We are nearing the end of our Endpoint Detection and Response (EDR) research project; we just pushed our first paper – on EDR operational practices – into review and are concentrating on a technology comparison paper, a more difficult effort.
One thing has emerged from many of the recent conversations with EDR vendors and users. The thing we secretly suspected, but feared to explicitly say – until we have more data.
What IS this thing?
So far in our experience, EDR tool WINS (= examples of wildly successful deployments) tend to be concentrated at a highly mature, “Type A of Type A”, lean-forward, advanced security organizations.
Huh? Are you simply saying that “if you are better at something, things tend to be better for you”? Or are you saying “warning: EDR is a tool for security 1%-ers?”
Not exactly! We are a bit more careful here and we are not branding EDR “a 1%-er tool.” However, success with EDR is found more often in the land of 10+ person SOCs and full-time standing CIRTs, rather than in the land of “we just hired our 1st security person.”
When buying an EDR tool, please be aware of that!
Blog posts related to our current EDR research:
- EDR Mud Fight: Kernel or Userland?
- Using EDR For Remediation?
- EDR Research Commencing: Call To Action!
- Where Does EDR End and “NG AV” Begin?
- Reality Check on EDR / ETDR
- My Paper on Endpoint Tools Publishes (2013)
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint