Dec 8, 2021
Paul-Arthur Jonville
Endpoints are among the most vulnerable loose ends in an organization; unfortunately, these weak points multiply at an unprecedented pace.
Whether it is the growth of Bring Your Own Device (BYOD), the trend toward remote working, or the rapid spread of IoT, you rely on more and more endpoints as your company grows and as your employees work from any location. EDR, SOAR, NDR... how do we tackle the challenge?
This is why the need to protect those loose ends properly arose. Endpoint Detection and Response (EDR) tools emerged as a solution. These tools give security teams visibility where most companies are usually blind.
However, as much as an EDR on its own can improve your company's protection, it often falls short. To ensure maximum efficiency, one must combine EDR with Security Orchestration, Automation, and Response (SOAR). This is what we're going to explain below by answering:
What's an endpoint detection and response tool?
Can a SOAR help to protect endpoints?
Do I need to combine it with a SOAR?
What's an EDR?
An endpoint detection and response tool is a set of technologies and practices whose primary function is detecting and investigating suspicious activity on the endpoints in your organization. These endpoints can be any computer system in your network: laptops, smartphones, or IoT devices. The detection tool installs an agent on each endpoint it wants to monitor. The agent's mission is to gather and organize data collected from this endpoint: this information ranges from logs to performance monitoring and configuration details.
Then, it uses this data to identify abnormal activities and initiate a response, either in a centralized manner (a central system, cloud, or virtual server) or in a decentralized fashion (the client device itself is fully equipped to collect, analyze, and respond).
To summarize, the typical EDR has different roles, divided into information collection, analysis, and threat response. To fulfill these missions, it combines multiple capabilities, such as:
Unification of endpoint data;
Malware detection;
Incident insight;
Monitoring endpoints (online and offline).
In the context of the increasing number of devices described above, SOC (Security operations center) teams tend to have only limited visibility into these increasingly remote endpoints, such as laptops, smartphones, cloud servers, or IoT devices. To protect these, even remotely, an agent is installed on every one of them. This agent's role is to monitor the endpoints and continuously look for suspicious activity.
How does it typically work?
Let's take the case of a centralized EDR. If suspicious activity is detected, the agent sends telemetry to the central management system, which assesses it and automatically sends an alert to the SOC analyst. Then, the analyst has to determine the severity of this alert and confirm whether it is an actual threat or a false positive.
Most advanced solutions provide pattern detection and behavioral analytics capabilities, although they aren't specialized in these functionalities. Following a best-of-breed approach, it makes sense to combine your EDR with other tools that are specialized in such capabilities. This is where the SOAR comes in.
Can a SOAR help enhance endpoint protection?
While EDR is best at detecting threats across endpoints, its first mission is to detect, not to remediate. Also, because it focuses on endpoints, it leaves gaps elsewhere in your network.
In other words, it can't do everything on its own because it's not supposed to. Thus, your company must apply other tools to extend the response capabilities of EDR tools.
Among those, there's a special place for a SOAR tool to deal with threats more extensively. Indeed, SOAR starts where detection stops. We've seen that your SOC uses a detection tool to protect your endpoints and achieve complete visibility on your remote, loose endpoint devices. The SOAR acts as a wrapper around your security stack by continuously ingesting threat data from all security tools, such as your SIEM and your EDR, and automatically feeding essential context back into the detection tool to sharpen its detection capabilities and produce faster and better outcomes.
In this regard, SOAR provides an additional layer of protection, which, combined with the enhanced endpoint security, will greatly strengthen the security posture. Here is how SOAR can improve and optimize the effectiveness of EDR:
Orchestrate immediate response, from detection to remediation: your detection tool alerts the SOC of threats in real time. However, analysts need to handle those threats manually. A SOAR allows analysts to predefine automated playbooks that remediate known threats as soon as they are detected, on every endpoint at once;
Standard operating procedures (SOP): when an alarm is created, an SOP workflow analyzes the threat and reports the information to the analysts, who then decide on the remediation measures;
Artificial intelligence and machine learning: learn from previous threats and use this knowledge to anticipate new ones that rely on similar patterns, and determine remediation measures;
Reduction of false positives and duplicates: automatic and continuous enrichment helps the SOAR separate false positives and duplicate alerts from genuine threats, thus alleviating "alert fatigue" syndrome.
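To make the playbook, SOP and deduplication points concrete, here is an added example (not code from the original post or from any particular vendor): a minimal SOAR-style playbook that deduplicates constructed EDR alerts, enriches them against a constructed threat-intel table, auto-remediates known threats on every affected host, closes known false positives, and escalates unknowns to the analyst SOP. All hostnames, hashes and verdicts are constructed placeholders.

```python
# Added example: a toy SOAR playbook over EDR alerts. Everything below
# (alerts, hashes, intel verdicts) is constructed for illustration.
from collections import Counter

# Constructed EDR alerts: one detection fires on several hosts, and twice on laptop-01.
EDR_ALERTS = [
    {"id": 1, "host": "laptop-01", "process": "update.exe",  "sha256": "AAA"},
    {"id": 2, "host": "laptop-01", "process": "update.exe",  "sha256": "AAA"},  # duplicate
    {"id": 3, "host": "laptop-07", "process": "update.exe",  "sha256": "AAA"},
    {"id": 4, "host": "srv-02",    "process": "backup.exe",  "sha256": "BBB"},
    {"id": 5, "host": "phone-03",  "process": "unknown.bin", "sha256": "CCC"},
]

# Constructed enrichment source standing in for the threat-intel feeds a SOAR queries.
THREAT_INTEL = {"AAA": "malicious", "BBB": "benign"}  # "CCC" is not known

def dedupe(alerts):
    """Collapse alerts with the same (host, sha256) into one, keeping a hit count."""
    seen = {}
    for a in alerts:
        key = (a["host"], a["sha256"])
        if key in seen:
            seen[key]["count"] += 1
        else:
            seen[key] = dict(a, count=1)  # copy so the raw alert list is untouched
    return list(seen.values())

def enrich(alert):
    """Attach the intel verdict; anything not in the table stays 'unknown'."""
    alert["verdict"] = THREAT_INTEL.get(alert["sha256"], "unknown")
    return alert

def decide(alert):
    """Playbook decision: automate known outcomes, hand the rest to the SOP."""
    if alert["verdict"] == "malicious":
        return ("isolate_host", alert["host"])       # predefined remediation
    if alert["verdict"] == "benign":
        return ("close_false_positive", alert["host"])
    return ("escalate_to_analyst", alert["host"])    # analyst decides per SOP

def run_playbook(alerts):
    """Return per-host actions, a summary, and indicators to feed back to the EDR."""
    enriched = [enrich(a) for a in dedupe(alerts)]
    actions = [decide(a) for a in enriched]
    feedback = sorted({a["sha256"] for a in enriched if a["verdict"] == "malicious"})
    return actions, Counter(action for action, _ in actions), feedback
```

The feedback list is what a SOAR would push back into the EDR as a block rule, so the next occurrence is stopped at the endpoint without an analyst round trip.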
EDR and SOAR: do you have to combine them?
First, context. As the number of interconnected devices grows, you experience more and more security alerts. Right now, a SOC can encounter tens of thousands of threats daily. A SOC can build an incident response plan to handle incidents more thoroughly. Still, relying exclusively on an endpoint detection tool can leave analysts overwhelmed and more and more alerts untreated.
The security stack, composed of different tools, often lacks semantic awareness. However, given the evolving nature and diversity of attacks, it has to be continuously connected and integrated to keep up with its environment.
As a result, unless you choose to afford an all-in-one solution, you risk losing quality and freedom of action. Your future SOC has to combine EDR and SOAR solutions to ensure a strong level of defense for your company.
Overall, the EDR is naturally the best way to protect your endpoints. However, it needs to be combined with another technology to work best. Otherwise, your first risk is relying on manual labor or inadequate functionalities to handle incident detection and remediation. Second, you risk lacking connectivity across your tool stack, which limits your ability to enrich alerts and distinguish false positives from real threats, or lets some of them pass through your defenses.
This is where SOAR acts as your automatic remediation tool, helping you handle most basic incidents, which involve repetitive tasks and are often prone to errors and false positives. It also serves as your connective link, filling in the gaps between the different tools in your security architecture. Moreover, it enriches each of them, primarily your endpoint detection tool. The result is more precise detection and faster end-to-end handling.