8 Key Capabilities Managed Security Service Providers Need from their Endpoint Detection and Response Platform

Endpoint devices represent a significant attack surface for most enterprises. Many businesses don’t have the resources or the expertise to thoroughly monitor their own endpoints and to promptly respond as needed when threats are detected. Their logical course of action is to outsource the full range of activities for endpoint threat detection and response to a Managed Security Service Provider (MSSP) that specializes in providing 24×7 monitoring and response. For their part, MSSPs need the right tools with the right level of automation to augment the capabilities of their in-house security experts.

The market for Endpoint Detection and Response (EDR) platforms is both large and mature. The August 2019 Gartner Magic Quadrant report for this market features 20 products—and this certainly doesn’t cover every product that professes to provide protection and detection functionality at the endpoint. In such a crowded market that is still evolving in terms of capabilities, what should an MSSP look for when selecting a product?

Here are 8 key requirements that MSSPs need from their EDR platforms.

1. Speed and Ease of Deployment

The sooner a platform can be deployed and up and running, the sooner the service provider can begin to monitor for and respond to threats. Ideally, a platform should be in a position to begin inspecting an environment within minutes. This means no “heavy lifting” to get up and running: just a simple configuration of which environment to inspect.

There should be minimal impact to a customer’s business and network operations when deploying and configuring such a security solution. Moreover, the platform should have the ability to quickly and automatically enumerate and identify all systems within an environment to ensure there are no gaps in monitoring and coverage.

2. Flexible Deployment Options

Some EDR platforms require a software agent on the endpoints while others do not. There are pros and cons on both sides of the agent versus agentless models.

On the plus side, agents enable the MSSP to capture extensive details about each device’s configuration and what’s happening on the device, along with all user activity taking place on or through the device. Agents also enable interactive intervention in a user’s session when needed; for example, to quarantine the device if malicious activity is suspected.

However, the agent-based approach has its drawbacks. Agents require installation and management. An agent may not work on devices and computers with unsupported operating systems, leaving gaps in coverage. What’s more, guests and owners of unmanaged devices may not agree to having the agent installed.

One downside of not having an endpoint agent installed is that some data cannot be collected, such as local user activity on remote computers. More troublesome is that without a presence on the endpoint device, the “response” capabilities of EDR platforms are limited and may require another tool.

Many enterprises find they need to use both an agent-based and an agentless model in order to cover all endpoints and network-based devices, and to overcome the shortcomings of each approach listed above.

3. In-Memory and System Forensic Detection

Because attackers increasingly use in-memory-only malware that never touches disk, the EDR platform must have the ability to conduct deep forensic inspections of assets that focus on memory, running processes, files, user accounts, network connections, and drivers—essentially the entire running system.

We take a unique approach compared to many EDR security providers when it comes to our detection engine. Infocyte monitors and catalogs what is happening on the endpoint right now, while also providing a complete historical forensic analysis of what transpired on all endpoints we inspect—even before Infocyte was installed.

This historical forensic timeline provides MSSPs with a clear trail of evidence, starting with the initial attack, and helps security teams understand how long the malicious item dwelled in the environment and how the attack moved inside the network.

4. Historical Data and Trends

The EDR platform must have the ability to analyze historical data against newly discovered threats to determine whether a threat already exists in the environment, and if so, how long it has been there and what it has done. Threats can be lurking in the system and they may go undetected until new threat models or signatures are available to scrutinize the historical information.
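A minimal illustration of the retroactive check described in sections 3 and 4, written for this page as an added example rather than Infocyte’s own code: a constructed forensic timeline of artifacts seen on each endpoint is re-scanned against a newly published indicator set to report which hosts already carried it, how long it dwelled, and the order in which it spread. All host names, timestamps and hashes are constructed.

```python
"""Retroactive hunt: re-scan a historical endpoint timeline against newly
published indicators. Added example, not Infocyte code; data is constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Artifact:
    host: str          # endpoint the artifact was observed on
    seen: datetime     # when the inspection recorded it
    kind: str          # process, file, driver, ...
    sha256: str        # content hash used for indicator matching

# Constructed sample timeline collected over several inspections.
DROPPER = "c0ffee11" * 8   # constructed hash, later published as an indicator
DRIVER = "bad0d00d" * 8    # constructed hash, later published as an indicator
BENIGN = "0ddba115" * 8    # constructed hash of an ordinary binary
TIMELINE = [
    Artifact("ws-17", datetime(2020, 2, 3, 9, 15), "process", DROPPER),
    Artifact("ws-17", datetime(2020, 2, 3, 9, 16), "file", DROPPER),
    Artifact("ws-05", datetime(2020, 2, 10, 8, 0), "process", BENIGN),
    Artifact("fs-02", datetime(2020, 2, 12, 14, 30), "process", DROPPER),
    Artifact("dc-01", datetime(2020, 2, 20, 2, 45), "driver", DRIVER),
    Artifact("ws-17", datetime(2020, 2, 28, 11, 0), "process", DROPPER),
]

def retro_hunt(timeline, iocs):
    """Match historical artifacts against a new indicator set.
    Returns {host: (first_seen, last_seen)} for every host that carried
    a matching artifact at any point in the timeline."""
    hits = {}
    for a in timeline:
        if a.sha256 in iocs:
            first, last = hits.get(a.host, (a.seen, a.seen))
            hits[a.host] = (min(first, a.seen), max(last, a.seen))
    return hits

def dwell_days(hits, host, now):
    """Whole days between the earliest sighting on `host` and `now`."""
    return (now - hits[host][0]).days

def spread_order(hits):
    """Hosts in the order the threat first appeared on them."""
    return sorted(hits, key=lambda h: hits[h][0])

if __name__ == "__main__":
    found = retro_hunt(TIMELINE, {DROPPER, DRIVER})   # indicators published today
    for host in spread_order(found):
        print(host, found[host][0].date(), dwell_days(found, host, datetime(2020, 3, 4)))
```

Re-running the same scan whenever a new indicator set arrives is what turns stored inspection data into the dwell-time and lateral-movement answers the section describes.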

5. Continuous and Real-time Monitoring

Some EDR platforms rely on analyzing historical data from logs and other static datasets. Cyberattacks such as ransomware attacks move quickly, so the EDR platform must provide analysis of security events in real time to ensure timely detection of and response to suspicious activity.

6. Automation

Automation is a force multiplier for an overworked and understaffed security team. The EDR tool must support automated scanning of systems, updates of detection models, responses to threats, and mitigation workflows. What’s more, the automation capabilities must be able to scale to the size of the enterprise.

7. Integrations

The platform must have the ability to integrate smoothly into the existing security ecosystem, becoming part of the overall security solution rather than acting in isolation or attempting to solve all of an organization’s security challenges.

8. Reporting

Corporate executives are held accountable for security breaches, and so they want to deeply understand their enterprise’s security posture. They need visualizations that highlight key performance indicators on the overall security stance and progress toward improvement.

Conclusion

MSSPs provide a vital service in monitoring their customers’ endpoints for threats in real time. The security team needs the right tools to complement their security expertise. Using the right type of EDR platform can be a real force multiplier by automating many of the tasks involved in detecting and responding to threats before they become larger issues.

Contact us to learn more about our endpoint detection and response platform or start your free trial.


*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Infocyte. Read the original post at: https://www.infocyte.com/blog/2020/03/04/8-key-capabilities-managed-security-service-providers-need-from-their-endpoint-detection-and-response-platform/