Methodology

Choosing an EDR: key points to assess

How do you choose the right solution for your organization to protect your endpoints against threats? What criteria should you evaluate to ensure that an EDR will help you achieve your cyber strategy objectives?
7 min

Here’s a selection of topics to explore in order to validate the relevance of a solution to your roadmap.  

Obviously, before choosing a tool, you need to define your needs, objectives and scope… because an EDR is part of a global strategy. For this prerequisite, here’s a guide about he questions you need to anwser.

Threat detection  

An EDR must enable to detect the threats targeting an organization: malware, whether or not it is known to the malware database, Information System intrusions attempts(e.g. for espionage purposes) and advanced persistent threats (APT), data theft… In short, all attack techniques, from the most basic to the most sophisticated.  

For optimum protection, the solution must be able to identify binaries as well as behaviors, be enriched with detection rules to track the evolution of the threat, and automatically learn to detect unknown threats.  

Detection evaluation frameworks, such as MITRE, set the benchmark for the market, and provide useful benchmarks for security solutions. 

Threat analysis and contextualization 

Above all, an EDR is supposed to be designed to facilitate of security teams work. The information gathered by the solution must therefore be contextualized, accurate and usable.   

In order to improve the efficiency of investigations (doubt removal or incident response), the relevance of data and the way in which it is rendered are major advantages for analysts. Here are a few examples of what makes analysis work easier:  

  • display of the rule at the origin of the alert, for a real understanding of the detection method;  
  • easy navigation through the process tree to trace the attacker’s movements;  
  • telemetry data (code injection, DNS resolutions, network connections, etc.) can be aggregated to form a single set of events for easier analysis;  
  • access to a timeline of activity on a workstation-by-workstation basis;  
  • ability to collect additional forensic traces… 

Automation features 

Generally speaking, automation is crucial to saving time. However, it needs to be implemented with intelligence.  

This means checking which remediation actions can be automated, with what level of granularity, flexibility and customization.   

Here are a few examples of questions to be asked about automation, in relation to concrete uses for analysts:    

  • What about agent group creation options, and the ability to apply security policies on the fly?   
  • What about the management of false positives, and in particular the possibility of automating whitelists management?   
  • Is it possible to automate certain remediation actions before the analyst takes over (launching jobs to isolate workstations, connecting with playbook management tools, etc.)? 

In all cases, bear in mind that human analysis is indispensable, even with a solution that offers a lot of automations. What’s more, these automations are essential both within the solution itself and between solutions – which brings us to the subject of interoperability, which we’ll discuss later. 

Artificial intelligence 

In cybersecurity, artificial intelligence can help not only to optimize threat detection, but also to limit analyst overstretch – and the well known alert fatigue.   

To validate that AI can indeed meet your organization’s needs: what concrete use cases will it enable you to address? How can it help you better identify threats? How does it limit false positives? How transparent are its algorithms, and is the vendor able to clearly explain what AI does and how?  

Another asset to support analysts in incident response: generative AI features. Exploring these proposed functionalities and the vendor’s vision on the subject will help you understand how the solution will support incident response. 

Rules and transparency 

Inside the console: what languages are used to edit detection rules? Are they accessible within the tool? Are they in proprietary formats, or in open, standard formats such as YARA or Sigma?  

It’s worth noting that standard formats help users to get to grips with the tool more quickly, and if analysts need to be trained in them, they will be able to capitalize on this knowledge when operating other security solutions on the market using these standard formats.  

Interoperability and connectors 

Another important criterion to consider when choosing an EDR is its level of openness and interoperability, which is central to the successful deployment of your roadmap.  

Indeed, you’ll need to integrate the EDR into an infrastructure that may include other security capabilities, and therefore connect it with other solutions.   

So, how does EDR fit into your ecosystem? How do you correlate data from different sources (workstations, servers, networks, cloud, etc.)? Are connectors available, who develops them, and how are they maintained? 

Cloud / On-premise: deployment options 

A private Cloud, or On-premise deployment, may be required for organizations with particularly sensitive data. There may also be an economic advantage to using a private cloud.  

Does the solution offer different deployment options: public cloud (SaaS) or private cloud (on-premise)? If so, are the functionalities identical, whatever the deployment mode? 

Compliance   

Take care to check where the data is hosted, and the volume of personal data collected. Behind this topic, there are of course GDPR compliance issues in addition to operational issues relating to the processing of this data.  

For a solution that makes use of AI, it’s also required to ensure compliance with the AI Act.   

Finally, in the more specific field of cybersecurity, NIS2 directive, adopted at the end of 2022, represents a major change in the cybersecurity legal ecosystem. It is important to choose software that meets the minimum criteria laid down by the Directive, in particular those for technical audits, via security scans for example. 

Roadmap, evolution and adaptability 

Technological developments and innovations are essential as we are to face up to the ever-evolving threat landscape and meet the emerging challenges in cybersecurity.   

In this context, what are the priorities identified by the supplier, and are they the same for you? How do they intend to address these priorities, with what techniques and resources? Do they plan to pursue innovations on the endpoint itself, beyond detection capabilities? Or is the roadmap more trend-driven?  

These are all issues that need to be addressed when choosing a tool, to ensure that it covers the risks your organization is facing now and in the future.  

What’s more, the users of a solution also help it evolve through their feedback. So, before committing yourself to a software supplier, you should find out not only about the planned evolutions, but also about their capacity to integrate them ad hoc, insofar as these functionalities may be useful to all users. These developments can be aimed at both innovation and improving the user experience. 

User experience and security: target 0 friction 

An EDR guarantees an organization’s overall productivity by protecting workstations and servers. It must also ensure a seamless experience, and this involves, among other things, the lowest possible impact on endpoint performance, as well as transparent, frictionless updates.  

So, one of the prerequisites is to assess resource consumption and the impact on the performance of work tools: this impact must be minimal.  

For this purpose, HarfangLab’s EDR consumes only 90MB of RAM and 0.5% of CPU, and updates do not require endpoints to be restarted – which means no impact on business tools! 

Quality of customer support 

The quality of support is one of the criteria to consider when choosing a security solution.   

Review platforms such as Gartner Peer Insights provide an overview of customer feedback, and their testimonials, or talks with peers (for example, within the framework of clubs or associations), are also useful for estimating the quality of support.   

In addition to the opinions expressed by users, you can also make sure that the support offered by the supplier is in line with your needs (scope, availability…). 

Whether you’re looking for a new solution or a different one, 
with what team do you need to work with?