Twice a month, Antigen CEO Steven Legg is joined by Antigen’s Tim De Block for a podcast in which they discuss all matters relating to cyber liability insurance and the security controls organizations need in order to be insurance-ready. When you miss an episode, just visit our YouTube page to see the original recordings!
While you are waiting for the next episode to drop, here’s an excerpt from one of our September episodes, in which Steven and Tim are discussing End-Point Detection and Response, and everything that comes with it. Both the video version and text version are below. Be sure to subscribe if you found the information to be helpful!
Timothy De Block (Host): Welcome, everyone, to the Antigen Cyber Podcast. I’m Timothy De Block, Director of Advisory Services at Antigen. With me, as always, is Steven Legg, the CEO of Antigen Security. Steven, how are you?
Steven Legg (CEO): Hey, doing well, Tim. How are you?
Timothy: Pretty good. Second episode, and they say that reaching seven episodes significantly increases the chances of the podcast lasting. So, if we don’t make it to seven, we’re done. But I’m confident we’ll get there. My last podcast went to seven, took a two-year break, and then picked up for another 150 episodes. Quite a journey. Today, we’re diving into multi-factor authentication, or MFA. Steven, what is MFA?
Steven: MFA, or multi-factor authentication, is an access control method that goes beyond traditional username and password authentication. It adds an extra layer of security to mitigate risks of fraudulent authentication and identity theft specific to credentials and access.
Timothy: Alright, and why is MFA important?
Steven: The reason MFA is crucial is that, without it, you lack visibility into what’s happening on your endpoints from a cyber risk or security perspective. Without knowing, you might miss malicious actions, leading to a compromise without any indication that something has occurred.
Timothy: That makes sense. I’ve encountered questions about why another antivirus (AV) solution didn’t catch a threat. Could you elaborate on that?
Steven: Certainly. Traditional AV solutions operate on signatures, looking for specific things. However, threat actors have evolved, employing different techniques and tactics, making behavioral-based detection more critical. Some newer threats are designed to evade traditional methods, making them harder to detect.
Timothy: Right, so what are the benefits of Endpoint Detection and Response (EDR) over traditional AV?
Steven: EDR, particularly in real-time monitoring, offers deep visibility into various threats or activities on endpoints. It’s highly extensible, providing detailed breakdowns, from a security operations center (SOC) analyst level to instant response and forensic activities. EDR goes beyond traditional AV’s limited outcomes by offering more capabilities to detect, contain, and respond to threats effectively.
Timothy: I’ve heard people refer to EDR as “mini SOCs.” It seems like EDR has broader use cases beyond threat actors. What are your thoughts?
Steven: Absolutely. EDR can assist in troubleshooting applications, handling software issues, and addressing lost devices. The ability to lock down an endpoint, especially in the case of a lost laptop, adds significant value. EDR’s capacity to detect, contain, and prevent incidents makes it versatile for various scenarios.
Timothy: So, who should have EDR? Is it for all organizations, including smaller businesses?
Steven: Yes, every business, regardless of size, should have EDR. Even smaller businesses can leverage managed service providers to access enterprise-level tools at an affordable price point. EDR is foundational for system protection and essential in managing cyber risks on endpoints.
Timothy: And where is EDR typically deployed?
Steven: EDR is deployed on endpoints running operating systems like Windows, Linux, or macOS. While there are specialized EDRs for embedded operating systems in operational technology environments, traditional computing environments are prime targets.
Timothy: Does EDR extend to mobile devices or IoT?
Steven: While some Mobile Device Management (MDM) solutions incorporate elements of EDR, there isn’t a consistent central point for mobile EDR yet. Security for mobile devices is evolving, but EDR’s primary focus remains on traditional endpoints.
Timothy: Share your experience with EDR deployment.
Steven: EDR deployment is generally straightforward, leveraging tools like remote monitoring and management. While most deployments are seamless, there can be challenges in environments lacking certain tools. It’s essential to recognize that EDR, like any security software, requires ongoing maintenance.
Timothy: Deployment sounds promising. I recall my initial experience replacing antivirus with EDR, and it was pleasantly smooth.
Steven: Absolutely, the lightweight agents and the availability of deployment tools contribute to a positive experience.
Timothy: With the concept of XDR (Extended Detection and Response) emerging, what’s your take on the next evolution of the EDR space?
Steven: XDR integrates a traditional Security Information and Event Management (SIEM) into the Managed Detection and Response (MDR) ecosystem. The next evolution involves getting closer to the sources of telemetry data. However, true XDR solutions will likely become more prevalent, offering a centralized, resilient logging source for enriched detections across various technologies.
Timothy: So, is XDR more of a concept than an actual product?
Steven: It’s a concept that defines how go-to-market strategies differentiate between tools. Practically, the focus should be on evaluating each tool’s impact on cyber risk and understanding how effectively it prevents incidents.
Timothy: Where do you see the EDR space heading in the future?
Steven: I predict MDR solutions will aim to get closer to telemetry sources. Meanwhile, true XDR solutions will emerge, solving challenges related to integrated management and providing a holistic approach to security operations.
Timothy: Setting requirements and finding what fits the specific use case seems crucial when choosing an EDR solution.
Steven: Absolutely. Budget considerations, detection capabilities, retention of telemetry data, and integration with other tools are vital criteria to assess when selecting an EDR solution.
Timothy: Any final thoughts?
Steven: EDR is crucial; it’s a foundational control. Businesses, regardless of size, need it, especially as cyber insurance carriers recognize its importance. It’s like putting locks on your doors – a necessary step for awareness and security.
Timothy: Well said. Thanks for joining me, Steven, for this insightful discussion on Endpoint Detection and Response.