The traditional defenses against cybercriminals are no longer enough. Small and medium-sized businesses (SMBs) that are successfully exploited by attacks like ransomware can get hit hard. Here are some sobering cybersecurity statistics:
- 300% – the increase in reported cybercrimes since the arrival of Covid-19
- 92.7% – 2021 YoY increase in ransomware attacks
- 59% – the percentage of managed service providers (MSPs) who said that remote work has led to increased ransomware attacks.
Even more troubling for MSPs: their customers are right in the crosshairs of attackers who see SMBs as soft targets. More than 80% of ransomware victims were small businesses in Q4 2021. The impact of an attack can be dire: 60% of small businesses that experience a cyberattack subsequently go out of business.
Time is money for attacked organizations, which enter a race against the clock to eradicate the threat and return to normal operations. The average business interruption for SMBs following a ransomware attack is 20 days, at an average cost of $8,000 per hour of downtime until operations are restored.
EDR: Safeguarding endpoints
These metrics are creating a sense of urgency for SMBs. They are looking to their managed service providers (MSPs) to help protect their endpoints, which now sprawl wider than ever because of the growth of bring-your-own-device (BYOD) and mobile-device use across the workforce. While installing antivirus (AV) on each endpoint used to be sufficient, advanced endpoint threat detection and response (EDR) is now a must to better protect against costly attacks.
EDR’s additional safeguards are needed because MSPs today find themselves in an asymmetrical battle: attackers can strike at any time along any single vector. A threat actor needs only one open door to infiltrate systems, and a vulnerability, human error, or an advanced persistent threat (APT) can all provide that entrée. Attacks can come from several different angles, including endpoints, email, the cloud and the network.
In this scenario the advantage goes to the attacker over their MSP counterpart, who must defend every customer everywhere, against every technique, at every moment.
Cybersecurity frameworks such as NIST, ISO 27001, and COBIT provide MSPs with guidance and best practices to protect their clients’ data. While no single framework is “the best”, they are crucial for MSPs to establish strong policies and procedures, and a cybersecurity must-have.
Drilling down into these frameworks sheds important light on where AV and EDR differ, and why both are now necessary to defend SMB data. The NIST cybersecurity framework, for example, presents risk management for critical infrastructure as a set of interconnected steps: Identify, Protect, Detect, Respond and Recover.
Organizations today are spending 85% of their budget on the “protect” component. This leaves just a small portion to spend on the other four phases, but attitudes around this are changing. There is a growing awareness among MSPs, SMBs, and IT departments that they must shift how they invest in cybersecurity.
The rapid evolution of modern threats has given attackers new ways to bypass endpoint protection. Today’s attackers employ techniques such as:
- Living off the Land – Attackers need not drop malicious programs at all; they dwell unseen by using built-in administrative tools such as the Windows PowerShell command-line interface (CLI) to carry out abnormal activities.
- Staged Malware & Attacks – Individually, each stage of an attack appears benign, but together the stages build up to a debilitating compromise.
- Disabling Endpoint Protection – Many attacks seek to disable AV and defensive tools before dropping their final stage, such as ransomware.
What’s the difference between AV and EDR?
These attack techniques are gaining momentum. That’s why IT professionals today need both AV and EDR, working together, to defend endpoints – but what’s the difference between the two?
Also known as anti-malware, antivirus (AV) is software used to prevent, detect and remove malware. Originally developed to detect and remove computer viruses, for many years AV was the primary means of defending networks against ransomware.
AV tools serve an important role in protecting endpoints from daily cyber threats – they provide the ability to detect and respond to malware on an infected computer. However, because they rely on signature detection, that is, the software’s ability to recognize “known threats”, sophisticated threat actors can bypass AV at will using a variety of attack techniques that standard AV is unable to detect.
Additionally, antivirus software must be updated regularly: if it is not up to date, or if a threat is not yet known, the threat will not be detected. This leaves many MSPs and their customers open to ransomware, fileless malware, credential harvesting, data loss and other cyber-attacks.
Endpoint threat detection and response (EDR)
Meanwhile, endpoint threat detection and response (EDR) is a layered, integrated endpoint security solution that monitors end-user devices continuously. EDR also collects endpoint data and applies rule-based automated responses.
An EDR platform records and remotely stores the system-level behaviors of endpoints, then quickly analyzes those behaviors to detect suspicious activity and provide various response and remediation options.
EDR agents collect and analyze data from endpoints and respond to threats that appear to have bypassed existing antivirus (AV) protections. Even after a response, they continue to analyze, detect, investigate and report, alerting your security team to any further potential threats.
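To make the AV/EDR distinction concrete, here is an added Python example (not from the original article or any vendor product) that contrasts a hash-signature check with behavioural rules run over constructed process telemetry mirroring the techniques listed above: an Office document spawning PowerShell with an encoded command, and a later stage stopping an AV service, scored as one staged chain with a rule-based automated response. The process image names, the `ExampleAVService` name, the event fields and the rule thresholds are assumptions for illustration.

```python
import hashlib
import re
from collections import namedtuple

# Constructed "known" sample: AV-style detection keys only on hashes it has already seen.
KNOWN_BAD = b"constructed-ransomware-stub-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def av_signature_match(file_bytes: bytes) -> bool:
    """Flags a file only if its hash is already in the signature set; any altered copy slips through."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# One process-creation record as an EDR agent might log it (field set is constructed).
ProcEvent = namedtuple("ProcEvent", "pid ppid parent image cmdline")
# Constructed telemetry: a macro document spawns PowerShell, which then tries to stop a
# hypothetical AV service; pid 200 is ordinary admin use of PowerShell and must not fire.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "winword.exe", "winword.exe invoice.docm"),
    ProcEvent(101, 100, "winword.exe", "powershell.exe", "powershell.exe -w hidden -enc QQBCAEMA"),
    ProcEvent(102, 101, "powershell.exe", "powershell.exe", "powershell.exe Stop-Service ExampleAVService"),
    ProcEvent(200, 1, "explorer.exe", "powershell.exe", "powershell.exe Get-Date"),
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
AV_SERVICES = {"exampleavservice"}  # hypothetical AV service name, lower-cased
# Behavioural rules: each looks at what a process did, never at a file hash.
RULES = {
    "office_spawns_powershell": lambda e: e.parent in OFFICE and e.image == "powershell.exe",
    "powershell_encoded_command": lambda e: e.image == "powershell.exe"
        and re.search(r"-enc(odedcommand)?\b", e.cmdline, re.I) is not None,
    "av_service_tamper": lambda e: (m := re.search(r"stop-service\s+(\S+)", e.cmdline, re.I))
        is not None and m.group(1).lower() in AV_SERVICES,
}

def edr_triage(events):
    """Return (rule hits per pid, score per process chain, automated actions per chain root)."""
    parent = {e.pid: e.ppid for e in events}
    hits = {e.pid: fired for e in events if (fired := [n for n, p in RULES.items() if p(e)])}
    score, actions = {}, {}
    for pid, fired in hits.items():
        root = pid
        while parent[root] in parent:  # walk up to the root of this process chain
            root = parent[root]
        score[root] = score.get(root, 0) + len(fired)
        if score[root] >= 2:  # staged attack: stages harmless alone add up on one chain
            actions.setdefault(root, set()).add("kill_process_tree")
        if "av_service_tamper" in fired:  # tampering with defenses escalates the response
            actions.setdefault(root, set()).add("isolate_host")
    return hits, score, actions
```

Note that the benign PowerShell session (pid 200) produces no hits, while the chain rooted at the Word process accumulates three rule hits and two automated actions even though no file hash was ever matched.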
How to choose the best EDR for MSPs
MSPs need EDR more than ever. However, the vast majority of EDR solutions are not made to fit their needs, and instead have been designed for enterprise use. These tools are often expensive, complex, and require a highly trained security team to manage them.
Help is arriving in the form of advanced new solutions created especially for MSPs. Using these tools, MSPs can improve their security posture while expanding the security offerings for the SMBs they protect. When selecting the best EDR for your MSP practice, you should ask the following questions:
- Is it easy to use and manage?
- Does it combat alert fatigue by enabling me to focus on the most important alerts?
- Can I quickly remediate problems that arise?
- How does it integrate with the other IT tools that I use, like RMM and managed SOC?
- Does it offer quality tech support?
- Is it cost-effective?
Other key features to evaluate in an EDR solution are its strengths in cyber-attack prevention, continuous monitoring and recording capabilities, rapid breach detection, automated response, and integrated threat defense.
Taken together, the right capabilities and feature set bring the cybersecurity advantage back to MSPs. Expertly informed alerts and response functions can guide your team through the remediation process with detailed recommendations, so you can address threats without needing a highly trained security team on staff.
Don’t stop at AV to protect client endpoints. The additional security of EDR keeps MSPs and their customers ahead of advanced threats. Contact us today to see how we can help you with an Endpoint Detection solution.
This article was first published at: