Choosing an On-Premises EDR: between strategic challenges and legal obligations
An On-Premises cybersecurity solution may be required for:
- compliance with certain laws or regulations,
- reasons linked to strategic or geopolitical issues, and therefore the need to prevent access to sensitive data, industrial secrets theft…
Indeed, when data is processed or stored in a public Cloud, depending on the legislation of the country where the data is hosted and of the country of the company operating that public Cloud, third parties or local authorities may be authorized to access the data. For example, the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) enable US authorities to retrieve data via major digital players, and the NSA can requisition software used by foreign market players.
China has similar legislation, notably with the 2017 Intelligence Law.
Outside its own borders, a company can see its data exposed to foreign competitors or governments. The solution: technically protect data with sovereign, On-Premises tools.
This is an option for organizations wishing to retain total control over their data, with processing exclusively in-house, and On-Prem may even be mandatory for legal or regulatory issues specific to certain sensitive sectors (e.g. defense, energy, banking…) or for Critical National Infrastructure (CNI).
Apart from legal and regulatory obligations, what else should you be thinking about from a technical point of view?
Choosing an On-Premises EDR: technical criteria
Cybersecurity solutions offering their services in the Cloud (or SaaS) can also offer an On-Premises version to meet the confidentiality and compliance needs of sensitive organizations.
Nevertheless, here are a few questions to ask yourself before choosing your On-Prem solution:
- Are the functionalities exactly the same as in the Cloud version?
- What are the deployment steps and resources to be involved?
- How many components need to be deployed?
- Is the On-Prem solution scalable?
- What are the upgrade options for the solution and for Threat Intelligence?
- Is the solution truly On-Premises, or does it need outside connections, even limited ones, to run properly?
To answer these questions and make sure that the tool you’ve identified corresponds to your constraints and needs, you can challenge the solution’s publisher or your integrator.
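The last question can also be checked independently of what the publisher says: once the console and backend servers are deployed, review the perimeter firewall logs for any connection those hosts make to addresses outside the internal network that the vendor has not documented. The script below is an added example (not HarfangLab code) of such a review. It assumes a constructed key=value firewall log format, constructed EDR server addresses, the RFC 1918 ranges as "internal", and one placeholder address standing in for a vendor-declared endpoint such as a remote maintenance link or Threat Intelligence feed.

```python
"""Flag outbound connections from "On-Premises" EDR servers to undeclared
external destinations.

Added example, not HarfangLab code. All addresses, the log format and the
declared endpoint are constructed for the demonstration.
"""
import ipaddress
import re

# RFC 1918 ranges treated as "inside the organisation" (assumption; add your
# own routed ranges if they differ).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed addresses of the servers hosting the EDR console and backend.
EDR_HOSTS = {"10.20.0.5", "10.20.0.6"}

# Destinations the vendor documented as required (placeholder value), e.g. a
# remote maintenance link or a Threat Intelligence feed endpoint.
DECLARED_ENDPOINTS = {"192.0.2.44"}

# Constructed firewall log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z action=allow src=10.20.0.5 dst=10.20.0.9 dport=443 proto=tcp
2024-05-02T10:00:07Z action=allow src=10.20.0.5 dst=203.0.113.10 dport=443 proto=tcp
2024-05-02T10:01:12Z action=deny src=10.20.0.6 dst=198.51.100.7 dport=53 proto=udp
2024-05-02T10:02:30Z action=allow src=10.20.0.50 dst=203.0.113.10 dport=443 proto=tcp
2024-05-02T10:03:00Z action=allow src=10.20.0.5 dst=192.0.2.44 dport=443 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"src", "dst", "dport", "action"}


def parse_line(line):
    """Return the key=value fields of one log line plus its timestamp,
    or None when the line does not carry the fields we need."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    fields["ts"] = parts[0]
    return fields


def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_egress(log_text, edr_hosts=EDR_HOSTS, declared=DECLARED_ENDPOINTS):
    """Return connections from EDR hosts whose destination is neither internal
    nor declared by the vendor. Denied attempts are reported as well: a
    blocked connection still shows that the product tried to reach outside."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in edr_hosts:
            continue  # malformed line, or traffic from a host we do not audit
        if is_internal(rec["dst"]) or rec["dst"] in declared:
            continue  # internal traffic or a documented dependency
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": int(rec["dport"]),
            "action": rec["action"],
        })
    return findings


if __name__ == "__main__":
    for f in find_external_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
```

On the constructed sample the script reports two connections: one allowed and one denied, both from EDR servers to addresses that are neither internal nor declared. The allowed one is the finding to raise with the publisher or integrator; the denied one matters too, because a product that keeps trying to reach outside may degrade or stop updating in a deployment intended to be fully isolated.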
And to go even further, here’s a selection of key points to consider when choosing your On-Premises EDR.
3 key points for choosing an On-Premises EDR
Product capabilities
Even On-Premises, an EDR must remain an asset for cyber analysts. For an On-Premises solution, it’s important to check that the functionalities meet analysts’ needs, just as they do for the Cloud version.
Note that at HarfangLab, there’s no need to check in this respect, as the functionalities are identical between the Cloud and On-Prem versions!
In addition, the openness of an EDR and the possibility of using an API are essential for the efficiency of SOC analysts, who can integrate the solution into an existing infrastructure.
Whether Cloud or On-Prem, the solution must be able to interface easily with the infrastructure and tools already in place, and help analyze data from multiple sources (workstations, servers, network…). Indeed, an On-Premises architecture generally includes specific technical bricks, so the more open a solution is, the easier it is to integrate.
Finally, when it comes to detection rules, standard formats such as YARA and Sigma are also an advantage for analysts, as they help them to get to grips with EDR quickly.
In addition, the transparency of detection rules is another major asset for understanding the origin of alerts and speeding up investigations and remediation.
Tests to evaluate an EDR
MITRE ATT&CK Evaluations are used to measure the detection capabilities of cybersecurity solutions.
Good news: the results of these tests are also valid for HarfangLab’s On-Prem version, as the functionalities are identical to those of the Cloud version!
Maintenance of operational and security conditions
In the case of an On-Premises EDR, the update frequency and process must be specified with the vendor or partner who manages the solution to plan maintenance operations and upgrades. This ensures up-to-date protection and detection rules that systematically adapt to the ever-changing cyber environment.
To keep pace with user needs, proximity, responsiveness, and the quality of customer support play an essential role. The ability to listen to users’ needs and react swiftly is essential to ensuring optimal maintenance and developing a product in line with real needs in the field.
Conversations with peers, case studies, or even opinion platforms such as Gartner Peer Insights allow you to take the temperature.
Our objectives: simplification and quality throughout the maintenance phases!
Updates are delivered regularly by HarfangLab according to strict processes, with comprehensive test phases and safeguards to interrupt any update that does not go smoothly. They can be carried out remotely (remote update link, Bastion, VPN, videoconferencing…), or fully isolated (on-site intervention or total autonomy).
In short, the product’s flexibility means that you can choose how, when, and what to update in complete autonomy; and if the remote maintenance link is activated, console updates can be automated.
Threat Intelligence is either continuously updated via a dedicated network link or made available as archives to be imported into the console for fully isolated deployments.
Impact of the solution
Impact on infrastructure
The impact on the infrastructure is an important criterion: how many servers (physical or virtual) and what capacities (RAM, storage) will be required?
To what extent can deployment be customized to meet network, OS, and other constraints to harden systems and respect security policy?
You also need to be sure that the On-Premises solution is available and scalable, and that it can handle the load according to the number of endpoints.
The more precise the vendor’s documentation is, enabling you to estimate the storage, RAM, and CPU requirements for the number of endpoints you need to protect, the better you’ll be able to control your budget and anticipate the costs of upgrading your infrastructure.
Impact on endpoints
An EDR helps maintain an organization’s productivity by protecting IT assets, while at the same time preserving the quality of the user experience. Objective: 0 friction!
To this end, the impact on endpoint performance must be as low as possible, with minimal RAM and CPU consumption, which the solution provider must continuously optimize.
With the help of all these technical, functional, and operational criteria, you now have the keys to identify the solution best suited to your needs and to protect your IT assets!
Wondering what it’s really like to deploy and use HarfangLab On-Premises?
Check out this feedback from the defense industry: