Cyber strategy

How to choose the right EDR: checklist of questions to ask

How do you define your security requirements? What perimeter do you need to protect, and at what level of service? When is it appropriate to outsource EDR management? How to choose the right solution or managed service?
6 min

One thing is certain: CISOs are in the best position to define a cyber strategy and choose solutions to protect their information systems. They have the best grasp of the context, the needs and the maturity of the operating teams.
Nevertheless, these strategic decisions for the organization cannot be taken alone, and above all, to ensure the effectiveness of the system, it is important to anticipate.
To help you, here’s a guide to the questions you need to ask yourself before choosing EDR, along with a list of resources to call on internally to ensure that your cyber roadmap is deployed in the best possible conditions. 

1. EDR: what questions should be asked during the scoping phase?

  • What needs does the EDR  have to meet, what risks does it have to cover, what does it have to protect against?
    • Ensure the availability of the organization’s IS, which could be compromised by ransomware attacks?
    • Protect sensitive information that could be stolen by an attacker who has compromised a device? 
    • Validate cyber insurance?

  • What attack scenarios need to be covered? 
  • What feedback do you have on past security incidents? 
  • Does the IS already have endpoint protection capabilities (antivirus, etc.), and how effective are they in identifying malicious behavior and responding to incidents? 
  • Is there a SOC in place?
    • What is its detection coverage and functional capabilities? 
  • Is support needed to answer these questions? 

Answering these questions will enable you to prepare comparative scenarios with a view to choosing the most appropriate solution for reinforcing a SOC where necessary.
If it is not possible to carry out a preliminary analysis in-house to answer these questions, the support of a qualified professional is necessary to identify the best approach. 

Who should Security Managers talk to?
Infra – CIOs – Peers – Expert consultants

2. What perimeter should the EDR cover?

After the needs and context definition phase :

  • How large is the IT infrastructure? 
  • How many endpoints need to be protected?
  • Does the infrastructure team have the skills and bandwidth to deploy agents on the IS?
  • Which OS should be protected?
  • What is the strategy for managing obsolete OS?

It should be noted that, in all likelihood, an EDR cannot be deployed on all obsolete OSes.
Choosing an EDR is therefore an opportunity to take stock of your IT assets and identify workstations that need to be decommissioned, or that require increased protection, in order to improve risk management.

Who should Security Managers talk to?
IT – Infrastructure 

3. What are the requirements?

In addition to technical requirements and constraints, an organization may also be subject to a number of legal and regulatory obligations, which may influence the choice of a cybersecurity solution.
This raises the question of which obligations the organization is subject to, and what the implications are.

  • RGPD
  • LPM 
  • HDS
  • NIS2 
  • PCI-DSS…

Who should Safety Managers talk to?
CEO – Legal – CIO – DPO – Business units 

4. Crucial question: in-house or outsourcing?

Outsourcing is the best option for organizations in these situations:

  • A small team, or even a single person to manage the IS.
  • No in-house cyber expertise, and no possibility of recruiting analysts or SOC managers in the short term. 
  • Budget is limited. 
  • Need to draw on the experience of a partner who knows the organization’s business sector.

If so, who should Security Managers talk to about it?

Organizations can internalize EDR management if they have : 

  • The means to deploy an SOC / EDR and manage it, if this is already the case.
  • In-house expertise to operate an SOC. 
  • In-house skills or the possibility of short-term recruitment.
  • Legal or regulatory constraints, or constraints linked to overall acquisition strategy

If so, who should Safety Managers talk to about it?

5. What level of service is required?

  • On-call duty to handle critical alerts only, or outsourced on-call duty? 
  • A capacity of supervision in working hours only, or in non-working hours? 
    • During non-working hours, are on-call procedures in place to deal with incidents internally? 
  • Local or global? 
  • For a managed service, what is the perimeter and expected level of service: 
    • Investigation and/or response? 
    • What about the possibility of calling on additional skills in the event of an attack (forensic, reverse…)? 
  • If a insurance cyber is subscribed, what are the constraints?
    • Can you choose any service provider?
    • And does the insurance cover response, restoration and recovery?  

These choices can be guided by the ability of in-house teams to be available 24/7 or not, and by budgetary resources.
Obviously, a 24/7 managed service costs more, but this budget needs to be put into perspective with the team’s bandwidth and the risks against which the organization is seeking to protect itself.
Moreover, the choice of incident response perimeter also depends on the skills and availability of the teams if the EDR is managed in-house. 

Who should Security Managers talk to?
If management is in-house: Cyber experts – CIOs
If management is outsourced: MSSP – CFO

6. Finally, how do you choose the right solution?

If the organization manages the EDR internally

The Security Manager can call on in-house cyber experts and analysts to confirm the usability and relevance ofEDR .
Be sure to carry out this consultation beforehand, to ensure the support of the operational teams who will be using the console on a daily basis.
With this in mind, here are the questions to ask the software supplier:  

  • What are its references in the industry? 
  • Does the solution provide access to all raw data collected by agents? 
  • What are the MITRE results, certifications or assessments
  • What aboutopening up to third-party solutions? 
  • How do I contact customer service

If the organization manages the EDR externally

The support of a MSSP is the right solution for companies that don’t have the expertise or resources to manage EDR or SOC in-house.
Note that choosing a managed service means choosing a partner who offers a catalog of solutions. Thus, forcing the adoption of a non-catalog solution has two disadvantages: the budget may be higher, and the partner’s teams will be less experienced in using this solution.
With this in mind, here are the questions to ask your partner: 

  • What level of service do you offer? 
  • Does it already operate the desired solution if it has already been identified? 
  • What expertise does it have in the organization’s business sector

Definition of requirements, scope, obligations, in-house vs. outsourcing, service level, and finally choice of tool… You now have the keys to identifying the solution best suited to your needs, taking your context into account. 

You need to dig deeper into the subject,
or want to find out more about our offers?

Contact us!