Author: Joey Sylvester
Among a plethora of baseline requirements for cyber insurance coverage is a tool many underwriters require before they consider covering an organization: Endpoint detection and response (EDR).
Because EDR extends protection to endpoints in a network, it plays an important role in a comprehensive cybersecurity strategy.
What is EDR and how does it work?
To understand what EDR is, it helps to first understand how traditional anti-virus software works.
A traditional anti-virus product scans a database of known malware and then removes any malware it finds. Endpoint protection platforms (EPPs) are like anti-virus software on steroids: in addition to scanning for malware files, they scan for sophisticated threats such as fileless malware and malware stored in memory.
The limitation of traditional anti-virus software and EPPs is that the moment a particular type of malware can be remedied by a simple anti-virus solution and placed in a database, threat actors find another means to compromise systems. Because both traditional and EPP anti-virus software search for known malware, modern attacks can escape detection.
EDR differs from traditional and EPP anti-virus software:1 Rather than scanning for the presence of specific viruses, EDR monitors behavior instead — behavior characteristic of today's advanced malware and other malicious activity.
Specifically, when deployed to an endpoint — anything connected to a network such as end user machines and devices, servers, etc. — an EDR solution monitors the behavior of the endpoint for key indicators of malicious activity or malware. These indicators may include unusual processes, an unexpected volume of activity, large data transfers and unrecognized connections.
When EDR software detects such activity, it responds by alerting IT staff, the security operations center (SOC) and — if available with the purchased solution — automating the response to the point of isolating and containing the compromised endpoint.
Certain automated responses can be tailored using rules set within the EDR solution. Automated responses can prevent lateral movement of a hacker beyond the endpoint itself, which helps prevent wider network attacks and breaches
EDR solutions can also provide a great deal of forensic detail in the event of a cyber attack, which may be helpful in an incident response scenario. Several EDR products offer centralized machine learning capabilities, compiling data from all endpoints on their platform. When a particular type of malicious activity is detected, the platform can learn to recognize the impacts and deal with the issues more quickly and effectively.
Protection beyond basic EDR
Many EDR vendors offer as an add-on managed detection and response (MDR) solution, for around-the-clock alert monitoring, so no critical alerts go undetected when no human is monitoring alerts. The level of monitoring is akin to an outsourced SOC. Underwriters who want to see exposure managed on a 24/7 basis view MDRs favorably.
Newer versions of EDR are now available, such as extended detection and response (XDR), which extends EDR protections to assets beyond endpoints, such as cloud-based systems and email.
Standalone EDR is just one aspect of protecting endpoints and networks. A comprehensive cyber protection strategy can also include EPP or next-generation anti-virus software, endpoint isolation and containment technology, a SOC, a security information and event management (SIEM), security orchestration, automation and response (SOAR) and other solutions.
How much does EDR cost?
A number of vendors offer EDR solutions at various prices. Some features are common to all products, and each product also has features that enhance the solution and its competitiveness in the market. Various websites offer comparisons of key features in the available EDR products.2
Although the benefits of EDR are clear, EDR solutions are not inexpensive. EDR can range from $10 per agent per month (the charge to deploy EDR to one machine) to more than $40, depending on the vendor and purchased add-ons. Nor are they comprehensive — they are one tool that can be part of an overall solution.
EDR also requires a significant time commitment from IT staffs to implement and manage. And as with any software product, the cost includes the time it takes to research solutions, gain budget approval, test in a development environment, deploy to a pilot group, deploy fully, educate, train and communicate changes to staff.
Why do cyber insurance underwriters require EDR?
With the increased frequency and cost of cyber attacks, underwriters are requiring proof that companies have robust protections in place. The strengths of EDR are clear: Because the solutions are behaviorally based, organizations no longer need to rely on a database of identified viruses that might be a step behind today's threat actors. By focusing on the presence of malicious behavior, companies can more easily identify a problem by recognizing and learning the effects, containing the activity and remediating the issue.
In summary, endpoints are a key entry point for cyber attacks and must be protected to the greatest extent possible. EDR tools are an important protection tool and, when combined with other tools, can significantly harden a network and prevent breaches. Because EDR is now a requirement of many insurance carriers, not having EDR as part of a comprehensive solution could result in fewer carriers willing to offer coverage.
For information on other key control requirements, check our recently published Cybersecurity Controls Checklist.