Endpoint Detection and Response: Breaking New Frontiers
The case for endpoint detection and response (EDR) has already been made. EDR products are gaining wider acceptance in the enterprise, partly because of the difficulty of managing endpoints at scale in today's geographically distributed organizations. According to Gartner, "Detection and Response" is the top security priority for enterprises in 2017 and will continue to drive the security market for the next five years. The challenge now is to raise the common understanding of, and expectations for, endpoint detection and response tools.
Various vendors continue to innovate around the basic tenets of endpoint detection and response. To break new ground, however, it is necessary to get inside the mind of an enterprise CISO. The CISO already expects an EDR tool to bundle real-time querying at scale, visual dashboards and alerting. So what would let the CISO take endpoint management within the enterprise to the next level? Here are three areas that could change the way endpoints are managed today.
Real-time Data Bundled with Enterprise Data
Gathering real-time data from endpoints and offering slice-and-dice capabilities with visual dashboards over that data is essential, but stopping there is not enough. Endpoint data processed in isolation is limited in what it can tell you. Enterprises already hold a significant amount of related data that should be joined with endpoint data to extract more meaning: data at rest in CMDBs, MIS systems, employee databases, HR systems and more. An endpoint record enriched with this context (who owns the asset, how critical it is, whether the logged-in user is still an employee) is far more actionable than the raw telemetry alone.
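The following is an added example, not code from Accelerite Sentient or any product: it joins a constructed set of endpoint telemetry records with a constructed CMDB and HR directory, and flags the mismatches that only show up once the data sets are combined (an endpoint missing from the asset register, a logged-in user who is not the registered owner, and a terminated employee still logging in). The field names and sample hosts are assumptions chosen for illustration.

```python
"""Enrich real-time endpoint telemetry with CMDB and HR data, then flag mismatches.

Added example, not Accelerite Sentient code. All records below are constructed;
field names (hostname, logged_in_user, owner, status, ...) are assumptions.
"""

# Constructed sample: what an EDR agent reports in real time.
ENDPOINT_TELEMETRY = [
    {"hostname": "fin-lt-014", "logged_in_user": "jdoe", "os": "Windows 10"},
    {"hostname": "eng-ws-207", "logged_in_user": "asmith", "os": "Ubuntu 16.04"},
    {"hostname": "lab-vm-999", "logged_in_user": "root", "os": "CentOS 7"},
    {"hostname": "hr-lt-003", "logged_in_user": "mlee", "os": "Windows 7"},
]

# Constructed sample: the asset register (CMDB), keyed by hostname.
CMDB = {
    "fin-lt-014": {"owner": "jdoe", "department": "Finance", "criticality": "high"},
    "eng-ws-207": {"owner": "bwong", "department": "Engineering", "criticality": "medium"},
    "hr-lt-003": {"owner": "mlee", "department": "HR", "criticality": "high"},
}

# Constructed sample: the HR / employee directory, keyed by username.
HR_DIRECTORY = {
    "jdoe": {"status": "active", "department": "Finance"},
    "asmith": {"status": "active", "department": "Engineering"},
    "bwong": {"status": "active", "department": "Engineering"},
    "mlee": {"status": "terminated", "department": "HR"},
}


def enrich(endpoints, cmdb, hr):
    """Join each endpoint record with CMDB and HR data and attach findings.

    Findings are strings so the result can feed an alerting rule or a report
    without further parsing.
    """
    enriched = []
    for ep in endpoints:
        rec = dict(ep)
        findings = []

        asset = cmdb.get(ep["hostname"])
        if asset is None:
            # An endpoint the EDR sees but the asset register does not: rogue
            # host, shadow IT, or a CMDB hygiene problem. Either way, look at it.
            findings.append("not_in_cmdb")
            rec["criticality"] = "unknown"
        else:
            rec["owner"] = asset["owner"]
            rec["department"] = asset["department"]
            rec["criticality"] = asset["criticality"]
            if asset["owner"] != ep["logged_in_user"]:
                findings.append("owner_mismatch")

        person = hr.get(ep["logged_in_user"])
        if person is None:
            # Local or service accounts (e.g. root) are not in HR; worth review.
            findings.append("user_not_in_hr")
        elif person["status"] != "active":
            # A separated employee still logging in is a classic offboarding gap.
            findings.append("inactive_user_logged_in")

        rec["findings"] = findings
        enriched.append(rec)
    return enriched


def prioritise(enriched):
    """Return only records with findings, most critical assets first."""
    order = {"high": 0, "medium": 1, "unknown": 1, "low": 2}
    return sorted(
        (r for r in enriched if r["findings"]),
        key=lambda r: (order[r["criticality"]], r["hostname"]),
    )


if __name__ == "__main__":
    for rec in prioritise(enrich(ENDPOINT_TELEMETRY, CMDB, HR_DIRECTORY)):
        print(rec["hostname"], rec["criticality"], ", ".join(rec["findings"]))
```

Note that none of the three findings is visible in the endpoint telemetry on its own; each one exists only in the join. In a real deployment the CMDB and HR lookups would be queries against those systems (or a cached export), and the ordering key would come from whatever criticality scheme the enterprise already uses.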
Built-in Automation Frameworks
Each enterprise is different, and so are its use cases. A "one size fits all" approach aimed at CISOs with different priorities is restrictive, so the product should ship with the capabilities the enterprise needs to plumb and wire its own solutions. One such capability is an IFTTT-like conditional framework for building automated workflows around endpoint detection and response; it lets the EDR integrate with external systems in ways the vendor did not have to anticipate. Consider a scenario in which the CISO tracks new OS vulnerabilities reported by NVD. Today, even with real-time EDR, the response is reactive and manual: query the endpoints, gather the data, consolidate it and analyze the impact. If instead the CISO can instruct the EDR to watch for such reports, determine which endpoints are affected and generate the report proactively, the value is far higher.
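Here is an added example of that NVD scenario as an IFTTT-style rule; it is not Accelerite Sentient's automation framework or code. The "new CVE" events and the endpoint software inventory are constructed and deliberately simplified: real NVD records describe affected versions with CPE match strings, whereas here a product key plus optional `version_start_including` / `version_end_excluding` bounds stand in for them, and the CVE identifiers and product names are placeholders, not real vulnerabilities. The rule fires on any event above a CVSS threshold, queries the inventory for affected hosts and returns an impact report.

```python
"""IFTTT-style automation: IF a new CVE above a severity threshold arrives,
THEN find the affected endpoints and produce an impact report.

Added example, not Accelerite Sentient code. Feed entries, inventory, CVE ids
and product names are constructed placeholders; the version-range fields are
a simplification of NVD's CPE match data.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed "new CVE" events as a feed poller might emit them (not real CVEs).
NEW_CVES = [
    {"id": "CVE-0000-0001", "product": "examplecorp:agentd",
     "version_end_excluding": "2.4.1", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "examplecorp:agentd",
     "version_start_including": "3.0.0", "version_end_excluding": "3.1.2", "cvss": 5.3},
    {"id": "CVE-0000-0003", "product": "othervendor:viewer",
     "version_end_excluding": "1.9.0", "cvss": 7.5},
]

# Constructed inventory, hostname -> {product: installed version}, as a
# real-time EDR software query would return it.
INVENTORY = {
    "fin-lt-014": {"examplecorp:agentd": "2.3.9", "othervendor:viewer": "1.9.0"},
    "eng-ws-207": {"examplecorp:agentd": "3.0.5"},
    "hr-lt-003": {"examplecorp:agentd": "2.4.1", "othervendor:viewer": "1.8.2"},
    "lab-vm-999": {},
}


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (assumption: numeric parts only)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed: str, cve: dict) -> bool:
    """Check an installed version against the CVE's [start, end) range.

    A missing bound means unbounded on that side, as in NVD's match data.
    """
    v = parse_version(installed)
    lo = cve.get("version_start_including")
    hi = cve.get("version_end_excluding")
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


def affected_endpoints(cve: dict, inventory: dict) -> list:
    """The 'query the endpoints' step, run automatically instead of by hand."""
    return sorted(
        host for host, software in inventory.items()
        if cve["product"] in software and is_affected(software[cve["product"]], cve)
    )


def impact_report(cve: dict, inventory: dict) -> dict:
    """The 'consolidate and analyze' step: one report per triggering CVE."""
    hosts = affected_endpoints(cve, inventory)
    return {
        "cve": cve["id"],
        "product": cve["product"],
        "cvss": cve["cvss"],
        "affected": hosts,
        "exposure": len(hosts) / len(inventory),
    }


@dataclass
class Rule:
    """IF condition(event) THEN action(event, inventory)."""
    name: str
    condition: Callable[[dict], bool]
    action: Callable[[dict, dict], dict]


def run_rules(rules: list, events: list, inventory: dict) -> list:
    """Evaluate every rule against every event; collect the action outputs."""
    return [rule.action(ev, inventory) for ev in events for rule in rules if rule.condition(ev)]


# The CISO's policy, expressed as data rather than as a manual procedure.
RULES = [Rule("high-severity-cve", lambda cve: cve["cvss"] >= 7.0, impact_report)]

if __name__ == "__main__":
    for report in run_rules(RULES, NEW_CVES, INVENTORY):
        print(report)
```

The point of the rule object is that the condition and the action are both data the enterprise supplies: a different CISO can raise the threshold, restrict the rule to high-criticality assets (for instance by feeding it the enriched records from the CMDB join), or swap the action for one that opens a ticket. The EDR supplies the inventory query and the runtime; the policy belongs to the enterprise.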
Ecosystem of Endpoint Detection and Response Apps, Power to the Enterprise!
The EDR solution needs to be pervasive and flexible. It must handle heterogeneous data, offer flexible action paths and expose multiple integration points for automation. What is needed is a systematic, API-driven layer on top of the core EDR engine, with an analytics subsystem and IFTTT-like automation runtimes. This puts a very wide range of capabilities in the hands of the enterprise: IT can manage endpoints in a uniform and systematic way, define and deploy custom "apps" that build on the APIs, and respond with far more flexibility than a fixed set of vendor-defined actions allows.
Endpoint detection and response has been a consistent "emerging" trend over the last couple of years. It needs no further justification given current enterprise environments, but it is essential to think beyond traditional reactive systems, isolated analytics and restrictive actions. Continuous innovation that puts power in the hands of the enterprise is the way forward.
Accelerite Sentient is an EDR product that goes beyond basic querying and alerting. It provides advanced analytics, integration of external data sources and, ultimately, a foundation for a more automated endpoint ecosystem.