How to Justify EDR with Three Top Business Cases
April 03, 2019
Increasing complexity and frequency of attacks have escalated the need for detection of attacks and incident response. Endpoints are the new battleground as they are a) more pervasive across the network, b) more commonly used by non-IT personnel, and c) less well-defended by IT teams who first move to secure the data center. Endpoint detection and response (EDR) solutions meet the need to rapidly investigate large numbers of systems for evidence of malicious activity, quickly uncover, and then remediate attacks and incidents.
Building the business case for an EDR solution can be easy if the organization has already gone through a lengthy, painful, and expensive incident response (IR) process. This usually involves hundreds of thousands of dollars in consulting fees and months of investigative work. The business case here is for a tool that can shrink the time for the investigation from months to days, or even hours. EDR provides the following top three benefits:
1. Saves on security incident response costs
The assume breach paradigm says that you are penetrated as you read this, but either acknowledge it as a fact, or are in denial. This factor means a security incident response is in your future. What's it going to cost you? In the 2018 ransomware attack on the City of Atlanta, published reports associated with that attack put the cost of recovery at 2.7 million dollars, a figure which did not include the cost of downtime to organization end users. Would you rather pay for the investigation by hiring two experts for six weeks at $600 per hour, almost $300,000, or investigating it yourself with minimal help from said expensive experts? Better yet, how about augmenting your limited team with a 24/7 EDR service that proactively blocks threats up front?
2. Better detection of endpoint threats
EDR boasts superior detection of modern threats over traditional signature-based anti-virus (AV). The business value comes from faster detection of threats, already resident in the network, ideally before they cause substantial damage or steal critical data. EDR is also effective against insider threats that have already bypassed perimeter defenses, such as next-gen firewalls (NGFW) and AV. In such cases, EDR provides defense-in-depth at the endpoint. EDR excels at reducing dwell time, investigation time, and the remediation time, the three big metrics in IR.
3. Reduces endpoint re-imaging costs
In many businesses, once an infection is reported on an endpoint, IT throws up their hands and performs a system re-image. This task wastes $500 in labor costs and lost productivity. Why squander time investigating the suspect systems, correlating events from the security information and event management (SIEM), intrusion prevention system (IPS), endpoint protection platform (EPP), network sandboxing, etc.? EDR can pinpoint the root cause and minimize re-imaging. Don't have a separate security team? Consider a co-managed service like EventTracker EDR that augments your existing security team and allows you to focus on recovery and remediation. It’s perfect for the small-to medium-sized organizations where it’s hard to hire and retain IT security experts.
Winter is coming to the endpoint. Are you prepared?