
By: Stephanie Hurd on October 23rd, 2020


What Is Endpoint Detection and Response, and Does My Business Need It?


It seems like some company is always trying to push you toward a new cybersecurity solution that your business just has to have to protect against data breaches and cyberattacks. You’ve already invested in cyber liability insurance, backup and disaster recovery solutions, anti-virus programs, and firewalls.

At this point, it feels like new security products serve no other purpose than to profit from your worst fears of a cyberattack or data breach destroying your business.

You’re right to avoid the snake oil salesman claiming his latest and greatest cybersecurity solution is everything you’ll ever need to protect your business from [ransomware, virus, or insert cyberthreat flavor of the month here]. That doesn’t change the fact that cyberthreats are very real and can cause severe damage to your business.

New cyberthreats are popping up every day. To protect your business at even the most basic level, regularly re-evaluating and upgrading your security strategies is critical, but there is no one-size-fits-all solution.

Endpoint detection and response (EDR) is a new(ish) cybersecurity solution, at least in the small to mid-sized business market, that you might want to consider as a possible addition to your cybersecurity toolkit.

As a managed service provider, Innovative is responsible for supporting and implementing the best technology strategies and solutions for our clients’ businesses.

Lately, we’re more frequently recommending our clients (and most any business) consider adding an endpoint detection and response (EDR) solution to their security stack.

Yes, we do sell (and profit from) backup and disaster recovery solutions, anti-virus, firewalls, and many other security solutions (including an EDR product). But not all solutions are right for all businesses, and we don’t take our position as advocates for sound IT strategies lightly.


We recommend solutions only when they’ll do one of two things (and often both):

  1. Improve your profitability through access to data or increased efficiency.
  2. Mitigate an identified risk to your business.

So, to help you figure out if an EDR solution might do one, or possibly both of those things for your business, I sat down with Innovative’s Vice President of Operations, Tyler Snyder. We talked about what endpoint detection and response (EDR) is and how to know if it could benefit your business. Here is a summary of his answers.

What Is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) is a next-generation anti-virus and anti-malware tool. It includes the same virus/malware detection and prevention as traditional anti-virus software, plus advanced detection, communication, and remediation features that allow it to go far beyond traditional anti-virus.

Like anti-virus software, EDR solutions identify and prevent any known threats. But they go several steps farther than your traditional anti-virus software.

  • EDR endpoints identify suspicious-looking changes to the device’s operating files even when the changes don’t exactly match a known threat. This identification process allows the tool to adapt more quickly to rapidly evolving cyberthreats vs. traditional anti-virus.
  • If an infection does get through, EDR can communicate with other endpoints and let them know about the threat. The other endpoints can adapt and lock themselves down in real-time, shrinking the damage a cyberthreat can do on the network.
  • EDR endpoints also take regular snapshots of the device so that you can roll back the clock to restore the device to a point in time before the infection.

What Business Problems Does EDR Solve?

Endpoint detection and response (EDR) significantly reduces downtime when a cyberthreat hits.

Incident prevention is the ideal goal for any cybersecurity strategy. But the likelihood of your business experiencing a cyberattack or breach increases by the day. Forty-three percent of all cyberattacks target small businesses, and half of all small businesses experienced a cyber breach in 2019. Those statistics skyrocketed in 2020 when the pandemic hit.

EDR is a layer of protection that assumes it’s not a matter of if you get infected; it’s when!

Depending on your other backup and recovery solutions, remediation of a cyberattack takes days or even weeks. Plus, downtime from a cyberattack often impacts every user in your organization.

An EDR solution can limit the attack to just one device, which means it only impacts one user’s productivity instead of all users.

Plus, it gets that one user up and running significantly faster (as little as one hour compared to the eight hours that it traditionally takes to fully re-image and re-integrate a device).

Let’s compare the costs of recovery to your business. Remember, these numbers are one example using generic averages. Real-life recovery scenarios vary drastically depending on your specific infrastructure, the type of attack, and your other security solutions.

Small Business Scenario 1

Small business has anti-virus on all devices (no EDR), and file-based cloud backup on the server. One computer gets infected with ransomware.

Number of computers: 10

Number of servers: 1

Amount of data: 1TB

  • A malware threat gets past the anti-virus and encrypts data on the server.
  • Users notify the IT team about the threat due to a ransom message on the initially infected device and other users who cannot access files on the network.
  • The IT team removes the originally infected device from the network to stop the spread.
  • At this point, one machine is unusable, and all server data is encrypted (including email if it is hosted on this server).
  • The IT team remotely or manually kicks off secondary anti-virus scans on other workstations to ensure they removed the threat.
  • The IT team deletes all encrypted data off the server and begins restoring from the cloud backup solution. Depending on the amount of data and internet speeds, this process can take multiple days for 1TB of data. The IT team works in parallel to wipe the infected workstation, reload the entire operating system, and re-integrate the device into the organization’s network.

