Last month we announced the general availability of EclecticIQ Endpoint Response, our EDR solution – built from the market-proven PolyLogyx ESP product – which leverages an enterprise-ready osquery-based agent to provide deep endpoint telemetry for real-time investigation and response, allowing you to detect, respond to, and eradicate threats on endpoints.
In our launch post I wrote that:
EclecticIQ Endpoint Response is the most flexible and cost-effective EDR weapon in the market today for service providers – including Digital Forensics & Incident Response (DFIR) firms, Incident Response (IR) consultants, and Managed Security Services Providers (MSSPs) – and enterprises looking to improve their ability to hunt for, detect and respond to endpoint threats.
Let's dig into this a bit more.
Most of you in the cybersecurity service provider community are probably looking to build on top of and expand the services you currently offer – without ripping and replacing systems that are already working well:
- to minimize switching costs and training & productivity impacts;
- to provide more & better services for your customers; and
- to maintain a competitive edge in the market.
Here are some considerations you should contemplate in your never-ending quest to improve your offerings, your competitiveness, and your margins, based on my conversations with MSSPs around the world over the years.
Backend Integration
A key consideration is an open and extensible architecture, meaning you can integrate it into your existing toolset with little to no impact on current processes and workflows. This lets you keep using your existing consoles and/or dashboards, minimizing the steep learning curve and associated productivity hit.
I liken this to how Tesla does over-the-air (OTA) updates -- one day you wake up and have ludicrous mode enabled! Same car, new capabilities. In your case, you want your analysts to continue using the same console but with newer and better telemetry, live search and response capabilities.
Expansive Telemetry
Another hallmark of a truly useful EDR tool is the ability to adapt to your data ingestion needs - both depth and breadth. Typical endpoint tools focus on the OS being monitored and have a preset list of data to monitor. But if you need to monitor beyond the OS, such as SCADA devices or a CT scanner, does your EDR allow customization to collect from these new data sources? After all, there will be applications beyond the OS that can be threat vectors to watch.
- Depth. The ability to customize the depth of data collection can be critical, especially for incident responders or in cases where the risk model dictates heightened vigilance. The ability to add focus to your data collection effort without having to rely on additional tools or manual processes can greatly improve your customers' security posture.
- Breadth. Depending on the environment, you may need to monitor Windows, macOS and/or Linux workstations, perhaps at the same time; in this case, being able to monitor them all with a single tool – for monitoring, investigation, and response – reduces monitor fatigue and switching costs, and improves holistic visibility and productivity. Or you may need to expand monitoring to include, say, a new IoT network or medical devices; in this case, being able to extend your existing toolset will get you to the finish line faster with less pain.
Kernel-based Agent
Another key architectural consideration is a design which resists attempts to manipulate data collection, logging or transmission. Basically, this means a kernel-based and higher-privileged agent that provides access to the filesystem, network, OS, BIOS and hardware layers. Two areas where this is particularly important include:
- Investigation. Access to reliable telemetry is of course paramount to ensure your evidence collection – all the IOCs and other observables – is able to track sneaky malware that tries to thwart your threat hunting and detection efforts by corrupting or altering logs. Bottom line, are you able to trust your telemetry if the endpoint is compromised?
- Response. On the flip side, you need to know that any corrective actions you push onto infected systems are actually executed, that the device is indeed put back into proper working order. Again, this requires a trusted, reliable path to prevent malware from escaping your remediation efforts.
In a good world, your EDR provides everything you need to identify, investigate, and remediate IOCs via a single agent, exposes that capability through an API for easy integration into your existing toolchain, and allows you to implement custom functionality for your use cases.
Competition
In a better world, you get this capability from a vendor who isn’t supporting your software needs on one hand while competing against you with the other, especially when your customer comes up for renewal. While coopetition certainly works to the mutual benefit of both sides in some cases, think about how much lower stress levels would be with a partner directly invested in your success.
So, maybe it’s time to reexamine your security tooling in light of these considerations and think about an upgrade?
Post Script
Take EclecticIQ Endpoint Response Community Edition for a free test drive – just download from GitHub and start your own POC today! It leverages our enterprise-ready osquery-based agent and provides visibility into endpoint activities, query configuration management, a live query interface, and alerting capabilities based on security-critical events.