This is part 3 in a series on the capabilities you should be looking for in your Endpoint Detection and Response solution. Choosing the right EDR solution matters: a recent SANS survey, Modernizing Security Operations, found that EDR is considered the most effective technology used in Security Operations. EDR gives you visibility into, and control over, your clients' environments, and the more of both you have, the more effective the SOC services you can provide.
But how do service providers best choose an EDR solution? Whether you are already using an EDR solution or adding one for the first time to expand your services, you likely have a list of criteria, and this series should help you supplement it. Here we examine a third aspect: reducing the complexity of your security stack by ensuring full and effective remediation.
To remediate compromised endpoints effectively and completely, analysts benefit from having the widest variety of the most powerful tools available to them, so response action capabilities should be evaluated closely with this in mind. Don't be limited to stop-gap actions such as isolating a host and waiting for someone else to clean it up. Analysts should be able to collect artifacts for investigation and fully remediate a compromised machine from within the same console.
Our EDR solution, EclecticIQ Endpoint Response, has the most capable set of response actions on the market. From the console, analysts can open a Live Terminal on the endpoint's command line for ad hoc commands, execute PowerShell and bash commands and scripts, run live queries on the endpoint, send, retrieve and delete files, stop processes, isolate a machine from the network, and block a particular program, protocol or address from the network while leaving the rest of the host connected.
What does that mean in practical terms? An analyst can push a forensic toolkit to the endpoint and execute it there. An analyst can take a forensic snapshot and upload it to a cloud instance for further analysis. Analysts can send remediation scripts to the endpoint and execute them, all without an additional agent or console. In short, analysts have the most flexible toolset available to help them accomplish their mission.
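The following is an added example, not EclecticIQ's own code, of the kind of remediation script described above: something an analyst would send to a Windows endpoint with the file-transfer action and then run from the Live Terminal. It collects volatile artifacts first, so that remediation does not destroy evidence, and only stops and removes the suspect binary when its SHA-256 hash matches the expected value, so that a wrong path never kills a legitimate program. The case ID, output directory, suspect path and hash are placeholders chosen for illustration, not real indicators.

```powershell
<#
  Added example (not EclecticIQ's code): a remediation script an analyst could push to a
  Windows endpoint through an EDR console and execute there. Phase 1 collects volatile
  artifacts before anything is changed; phase 2 stops and quarantines a process only when
  its image hash matches the expected one. All parameter defaults are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CaseId        = 'CASE-0001',                   # assumed case label
    [string]$OutRoot       = 'C:\Triage',                   # assumed collection directory
    [string]$SuspectPath   = 'C:\Users\Public\svchost.exe', # assumed IOC path (placeholder)
    [string]$SuspectSha256 = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder hash
)

$ErrorActionPreference = 'Stop'
$outDir = Join-Path $OutRoot "$CaseId-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | Export-Csv -Path (Join-Path $outDir "$Name.csv") -NoTypeInformation
    } catch {
        # Record the failure and keep going: a partial triage package beats none.
        "$Name failed: $($_.Exception.Message)" | Add-Content (Join-Path $outDir 'errors.log')
    }
}

# Phase 1: capture volatile state before any remediation step runs.
Export-Artifact 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}
Export-Artifact 'tcp_connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}
Export-Artifact 'scheduled_tasks' {
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}
Export-Artifact 'startup_commands' {
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
}
Export-Artifact 'services_outside_windows_dir' {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike '*\Windows\*' } |
        Select-Object Name, State, StartMode, PathName
}

# Phase 2: remediate only on an exact hash match; otherwise log and leave the file alone.
if (Test-Path -LiteralPath $SuspectPath) {
    $actual = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    if ($actual -ieq $SuspectSha256) {
        Copy-Item -LiteralPath $SuspectPath -Destination (Join-Path $outDir 'quarantine.bin')  # keep the sample
        Get-CimInstance Win32_Process |
            Where-Object { $_.ExecutablePath -ieq $SuspectPath } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("PID $($_.ProcessId)", 'Stop-Process')) {
                    Stop-Process -Id $_.ProcessId -Force
                }
            }
        if ($PSCmdlet.ShouldProcess($SuspectPath, 'Remove-Item')) {
            Remove-Item -LiteralPath $SuspectPath -Force
        }
        "remediated $SuspectPath sha256=$actual" | Add-Content (Join-Path $outDir 'actions.log')
    } else {
        "hash mismatch for $SuspectPath (got $actual); no action taken" | Add-Content (Join-Path $outDir 'actions.log')
    }
}

# Package the collection for retrieval through the console's file-transfer action.
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath "$outDir.zip" -Force
Write-Output "$outDir.zip"
```

Because the script declares SupportsShouldProcess, running it with -WhatIf performs the collection but only reports the Stop-Process and Remove-Item steps, which is a useful first pass on a machine you are still investigating. The quarantine copy and the actions log land in the same archive as the triage data, so one retrieve action brings back both the evidence and a record of what was changed.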
When analysts must switch between consoles, or worse, install another agent on a machine, to completely remediate it, the quality of their work drops and the time to remediation grows. If your team is performing investigation and remediation across multiple consoles or with multiple agents, its effectiveness is being hindered. Detection capabilities are important, but don't minimize the importance of complete response capabilities when evaluating EDR solutions.
This marks the halfway point in our 5-part series on what you should be considering when selecting an EDR solution for your service provider organization. If you haven't yet, read Part I and Part II, and be sure to come back for Part IV, which is coming soon. If you can't wait, you can read our whitepaper 5 Questions to Ask About Your EDR Solution.
To learn more, visit EclecticIQ Endpoint Response.