ORGANIZATION-WIDE DOWNTIME: 1-2 weeks

COSTS: $30,000 to $60,000 (generous estimate based on the scenario below)

  • Ten employees, average $30,000 annual salary = $5,800 to $11,500 in wages while down
  • $125/hour tech support for one to two-week recovery = $5,000 to $10,000 in recovery costs
    (Note: This calculation assumes a tech works eight hours per day, Monday thru Friday. In reality, techs work around the clock on a system-wide outage, and this type of recovery still takes a week or more.)
  • $1 million annual revenue = $19,000 to $38,000 in lost revenue during one to two-week downtime

NOTE: Recovery costs increase significantly in this scenario because the server is encrypted, and file-based backups cannot recover the entire server (operating system, files, databases, etc.) as one whole piece. File-based backups are designed to recover the occasional deleted file. Restoring an entire server from a file-based backup involves re-installing the operating system, restoring each file individually, and rebuilding databases, file hierarchies, applications, and access controls.

Small Business Scenario 2

Small business has anti-virus on all devices (no EDR), and image-based hybrid (local and offsite storage) backup on the server. One computer gets infected with ransomware.

Number of computers: 10

Number of servers: 1

Amount of data: 1TB

  • A malware threat gets past the anti-virus and encrypts data on the server.
  • Users notify the IT team about the threat due to a ransom message on the initially infected device and other users who cannot access files on the network.
  • The IT team removes the originally infected device from the network to stop the spread.
  • At this point, one machine is unusable, and all server data is encrypted (including email if it is hosted on this server).
  • The IT team remotely or manually kicks off secondary anti-virus scans on other workstations to ensure they removed the threat.
  • The IT team deletes the infected server and spins up the recovered server locally on the original client hardware or on the cloud backup hardware. The IT team works in parallel to wipe the infected workstation, reload the entire operating system, and re-integrate the device into the client network.
  • If the IT team spun up the server on the backup device, they wait for a maintenance window (e.g., an evening or weekend when no one needs to access data on the server) and put the server back on its original hardware.

ORGANIZATION-WIDE DOWNTIME: 1-2 days

COSTS: $6,000 to $12,000 (generous estimate based on the scenario below)

  • Ten employees, average $30,000 annual salary = $1,200 to $2,300 in wages while down
  • $125/hour tech support for one to two-day recovery = $1,000 to $2,000
    (Note: This calculation assumes a tech works eight hours per day. In reality, techs work around the clock on a system-wide outage, and this type of recovery still takes a day or more.)
  • $1 million annual revenue = $3,800 to $7,700 in lost revenue during one to two-day downtime

Small Business Scenario 3

Small business has endpoint detection and response (EDR) on all devices, and image-based hybrid (local/offsite storage) backup on the server. One computer gets infected with ransomware.

Number of computers: 10

Number of servers: 1

Amount of data: 1TB

  • A malware threat gets past EDR on one device. The EDR endpoint communicates in real-time to other endpoints to stop the spread and lock down the original machine.
  • The IT team identifies the infected device via an automated alert or from end-users contacting them about their locked-down devices.
  • The IT team performs a manual check over the network to ensure the threat is contained and performs a ransomware rollback to undo the ransomware changes made to the infected computer.

ORGANIZATION-WIDE DOWNTIME: none

USER DOWNTIME: 1 hour

COSTS: $188 (based on the scenario below)

  • One employee, average $30,000 annual salary = less than $15 in lost wages while down
  • $125/hour tech support recovery = $125
  • $1 million annual revenue, assuming ten employees contribute equally to revenue generation = $48 in lost revenue

What Types of Businesses Benefit Most From an EDR?

Any good business person will tell you to find your niche, that no one product or service can ever be everything to everyone. So, when Tyler first answered this question and said, “all businesses can benefit from an EDR solution,” I pushed him to be a little more specific.

Surely, some businesses are a better fit for an EDR solution than others, right?

As a technology advocate, it’s difficult for Tyler to say that some businesses can’t benefit from EDR. Still, he did concede that some types of organizations should prioritize it more than others.

Adopting an endpoint detection and response solution should be a top priority for healthcare, financial services, and any business with compliance regulations that legally require guaranteed data access and uptime.

Beyond those heavily regulated industries, he clarified that any organization that values uptime and data protection should consider an EDR solution.

