Alex - stock.adobe.com
EDR testing: How to validate EDR tools
Cutting through an EDR tool's marketing hype is difficult. Ask vendors questions, and conduct testing before buying a tool to determine if it solves your organization's pain points.
Endpoint detection and response is a key cyberdefense tool against malware that targets endpoint devices. Having an effective EDR tool that detects and remediates malware quickly is crucial. With so many EDR options on the market, it's important to conduct EDR testing before adopting one.
Let's examine what to consider when evaluating EDR products and how to validate an EDR tool to ensure it works as intended.
Questions to ask before buying an EDR tool
When assessing an EDR tool, it's important to ensure it is suitable to an organization's environment. First and foremost, an organization must determine if the EDR product effectively blocks the cyberattacks that target its endpoints. It can be difficult to cut through vendor marketing hype to get to the core of whether an EDR tool can perform its primary roles: stopping malware and enabling the security team to rapidly isolate infected devices.
Additional checks include the following:
- Compatibility. Is the EDR tool deployable to all endpoints, including older ones? Many organizations have legacy devices that might not be able to support EDR agents and, therefore, could become targets of an attack if left unprotected. Does the vendor have an agentless option available?
- Integration. Security teams cannot operate effectively if they must manage and monitor disconnected systems. Ensure the EDR tool integrates with other security tools.
- Cost. Does the EDR agent provide sufficient value beyond the security tools the organization has already deployed?
- Usability. Can security teams interpret events the EDR tool reports and then respond accurately and rapidly?
How to validate EDR tools
The best way to ensure an EDR product will be effective in an organization is to test it -- ideally, before signing a contract with an EDR provider -- in a test environment that mimics the endpoints the organization uses. Tests can be conducted internally by experts within the organization or externally by a third party with experience in EDR evasion techniques.
When testing, put the EDR tool through its paces. Start with malware samples that should be simple for the EDR tool to detect, and then gradually increase test complexity and use evasion techniques designed to disguise malware.
Tests should also perform actions on endpoints that an EDR product should flag, such as attempting to list all domain admins or running suspicious PowerShell commands.
Note how the EDR agent reports these events and what automatic actions are taken, and compare these to what is known about the malware sample used. Many successful attacks on organizations occur when EDR agents report a certain action, but the security team misinterprets the severity of the event and does not respond appropriately.
After putting an EDR tool through a variety of tests, it's time to make a decision. If the tool worked as expected, move on to the next purchasing step. If it didn't meet expectations, continue evaluating and testing tools. It might seem onerous, but it's worth knowing how effective an EDR tool is before adopting it.
After deployment, security teams should periodically conduct EDR tests to ensure the tool continues to detect and mitigate attacks, especially as malicious actors create new and more sophisticated malware samples.
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.
