Decoding Endpoint Security: A Guide to Choosing the Right EDR Solution

Endpoint security

Written by Adam Mansour

Adam Mansour is a guest blogger for CGNET. As the Chief Security Officer at ActZero, he has the depth of knowledge of an industry veteran, with over 20 years experience in the Cybersecurity sector. Adam drives the company's VCISO and technology integration programs, and its evolution as the industry’s leading Managed Detection and Response (MDR) service provider.

January 25, 2024

Running a few hundred security operations centers isn’t easy. While debates about how to build the perfect SOC change every year, some aspects remain constant. In my 20 years in cybersecurity, especially before becoming a CSO, many of my security decisions boiled down to one product: the anti-virus.

Friends building their own PCs, learning to program or buying a new machine would ask: which AV should I use? Each had an anecdote about why one was better than the others:

“I hate X, it crashed my system, so I love Y because gamers use it for performance” or “My super smart friend who oughta know uses Z”. Or my favorite, “I’ve never had problems with my current one, so I stick with it”.

Many readers likely weigh factors like price and familiarity, among others. Spoiler alert: as of this writing my favorites are CrowdStrike and Defender. However, the point of this article isn’t to endorse them. Instead, it’s about explaining the rationale behind the decision, so that the same rules still apply when the next best thing arrives.

And yes, we’ve given endpoint detection fancy names over the years, like Endpoint Detection and Response (EDR) or Endpoint Protection Platform (EPP) or anti-malware, exploit prevention, or host intrusion prevention system (HIPS). Let’s use the current name EDR.

How many attacks is your EDR safely blocking?

This might seem obvious, but measuring it can be difficult. Testing methods vary and there’s no one-stop shop for block rates. Some organizations run their own breach simulation and attack detection tooling to test the anti-virus against attacks daily, or even several times a day. If you don’t have the security engineering skills to test constantly, your decision may have to rely on third-party tests. Here are a few sites with published results:

https://www.av-test.org/en/
https://attackevals.mitre-engenuity.org/
https://selabs.uk/reports/2023/
https://www.av-test.org/en/antivirus/home-windows/
https://www.av-comparatives.org/consumer/latest-tests/
https://www.mrg-effitas.com/test-library/
https://avlab.pl/en/recent-results/
https://www.virusbulletin.com/testing/

There are also pay-to-play reports from Forrester, Gartner and IDC, but those have analysts review the business rather than run technical evaluations.

Notice the emphasis on “safely”: by that I mean resource consumption on the endpoint. It’s not only about how well a product blocks attacks but also how efficiently it operates without excessively using the device’s resources. The AV-Test scores linked above include the resources consumed on the device while the software is present. Higher resource use doesn’t necessarily mean the product is checking more; more likely the engine is inefficient.

Spoiler alert: Across all the tests CrowdStrike, Defender and SentinelOne scored the highest.

What type of visibility and forensics does it provide?

For a long time endpoint products didn’t provide much information about what happened on the device. You would either get an alert about a downloaded virus or need to inquire about an unfamiliar file.

Now, tracing the actions that led to the virus download, such as phishing links, USB drives, or downloads from external addresses, is crucial. This data is called telemetry, and for a long time it was very difficult to capture. Today it’s a standard feature in these tools, but there is no standard for what gets logged.

Here are the key things which should be logged:

  • Workstation and user details
  • File names and paths
  • Process details and relationships (parent/child)
  • Network activity such as IP or DNS connections
  • Enrichment such as frequency of use, geography and reputation

The more details the better. How the industry ranks EDRs is based on how much information they provide about a particular attack, not whether they block them.
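As an added illustration (not from the article or any vendor’s product), the snippet below shows how the fields above let you walk a suspicious process back to the download that produced it and enrich it with prevalence. The event schema and the sample records are constructed for this example.

```python
# Constructed sample EDR telemetry: one record per process start, carrying the
# fields the article lists (host, user, file path, parent/child link, network
# activity). The field names are an assumption, not a real vendor schema.
EVENTS = [
    {"pid": 100, "ppid": 1,   "host": "WS-07", "user": "jdoe",
     "path": r"C:\Program Files\Outlook\OUTLOOK.EXE", "net": []},
    {"pid": 220, "ppid": 100, "host": "WS-07", "user": "jdoe",
     "path": r"C:\Program Files\Browser\browser.exe", "net": ["203.0.113.10:443"]},
    {"pid": 310, "ppid": 220, "host": "WS-07", "user": "jdoe",
     "path": r"C:\Users\jdoe\Downloads\invoice.pdf.exe", "net": []},
    {"pid": 415, "ppid": 310, "host": "WS-07", "user": "jdoe",
     "path": r"C:\Windows\System32\cmd.exe", "net": []},
    {"pid": 520, "ppid": 415, "host": "WS-07", "user": "jdoe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "net": ["198.51.100.7:8080"]},
    # A second, unrelated workstation running the same mail client and browser.
    {"pid": 101, "ppid": 1,   "host": "WS-12", "user": "asmith",
     "path": r"C:\Program Files\Outlook\OUTLOOK.EXE", "net": []},
    {"pid": 230, "ppid": 101, "host": "WS-12", "user": "asmith",
     "path": r"C:\Program Files\Browser\browser.exe", "net": ["203.0.113.10:443"]},
]

def ancestry(events, pid):
    """Follow parent links from pid up to the root; oldest process first.
    The 'seen' set guards against cyclic or reused pids in the data."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def first_network_ancestor(events, pid):
    """Earliest process in the chain that talked to the network: the most
    likely origin of the downloaded file."""
    return next((e for e in ancestry(events, pid) if e["net"]), None)

def prevalence(events, path):
    """Enrichment: number of distinct hosts that executed this path.
    A binary seen on a single host is more suspicious than a fleet-wide tool."""
    return len({e["host"] for e in events if e["path"] == path})

def describe(events, pid):
    """Human-readable chain using only the file name of each process."""
    return " -> ".join(e["path"].rsplit("\\", 1)[-1] for e in ancestry(events, pid))

if __name__ == "__main__":
    print(describe(EVENTS, 520))
    origin = first_network_ancestor(EVENTS, 520)
    print("download origin:", origin["path"], origin["net"])
    print("prevalence of dropper:", prevalence(EVENTS, EVENTS[2]["path"]))
```

Without the parent/child and network fields, the only thing an analyst would see is a powershell.exe alert; with them, the chain back to the mail client and the browser session that fetched the file is recoverable.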

How does the EDR integrate into other tools?

Many features such as scanning hard drives, running on multiple operating systems, and controlling features like the host firewall or USB drives are important. In most cases, the more features added to a product, the less robust each individual feature is. So, how do these features integrate with your current tech stack?

For example:

  • Operating systems: Does it run on all your OS types? Windows, Linux, Mac, Android, Chromebook and iOS are typically the main operating systems, but versions and architectures are also important.
  • Analytics Tools (SIEM/SOAR/Ticketing): For those looking at getting more visibility and forensics, it typically helps to have integrations which can automate processes like cutting off network access when an attack is discovered.
  • Network/Email: The ability to scan email or notify tools like a firewall may seem advanced, but these are key integrations that have existed almost as far back as when EDR was called anti-virus.

Today’s cybersecurity landscape demands advanced analysis. In the past, decisions in cybersecurity could be made based on relationships, familiarity, and cost. Today’s landscape is much more advanced, and the severity of incidents could end your business. If it sounds like a continuous challenge to evaluate and swap out components in the SOC, it’s because it is. Many companies choose to leave their endpoint decisions (and other security tools) to their MSP or MDR as a result.

What comes next when the EDR detects an attack?

What happens during an attack? Who gets notified, and what actions do they take? Are they available around the clock? Without a guaranteed 24/7 response to contain and stop a threat with quick reaction times, the potential for significant damage is high. Even with all the available SOC tools (firewall, anti-virus, SIEM, vulnerability scanner), they may not always remediate, investigate, and communicate details about an attack to stakeholders. Human oversight becomes essential in the process.

When acquiring an EDR, it’s crucial to ensure it can effectively manage the entire detection process. Managed Detection and Response (MDR) services have emerged for this reason, integrated with EDR software. Evaluating your ability to handle the workflow following a detection is key: consider what’s involved from your IT staff, end users, or other entities in your IT infrastructure. What comes next? Spoiler alert: ActZero, as the name suggests, is a full-stack MDR service with an EDR that blocks, quarantines, and stops an attack requiring zero action, making it easy and cost-effective for small teams to deploy and better secure their business.
