Providing endpoint security for all your customers is a major challenge. First, it is very rare that partners can deploy an entire endpoint security stack. In many cases there are servers or other endpoints that do not get covered, or you have customers in the middle of contracts with one EDR provider or another who are unwilling to switch early. Next, you have the challenge of administering all those tools and integrating them into your SOC platform. When remediation or response is required, you need to manage multiple logins for multiple customers.
Many partners turned to SOAR to solve this challenge. It has advantages: you can combine the alerts from multiple platforms and automate responses so you don’t have to catalog multiple passwords. Unfortunately, SOAR solutions do not have intelligent correlation built into their platforms; they simply pass alerts through. It can also take as much effort to manage the SOAR as the SIEM.
An XDR platform will make alerts more manageable by correlating data from multiple tools. To address the management challenge just outlined, the XDR platform should offer EDR integration to provide:
- Full endpoint coverage
- Complete visibility
- Improved fidelity of EDR alerts and events
- Correlation of EDR alerts and events with the entire attack surface
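To make the last two points concrete, here is an added Python example (not code from this page or from any XDR product). It assumes two fictional EDR feeds, `vendor_a` and `vendor_b`, each with its own alert shape and severity scale, normalizes them into one schema with vendor-specific handling, then groups alerts on the same host inside a time window into a single scored incident. Every alert below is constructed sample data, and the severity mappings and scoring weights are illustrative assumptions.

```python
"""Added example: per-vendor normalization of EDR alerts followed by
host/time-window correlation. All vendor formats and alerts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alerts. vendor_a reports severity as a 1-10 integer and an
# upper-case short hostname; vendor_b reports a severity word and a lower-case
# FQDN. Neither shape describes a real product.
RAW_ALERTS = [
    {"source": "vendor_a", "host": "WS-042", "sev": 8,
     "ts": "2024-03-01T10:00:05Z", "rule": "credential_dump"},
    {"source": "vendor_a", "host": "WS-042", "sev": 3,
     "ts": "2024-03-01T10:00:40Z", "rule": "suspicious_powershell"},
    {"source": "vendor_b", "hostname": "ws-042.corp.example", "severity": "High",
     "event_time": "2024-03-01T10:01:10Z", "detection": "LSASS access"},
    {"source": "vendor_b", "hostname": "db-07.corp.example", "severity": "Low",
     "event_time": "2024-03-01T11:30:00Z", "detection": "Unsigned binary"},
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_vendor_a(alert):
    """vendor_a: numeric severity scaled to 0..1, hostname lower-cased."""
    return {"host": alert["host"].lower(), "severity": alert["sev"] / 10.0,
            "time": _parse_ts(alert["ts"]), "title": alert["rule"], "source": "vendor_a"}


def normalize_vendor_b(alert):
    """vendor_b: word severity mapped to 0..1 (assumed scale), FQDN shortened."""
    scale = {"Low": 0.2, "Medium": 0.5, "High": 0.8, "Critical": 1.0}
    return {"host": alert["hostname"].split(".")[0], "severity": scale[alert["severity"]],
            "time": _parse_ts(alert["event_time"]), "title": alert["detection"],
            "source": "vendor_b"}


# Dispatch table: the "different handling per EDR" lives here, not in the correlator.
NORMALIZERS = {"vendor_a": normalize_vendor_a, "vendor_b": normalize_vendor_b}


def normalize(raw_alerts):
    return [NORMALIZERS[a["source"]](a) for a in raw_alerts]


def _summarize(host, group):
    """One incident per host/window; score is the max severity, boosted when
    more than one EDR source independently fired on the same host."""
    sources = {a["source"] for a in group}
    score = max(a["severity"] for a in group)
    if len(sources) > 1:
        score = min(1.0, score + 0.1 * (len(sources) - 1))
    return {"host": host, "start": group[0]["time"], "end": group[-1]["time"],
            "sources": sorted(sources), "alerts": [a["title"] for a in group],
            "score": round(score, 2)}


def correlate(alerts, window=timedelta(minutes=5)):
    """Group normalized alerts by host; alerts within `window` of the first
    alert in a group belong to the same incident."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, items in by_host.items():
        group = []
        for alert in items:
            if group and alert["time"] - group[0]["time"] > window:
                incidents.append(_summarize(host, group))
                group = []
            group.append(alert)
        if group:
            incidents.append(_summarize(host, group))
    return incidents


if __name__ == "__main__":
    for incident in correlate(normalize(RAW_ALERTS)):
        print(incident["host"], incident["score"], incident["sources"], incident["alerts"])
```

The point of the dispatch table is that the correlator never sees vendor quirks; adding a third EDR means writing one more normalizer, not touching the grouping or scoring logic. The multi-source boost is where fidelity improves: a single low-severity alert stays low, while independent agreement from two agents on one host is surfaced first.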
Ultimately, this strategy can deliver high fidelity detections with low noise. If you think abstractly about the data, there should be different handling of events and alerts based on which EDR the telemetry is coming from. As we survey EDRs, we see three data crunching paths likely to be needed:
Ideally, you want to be able to leverage any combination of EDRs to reduce false positives, find high priority alerts faster, respond more quickly, and eliminate vendor lock-in for you and your customers. If you are interested in learning more, please reach out: [email protected].