Endpoint Detection and Response (EDR) is an endpoint security solution that continuously monitors end-user devices (laptops, desktops, servers, etc.) to detect and respond to cyberthreats such as ransomware and credential harvesting. MSPs need EDR now more than ever; however, the vast majority of EDR solutions in the market today are not made to fit the needs of most MSPs and, instead, have been designed for the enterprise. These tools are often expensive and complex and require a highly trained security team to manage them.
MSPs should seek out advanced new solutions created especially for MSPs. (We like Datto EDR for this reason.) When selecting the best EDR for your MSP practice, ask yourself the following questions.
1. Efficacy — How Does My EDR Catch The Threats That Matter Most?
- A key requirement of any EDR offering is that it is lightweight and complements existing antivirus (AV) products. AV is a must-have solution to protect against the most common threats. EDR, however, provides the defense-in-depth capabilities to detect and respond to stealthy threats that AV inevitably misses.
- Unlike AV, which relies on signatures of known threats, EDR detects suspicious behaviors that by themselves would not be problematic but, in tandem, can indicate a breach in progress. By spotting unusual behaviors, you gain an additional way to stop threat actors from wreaking havoc.
- Certain attacks, such as fileless malware that resides only in memory, are so sophisticated that even the best AV often fails to stop them. Having EDR that can spot malicious code running in memory is critical.
2. Alert Fatigue — What Will The Alert Volume Look Like Once EDR Is Running?
- Most enterprise EDR solutions are designed to spot anything and everything that looks unusual. In doing so, these solutions generate a lot of alerts — so many, in fact, that most SOC analysts can’t keep up with the volume. Because of this, SOC analysts will detune their EDR to generate fewer alerts. The unintended consequence is that threats which the analyst would otherwise have flagged now go unnoticed.
- Not every alert is a threat. To avoid alert fatigue, you want an EDR solution that zeroes in on the threats that really matter, which frees up resources to focus on other activities while ensuring strong security.
3. Ease Of Remediation — Once An Alert Is Triggered, How Easy Is It To Address The Issue?
- The MITRE ATT&CK framework is an invaluable tool for understanding the tactics and techniques of threat actors. It codifies myriad common and not-so-common threat activities. Having an EDR tool that maps each alert to the MITRE ATT&CK framework makes remediation easy and quick by giving users a common reference for what the attacker is doing and how to respond.
- You also want an EDR tool that provides step-by-step guidance on best practices to quickly and efficiently remediate indicators of compromise. Without it, the burden of remediation falls on you to figure out what steps to take in order to contain and remediate a breach.
- Ideally, when an actionable alert occurs, you can simply click on your EDR dashboard to isolate hosts, terminate processes, and take other actions without having to switch consoles or apps.
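The three ideas above (behaviors that are harmless alone but suspicious in tandem, a threshold that keeps alert volume manageable, and an ATT&CK technique ID attached to every finding) can be shown in one small correlation routine. The following is an added illustration written for this article, not code from Datto EDR or any other product: the telemetry is constructed, the rules and weights are simplified placeholders, and only the ATT&CK technique IDs are real MITRE identifiers.

```python
"""Toy behavioral correlation over constructed endpoint process-creation events.

Demonstrates (added example, not a vendor's detection content):
  1. single events score low; a chain of distinct behaviors on one host scores high
  2. ALERT_THRESHOLD is the tuning knob that controls alert volume
  3. every matched rule carries a real MITRE ATT&CK technique ID for triage
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 600    # matched events on one host within this gap form one chain
ALERT_THRESHOLD = 4     # chain score needed to surface an alert (assumed value)

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass(frozen=True)
class Event:
    ts: int          # seconds, constructed
    host: str
    parent: str      # parent process image
    image: str       # process image
    cmdline: str


def office_spawns_interpreter(e: Event) -> bool:
    return e.parent in OFFICE_APPS and e.image in INTERPRETERS


def encoded_powershell(e: Event) -> bool:
    tokens = e.cmdline.lower().split()
    return e.image == "powershell.exe" and any(t in ("-enc", "-encodedcommand") for t in tokens)


def shadow_copy_deletion(e: Event) -> bool:
    return e.image == "vssadmin.exe" and "delete shadows" in e.cmdline.lower()


# (rule name, ATT&CK technique ID, weight, predicate); weights are illustrative
RULES = [
    ("office-spawns-interpreter", "T1204.002", 2, office_spawns_interpreter),
    ("encoded-powershell",        "T1059.001", 2, encoded_powershell),
    ("shadow-copy-deletion",      "T1490",     3, shadow_copy_deletion),
]


@dataclass
class Chain:
    host: str
    first_ts: int
    last_ts: int
    rules: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    score: int = 0


def correlate(events, window=WINDOW_SECONDS):
    """Group rule hits per host into time-bounded chains; unmatched events are ignored."""
    chains, open_chain = [], {}
    for e in sorted(events, key=lambda x: (x.host, x.ts)):
        hits = [(name, tid, w) for name, tid, w, pred in RULES if pred(e)]
        if not hits:
            continue
        chain = open_chain.get(e.host)
        if chain is None or e.ts - chain.last_ts > window:
            chain = Chain(e.host, e.ts, e.ts)
            chains.append(chain)
            open_chain[e.host] = chain
        chain.last_ts = e.ts
        for name, tid, w in hits:
            if name not in chain.rules:          # repeating one behavior adds no evidence
                chain.rules.add(name)
                chain.techniques.add(tid)
                chain.score += w
    return chains


def alerts(events, threshold=ALERT_THRESHOLD, window=WINDOW_SECONDS):
    """Only chains above the threshold reach an analyst; lower it and volume grows."""
    return [c for c in correlate(events, window) if c.score >= threshold]


def summarize(chain: Chain) -> str:
    return (f"{chain.host}: score={chain.score} techniques={sorted(chain.techniques)} "
            f"window={chain.first_ts}-{chain.last_ts}")


SAMPLE_EVENTS = [  # constructed telemetry for the example, not real data
    Event(1000, "ws-01", "explorer.exe", "winword.exe", "winword.exe Invoice.docx"),
    Event(1005, "ws-01", "winword.exe", "powershell.exe", "powershell.exe -enc QUJD"),
    Event(1120, "ws-01", "powershell.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event(2000, "ws-02", "explorer.exe", "powershell.exe", "powershell.exe -enc QUJD"),  # admin script
    Event(5000, "srv-01", "cmd.exe", "vssadmin.exe", "vssadmin.exe list shadows"),       # benign
    Event(100, "ws-03", "explorer.exe", "powershell.exe", "powershell.exe -enc QUJD"),
    Event(9000, "ws-03", "excel.exe", "cmd.exe", "cmd.exe /c whoami"),                   # hours later
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        flag = "ALERT" if chain.score >= ALERT_THRESHOLD else "info "
        print(flag, summarize(chain))
```

With the assumed threshold, only ws-01 surfaces: a document that launched an encoded PowerShell which then deleted shadow copies. The lone encoded PowerShell on ws-02 and the two ws-03 events hours apart stay below the line; dropping the threshold to 2 would alert on all four chains, which is the volume problem item 2 describes, and each alert arrives with the technique IDs an analyst needs to look up guidance.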
4. Integration — Is Your EDR Integrated With RMM Tools?
For MSPs and IT departments that remotely manage endpoints, your remote monitoring and management (RMM) tool may be your primary tool and dashboard for endpoint management. Because of this, having an EDR tool integrated with your RMM tool makes daily workflow easier and more efficient.
5. Ease Of Use — How Easy Is The Tool To Use, Manage, And Deploy?
You want a tool that is simple to understand so you don’t spend hours trying to learn a complex, new system. Your time is valuable, and leveraging a tool that is effective, efficient, and easy to use will pay dividends.