3 points to challenge when choosing the right EDR
Product capabilities: detection, protection and openness
Whether Cloud or On-Premises, an EDR must be evaluated on its detection and protection capabilities. Its role is to make life easier for analysts to investigate and remediate threats. To this end, MITRE ATT&CK Evaluations consider the capabilities of cybersecurity solutions on the market, with a view to tool selection and field testing. Please note: MITRE evaluations are based on Cloud versions of solutions, and not all vendors offer exactly the same On-Premises functionalities. On the other hand, as we’ll see below, HarfangLab offers the same features regardless of deployment mode.
Another important point to consider is the openness of the solution: the ability to connect the EDR to other security tools via an API is essential for easy integration with the existing ecosystem. This is all the more true for On-Premises or Air-gapped architectures, which are often composed of technical building blocks specific to the infrastructure.
Last but not least, openness is also reflected in the use of standard detection rule formats such as YARA and Sigma, which makes it quicker to get to grips with the tool. In particular, HarfangLab's EDR provides full access to its detection rules, so that analysts can understand the origin of alerts and speed up investigation and remediation.
Maintaining operational and security conditions
To meet user needs and cope with an ever-changing threat landscape, a cybersecurity solution must regularly update its functionalities and detection rules in both Cloud and On-Premises versions.
Responsiveness and proximity to customers are essential to ensuring optimal maintenance and regular upgrades in line with user needs. For an On-Premises solution in particular, the vendor must provide update options adapted to user requirements: remote or on-site.
The impact of the solution
A security tool plays a key role in protecting an organization’s IT resources, and thus contributes to business continuity. It must guarantee a fluid user experience without degrading the performance of the equipment it protects. To achieve this, its impact on system resources such as RAM and CPU must be kept to a minimum.
The same applies to the impact on the infrastructure: it is important to check in advance, for example, the number of virtual machines and the capacity (RAM, storage, etc.) required, and whether the solution is scalable and under what conditions.
Now that we’ve seen the key points for assessing the suitability of a cybersecurity solution, let’s look at the criteria that can guide the choice of a Cloud or On-Prem EDR depending on the architecture already in place.
Cloud, On-Prem, or Air-gapped infrastructure: which EDR is right for you?
Who is it for, what are the benefits and what do you need to know?
Now, let’s dig into a little more detail about On-Premises EDR: what needs it meets, and what you need to anticipate.
On-Premises EDR: a response to technical and regulatory constraints
In some cases, an On-Premises EDR (in a private Cloud or even Air-gapped) may be required. It is designed to:
- comply with legal and regulatory requirements
- respond to strategic and sovereignty issues, e.g. to prevent access to sensitive data or to limit the risk of data leakage or theft
Data sovereignty and confidentiality issues
When data is hosted in a public cloud, it may be subject to the laws in force in the service provider’s country.
For example, legislation such as FISA and the CLOUD Act in the United States allows the authorities to access information stored by American companies or by companies operating on US territory. China imposes similar conditions with its intelligence law adopted in 2017.
As a result, organizations operating internationally may find their data exposed to risks of foreign interference, whether from states or industrial competitors.
In this context, On-Premises solutions, hosted and managed in-house, ensure total control and protection of data.
This approach is sometimes mandatory, particularly in critical sectors such as defense, energy and banking, or for Critical National Infrastructure (CNI).
So, for an On-Premises EDR, what are the specific technical criteria to consider?
Technical questions to ask of an On-Premises EDR
To meet the requirements of sensitive or mission-critical organizations, here are a few technical aspects to consider:
- Does the On-Premises version offer the same functionalities as the Cloud version?
- What human and technical resources are required for deployment and maintenance? How many components need to be deployed?
- Is the solution scalable to meet future needs?
- How are updates managed, particularly for Threat Intelligence?
- Is the solution totally independent of a public cloud, or does it retain certain external dependencies?
The answers to these questions can be decisive in choosing an On-Premises EDR that is truly adapted to your data security and confidentiality requirements, and in line with your technical prerequisites.
What about HarfangLab On-Premises?
Cloud or On-Prem, HarfangLab offers the same functionalities across both versions.
The On-Premises version embeds all intelligence directly in the agents, meaning that the solution is not dependent on any third-party service, and can therefore operate and offer the same level of protection in a totally closed environment.
Updates to the solution and its detection rules are performed without rebooting the machines, and for the On-Premises version different options are available, remote or on-site intervention, to fully adapt to the requirements of each organization, even Air-gapped ones.