With limited budgets and manpower, how can the smaller enterprises deploy advanced EDR solutions without letting them become shelf-ware?

From our experience, small- and medium-sized enterprises (SMEs) understand that they need to improve their security capabilities. Such enterprises typically make the IT department responsible for cybersecurity, which can dilute some of the focus needed. They simply do not know where to start.

Therefore, it may seem ideal for SMEs to just buy a solution that combines all the high-profile cybersecurity features at once.

But what can go wrong with this approach? Will the firms be able to sift through all the data and events that modern Endpoint Detection and Response (EDR) solutions provide, as well as distinguish between false alerts and real threats?

SMEs’ limited resources

First of all, it is a matter of price. One of our own reports showed that, on average, the share of spending on information security equates to around a quarter of an entire IT budget. This is true for both small and large companies, but in absolute numbers there is a significant difference.

A solution intended for enterprise customers may not suit smaller businesses’ budgets. Moreover, required investments are not only monetary. Enterprise-grade products may be difficult to install and integrate with existing security solutions. In an enterprise with a large IT security department, some staff can simply devote their time to this task. This can be an issue for SMEs, as fewer employees are responsible for maintaining the whole infrastructure.

Of course, all these efforts are worthwhile when a new security solution benefits the company’s level of protection. But, in practice, even if an SME manages to secure a budget and implement an enterprise-grade solution, without sufficient expertise in information security, it will be difficult to fully leverage the scope of functionality.

Finding the right-sized solutions
Enterprise-grade functions may simply be irrelevant to an SME’s needs. For example, if a previously-unknown suspicious object is detected, some organizations that are not very mature in cybersecurity just need to know if it is malicious, or needs blocking. Meanwhile, other SMEs just need a full picture of the object’s actions and background for a deep investigation.

Furthermore, products that are created for security analysts are not appropriate for an SME’s preferred ‘set-and-forget’ approach. For example, a feature-rich EDR solution requires a team of expert analysts capable of tuning the detection logic and creating new rules to continuously improve detection levels. Without such specialists, the solution’s ability to proactively search for indicators of intrusion will not be useful.

In SMEs it is common for a system administrator to manage an endpoint protection solution. But even EDR, which provides essential capabilities, requires an employee with basic cybersecurity knowledge. Hiring a full team of threat hunters or advanced security analysts at once is hardly a feasible task.

Therefore, it is worth starting with an employee who has knowledge in information security. Combined with an understanding of the IT landscape, this allows for validating alerts, eliminating threats while taking into account the risks of their actions, such as isolation of a certain workstation or server, or stopping a critical business process.

EDR selection tips
When EDR becomes a piece of shelf-ware rather than an effectively-used solution, it can demotivate company leaders from developing cybersecurity initiatives in general. After all, if they do not see a benefit, why should the business invest in other security products?

Therefore, an organization should first decide if it is ready to hire an employee who is responsible for information security issues. If not, the most effective option will be to ask for help from external incident detection and response professionals.

For those businesses that decide to develop this capability internally, it is essential to initially find a beneficial solution without making substantial investments in additional resources, whether monetary and/or human. To avoid the above pitfalls, we recommend the following guidelines for SMEs:

  1. To provide visibility without ‘blind spots’ and centralized response features, EDR needs to be integrated with an Endpoint Protection Platform (EPP). Enhancing cybersecurity capabilities should be a step-by-step evolution. Once a company can detect a malicious object with an endpoint protection solution, it can expand existing technology with the ability to understand where it came from and search for this threat on other workstations.
  2. If an EDR solution can be smoothly integrated with existing endpoint security solutions in a centralized way, it cuts the time required for deployment. So, before purchasing a product, ask if it supports turnkey integration with your EPPs. 
  3. If you have a limited number of staff responsible for security, make sure your chosen EDR solution provides good visibility and automation, but does not overwhelm a specialist with irrelevant information. All the incident information should be readily available from a single console and a path of the attack spread should be visualized to simplify threat analysis.

Automated searching for Indicators of Compromise (unusual outbound network traffic, PAM anomalies, geographical irregularities, login red flags, etc.) and incident response features will be useful in speeding up the work and increasing IT staff productivity.