Find the Right EDR Solution with WWT's ATC Malware Lab
Endpoint Detection & Response (EDR) is the first line of defense in an organization's security detection and response posture. It provides real-time endpoint visibility, analysis and protection, using a combination of practices and technologies to actively monitor endpoint activity, identify threats and trigger automatic responses to attacks. Because there are many solutions to choose from, it is important to take the necessary steps to be sure you are selecting the right one. That is why organizations come to WWT's Advanced Technology Center (ATC) for EDR lab services.
Endpoint Detection and Response (EDR) is the sub-field of endpoint security responsible for proactively defending the network against endpoint threats. EDR security is composed of practices and technologies that actively monitor endpoint activity, identify threats and trigger automatic responses to attacks. Within the ATC, WWT experts can create a simulation of your organization's environment and perform unbiased testing to determine how various EDR solutions will interoperate with your infrastructure. What could be better than selecting a solution or defining a strategy based on real data gathered from your own environment, without any risk?
The need for EDR solution testing beyond what the research says
It's fair to wonder why you would need to do testing when there are reliable sources for product research and review. Gartner, Forrester and MITRE are fantastic references, but keep in mind that some of these industry reports measure success and leadership by revenue, size and existing client metrics. When it comes to vendor choice, there are other important factors, such as an OEM's innovation, reputation, service and cultural alignment.
For the CISO, CxO or any executive who is considering an enterprise security software solution, the Magic Quadrant (MQ) is often the go-to guide for determining which vendors should be on the short list. Yet as valuable as the MQs may seem, Gartner does not actually test or use the software under evaluation. The MQ is therefore a great source for general knowledge on products, but it shouldn't be the deciding factor in product selection.
The Forrester Wave Scoring Methodology, while unbiased, is best used as a reference to learn about and compare the product options within the marketplace. Forrester takes an equitable approach by evaluating vendors and products against the same metrics, but there is no independent or third-party testing to support the validity of its product recommendations.
One of the more trusted EDR resources is MITRE Engenuity testing. MITRE Engenuity ATT&CK® Evaluations (Evals) apply a systematic methodology to capture critical context on a solution's ability to detect or protect against known adversary behavior as defined by the ATT&CK knowledge base. However, false positive results are not taken into account, and the testing isn't done in a live production environment or on production machines. Further, MITRE does not rank the results of its EDR testing. Rather, it openly releases the results to be individually interpreted, leaving room for forgery and manipulated data.
EDR testing 2.0
Organizations looking for the right EDR need a firmer basis than the marketecture and nuanced promises that vendors try to sell. Only by putting products and solutions into play in a simulated lab of your own environment can you accurately determine which features you need and which tools work best.
As EDR tools evolve beyond endpoint detection and response on telemetry data and take on different functions such as Identity Threat Protection (ITDP) and Cloud Workload Protection (CWPP), the selection process will only become more challenging. At WWT, not only do we perform EDR testing for efficacy, telemetry AND industry analysis, we also encourage customers to join us on the journey and analyze the labs themselves for independent post-testing analysis.
As an industry standard-setter and innovator in security, the WWT Global Accounts Security team is always looking at ways to enhance our testing methodology within the ATC to better serve our customers. In the past, WWT has focused EDR testing on behavioral-type testing and malware detection and prevention, typically known in the industry as Endpoint Protection Platform (EPP) style testing.
- In 2022, WWT is featuring a new way of testing EDR solutions for our customers.
- In 2023, WWT is looking to enhance testing methodologies to include XDR, by testing multiple attack silos from email, network and the cloud.
How EDR tools need to be evaluated:
- Behavioral and malware efficacy testing: It is important to note that malware attacks still exist to this day; therefore, testing against malware and behavioral-style attacks is still important for an EDR solution.
- APT testing based on industry vertical: Nation-state and APT attackers focus on specific industries; as such, having specific testing criteria that reflect the attacks targeting your vertical, such as global financial organizations, is a must when evaluating an EDR solution.
- Telemetry visibility: Telemetry is what SOC team members use to triage the data and alerts an EDR solution forwards to a SIEM. Therefore, visibility into an endpoint is paramount to SOC teams.
- Framework testing (MITRE ATT&CK or Cyber Kill Chain): Security frameworks help organizations apply best practices and operational resiliency; by providing standards, frameworks give executive leadership the alignment and knowledge to see the value of a security operations center.
- Quickness of alert reporting: As attackers become more sophisticated and faster in their attacks, having a scoring metric for how quickly an EDR solution raises alerts is essential to an organization's security posture.
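Several of the criteria above (detection efficacy, ATT&CK framework coverage, false positives and time-to-alert) can be scored from two records a lab run produces: the test harness's log of which ATT&CK-mapped test cases ran and when, and the alerts each candidate product raised. The following is an added example of such a scorer, not WWT's or any vendor's tooling; the test-case log, the alert logs, the product names and the 30-minute attribution window are all constructed for illustration.

```python
"""Score an EDR bake-off run from constructed lab logs.

Inputs (constructed): a test-run log of executed, ATT&CK-mapped test cases and,
per candidate product, the alerts it raised. Each alert carries the test case an
analyst attributed it to (None = fired on benign activity). The scorer reports
detection rate, median time-to-alert, false positives, missed cases and
per-tactic coverage, then ranks the products.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed test-run log (case id, ATT&CK technique and tactic, start time).
TEST_RUNS = [
    {"case": "TC-01", "technique": "T1059.001", "tactic": "execution", "start": "2024-03-01T10:00:00"},
    {"case": "TC-02", "technique": "T1003.001", "tactic": "credential-access", "start": "2024-03-01T10:10:00"},
    {"case": "TC-03", "technique": "T1055", "tactic": "defense-evasion", "start": "2024-03-01T10:20:00"},
    {"case": "TC-04", "technique": "T1021.002", "tactic": "lateral-movement", "start": "2024-03-01T10:30:00"},
    {"case": "TC-05", "technique": "T1486", "tactic": "impact", "start": "2024-03-01T10:40:00"},
]

# Constructed alert logs for two hypothetical products.
ALERTS = {
    "ProductA": [
        {"case": "TC-01", "time": "2024-03-01T10:00:12"},
        {"case": "TC-01", "time": "2024-03-01T10:00:45"},  # duplicate; only the first counts
        {"case": "TC-02", "time": "2024-03-01T10:10:05"},
        {"case": "TC-03", "time": "2024-03-01T10:21:30"},
        {"case": None, "time": "2024-03-01T10:15:00"},     # fired on benign activity
        {"case": "TC-05", "time": "2024-03-01T10:40:08"},
    ],
    "ProductB": [
        {"case": "TC-01", "time": "2024-03-01T10:02:00"},
        {"case": "TC-02", "time": "2024-03-01T10:10:30"},
        {"case": "TC-03", "time": "2024-03-01T10:55:00"},  # too late to be credited to TC-03
        {"case": "TC-04", "time": "2024-03-01T10:30:20"},
        {"case": None, "time": "2024-03-01T10:05:00"},
        {"case": None, "time": "2024-03-01T10:35:00"},
    ],
}


def parse(ts):
    return datetime.fromisoformat(ts)


def score_product(test_runs, alerts, window=timedelta(minutes=30)):
    """Credit a test case only for alerts raised within `window` after it started."""
    runs = {r["case"]: r for r in test_runs}
    first_alert = {}          # case id -> earliest creditable alert time
    false_positives = 0       # alerts not attributable to any case within its window
    for alert in alerts:
        case = alert["case"]
        if case is None or case not in runs:
            false_positives += 1
            continue
        t = parse(alert["time"])
        start = parse(runs[case]["start"])
        if t < start or t - start > window:
            false_positives += 1
            continue
        if case not in first_alert or t < first_alert[case]:
            first_alert[case] = t

    latencies = [(first_alert[c] - parse(runs[c]["start"])).total_seconds() for c in first_alert]
    by_tactic = {}
    for r in test_runs:
        cov = by_tactic.setdefault(r["tactic"], {"detected": 0, "total": 0})
        cov["total"] += 1
        if r["case"] in first_alert:
            cov["detected"] += 1

    return {
        "detected": len(first_alert),
        "total": len(test_runs),
        "detection_rate": len(first_alert) / len(test_runs),
        "median_time_to_alert_s": median(latencies) if latencies else None,
        "false_positives": false_positives,
        "missed": sorted(c for c in runs if c not in first_alert),
        "tactic_coverage": by_tactic,
    }


def score_all(test_runs=TEST_RUNS, alerts=ALERTS):
    return {product: score_product(test_runs, a) for product, a in alerts.items()}


def rank_products(scores):
    """Highest detection rate first; ties broken by faster alerts, then fewer false positives."""
    return sorted(
        scores,
        key=lambda p: (-scores[p]["detection_rate"],
                       scores[p]["median_time_to_alert_s"] or float("inf"),
                       scores[p]["false_positives"]),
    )


if __name__ == "__main__":
    scores = score_all()
    for product in rank_products(scores):
        s = scores[product]
        print(f"{product}: {s['detected']}/{s['total']} detected, "
              f"median time-to-alert {s['median_time_to_alert_s']}s, "
              f"{s['false_positives']} false positives, missed {s['missed']}")
```

The attribution window is the key design choice: an alert that arrives long after the test case ran cannot be shown to have been caused by it, so it is counted against the product rather than for it. The per-tactic coverage map is what you would carry into a MITRE ATT&CK or Cyber Kill Chain discussion with leadership.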
Here are some important questions to ask when evaluating EDR solutions:
- How does your EDR tool fit in your incident response process and policy?
- Have you looked at moving away from legacy security products to more behavior-based products like EDR?
- What are your goals and aspirations for an EDR solution?
- Is your organization fully migrating to the cloud?
- What are your plans for EDR and protecting your endpoints?
Additional testing beyond security: performance, network utilization & functionality
WWT has performed EDR testing for some of the world's largest organizations, including the world's top financial institutions, with our ATC's Malware Lab; this has given our teams a wealth of experience on the matter.
The EDR space has become rather saturated, so we tend to recommend products based on customer-preferred vendors, such as CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, Palo Alto Cortex XDR, Carbon Black, McAfee, Cybereason, Symantec and several others.
Going far beyond third-party research, our approach measures and analyzes criteria from key focus areas to simplify decision-making: OS feature/support parity, scalability, ease of enterprise deployment, EDR agent deployment and operationalization, security policy tuning requirements, tenant usability, endpoint performance testing (disk, CPU, etc.) and network utilization testing.
Inside WWT's ATC lab, your organization can experience proven and unique EDR testing scenarios that help you choose a solution that not only optimizes endpoint security, but also creates operational efficiencies, interoperability and better visibility.