Here’s a good gut check – how much heartburn would you have if an employee were sitting and playing Candy Crush on their phone for hours while their computer was re-imaged? Are there other equally productive things that employee could do to contribute to the bottom line until the computer is back online? Or, does that thought trigger a pit in your stomach as you imagine hundreds of dollars flying out the window while your employee sits there and does nothing all day?

If you chose the second answer (the pit in your stomach/hundreds of dollars flying out the window), you’re a good candidate for an EDR solution.

How Is EDR Different From Other Cybersecurity Solutions?

A comprehensive cybersecurity strategy includes several layers of protection. Your security solution stack must address technical and human vulnerabilities in ways that prevent, identify, and remediate attacks.

Below is a chart of the most common security solutions small to mid-sized businesses consider. This chart is not a comprehensive list of available security solutions. This list is an example combination of solutions intended to show you where an EDR fits in an overall strategy.

 

Human

  • Prevention: Security Awareness Program; Security Policies & Procedures; Password Policies & Single Sign-On
  • Identification: Security Awareness Program; Security Policies & Procedures
  • Remediation: Incident Response Policy & Procedures; Cyber Liability Insurance

Technical

  • Prevention: Firewall; Multi-Factor Authentication; Penetration Testing; Anti-Virus OR EDR
  • Identification: Anti-Virus OR EDR; Intrusion Detection
  • Remediation: EDR; Backup & Disaster Recovery

 

An EDR solution replaces your traditional anti-virus software, but Tyler explained that you see the real power of EDR solutions when an attack happens. We showed both anti-virus and EDR in the chart above to demonstrate that anti-virus software is only a threat identification and prevention tool. EDR is a threat identification, prevention, and remediation solution.

EDR vs. Backup and Disaster Recovery Solutions

Backup and disaster recovery (BDR) is a more comprehensive recovery solution than EDR. It is necessary to address both recovery after a cyberattack and recovery from hardware and human error (which is the most common reason for recovery).

The difference with EDR is that it is device-specific. A BDR solution only helps you recover from an attack or outage at the server level. If only one computer is affected (which is more likely the case with an EDR solution), EDR allows your IT team to quickly (usually within an hour) restore that computer to a point in time before the attack. Without an EDR, even when only one device is affected, your IT team must re-image that device (which could take up to 8 hours).

Think about the average office worker earning a $50,000 annual salary. If that one employee’s computer is unavailable for just one day, that’s nearly $200 in lost wages, not to mention the wages of the tech working on the device.

How to Choose an EDR Solution

There is a variety of comparable endpoint detection and response solutions on the market. Innovative managed services clients can add Malwarebytes Endpoint Detection and Response to the solutions we manage for you.

We’ll get to why Innovative chose the Malwarebytes solution in a minute.

If you’re evaluating EDR solutions for your organization, here are the top things to consider:

  • Rollback – can the solution quickly and easily roll back the device to a point in time before the attack?
  • Incident response – how detailed of a report can the solution provide? Will it identify a root cause for the breach? (Note: Cyber insurance companies often require a documented root cause analysis to process claims.)

Why Did Innovative Choose Malwarebytes EDR?

Malwarebytes has been in our tech tool bag for several years. Their reputation in the IT industry is second to none when it comes to anti-malware software. Most importantly, we already use and have seen success with Malwarebytes remediation tools when a client does experience a significant malware infection.

We couldn’t previously offer clients the solution because Malwarebytes historically geared their business solutions toward larger enterprises purchasing large numbers of licenses once each year. As an MSP, our clients need to renew and purchase smaller quantities of licenses any time throughout the year, and that option wasn’t available.

This year, Malwarebytes began offering subscriptions that align with the managed service provider model. With this transition, adopting their solution was a no-brainer for us.

What Is the Cost of an EDR Solution?

Endpoint detection and response solutions cost, on average, around $5 to $10 per month, per device.

For reference, Innovative clients currently pay $8 or less per month per device for Malwarebytes Endpoint Protection and Response.

With traditional anti-virus solutions costing businesses between $1 and $5 per month per device, the increase is minimal for most companies looking to transition from their existing anti-virus solution to an EDR solution.

As with most subscription services, the more devices you have, the less you’ll pay per device for an EDR solution.

That’s all, folks.

Like any IT solution, we could have pumped this article full of technical jargon and explained in minute detail how an EDR works. But frankly, those details make even my eyes start to glaze over. At the end of the day, what matters for your business is a tech strategy that lets you keep doing what you do. That’s where endpoint detection and response comes into play.

An EDR solution can mean the difference between a network-wide outage and one employee inconvenienced for an hour, all for an extra few dollars per device per month.
