
EDR SOAR: improve the efficiency of endpoint protection

Paul-Arthur Jonville

I think everybody can agree that endpoints are among the most vulnerable loose ends in your company. Unfortunately, you also know that these weak points are multiplying at an unprecedented pace.

Whether it is the growth of Bring Your Own Device (BYOD) at work, the trend toward remote working, or the boom in IoT, you are relying on more and more endpoints as your company grows and as your employees work from ever more varied locations. EDR, SOAR, NDR… how do you tackle the challenge?

Hence the need to protect those loose ends properly. Endpoint Detection and Response (EDR) tools emerged as a solution: they give security teams visibility where most companies are usually blind.

However, as much as an EDR improves your company's protection on its own, it often falls short on effectiveness. To get the most out of it, you should combine EDR with a Security Orchestration, Automation, and Response (SOAR) platform. This is what we explain below by answering:

  • What’s an endpoint detection and response tool?
  • Can a SOAR help to protect endpoints?
  • Do I need to combine it with a SOAR?

What’s an EDR?

An endpoint detection and response tool is a set of technologies and practices whose primary function is to detect and investigate suspicious activity on the endpoints in your organization. These endpoints can be any computer system in your network: laptops, smartphones, or IoT devices. The detection tool installs an agent on each endpoint it monitors. The agent's mission is to gather and organize data collected from that endpoint; this information ranges from logs to performance monitoring and configuration details.

The tool then uses this data to identify abnormal activity and initiate a response, either in a centralized manner (a central system, cloud, or virtual server) or in a decentralized fashion (the client device itself is fully equipped to collect, analyze, and respond).

To sum up, a typical EDR has two roles: information collection and analysis, and threat response. To fulfill these two missions, it combines multiple capabilities such as:

  • Unification of endpoint data;
  • Malware detection;
  • Incident insight;
  • Monitoring endpoints (online and offline).

In the context of the growing number of devices described above, SOC (Security Operations Center) teams tend to have only limited visibility into these increasingly remote endpoints: laptops, smartphones, cloud servers, or IoT devices. To protect them, even remotely, the EDR installs an agent on every one of them. This agent's role is to monitor the endpoint and continuously look for suspicious activity.

How does it typically work?

Let's take the case of a centralized EDR. When suspicious activity is detected, the agent sends telemetry to the central management system, which assesses it and automatically sends an alert to the SOC analyst. The analyst then has to determine the severity of this alert and confirm whether it is an actual threat or a false positive.
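The centralized flow just described, in miniature, as an added Python example that is not code from the original post or from any EDR product: constructed agent telemetry is run through two example console rules (an Office application spawning a script host, and a hash on a blocklist) and turned into a severity-ordered queue, which is where the analyst's manual triage begins. The rule names, hostnames, hashes, and the `KNOWN_BAD_HASHES` blocklist are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed process-creation telemetry, in the shape a centralized EDR
# console receives from its agents. Hostnames and hashes are made-up
# sample values, not real indicators.
TELEMETRY = [
    {"host": "laptop-017", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe invoice.docx", "sha256": "a1" * 32},
    {"host": "laptop-017", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc <omitted>", "sha256": "b2" * 32},
    {"host": "srv-db-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "c3" * 32},
    {"host": "cam-gw-1", "parent": "init", "image": "updater",
     "cmdline": "/tmp/updater", "sha256": "d4" * 32},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Constructed blocklist standing in for the vendor's signature feed.
KNOWN_BAD_HASHES = {"d4" * 32: "sample-iot-dropper"}


@dataclass
class Alert:
    host: str
    rule: str
    severity: int   # 1 (low) .. 4 (critical): the console's initial estimate
    evidence: dict  # the telemetry record that triggered the rule


def detect(event):
    """Central-console rules applied to a single telemetry record.
    Returns zero or more alerts; one event can match several rules."""
    alerts = []
    if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        alerts.append(Alert(event["host"], "office-spawns-script-host", 3, event))
    if event["sha256"] in KNOWN_BAD_HASHES:
        alerts.append(Alert(event["host"], "known-bad-hash", 4, event))
    return alerts


def triage_queue(events):
    """Run every record through the rules and build the queue handed to the
    SOC analyst, most severe first. The analyst's work starts here: confirm
    each alert as a real threat or dismiss it as a false positive."""
    queue = [alert for event in events for alert in detect(event)]
    queue.sort(key=lambda a: a.severity, reverse=True)
    return queue


if __name__ == "__main__":
    for alert in triage_queue(TELEMETRY):
        print(f"[sev {alert.severity}] {alert.host}: {alert.rule} "
              f"<- {alert.evidence['cmdline']}")
```

Note that the benign `svchost.exe` record produces nothing, which is the point of rule-based detection at the console: the agent ships everything, and the central system decides what deserves an analyst's attention.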

Now, most advanced solutions provide pattern detection and behavioral analytics capabilities, although an EDR is not specialized in these functionalities. Following a best-of-breed approach, it makes sense to combine your EDR with other tools that specialize in such capabilities. This is where the SOAR comes in.

Can a SOAR help to enhance endpoint protection?

While EDR is best at detecting threats across your endpoints, its first mission is to detect, not to remediate. Also, because it focuses on endpoints, it leaves parts of your network unguarded.

In other words, it can't do everything on its own, because it isn't supposed to. Your company therefore has to turn to other tools to extend the security response capabilities of its EDR.

Among those, a SOAR has a special place when it comes to dealing with threats more extensively. Indeed, SOAR starts where detection stops. We've seen that your SOC uses a detection tool to protect your endpoints and gain complete visibility over your remote, loosely attached endpoint devices. The SOAR acts as a wrapper around your security stack: it continuously ingests threat data from all your security tools, such as your SIEM and your EDR, and automatically feeds essential components back into the detection tool to sharpen its detection capabilities and produce faster and better outcomes.

In this regard, SOAR provides an additional layer of protection which, combined with enhanced endpoint security, significantly strengthens your security posture. Here is how SOAR can improve and optimize the effectiveness of EDR:

  • Orchestrate immediate response, from detection to remediation: your detection tool alerts the SOC to threats in real time, but analysts still have to handle those threats manually. A SOAR lets analysts predefine automatic playbooks that remediate known threats as soon as they are detected, on every endpoint at once;
  • Standard operating procedures (SOP): when an alarm is created, an SOP workflow analyzes the threat and reports its findings to the analysts, who then decide on the remediation measures;
  • Artificial intelligence and machine learning: learn from previous threats and use this knowledge to anticipate new ones that rely on similar patterns, and to determine remediation measures;
  • Reduction of false positives and duplicates: automatic and continuous enrichment helps the SOAR distinguish false positives from genuine alerts, thus alleviating the “alert fatigue” syndrome.
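The list above, together with the earlier description of the SOAR ingesting alerts from both the SIEM and the EDR and feeding indicators back into the detection tool, as an added Python example that is not part of the original post or of any vendor's product. It runs a small playbook over constructed alerts: duplicates from different sources are merged, each alert is enriched with reputation and asset context, the playbook decides between automatic containment, escalation, and closing a false positive, and the indicators it contained are collected for the EDR blocklist. The alert fields, the `THREAT_INTEL`, `ASSET_INVENTORY`, and `ALLOWLIST` tables, the action names, and the 300-second window are all assumptions made for this example.

```python
# Constructed alerts as a SOAR would ingest them from the EDR and the SIEM.
# Hostnames and hashes are made-up sample values, not real indicators.
INCOMING = [
    {"src": "edr", "host": "laptop-017", "indicator": "b2" * 32,
     "rule": "office-spawns-script-host", "ts": 100},
    {"src": "siem", "host": "laptop-017", "indicator": "b2" * 32,
     "rule": "proxy-beacon", "ts": 130},            # same host + indicator
    {"src": "edr", "host": "srv-db-02", "indicator": "e5" * 32,
     "rule": "known-bad-hash", "ts": 200},
    {"src": "edr", "host": "build-03", "indicator": "f6" * 32,
     "rule": "unsigned-binary", "ts": 210},
]

# Constructed enrichment sources; a real playbook queries these over APIs.
THREAT_INTEL = {"b2" * 32: "malicious", "e5" * 32: "malicious"}
ASSET_INVENTORY = {"laptop-017": "user", "srv-db-02": "critical",
                   "build-03": "server"}
ALLOWLIST = {"f6" * 32}   # in-house build tooling, a known false-positive source
DEDUP_WINDOW = 300        # seconds within which same host + indicator merge


def deduplicate(alerts):
    """Merge alerts about the same host and indicator that arrive within the
    window, keeping the earliest and recording every source and rule that
    saw it. This is the duplicate reduction from the list above."""
    merged = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for m in merged:
            if (m["host"], m["indicator"]) == (a["host"], a["indicator"]) \
                    and a["ts"] - m["ts"] <= DEDUP_WINDOW:
                m["sources"].append(a["src"])
                m["rules"].append(a["rule"])
                break
        else:
            merged.append({**a, "sources": [a["src"]], "rules": [a["rule"]]})
    return merged


def enrich(alert):
    """Attach reputation and asset context: the automatic enrichment that
    lets the playbook tell false positives from real threats."""
    return {**alert,
            "reputation": THREAT_INTEL.get(alert["indicator"], "unknown"),
            "criticality": ASSET_INVENTORY.get(alert["host"], "unknown"),
            "allowlisted": alert["indicator"] in ALLOWLIST}


def decide(alert):
    """Playbook decision. Containment is automatic only where acting without
    a human is safe (a user endpoint with a confirmed-malicious indicator);
    critical assets are escalated so an analyst decides on remediation,
    matching the SOP item above."""
    if alert["allowlisted"]:
        return "close-false-positive"
    if alert["reputation"] == "malicious":
        if alert["criticality"] == "critical":
            return "escalate-p1"
        return "isolate-host"
    return "open-ticket"


def run_playbook(alerts):
    """Dedupe, enrich, decide, and collect the indicators that were
    auto-contained so they can be pushed back into the EDR's blocklist."""
    actions, feedback = [], set()
    for alert in map(enrich, deduplicate(alerts)):
        action = decide(alert)
        actions.append((alert["host"], action, alert["sources"]))
        if action == "isolate-host":
            feedback.add(alert["indicator"])
    return actions, feedback


if __name__ == "__main__":
    acts, fb = run_playbook(INCOMING)
    for host, action, sources in acts:
        print(f"{host}: {action} (seen by {', '.join(sources)})")
    print("indicators to push to the EDR blocklist:", len(fb))
```

Two design choices matter here. The dedup key is host plus indicator rather than rule name, so the EDR process alert and the SIEM proxy alert about the same binary land on one ticket with both sources listed. And the "isolate" action is gated on asset criticality: automatically cutting a database server off the network can do more damage than the incident, so the playbook hands that case to a person.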

[Image: EDR and SOAR adding up]

EDR SOAR, do you have to combine them?

First, some context. As the number of interconnected devices grows, you experience more and more security alerts. Today, a SOC can encounter tens of thousands of threats daily. A SOC can build an incident response plan to handle incidents more thoroughly, but relying exclusively on an endpoint detection tool can leave it overwhelmed, with more and more alerts left untreated.

The security stack, composed of different tools, often lacks semantic awareness across those tools. Yet, given the evolving nature and diversity of attacks, the security stack has to be continuously connected and wrapped together to face its environment.

As a result, unless you opt for an all-in-one solution, at the risk of losing quality and freedom of action, your future SOC has to combine EDR and SOAR solutions to give your company a strong level of defense.

Overall, the EDR is naturally the best way to protect your endpoints. However, you need to combine it with another technology for it to work at its best. Otherwise, you first risk relying on manual labor or inadequate functionality to handle incident detection and remediation. Second, you risk a lack of connectivity across your tool stack, which in turn limits your ability to enrich your alerts and to separate false positives from real threats, or even lets some of them slip through your defenses.

This is where SOAR acts as your automatic remediation tool, helping you handle the most basic incidents, which involve repetitive tasks and are often prone to errors and false positives. It also serves as your connective link, filling in the gaps between the different tools in your security architecture. Moreover, it enriches each one of them, especially your endpoint detection tool. The result is more precise detection and faster end-to-end handling.