Endpoints are among the most vulnerable parts of your system. Their frequency of use, coupled with inevitable human error, make them the perfect targets for attackers.
Deploying an endpoint detection and response (EDR) solution can dramatically improve security for endpoints and your organization as a whole.
But, it’s often easier said than done. The best results require a mindful installation and proper tuning of you EDR solutions.
Now, if you choose a managed EDR solution (outsourced), any required tuning will be handled by your partner. But, while you might not need to deal with it yourself, you’ll at least want to know what goes into it.
However, if you’re thinking about performing the task on your own, you’ll need a basic understanding of what steps to take to stay secure.
Let’s take a look into what it takes to get the most out of your investments.
Solutions & Tuning Overview
Endpoint detection and response combines the detection capabilities of antivirus with the ability to perform automated responses.
Responses can range from simply sending alerts, to deleting malware, or even isolating a compromised device from the rest of your network.
EDR solutions use established algorithms constantly updated by experience, artificial intelligence (AI), and machine learning (ML). EDR solutions also feed alerts into security monitoring programs to provide an overall assessment of your organization’s status.
While AI-enhanced EDR solutions will continue to improve, both software and humans still make mistakes.
False positives occur when an event is incorrectly identified as malicious, and false negatives occur when a malicious event is incorrectly identified as safe.
That’s where a little bit of fine tuning comes into play.
Tuning an EDR attempts to minimize mistakes and improve EDR performance.
This tuning will adjust what actions to take on the endpoint device, as well as how to integrate alerts into your security process.
Tuning Considerations
EDR software vendors create tools with default settings that provide good protection and minimize false positives for all customers. Basically, they do the best they can to create a ‘one-size-fits-all’ approach.
However, these default settings don’t maximize protection for any specific customer. After all, if the EDR tool shuts down operations too many times, or creates too many alerts, then customers will simply pull the plug on using it.
That means in order to avoid losing business, the vendors play it safe. They don’t use the strictest settings by default, and instead, leave it up to the customer to decide how strict they want them.
These are the settings that tuning aims to narrow down.
An effective EDR tuning takes your preferences and needs into account, improving security without increasing false positives.
Tuning the EDR to adjust security logs and alerts balances the protection of your network against unnecessary disruptions. And, it balances sending useful alerts against overwhelming your security team with non-emergencies.
But, it’s a fine line between too much and too little. Too much one way, and your security team wastes time chasing down non-issues. Eventually, this can even lead to problems like in ‘The Boy Who Cried Wolf,’ and when real threats present themselves, they might be ignored as just “another false alarm.”
On the other hand, too few alerts and, well, your security team will never be notified of a problem.
What Should EDR Solutions Provide?
Should an event occur, your EDR also must provide meaningful information to track the attack for investigation, containment, and remediation.
Keep in mind that the same action in one context may be an attack, but in another context will be business as usual. The machine, the user, and the nature of the business all contribute to what’s normal and what constitutes an attack.
Security teams should work with business managers and for each asset class or user group and ask two things.
First, “What should never happen?” And second, “What regularly happens?”
For example, if no employees in a law firm use the Command Line for their Macs and PCs, any attempt to access it should immediately trigger a response. Of course, you’ll want to balance the danger of the threat against the response level.
But, if that’s something your team uses on a regular basis, then you wouldn’t want an alert triggered every time someone tried to do their job.
EDR responses can be set up to alert, isolate a process, or even isolate a machine. Again, the appropriate action will be dictated by the risk to the organization. Critical assets or definite attacks may merit isolating the device. However, less critical assets experiencing suspicious activities may only merit alerts.
Proper security is e a continuous process, and tuning is, as well.
Each new vulnerability or attack method discovered requires security professionals to evaluate whether or not to add new alerts to your EDR solutions.
Final Thoughts
EDR solutions are important tools keeping your business safe. But, that doesn’t mean you have the same security needs as everyone else.
You use different software at different times, and need a customizable level of security.
That’s why fine-tuning your security solutions is so important. You’ll save you and your team the headaches of too many pointless alerts, while at the same time improving the safety of your organization.
That said, it might sound easier than it truly is.
To avoid burying the critical attack signals in the noise of false positives, it takes experience and expertise. Outsourcing to an experienced professional can pay dividends.
Outsourced professionals have already passed the learning curve to install the software correctly into a variety of IT environments, and deeply understand the software’s limitations.
This expertise saves time during the installation and tuning process and minimizes operational disruptions.
Outsourced professionals also have experience analyzing the reports and indicators of compromise generated by an EDR. They know which alerts are critical, and which are simply false alarms.
For expert assistance tuning EDR or managed EDR solutions contact Blue Bastion at 412-349-6680, or fill out the form below. Our security experts provide a no-obligation consultation to explain EDR options and installation processes specific to your needs.
