Threat Hunting or Efficiency: Pick Your EDR Path?
“Do You Want It Done Fast, Or Do You Want It Done Right?” “Yes.”
“Help out more with our business objectives.” “Cover an increasing number of endpoints.” “Cut budgets.” “Make it all work without adding staff.”
Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).
Unfortunately, traditional EDR solutions have made accomplishing both of these goals (and in some cases, even one or the other!) difficult, if not impossible. According to the study, gaps in EDR capabilities have created pain points for 83% of enterprises. For instance, while 40% of enterprises consider threat hunting a critical requirement, only 29% feel their current EDR solutions fully meet that need. On an even more basic level, 36% worry their EDR solution doesn’t surface every threat that breaks through—while an equal number of respondents say the alerts that are surfaced by their EDR are frequently not relevant or worth investigating.
These numbers clearly show there’s a lot of room for improvement, but at the same time, these two goals seem to be less than complementary. How would you choose to try and meet them?
Scenario 1: The Status Quo
Your team continues utilizing their traditional EDR solution on its own.
You lose points in efficiency out of the gate—according to Forrester, 31% of companies say that the systems are so complex, their junior staff lack the skillset to triage and investigate alerts without senior staff.
The number of alerts output by traditional EDR solutions will cost you efficiency in another way: another 31% of respondents say their teams struggle to keep up with the volume of alerts generated by their EDRs.
On the threat detection side, you’re not starting out with a perfect score, either: Again, keep in mind that more than a third of respondents believe that, even with this large volume of alerts, not everything is being caught.
As a baseline, let’s assume you’re starting out with a 7 in Threat Detection, and a 3.5 in Efficiency.
You’re still a long way from meeting your goals. Let’s look at our options.
Do you want to:
- Add more staff members
- Bolt on more software
- Hire an MDR
Scenario 2: Add more staff members
With efficiency seeming such a far-off goal, your team decides to focus its efforts on threat detection. To help manage the number of alerts, you hire two new employees. You still have every bit as much noise coming from your EDR, and it still isn’t catching everything, but your team has marginally more ability to triage and respond to threats. You gain a point for threat detection, but a look at your department budget sheet shows your efficiency score is basically shot.
Final Score: 8 in Threat Detection, and a 2 in Efficiency.
Scenario 3: Bolting On More Software
Other businesses are taking a different tack. They’re keeping their traditional EDR solution, but they’re also bolting on more point solutions to help catch things that fall through the cracks. If you choose to go this route, your threat detection capabilities go up …. but between all the duplicate alerts, separate interfaces, and near complete lack of integration, your team is critically bogged down. With junior staff able to triage just 31 percent of alerts on traditional EDR systems, senior analysts are having to manage all the alerts on all the interfaces on their own.
All this software isn’t cheap, and you’re losing time in both training in all of it, and in switching back and forth. Meanwhile, the solutions that were supposed to improve your threat detection capabilities are doing so … somewhat … but with things falling through the cracks amidst the chaos and analyst fatigue setting in, you wouldn’t know it.
Final Score: 7.5 in Threat Detection, 1.5 in Efficiency.
Scenario 4: Partnering with an MDR
You don’t want to hire any more staff—and even if you did, there aren’t many to hire. So instead you hire a Managed Detection and Response (MDR) provider to do what your EDR should be doing, but isn’t. You partner with the most reputable MDR you can find, and you’re confident that between what you’re doing and what they’re doing, there isn’t much getting past you. But you’re also paying twice to get a single set of capabilities.
Final Score: 9 in Threat Detection, 1 in Efficiency
Clearly, it’s time to try something new
- I want to improve my efficiency with my current EDR!
- I want to try something better.
Scenario 5: Improving efficiency with current EDR
How do you make a first-gen EDR more efficient? You don’t. In other words, if you want to get more out of an EDR that doesn’t utilize the latest technologies, the only adjustments you can make here have to come from your team. If you could get more threat detection mileage out of the same number of team members, your efficiency level would naturally rise.
Initial Score: 8 in Threat Detection, 4 in Efficiency
But as you soon find out, the mandatory late nights and your “you’d better step it up or else!” attitude aren’t exactly doing wonders for morale. With cybersecurity professionals in high demand everywhere, it isn’t long before you’re down at least one team member. Now you have 4 team members doing the number of 5. Which sounds decent ….
Intermediate Score: 6 in Threat Detection, 6 in Efficiency
… until an enterprising hacker takes note of your shorthandedness and targets you, hoping to use your situation to their advantage. Unfortunately, not only do you have a highly imperfect traditional EDR system and four employees trying to do the work of five … you have four disgruntled employees trying to do the work of five. According to IDC, in organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours). Guess which camp your team falls into?
Before long, your company is brought to its knees by a major attack. The press is all over it, and confidence in your company plummets. Your company’s reputation might recover … eventually … but things aren’t looking so good for you.
Final Score: Game Over.
Scenario 6: I want to try something better.
You’ve heard from your friends and colleagues about what doesn’t work. And, of course, you’ve read the horror stories. But you’re still left with two disparate goals. What if there was a way to increase threat detection capabilities without hiring more personnel, outsourcing what your EDR should be able to handle but isn’t, or creating a system with more bolts than Frankenstein’s monster?
According to Forrester, there is a way to bridge the goals of greater efficiency and better threat detection. With AI guided investigation, your junior analysts will be able to triage threats like your more seasoned analysts, freeing your senior analysts to focus on mission-critical tasks. And with less noise, your team will be free to focus on more of the right alerts.
Survey respondents backed this up: 35 percent believe AI-guided investigations will lead to fewer breaches, and 52 percent think they’ll lead to improved efficiency. Mission accomplished.
Final Score: You=1, Hackers=0.
To read more about how AI-guided investigation can help revolutionize your SOC, click here.