
Want to see how HarfangLab On-Premises works in action?
Read about the experience of this major industrial group: