5 Things MSPs Should Consider When Evaluating EDR

By | Managed Services News

Mar 15

MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement, and how EDR fits into their overall service offering.

Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but, nevertheless, cybersecurity remains top of mind.

To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like firewalls, firewall filtering, Active Directory protocols, DNS filtering and antivirus/malware detection. One of the ways many MSPs feel they can satiate their cybersecurity concerns involves buzzword-y new acronyms floating around involving “EDR” or endpoint detection and response. But what is EDR really, and what can it do for MSPs and their clients?

But, first, besides EDR, there’s also ADR, MDR, xDR … The industry can surely expect newer blank-DR acronyms to come in the next few years. What are all these acronyms, and how do they help MSPs protect their clients? Here are a few definitions:

  • EDR (endpoint detection and response): Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
  • ADR (automatic detection and response): Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken.
  • xDR: This newer acronym refers to agents across a network communicating to make a remediation decision or report decisions across multiple endpoints.
  • MDR (managed detection and response): A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administration-heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to, by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts.

Here are five things MSPs should consider when evaluating EDR solutions.

1. All security tools with an endpoint agent are basically EDR.

Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods, such as checking file hashes against known-bad lists, scanning file content, watching process behavior, inspecting scripts and detecting known attack surfaces, to try to ascertain whether a newly encountered file is good or bad.

How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine how well the tool reports the level of threat, what it found suspicious and what action it took, because that reporting or alerting is what adds value for MSPs.

2. The “R,” or response, is key to a successful EDR solution.

While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.

On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how the agent responded and the agent’s current status. Too often, tools don’t provide the insight necessary for reviewing or comparing threat data or approaches against references such as the MITRE ATT&CK framework or other sites with relevant threat information.

Solutions with more comprehensive APIs are advantageous for custom review, for integration into more dedicated threat review tools, or for alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.
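As an added illustration of what points 1 and 2 look like in practice, the script below is not code from the article or from any EDR product. It pulls a batch of alerts from a hypothetical EDR API (the payload is constructed sample data, and field names such as `agent_action`, `detection_method` and `technique` are assumptions about what such an API might expose, not any vendor's schema), records which detection method fired and what the agent did, and separates alerts the agent already contained from alerts it merely observed or reported, which is exactly the gap a technician or MDR team has to close.

```python
"""Triage EDR alerts pulled from a vendor API, separating alerts the agent
already responded to from ones that were only observed or reported.

Added illustration, not code from the article or any EDR product. The
alert payload is constructed sample data, and field names such as
"agent_action", "technique" and "detection_method" are assumptions about
what an EDR API might expose, not any vendor's real schema.
"""
import json
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Real MITRE ATT&CK technique IDs, mapped inline so the script runs offline.
ATTACK_NAMES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1486": "Data Encrypted for Impact",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
}

# Agent actions that mean the agent only watched; a human still has to act.
PASSIVE_ACTIONS = {"observed", "reported"}

# Constructed sample payload shaped like a hypothetical EDR API response.
SAMPLE_API_RESPONSE = json.dumps({"alerts": [
    {"id": "a1", "host": "WS-01", "severity": "high", "technique": "T1059.001",
     "detection_method": "behavior", "agent_action": "killed_process", "status": "resolved"},
    {"id": "a2", "host": "WS-02", "severity": "critical", "technique": "T1486",
     "detection_method": "hash", "agent_action": "quarantined", "status": "resolved"},
    {"id": "a3", "host": "SRV-01", "severity": "high", "technique": "T1003.001",
     "detection_method": "behavior", "agent_action": "observed", "status": "open"},
    {"id": "a4", "host": "WS-03", "severity": "low", "technique": "T1059.001",
     "detection_method": "script_content", "agent_action": "reported", "status": "open"},
]})


@dataclass
class TriagedAlert:
    alert_id: str
    host: str
    severity: str
    technique: str
    technique_name: str
    detection_method: str
    agent_action: str
    needs_human: bool


def needs_human_response(alert: dict) -> bool:
    """True when the agent did not contain the threat on its own."""
    return alert["agent_action"] in PASSIVE_ACTIONS or alert["status"] != "resolved"


def parse_alerts(raw_json: str) -> list[TriagedAlert]:
    """Normalise raw API records into TriagedAlert objects."""
    data = json.loads(raw_json)
    triaged = []
    for a in data["alerts"]:
        technique = a.get("technique", "unknown")
        triaged.append(TriagedAlert(
            alert_id=a["id"],
            host=a["host"],
            severity=a["severity"].lower(),
            technique=technique,
            technique_name=ATTACK_NAMES.get(technique, "unmapped technique"),
            detection_method=a.get("detection_method", "unknown"),
            agent_action=a["agent_action"],
            needs_human=needs_human_response(a),
        ))
    return triaged


def summarize(alerts: list[TriagedAlert]) -> dict:
    """Counts per agent action and detection method, plus a severity-ordered
    queue of alerts a technician still has to act on."""
    queue = sorted((a for a in alerts if a.needs_human),
                   key=lambda a: SEVERITY_RANK.get(a.severity, 99))
    return {
        "by_action": Counter(a.agent_action for a in alerts),
        "by_detection": Counter(a.detection_method for a in alerts),
        "human_queue": queue,
    }


def main():
    summary = summarize(parse_alerts(SAMPLE_API_RESPONSE))
    print("Agent actions:", dict(summary["by_action"]))
    print("Detection methods:", dict(summary["by_detection"]))
    print("Needs a technician:")
    for a in summary["human_queue"]:
        print(f"  {a.alert_id} {a.host} [{a.severity}] {a.technique} "
              f"{a.technique_name}: agent {a.agent_action}")


if __name__ == "__main__":
    main()
```

The useful part is the `human_queue`: an agent that only "observed" or "reported" a credential-dumping behavior has detected but not responded, and without a console or API that exposes `agent_action` and `status` in this way the MSP cannot tell those alerts apart from the ones the agent already contained.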

3. What can be done with the EDR information? Is it actionable?

Once a tool has been selected, what should be done with the information it provides? Answering this is key to
