This is part I in a series on some capabilities you should look for in your Endpoint Detection and Response (EDR) solution. Why? Well, a recent SANS survey entitled Modernizing Security Operations [registration required] found that EDR is the most effective technology used in Security Operations. It’s important for gaining visibility into your clients’ environments, which is key to your SOC effectiveness.
But how do you choose an effective EDR solution? If you already have an EDR solution at work for you, you may already have some areas in mind where you’d like to see improvement. If you’re looking to add EDR to expand your services, you may have an initial list of criteria. Either way, this series should help you round out your list. Let’s examine one aspect: getting sufficient cross-platform visibility across your clients’ environments.
Real-world environments are diverse. Real-world environments are composed of a combination of workstations and servers, a mix of operating systems, and include physical, virtual, and cloud-based machines. It’s difficult to get a single homogeneous view of what’s happening in such diverse environments. Having machines with different agents, machines without agents, and machines which frequently are offline leaves gaps in your visibility, which means gaps in your security and effectiveness. Without a holistic, standardized, and continuous view into your environment, you risk undetected compromises.
In December 2021 SysJoker, a new backdoor malware, targets Windows, macOS, and Linux. Existing anti-virus engines could not detect SysJoker on Linux and macOS machines but could on Windows. Malware can exist in an organization’s environment undetected by their antivirus software for an extended period. Simply using the same brand of antivirus on all machines doesn’t guarantee you’re using the same underlying software or getting the same protection on all platforms. Many solutions have completely different agents for different operating systems. They may look the same on the surface but actually provide extraordinary levels of visibility and protection.
Besides the challenge of effectively protecting various operating systems, there is the challenge of endpoints which are often offline. With the work-from-home trend gaining popularity, this is becoming an increasingly important issue. Gaining consistent visibility into these machines can only be accomplished by capturing data on the endpoint itself, to be analyzed when the machine reconnects.
The EclecticIQ EDR leverages one agent on all endpoints, including workstations and servers, that gives you the most comprehensive and uniform view of activity on the endpoints in your environment. The agent supports Windows, macOS, and Linux on physical, virtual, cloud-based, and Docker containers. The EDR agent supplements the data collected by osquery with additional telemetry valuable to endpoint detection and adds the most flexible response capabilities available in an EDR solution today.
A lightweight open-source osquery component enhances the collaborative strength. Osquery is written in low-level C and C++ and then cross-compiled for native operation on different platforms. That means that the same code is running natively on Windows, macOS, Linux, and BSD endpoints. Initially created by Facebook (now Meta) for internal use, hundreds of developers who have produced over 110 releases have refined osquery over eight years. You can use the same solid, mature, proven agent on all endpoint operating systems.
This combination gives you the most uniform view possible into your entire environment in one tool, which means uniform alerting and a single workflow, making you a more effective security service provider.
Be sure to come back and read the next part of this 5-part series on what questions you should ask when selecting or upgrading your EDR solution. Part II is coming soon. While waiting, you can read our whitepaper 5 Questions to ask About Your EDR Solution.
To learn more, visit EclecticIQ Endpoint Response or contact info@eclecticiq.com
You might also be interested in:
