The best test for an EDR solution is one that works for you

Since its inception, the endpoint detection and response (EDR) market has evolved rapidly, with new innovations that better address the cyber landscape and meet customers’ need for an effective and simple solution that just works.

But finding something that just works means something quite different for every business, depending on their size, security expertise, and requirements.

Collectively, the EDR market has experienced three sizable waves of innovation:

Wave 1: event visibility

With the market introduction of EDR solutions, the first innovation wave focused on providing security teams with visibility into all events that happen in the organization.

The predominant use case for a “first wave” EDR product was for the end user to search among millions of events in the hope of finding the “needle in the haystack”: the one event that was critical and actionable.

However, this approach to detection and response failed to provide enough relevant context or actionable intelligence to be useful for most organizations, whatever the size or skill level of their security team. Instead, the first wave of EDR solutions was mainly adopted by organizations with highly experienced incident response investigators and Security Operations Center (SOC) teams with level 3-trained analysts, who could use the EDR event visibility as an additional data point during an attack investigation.

Wave 2: event alerting

Most EDR products in the market today are second-wave offerings. To address the first wave’s “needle in the haystack” usability shortcomings, EDR products added alerting capabilities alongside the vast sea of event visibility and context.

However, these EDR offerings are not fully automated and are known to cause alert fatigue, because the alerts are not correlated with an actionable remediation process. Practical use in incident response requires a SOC level 2 analyst to analyze and investigate each detection in depth to determine whether it is critical or actionable before the ticket can be closed.

What has the third wave introduced?

The EDR market is beginning to see some vendors, in a third wave of innovation, focus largely on democratizing security through usability and automation enhancements that make EDR an effective tool for organizations large and small, with security teams of any skill level.

Several market drivers have created the need for this third wave. First, with advances in attacker tools, cyber criminals have expanded their targets beyond enterprise-sized organizations to include small- and medium-sized businesses in equal measure. In fact, small businesses were the victims in 43% of breaches according to Verizon’s 2019 Data Breach Investigations Report. In parallel, the market has continued to see a widening and unsustainable gap in available cybersecurity staff, which (ISC)2 now estimates at a global workforce shortage of 4.07 million.

With the number and severity of attacks increasing, and with the pervasive shortage of available or highly skilled cybersecurity staff, demand has grown for EDR solutions that address these issues. Third-wave EDR products strive to meet that need by including:

  • Actionability

The third wave of EDR products delivers on automation’s promise by raising only actionable alerts to the end user. The premise is that the visibility and context of the first and second EDR waves are important but should not get in the way of actionability. Without actionability, an EDR product becomes unusable for organizations that don’t have large or advanced security teams to investigate tens of thousands of daily events.

  • Automation

This latest wave of EDR products has achieved full automation of EDR, from detection through to remediation, so that small-to-medium organizations without a large security team can benefit from the same advanced EDR technology that has been in use by organizations with trained security personnel.

  • Comprehensive security

Third-wave EDR products provide a tightly integrated set of capabilities to manage the attack chain effectively, from proactive protection to detection of suspicious activity and automated incident response. These capabilities form an ecosystem that informs, learns, and adapts from its own components, so that, in essence, the whole security stack is greater than the sum of its parts.

Third-party testing

With these waves of EDR innovations, how do third-party test labs play a role in the selection process?

To aid companies in their search, third-party evaluation and testing resources have long been available to help prospective buyers narrow the field in vendor selection. The paradox of these resources is that their testing methodologies are designed with a specific and narrowly defined scope to “even the playing field,” which typically leaves the testing one step behind the latest EDR innovation. This makes sense, of course, because test centers cannot adapt their standardized methodologies until after they have seen and understood the latest EDR advances.

Given that the EDR market has moved into its third wave, testing labs will also need to adapt their evaluation and testing criteria to incorporate these innovations.

For example:

  • Actionability vs. alert fatigue

Tests will need to distinguish actionability from alert fatigue. Third-wave EDR products focus on a customer-centric approach that makes security accessible and easy for organizations of all sizes, with security teams of all capabilities.

In testing terms, that means avoiding alert fatigue by surfacing only the actionable detections found within suspicious activity, those most relevant to ultimately preventing an attack. These solutions provide additional drill-down search options for viewing detections if a security analyst wants to dig into them, so third-wave testing criteria should incorporate the distinction between a “primary UI event notification” and a “secondary UI for searching additional detections.”

  • Testing the whole and not the separate parts for effectiveness

Tests will need to focus on the overall efficacy of the solution, evaluating the integrated EDR ecosystem of protection, detection, and remediation working together as designed for real-world use. They should not create artificial product deficits by shutting off part of the system, such as protection, in order to test detection capabilities in isolation.

How can companies navigate this reality?

Third-party tests are a good resource for understanding how different solutions fare against a specific testing methodology. Yet, because the tests evolve a cycle behind the technology they are intended to evaluate, no standardized test is as good as a solid proof of concept in an organization’s live environment.

In the same way that companies turn to trusted colleagues and community resources, such as Spiceworks and Reddit forums, for suggestions on good EDR solutions, third-party tests provide a similar and valuable resource: a compass pointing to the top group of EDR solutions to evaluate.

When evaluating EDR solutions, organizations should focus on selecting a vendor whose detection and remediation strategy aligns with their objectives. Criteria to consider when developing an EDR evaluation include:

  1. Identify the risks: where is all the sensitive data located, and what are the routes to that data?
  2. Prioritize protection of the data that matters: sensitive organizational and customer data.
  3. Consider the level of available security expertise. Most organizations don’t have enough cybersecurity experts, so evaluations should look at the solution’s complexity. Does it require additional integrations, have a complex UI, or need additional skills to operate?
  4. Consider the vendor’s brand and reputation on peer review sites, such as G2Crowd, Gartner Peer Insights, and Capterra.
  5. Choose the solution or solutions to evaluate whose capabilities align with the defined criteria.

In the end, once an organization has narrowed the field of EDR solutions to the group it wants to evaluate, nothing can replace conducting a live test to see how the product stands up in the organization’s unique environment, against the attacks it actually faces, and with its trusted team learning to navigate the solution to see how easy or difficult it is to manage.

EDR has grown at a blistering pace to do one thing: help you and your business detect, prevent, and remediate cyber threats. By better understanding the testing landscape today, you can better deliver on your EDR results tomorrow.

Akshay Bhargava

Chief Product Officer, Malwarebytes

Akshay is the Chief Product Officer at Malwarebytes and enjoys technology, business, the stock market, cybersecurity, leadership, yoga, and basketball.