EclecticIQ
Service Providers: Let’s Talk About Improving Your EDR Toolset

Sridhar Jayanthi August 27, 2021


Last month we announced the general availability of EclecticIQ Endpoint Response, our EDR solution – built from the market-proven PolyLogyx ESP product – which leverages an enterprise-ready osquery-based agent to provide deep endpoint telemetry for real-time investigation and response, allowing you to detect, respond to, and eradicate threats on endpoints.

In our launch post I wrote that:

EclecticIQ Endpoint Response is the most flexible and cost-effective EDR weapon in the market today for service providers – including Digital Forensics & Incident Response (DFIR) firms, Incident Response (IR) consultants, and Managed Security Services Providers (MSSPs) – and enterprises looking to improve their ability to hunt for, detect and respond to endpoint threats.

Let's dig into this a bit more.

Most of you in the cybersecurity service provider community are probably looking to build on top of and expand the services you currently offer – without ripping and replacing systems that are already working well:

  • to minimize switching costs and training & productivity impacts;
  • to provide more & better services for your customers; and
  • to maintain a competitive edge in the market.

Here are some considerations you should contemplate in your never-ending quest to improve your offerings, your competitiveness, and your margins, based on my conversations with MSSPs around the world over the years.

Backend Integration

A key consideration is an open and extensible architecture, meaning you can integrate the EDR into your existing toolset with little to no impact on current processes and workflows. In practice, this means the agent's telemetry and response capabilities are exposed through an API rather than locked into a vendor console. This lets you keep leveraging your existing consoles and/or dashboards, minimizing the steep learning curve and associated productivity hit.

I liken this to how Tesla does over-the-air (OTA) updates – one day you wake up and have ludicrous mode enabled! Same car, new capabilities. In your case, you want your analysts to continue using the same console but with newer and better telemetry, live search and response capabilities.

Expansive Telemetry

Another hallmark of a truly useful EDR tool is the ability to adapt to your data ingestion needs – both depth and breadth. Typical endpoint tools focus on the OS being monitored and have a preset list of data to collect. But if you need to monitor beyond the OS, such as SCADA devices or a CT scanner, does your EDR allow customization to collect from these new data sources? After all, there will be applications beyond the OS that are threat vectors worth watching.

  • Depth. The ability to customize the depth of data collection can be critical, especially for incident responders or in cases where the risk model dictates heightened vigilance. Being able to add focus to your data collection effort without having to rely on additional tools or manual processes can greatly improve your customers' security posture.
  • Breadth. Depending on the environment, you may need to monitor Windows, macOS and/or Linux workstations, perhaps at the same time; in this case, being able to cover them all with a single tool – for monitoring, investigation, and response – reduces monitor fatigue and switching costs, and improves holistic visibility and productivity. Or you may need to expand monitoring to include, say, a new IoT network or medical devices; in this case, being able to extend your existing toolset will get you to the finish line faster with less pain.

Kernel-based Agent

Another key architectural consideration is a design which resists attempts to manipulate data collection, logging or transmission. Basically, this means a kernel-based and higher-privileged agent that provides access to the filesystem, network, OS, BIOS and hardware layers. Two areas where this is particularly important include:

  • Investigation. Access to reliable telemetry is of course paramount to ensure your evidence collection – all the IOCs and other observables – can track the sneaky malware that tries to thwart your threat hunting and detection efforts by corrupting or altering logs. Bottom line: are you able to trust your telemetry if the endpoint is compromised?
  • Response. On the flip side, you need to know that any corrective actions you push onto infected systems are actually executed, that the device is indeed put back into proper working order. Again, this requires a trusted, reliable path to prevent malware from escaping your remediation efforts.

In a good world, your EDR provides everything you need to identify, investigate, and remediate IOCs via a single agent, exposes that capability through an API for easy integration into your existing toolchain, and allows you to implement custom functionality for your use cases.

Competition

In a better world, you get this capability from a vendor who isn’t supporting your software needs on one hand while competing against you with the other, especially when your customer comes up for renewal. While coopetition certainly works to the mutual benefit of both sides in some cases, think about how much lower your stress levels would be with a partner directly invested in your success.

So, maybe it’s time to reexamine your security tooling in light of these considerations and think about an upgrade?

Post Script

Take EclecticIQ Endpoint Response Community Edition for a free test drive – just download from GitHub and start your own POC today! It leverages our enterprise-ready osquery-based agent and provides visibility into endpoint activities, query configuration management, a live query interface, and alerting capabilities based on security-critical events.

© 2014 – 2023 EclecticIQ B.V.