6 things to Look for when Shopping for a New EDR Solution

One of the most sophisticated cyberattacks of the 21st century was the SolarWinds Sunburst attack. Microsoft, as well as the US government, traced an advanced persistent threat breach back to a hack on SolarWinds, an IT management software and remote monitoring company.1

The attackers had added a backdoor known as 'Sunburst' to one of SolarWinds’ infrastructure monitoring and management platform. The malicious program was disguised as a routine software update and was distributed to SolarWinds customers globally.

This backdoor gave the APT group access to the customers' networks, enabling them to explore and steal sensitive files and credentials. More than 18,000 customer organizations were compromised.

Customers with Endpoint Detection & Response (EDR) Were Protected

Customers using SentinelOne protected devices were spared from the SolarWinds Sunburst attack. This protection was due to the security product's autonomous AI and anti-tampering, which shielded its customers at the point of attack.

To help you select the best EDR solution, we’ve identified five key features a good endpoint security system should have:

  1. Remediate and Rollback Endpoints with a Single Click (Customer Favorite!)

    Remediate and rollback endpoints with a single click, reducing mean time to respond and accelerating investigation. This UNIQUE feature to SentinelOne compared to its competitors will return an endpoint to its former state prior to the execution of a malicious process with a single click.

  2. Offers Proactive Approach to Novel Threats

    Ensure that your security product proactively detects unknown threats via machine learning (ML) models and behavioral AI. Past security products primarily relied on malware ‘signatures’—they see an active threat that’s compromising other enterprises and write a signature to update their endpoints. However, signature-based defenses are entirely useless against a novel threat.

    To overcome that, some vendors have now turned to ML models and behavioral AI to identify patterns common to malicious files and behavior. ML models can be trained to effectively deal with most of the commodity malware we have today, but they cannot be relied on to catch all malware pre-execution. Nevertheless, it’s a great tactic to keep endpoints safe from common attacks. Behavioral AI works splendidly alongside ML models by identifying patterns of behavior that are typical of cyberattacks.  

    However, it would be best to avoid solutions that rely on cloud connectivity to offer security features, as cybercriminals can easily disconnect a device while deploying their attack. Choose a product that works locally on the endpoint and can make decisions at machine speed for the best possible endpoint protection.  

  3. Efficient Damage Mitigation with 24/7 SOC and Automated Systems

    Pick an endpoint security solution capable of automatically mitigating and remediating designated processes on the device. However, automatic mitigation isn’t the best way forward in all cases; if a false positive software update is released, for example, it can quarantine every host in an environment.

    Instead, get a security solution that works with a 24x7x365 security operations center (SOC) to review the alert, and then leverage the automation system to execute a playbook to isolate a host. This way, if there is a false positive case, it won’t break your production system.

  4. Multi-Site and Multi-Tenancy Flexibility

    With organizations going global and remote employees becoming the norm, it's more important than ever to have an endpoint security system that supports multi-tenancy and multi-sites. In other words, your security solution should work on large numbers of devices and data points, so that it can manage, respond to, and collect data from your global sites while allowing local teams to inherit from the central policy and manage locally when needed.

  5. Plugs Gaps with Auto-Deploy

    It’s not surprising for IT and security admins to miss a few endpoints in the system, especially in a vast organization spanning multiple sites and sub-networks. Unfortunately, this is where cybercriminals take advantage of unprotected endpoints.  

    A practical solution is to map the network and fingerprint devices to determine what is connected and unprotected. Choose an endpoint security product that offers an automated means to find deployment gaps quickly and reliably, and install the solution on these unprotected endpoints.  

  6. Wider Visibility

    Visibility on what's happening on your endpoints needs to evolve, particularly with increased digitalization. The best endpoint security systems are now moving from EDR into Extended Detection and Response (XDR). It helps organizations address cybersecurity challenges from a unified standpoint, resulting in faster and more effective threat detection and response.

    An effective XDR platform should offer out-of-the-box cross-stack correlation, prevention, and remediation while enabling users to write their own cross-stack custom rules for detection and response.

Learn more about Digital Hands CyGuard EDR powered by SentinelOne

EDR menu button-1 (1)

1SolarWinds hack explained: Everything you need to know; Whatis.com
2All SentinelOne Customers Protected from SolarWinds SUNBURST Attack; SentinelOne