
Not All Endpoint Security Solutions Are Created Equal

Endpoint security solutions are becoming wildly popular as critical vulnerabilities skyrocket year over year, with nearly 3,000 vulnerabilities published every month.

Tools and services once primarily reserved for large-scale operations with deep pockets are now widely available to small and medium-sized businesses at a more affordable rate. Yet, as more businesses adopt these products, a clear disconnect has emerged between how they’re marketed and how they truly function.

Businesses often assume they can buy any brand or version, install it, and immediately be more secure. In reality, not all endpoint security solutions are created equal.

With the increased adoption rate of these tools and services, Coalition Incident Response (CIR)* has observed an uptick in cases in which cyber attacks impact businesses with endpoint security in place, most often due to misconfiguration, inadequate permissions granted, or misinterpretation of what they purchased.

Below, we’ll explore what’s exacerbating this problem, common issues with endpoint security solutions, and what to look for when purchasing a new product or service.

Knowing the difference: EDR vs XDR vs MDR

While these endpoint security solutions can vary greatly, here’s a high-level overview to help you understand them:

  • Endpoint detection and response (EDR) is the baseline tool. An agent on each endpoint (workstations, servers, and mobile devices, physical or virtual) records process, file, and network activity, raises alerts on suspicious behavior, and provides response actions such as killing a process or isolating the host from the network.

  • Extended detection and response (XDR) builds on EDR by correlating endpoint telemetry with other layers of your security stack, such as email, identity, network, cloud, and internet of things (IoT) devices and applications, so that a single investigation can follow an attack across them.

  • Managed detection and response (MDR) is a managed security service that combines EDR or XDR with a team that responds to threats in real time.

Here at Coalition, we have dedicated analysts who provide 24/7 monitoring. Coalition MDR offers a range of services, including real-time threat detection, 30-minute average response times to incidents, continuous monitoring, threat intelligence, and proactive threat hunting to ensure your business is always protected.

Understanding the differences between each is critical when selecting what’s right for your business, especially because these products may also have different licenses or tiering systems. 

For example, many out-of-the-box EDR tools are intentionally basic. They typically require a significant amount of configuration, incentivizing businesses to purchase additional licenses or higher-tiered products.

Similarly, purchasing an MDR service doesn’t automatically mean you have the support of a dedicated team that’s watching your business like a security operations center (SOC). We've encountered many policyholders and managed service providers (MSPs) that believe a “team” is monitoring their networks when, in reality, these teams not only have dozens of other tasks but also primarily do IT work.

Who’s responsible for EDR configuration?

Time and again, we see businesses that may not fully comprehend the endpoint security solution they’ve purchased. 

CIR recently handled a case in which a business was using an EDR tool that provided very few alerts. The internal team tasked with monitoring alerts noticed something suspicious and requested logs from the EDR provider. However, before the business could investigate the matter, it experienced a full-blown ransomware attack.

After the attack, CIR examined the business’ network and was immediately able to identify the malicious file, raising the question of why it went undetected by the EDR tool.

Cases like these prompt conversations around how the EDR tool was configured. Technology providers typically assert that, if suspicious activity goes undetected, the blame lies with whomever configured the tool. 

Who’s tasked with responding to alerts?

Businesses that recognize the need for a managed service can still be left holding the bag if they haven’t procured the proper licenses.

CIR has handled three recent cases in which businesses had purchased an EDR tool but only held licenses for it to operate in “alert mode.” The EDR tool observed possible exploitation and escalated alerts to the businesses, but it did not have permission to isolate hosts or otherwise take action on the business’ behalf. Each instance ended in a full-fledged encryption event.

In each case, the business was hit with a different ransomware variant. They all had networks of different sizes and worked with different MSPs. The only commonality was the EDR provider.

Who’s to blame for the communication breakdown?

The easy answer is to blame the technology providers. Some EDR tools could do a much better job of blocking out of the box. Others suppress too much by default and log only a minimal amount of data unless the customer is paying for additional tiers of service that include MDR.

MSPs are another common scapegoat. We regularly encounter businesses surprised to learn that MSPs have either not configured or misconfigured their EDR tools and failed to carry out their contractual obligations.

But businesses must accept responsibility for their roles in these cases, too.

The truth is that many EDR and XDR products don’t just work out of the box; the onus is on you to ensure they’ve been configured correctly. And if you’re paying for an MDR service, it’s your job to grant the MDR provider enough authority to take action. Otherwise, what’s the point of managed detection and response?

Businesses can assume more responsibility by thinking through these common missteps and asking questions like: 

  • Do I understand the security afforded by the product or service I’m purchasing?

  • Does the tier or license of my purchase match my business’ needs?

  • Does my MDR service provider have enough authority to take action as needed?

  • Can I run a tabletop exercise to determine if my security products are configured properly and if the tools and services meet my expectations?
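The two failure modes described above, an EDR licensed only for “alert mode” and a tool whose configuration nobody has actually tested, can be checked with a simple live-fire exercise rather than a tabletop alone. The script below is an added example written for this page, not Coalition’s or any EDR vendor’s code. It writes the standard EICAR antivirus test file to a directory, watches whether the endpoint agent removes it, and turns the outcome (plus what you then see in the console) into a verdict. It assumes the agent quarantines or deletes a detected file; it only exercises the file-scanning layer, not behavioral detection, and should be run with the MDR provider or SOC forewarned so the alert is not handled as a real incident. The wait time and file name are arbitrary choices.

```python
"""EICAR drop test: is the endpoint agent blocking, alerting only, or blind?

Added example, not the page's or any vendor's code. The EICAR string is the
industry-standard harmless test signature; it is assembled from two halves so
that this source file itself does not trip a scanner.
"""
import os
import sys
import time
from dataclasses import dataclass
from typing import Optional

# The two halves of the 68-byte EICAR test string.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the EICAR test signature as bytes."""
    return "".join(_EICAR_PARTS).encode("ascii")


@dataclass
class DropResult:
    path: str
    removed: bool                      # did the agent delete/quarantine the file?
    seconds_until_removed: Optional[float]


def drop_and_watch(directory: str, timeout: float = 30.0, poll: float = 0.5) -> DropResult:
    """Write the test file into `directory` and poll until it disappears or we time out.

    A prevention-mode agent normally quarantines the file within seconds of the
    write (on-access scan). If it is still there at the deadline we remove it
    ourselves so no test artifact is left behind.
    """
    path = os.path.join(directory, "eicar_edr_check.com")   # name is arbitrary
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        if not os.path.exists(path):
            return DropResult(path, True, time.monotonic() - start)
        time.sleep(poll)
    try:
        os.remove(path)
    except OSError:
        pass  # agent may have quarantined it between the check and the remove
    return DropResult(path, False, None)


def verdict(result: DropResult, alert_in_console: Optional[bool] = None) -> str:
    """Map the observed outcome to one of the three states discussed in the article.

    `alert_in_console` is what the operator sees in the EDR/MDR console after the
    drop: True = an alert fired, False = nothing fired, None = not checked yet.
    """
    if result.removed:
        return f"prevent: file removed after {result.seconds_until_removed:.1f}s"
    if alert_in_console is True:
        return "alert-only: detected but not blocked (license or policy is detect-only)"
    if alert_in_console is False:
        return "blind: no detection at all (no sensor, excluded path, or misconfigured)"
    return "not blocked within timeout: check the console for an alert before concluding"


if __name__ == "__main__":
    # Use a directory the agent actually scans; temp paths are often excluded.
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    outcome = drop_and_watch(target)
    print(verdict(outcome))
```

Run it on a representative workstation and server, not just the machine the MSP set up first. A file that survives the timeout while an alert appears in the console is exactly the “alert mode” licensing problem above; a file that survives with no alert at all means the sensor is missing, the path is excluded, or the policy was never applied, and that is the question to put to whoever configured the tool.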

Technology providers presume that you, as a buyer of these products and services, are making well-informed decisions and have the resources to respond to events appropriately, and their product tiers reflect that assumption. This is how security alerts go unnoticed or unaddressed and end up resulting in cyber attacks.

Why MDR is a superior choice for small businesses

The rising popularity of endpoint security solutions is due, in no small part, to the fact that cyber insurance providers are requiring or even incentivizing their adoption.

Small businesses are at a disadvantage when it comes to protecting against cyber attacks, whether because of resource constraints or the high cost of enterprise security tools. Recognizing this, Coalition recommends MDR as the most effective way for your business to add human expertise and scale its threat detection and response capabilities.

When it comes to MDR, there are three key components: people, process, and technology.

  1. People: Is your MDR service backed by in-house expertise? Are the teams available 24/7 to not only monitor for suspicious activity but also respond quickly as needed?

  2. Process: Does your MDR service adhere to service-level agreements and operate within strict timelines? Are you given an opportunity to review your security logs regularly and ask questions?

  3. Technology: Is your MDR service built upon reliable EDR technology? Are you able to bring your own license for a different EDR technology? Can you customize rules and alerts or extend logging and monitoring of additional data sources?

With MDR, the endpoint security solution is only as good as the people supporting it.

*Coalition Incident Response services provided through Coalition’s affiliate are offered to policyholders as an option via our incident response firm panel.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.