
12 Things to Consider When Implementing EDR

BSides Edmonton · 2023 · 41:31 · Published 2025-10
Category: Technical
Style: Talk
About this talk
BSides Edmonton, September 2023
12 Things to Consider When Implementing EDR: Nick Jaldevi, September 26, 2023 at 1:50 p.m.
Presentation: https://drive.google.com/file/d/1ZrDiteSV0x3BhnPs4y6wdX2UiNPsmq8h/view?usp=drive_link

Abstract: Endpoint detection and response (EDR) is a key part of any security program. But with so many choices out there, it can be confusing to choose a solution. This is true for new implementations, and when you're evaluating whether it's time to replace or upgrade your legacy solution. Join cybersecurity expert Nick Jaldevi for a practical, vendor-agnostic look at issues to consider and questions to ask before you invest in an EDR or XDR solution. The tips you pick up here will save you time, effort, and even money down the road!

Speaker: Nick Jaldevi. Nick is a seasoned Information Technology (IT) professional with over 25 years of experience in the IT security field. In addition to ten years of experience gained from managing a SOC for a critical infrastructure/energy concern, Nick brings outstanding knowledge in endpoint protection and network security: he has helped design, implement, and support endpoint security solutions for some of Canada’s largest healthcare and retail organizations.
Transcript (English)

Hi everyone. Today I'm going to be presenting the top 15 considerations you should be making when selecting an EDR solution. First I'll introduce myself. My name is Nick Jaldevi. I've been with ISA Cybersecurity Inc. for about eight years, and prior to that I was at a pretty large utility company in Toronto, where I worked for about 10 years. ISA was one of my partners that I was always a go-to, so I have a really long-standing relationship with the current company I work for. While I was at the utility I also had the ability to lead the cyber security operations team, where endpoint was a really big deal, not only in the corporate environment but the SCADA environment too. I don't know if we have any utility folks in the room today, but SCADA was top of mind. When you're dealing with utilities you want to make sure that the SCADA endpoints are always secure, but you can't always put an AV solution on a SCADA system, because resource power and CPU utilization is a concern.

I don't know if anybody in the room today is using legacy AV, but show of hands if anybody's had a complaint from an end user or an application owner where they've complained about CPU and applications not working. I see some people shaking their heads, so yes, these are top of mind. But as we move on to the next generation of endpoint, being EDR, our goal today is to talk about endpoint detection and response, and my goal is to give you the top considerations that you should be looking at when selecting an EDR solution. This is not a sales pitch by any means, but when we talk about EDR we're also going to be talking about how we're going to be implementing and installing on these devices and replacing legacy AV. So

let's get right into it. The first thing, and by no means is this in order of what you should do from 1 to 15: this is really a thought process on what you should consider going forward in your EDR journey.

So when we look at the first one here, organizational needs and goals, we want to ensure, you know, has there been a breach in the environment? If there has been a breach and you're using legacy-type AV, you might want to look at getting an EDR solution as your next step. Or you might have had an IR company come in, and pretty sure 100% of the time, or 99% of the time, that IR company that came in has put in their tools, and that is an EDR solution, whether it be one of the top three or the top five EDR solutions that are out there today. The next thing you want to look at, when you're looking at an EDR solution, is do you have any industry regulations? Anything to do with compliance or business requirements. When you're looking at all the different organizational needs that you have, we want to make sure that we are providing those outcomes in this EDR solution as well. And then the budget and resources. Today resources are lacking in many organizations, where they're looking at third parties to take care of their endpoint solution going forward, so this is really top of mind.

Scope and coverage: what are we using? Are we using workstations and servers? How many workstations are we using, laptops? What kinds of servers are we using? Most EDR tools today support Windows, Linux, and Mac devices in the environment, but then we look at what types of operating systems are going to be used as well. We also want to look at mobile devices or Internet of Things. Mobile devices are up-and-coming right now in the industry. Now that the endpoint is

secured, a lot of organizations are starting to look at mobile as being the next endpoint that they want to secure, whether it be Android devices or iOS devices, and with the addition of MDM you really want to put a layer on top of the mobile with a security solution such as an EDR. This will really help solidify that endpoint coverage within the environment. Now, we always talk about bring your own device, and we work with a lot of education organizations from K to 12 to universities. We've also seen a lot, from the student aspect, of bring your own device, so how do we cover those? How do we provide coverage on them and provide good solutions so that when the student leaves the company, how do we get that licensing back, or let them go on their way with that licensing going forward as well?

Legacy devices on EDR: it's a dicey subject right now. AVs typically have been really good on legacy devices, but EDRs, when they put their hooks in legacy devices and you have homegrown apps, or you have, say, an application that you can't put an EDR on... well, I get that question all the time, and people say to me, "Well, Nick, how can I secure this device? I can't put EDR on it." Well, there are different solutions that are out there. There could be application control, where you can whitelist and blacklist applications that are going to be installed on that endpoint. And we go back to my example of SCADA: we can't put an AV on some of these SCADA devices because of the nature of the application and the OS level that they're on.

So, existing infrastructure: we want to make sure that the EDR solution is able to talk to all your platforms. Today one of the security solutions might be a SIEM, it might be a firewall, it might be your ticketing system like ServiceNow. So when we move into the XDR

journey, we want to make sure that we're starting to build a platform, right? And when we're building a platform we want to make sure that there are integration points into your EDR. This is huge, because when there's an incident that comes into your EDR or other security solutions, we want them all to cohesively be talking together to tell you one story. This is your next phase in your journey with EDR, and not only with EDR but with XDR as well.

Okay, so data collection and privacy. We all have some type of privacy compliance that we have. We also want to make sure that the EDR solution tenancy, whether it be cloud-based, is available in Canada, right? We don't want some of our telemetry going out to the US or other parts of the world, because our data has to stay within Canadian soil. So we want to make sure that whichever EDR solution we're picking has the ability to stay in Canada, and make sure that we have this data stay here.

So, deployment architecture: we want to make sure also that we have the ability to have a cloud-based or on-premise or even hybrid approach. A lot of companies that I talk to today are going to the cloud with their EDR solution. Why? Because it's very quick: policies to implement are very quick, and eradication of an event is very quick on an endpoint. If you are taking an endpoint and trying to contain an endpoint, it can be done within seconds, right? And looking at the scalability factors, looking at what the network impact is. Now with EDR we're seeing that there's very, very minimal impact on the network, where back in the old legacy AV days this would be a high network impact, because you might be doing some rogue scanning on your network looking for rogue devices. I've always had the network guys come to me and say, "Are you trying to do any rogue-type scanning on the network?" And yeah, sometimes we were, because we're looking for those agents that didn't have AV running on it. So

the next thing to consider is: is the agent lightweight? Again, I had proposed right in the beginning of the conversation, have you had an end user ever tell you that your AV was slow? And I had a couple people say, "Yep, I've seen that before," or an application owner saying, "My application is not working well." With EDR today we're seeing very lightweight CPU utilization and memory, and making sure that we do a POC around these solutions to ensure that it works in your environment and with your critical applications as well. We want to make sure also that the performance impact on the endpoint is up to par. So what I've seen with many of the leading EDR solutions is that we are now getting end users saying, "Holy cow, it's like I have a new laptop. It's running amazing. I don't know what you did to it, but it's running really, really well." And we're getting kudos for it now because of a simple replacement from a legacy-type AV to a lightweight EDR agent. Okay, oops.

So, real-time monitoring and alerting: do we need five by eight or do we need seven by 24? It's a question that we have to ask, and what I continuously see is that there are resource constraints in cyber security, so maybe you want to use a third-party MSSP that will help you throughout your EDR journey and create that triage, that incident response and detection, that containment that you're looking for going forward.

Threat detection techniques: we want to look at the threat detection techniques based on if the EDR is powered by AI. AI is huge today. We're trying to replace signature-based AV solutions, so everybody knows with legacy-type AV we're only as good as that signature. We're not going to be able to get everything out of the signature when the zero-day attack happens. So when a zero-day attack happens, what is that signature file really going to give you? Well, it's not going to give you anything, because it's a zero-day and the signature file has no clue about

what's going on. But with AI and machine learning we have the ability now to detect right away, in real time, and this is really key. When I look at some of the top EDR solutions that are out there, we are seeing the time to respond be very, very quick, and we're able to contain and kill-and-quarantine threats much quicker than before. This is very big.

The next thing you want to see is how the incident is being dealt with from an agent perspective, from the EDR perspective. So you want to see: is it able to do kill and quarantine? Can it remediate on the fly? Some EDR solutions have rollback, where they leverage shadow copies on Windows. A really good tool and demo that I do with some of my customers when they're looking at a solution is I'll bring up a Windows server and I'll go and just delete shadow copies with that EDR solution and let's see what happens. It's not a ransomware attack, but it is a symptom of ransomware, right? What is a ransomware going to do? It's obviously going to elevate privileges, it's going to look at if you have any shadow copies so you can't recover from them, and then they're going to put a nice little wallpaper on the screen and say "Pay my ransom" and start encrypting your files. So this is very, very key. I urge everyone who is using legacy AV today to go and do that simple tool. I can give you the command: it's delete shadow copies /all. Let's see if your AV detects that. If it detects it, great, you're doing good, because you put in some rules in place. You probably have some access protection rules in place that say you can't change files or you can't delete shadow copies. Wonderful. But when I show this in a demo to a client they are wowed, because I didn't actually run LockBit, I didn't actually run a ransomware. I just showed them one simple command that showed containment on a system that took it off the network, and now they have confidence in knowing that a more sophisticated attack will be able to be detected and responded to based on our policies.

Also the last point here on MITRE ATT&CK: is everybody familiar with MITRE ATT&CK? Perfect. So there's another slide; it's the last consideration that I'll be talking about, the MITRE ATT&CK Engenuity. But a lot of these detections that we run, like the deletion of shadow copy, will map back to the MITRE ATT&CK framework within the EDR solution. So a lot of EDRs map back to MITRE, and they'll give you links to go to MITRE to read up more about it and give you some more reference points as

well. So, incident investigation and response. Our SOC loves this slide, because they do a lot of this. We basically have our EDR solution in place for our clients, we manage them for our clients, but obviously on a daily basis we have to go through our incident response investigation. We have to look at some of our workflows that we have in place, and every single day our workflows are kind of changing, because we have to ensure that we are getting better with the times. We can't stay stagnant in the EDR world, because the EDR world is every day changing, and there are things that are changing where we need to automate our threat hunting capabilities. We have people that are eyes on glass, but you might have people that are eyes on glass as well. That works sometimes, but we need to also automate how we're doing threat hunting. So if we have known adversaries or known threat actors that we know we have IOCs for, we can go and put that in a rule saying, "Hey, if you see this in my environment, throw an incident at the EDR solution and send alerts to me," so then I can go and do my investigation more thoroughly and more actively on the solution itself and within my environment. This is very key. Having automated threat hunting within an EDR solution will save you time, it'll save you money, and if you have really good threat intelligence that you are feeding information from, and not just your EDR solution, and you're building rules to automate, you will be better off in the long

run. So, user training and skill set. We talked about eyes on glass; we want to make sure that our team is trained, right? We want to make sure that they're getting the training that they need. We want to make sure that they understand how to run the EDR solution, but not only do we want to make sure that they know how to run the EDR solution by administration, we want to make sure that they know how to detect, protect, and respond to threats when they happen. We might have tier ones, tier twos, tier threes. We might even have an incident responder within an organization, or might be using a third-party organization like an MSSP. We want to ensure that everybody at different levels knows how to react to a threat. This is very important.

I was at a conference in Vegas last week. Everybody hear about the MGM? Yeah, okay. So I'm not an MGM member at all, but I did go to the MGM resort just to check out what was going on, and kiosks were down and they were checking in people with clipboards again. It was pretty crazy what I saw there, and ironically I was there for a cyber security conference, which was even more weird. But seeing a kiosk that is down across the board and people lining up out the door was something to see. I didn't stay there; I stayed at Planet Hollywood instead. So anyways, long story short, at the conference they said now it's only taking attackers... what took them months and days is now taking them minutes, and they gave an average time of 79 minutes for an attacker to get into an organization. Think about that for a second. We sometimes take days to go and threat hunt or look for things or investigate for threats within our environment. We are relying on our tools to tell us what's happening, but we're also taking proactive measures to make sure that we know what's going on, we know our environment, we know the anomalies of our environment, what's changing, what's not changing, we know what's going on. So it's very important to train our staff not only within the solution but within how to threat hunt. Threat hunting is very, very key in the success of EDR. I can't stress that enough. If you're relying on the EDR to do everything, you're already behind the game.

So we get into the implementation stage of EDR. Initially I like to use a six-phase approach when implementing EDR. First one is obviously let's know who the stakeholders are of the project or the EDR solution. The next thing is let's talk about what the initial scope looks like. What does that pilot group look like? I don't know about you guys, but I

like going after the IT guys first. They're the ones that are always going to complain. They're going to tell you where their applications that they own are not working well, and they're going to tell you there's performance impact: "I can't put this on my systems; you better fix this before I put this agent on my system." All right, no problem. So we go and do that with the EDR solutions, and I talk about literally the top five ones. I'm not here to talk about solutions today, but if you see me outside I'm definitely willing to have that discussion with you. We want to have a pilot group. We want to let that soak in for about two weeks. We want to make sure that things are going well. We want to do some initial scanning. In EDR, full disk scans are kind of a thing of the past. You want to do them once, but you don't need to continuously do them, because the EDR solution itself is smart enough to see when there's suspicious activity happening on the endpoint. It's already learning the endpoint; it knows what the endpoint is capable of; it knows what the endpoint is doing on a daily basis. Now when you couple that with AI, we start telling a better story. So gone are the days of full disk scanning. You can do them, it's available, it's a feature within EDR, but it's unnecessary.

So after the pilot phase we want to start the mass deployment phase, and I always tell my customers, always start with baby steps first, because you don't know what you're going to learn. Sometimes we don't learn everything out of our pilot group. We've done our fine tuning within the pilot group, but now we want to start with a small number of endpoints, so start small and then we ratchet up from there to make sure that we are gaining ground and we're keeping the lights on within the organization. I talked about the scanning. Sensitive endpoints, the crown jewels of the company: those are always done last. Never do them first. Don't even put them as part of your pilot group. Do them last, because what you've learned throughout that journey of the 80% of the fleet that you did, you've already fine-tuned most of it. When you get to the sensitive endpoints you're already miles ahead of the game, right? So you want to make sure that the kinks are all out before you go and implement on your sensitive endpoints, your crown jewels.

Continuous monitoring and updates: so with EDR and legacy endpoint there were always different versions and upgrades that needed to be done. The beautiful thing about EDR agents is you can stay n minus two and be okay in the security game on your endpoint. You need to stay n minus two, though. You can't be n minus three, n minus four, n minus six,

because then your security posture is going a little bit at risk. Why do I say this? Well, every EDR vendor is implementing more and more security measures and techniques within their new agent. Their agent does everything; it's a single-agent approach, but their agent does everything. You're not installing module on module on module; the agent does everything. So keeping on top of the agents is very, very key to your success of keeping your company safe within your endpoint. You want to ensure that it's n minus two, and you want to ensure that your policies that are in place are up to date as well.

Okay, the next piece is you want to keep an eye on the blogs and the support sites of each of these EDR vendors. I can't say enough: I've been working with very, very many EDR vendors in the last few years, and I come from a background of legacy AV, and I see such a big change in how support has taken the approach to EDR. What they've done is, almost on a daily basis I'm seeing KB articles getting updated, seeing more threat intelligence feeds that they're putting into their KB articles, and now you can take that data and implement it in your own console for automation. So I can't stress enough, keep an eye on the blogs, keep an eye on the support sites. These KB articles will help you within your journey going forward and keep you guys safe.

The last piece is a health check. I don't know if in your legacy or in your current environments you have a third party do an assessment of your EDR or your legacy AV, but you want to make sure that you have some eyes coming in from the outside looking at, hey, are the best practices in place? What happens in EDR, or on the endpoint, is after time you might go and put in multiple exclusions, and exclusions will grow, and as time grows what's going to happen is I'll go back to an administrator in the AV console and say, "Hey, how come these exclusions are here?" And the guy will say, "Well, I don't know. I wasn't here before, so I don't know what the exclusions are." "Oh, so we should remove them, right?" "No, we can't remove them, because I don't know what's going to happen if you remove them." Well, we need to make sure that we have some kind of tracking of these exclusions that are going into place. We need to ensure that we're doing health checks quarterly, at least quarterly. I like to do them monthly. Make sure that things are in place and your best practice policies are in place. This is going to keep you safe. So, compliance and

reporting. Every EDR tool needs some type of reports, right? This is key to success and key to your C-level execs, your directors, your managers, and even tech engineers. We need to know what's going on in the environment. The best way that I tell tech engineers how to run their EDR is to set up dashboards, because dashboards are free. You can have multiple dashboards. You can have one for your workstations, you can have one for your servers, you can have one for your cloud, so with the single pane of glass you can actually see everything that's happening in your environment with a really nice dashboard. The beauty is there are widgets, so you can move them, you can make it look beautiful, you can tell a really nice story to one of your C-level execs, and they'll appreciate you for it. You can also have RBAC rules, which are role-based access control rules, that allow your executives to have dashboard-only access to look at the console, so they don't have to see the nitty-gritties, but what they can see is all the good work that you're doing within the EDR solution.

So, vendor evaluation and support: we want to make sure that the vendor has a good reputation, right? Look at Gartner, look at Forrester, look at MITRE. I'm going to be talking about MITRE in a second here. You want to make sure that the vendor also has a really good roadmap. You want to make sure that they have features that are going to be opening your eyes to new things, new requirements, outcomes that you're looking for in your journey within EDR and XDR. Are they a thought leader? Are they really well known in the industry? I had a customer come up to me the other day. He said, "Nick, I'm running Webroot," and I said, "What? What's Webroot?" And he said, "Oh yeah, it's a really great AV." And I said, "Well, let's talk," and he said, "Okay, let's talk." So we had a discussion, and he was blown away by so many other EDR solutions that would better his environment, and now we're doing a POC and showing him all the good things that EDR solutions can do. We don't choose; we're vendor agnostic, but we want to make sure that we position our customers for the best solution that fits their business requirements.

Lastly I wanted to talk about: is everybody familiar with the MITRE ATT&CK Engenuity report? Show of hands. All right, some people. I would urge everyone who's not familiar to take a picture of this slide and go back and look at the MITRE ATT&CK Engenuity report. For the last four years there's been a sophisticated attack that MITRE

has been doing, noted up here on the slides, and what they do is they invite participants in the EDR space to come to these evaluations. It's really cool to see how each of these vendors do and what their results are, but what I urge everybody to look at is not only just the results; look at what they needed to bring, each of these vendors, to the table to detect and respond to these threats. It's very key. I had a customer come up to me and say, "Hey, you know, this vendor did so well." I said, "Well, did you look at what types of modules and types of solutions they had to bring under this umbrella to detect and respond to this threat?" Yes, they had good results, but at the same time they had to spend a lot of money to get where they wanted to be. Money, cost, is everything, right? For many organizations you can't have all the bells and whistles, but if you can do it with a single module and a single agent and get really good results, that's maybe where you want to be looking. So I urge everybody to go and look at the MITRE report here at this link. I can send it to you after the meeting if you need, but also look at what the policies and the configuration were to stop these threats and detect these very, very sophisticated malicious threats.

As a parting thought, legacy solutions are a thing of the past, really, to emerging threats. I urge everyone who's not using an EDR to start evaluating and maybe looking and doing your own research on EDR, and if you have any questions, by all means I'm here to always help. Again, my name is Nick Jaldevi, and thank you for your time today.

[Applause]

Any questions? Go ahead.

So your business requirement is your EDR. You want EDR first before, you know, if you're looking at replacing or bringing in a SIEM, let's say. SIEMs are very expensive, there's a lot of work, it takes time to get to the end state of what you want within a SIEM, but EDR is a quick win for you, right? So what you want to be looking at and evaluating is EDR first, and then those other features can come in, or those other solutions can come in at the end. I think I've had this question before, and I want to make sure that the customer has built that foundation first. The foundation is really endpoint, right? All the stuff around it are things that are layered on top of it. So when you're evaluating, you really want to evaluate the EDR solution within the vendor first, and then if that really fits the bill, then you also have to look at what types of integration points you have within your organization already. It was one of the slides that I did show up here, how you're building a platform. When you start building a platform you get to start telling that XDR story, right? How is everything coming together? I have EDR, I have SIEM, I have my ticketing system, I have intrusion prevention systems, I have all of that stuff in place. And when you're evaluating, make sure that you're looking at the vendor for its EDR and not those other capabilities, because yes, you can get those capabilities anywhere, but can they integrate together? That's the big question.

Go ahead. (Question inaudible.)

That's a great question. So in the legacy world, when you're going to put AV on a VMware server, and I don't know, your host might have, say, 50 VMs, let's just take that as an example. Well, that's 50 times the resource power that that host will need to do all the scanning. Now there are solutions out there that put it right at the host level, and it'll do agentless scanning for all your VMs. Now in the EDR world it's a little bit different, because the agent is so lightweight that resource power, you don't even see it anymore. They actually have, when you're doing your deployment for your VMs, they actually have switches now that say you can tell the EDR agent that you're actually installing on a VMware server, so it knows that, hey, okay, I'm going on a VM, I know I need to keep my resourcing power and memory at a minimum. And so your host... I've done this a million times with customers where they're like, "Prove it to me," and I'm like, "All right, here's the agent, go install it on all 50 of those servers," and every single time they've come back and said there's actually... you can't even see it. It's that lightweight. Yeah, go

ahead. So EDR will come with your reputation, your reputational-based scanning. It's actually an engine that runs, but there are multiple AI engines and machine learning engines within each EDR solution. I've yet to see one engine that does it all, right? So I'll give you some examples. Within the EDR engine, that single lightweight engine, you'll have about 10 to 20 different engines that are running. One will be static AI, one will be reputational-based AI, one will be lateral movement. So all of these combined. There's another one that's really hitting the market, that has been resonating well with a lot of organizations, is interactive threat, right? So what is happening in a PowerShell script: not looking at PowerShell, but looking inside at what's happening within PowerShell. So when I run delete shadow copies /all I get a detection right away, and it's based on that interactive threat engine that's running within the environment.

To answer your question around how does it do it: well, these threat intelligence feeds are being updated by the minute, right? So when you're a customer of, say, said solution, you're not only just a customer, but all the other customers that are sharing this threat intel to you, you're also getting that threat intel as well. So if someone else is hit, you're already getting that coverage within your solution. You won't see it, but it's happening on your agent, and it's very important. By the way, what I brought up in one of those slides was keeping your agent up to date, right? The agent being up to date will save you so much time. It's not funny: I've gone into customers that have EDRs and they're n minus six, and they're like, "Well, I was hit with this," and I'm like, "All right, let's do it again. Let's go to at least n minus one. We'll get the same type of attack that you were running with, and we're going to see if it's going to detect it." 100% of the time, right? You want to stay with the flow. Now with EDR solutions you will have to update your agent a little bit more than normal, but they're very easy to update. You do it through the console. You can do it on a test bed of, say, 20 machines, and within minutes, and I mean minutes, you can install the newest EDR agent on all of your machines. We had a customer that got breached not too long ago, and they're like, "Well, we got to get off of this solution because it's not working for us." 500 endpoints: we were done in an hour, right? So it's very, very simple if you have a good third-party solution to deploy, like an SCCM or G, then you're good to go.

One more question? No? We can take it offline. Okay, I'm getting cut off. Thank you, everyone.
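The shadow-copy deletion demo from the talk (and the PowerShell-visibility answer in the Q&A) is the kind of detection EDRs map back to MITRE ATT&CK, in this case T1490, Inhibit System Recovery. What follows is an added example, not code from the talk or from any vendor: it runs that check over a few constructed process-creation events (the host, user, parent and cmdline field names are assumptions) and flags the ones that invoke vssadmin delete shadows, raising severity when the parent is a script host.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed sample process-creation events, shaped like an EDR or Sysmon-style
# telemetry feed. Hosts and users are made up; the field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv-db02", "user": "CORP\\backup-svc", "parent": "backup-agent.exe",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" create shadow /for=D:'},
    {"host": "ws-017", "user": "CORP\\bob", "parent": "powershell.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all"},
]

# Interpreters that, as parent process, suggest the deletion came from a script
# rather than an administrator typing at a console.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    host: str
    user: str
    cmdline: str
    technique: str = "T1490"                         # MITRE ATT&CK technique ID
    technique_name: str = "Inhibit System Recovery"  # its name in the ATT&CK matrix
    severity: str = "high"
    context: list = field(default_factory=list)


def _tokens(cmdline: str) -> list:
    """Split the command line on whitespace and strip surrounding quotes."""
    return [t.strip('"\'') for t in cmdline.split()]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when vssadmin is invoked with 'delete shadows', case-insensitively,
    even when wrapped in another interpreter such as cmd.exe /c."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        exe = ntpath.basename(tok).lower()       # works for bare names and full paths
        if exe in ("vssadmin", "vssadmin.exe") and i + 2 < len(toks):
            if toks[i + 1].lower() == "delete" and toks[i + 2].lower() == "shadows":
                return True
    return False


def detect_shadow_copy_deletion(events) -> list:
    """Return a Finding for every event that deletes shadow copies."""
    findings = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        f = Finding(host=ev["host"], user=ev["user"], cmdline=ev["cmdline"])
        parent = ev.get("parent", "").lower()
        if parent in SCRIPT_HOSTS:
            # Scripted deletion is the ransomware pattern the talk describes:
            # treat it as a containment candidate, not just an alert.
            f.context.append(f"spawned by script host {parent}")
            f.severity = "critical"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user}: {f.technique} "
              f"{f.technique_name} :: {f.cmdline} {f.context}")
```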
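The n-minus-two agent-version rule from the talk, written out as an added example (not the speaker's or any vendor's tooling): it scores a constructed fleet inventory against a constructed, hypothetical release list and reports which hosts are out of policy, handling unparsable versions, builds newer than anything published, and unpublished hotfix builds.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed release history for a hypothetical EDR agent (newest first).
# A real check would take this list from the vendor's release notes or console.
PUBLISHED_RELEASES = ["23.3.1", "23.2.2", "23.1.0", "22.4.1", "22.3.0", "22.2.0", "22.1.0"]

# Constructed fleet inventory: hostname -> installed agent version.
FLEET = {
    "ws-042": "23.3.1",
    "ws-017": "23.2.2",
    "srv-fs01": "23.1.0",
    "srv-web01": "23.2.1",   # hotfix build that never appeared in the published list
    "srv-db02": "22.4.1",
    "kiosk-07": "22.1.0",
    "lab-03": "24.0.0",      # newer than anything published: pre-release or bad inventory data
    "ws-099": "unknown",     # agent not reporting a version at all
}


def parse_version(v: str) -> tuple:
    """'23.2.2' -> (23, 2, 2); raises ValueError on anything non-numeric."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class HostStatus:
    host: str
    version: str
    releases_behind: Optional[int]   # None when the build cannot be placed on the release train
    compliant: bool
    reason: str


def check_agent_versions(fleet: dict, releases: list, max_behind: int = 2) -> list:
    """Apply the n-minus-max_behind rule: a host may be at most max_behind
    published releases behind the newest published one."""
    ordered = sorted(releases, key=parse_version, reverse=True)
    newest = parse_version(ordered[0])
    results = []
    for host, ver in sorted(fleet.items()):
        try:
            parsed = parse_version(ver)
        except ValueError:
            results.append(HostStatus(host, ver, None, False, "unparsable version string"))
            continue
        if parsed > newest:
            results.append(HostStatus(host, ver, None, False,
                                      "newer than any published release; verify inventory"))
            continue
        # Count published releases strictly newer than this build. This places both
        # published builds and unpublished hotfixes on the same release train.
        behind = sum(1 for r in ordered if parse_version(r) > parsed)
        ok = behind <= max_behind
        kind = "published" if ver in ordered else "unpublished"
        reason = (f"{kind} build, {behind} release(s) behind newest; "
                  f"{'within' if ok else 'outside'} n-{max_behind} policy")
        results.append(HostStatus(host, ver, behind, ok, reason))
    return results


def summarize(statuses: list) -> Counter:
    """Compliant vs out-of-policy counts, the figure a dashboard widget would show."""
    return Counter("compliant" if s.compliant else "out_of_policy" for s in statuses)


if __name__ == "__main__":
    statuses = check_agent_versions(FLEET, PUBLISHED_RELEASES)
    for s in statuses:
        print(f"{'OK ' if s.compliant else 'BAD'} {s.host:10} {s.version:8} {s.reason}")
    print(dict(summarize(statuses)))
```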