Specialty Podcast: Endpoint Detection & Response

Intro (00:00):
You're listening to the Alliance Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Bobby Horn (00:09):
Welcome back to another Alliant Specialty Podcast. My name is Bobby Horn, I'm the practice leader here at Alliant Insurance Services within the Alliant Management & Professional Solutions Group. Today's podcast, we're going to be discussing endpoint protection platforms and specifically endpoint detection response and managed detection response platforms. With us today is Michael Cowley from Kroll. Michael's the Senior Vice President of Cyber Risk and Head of Solution Engineering. Welcome, Michael. Thank you for joining us.

Michael Cowley (00:33):
Thank you very much for having me on the podcast today. Greatly appreciated.

Bobby Horn (00:36):
Michael, can you just give us a little bit of an overview of exactly what endpoint protection platforms mean and then additionally, what is the difference between an EDR platform and an MDR platform?

Michael Cowley (00:48):
So, the main difference between endpoint detection response platforms - so EDR platforms and managed detection and response platforms, so MDR platforms, is really what they're looking to achieve. So, EDR is a technology and MDR is a service. So EDR being the technology, it’s just one of the three major technology sets that businesses can leverage in order to provide monitoring of their environments. So, in addition to EDR, it's probably worth mentioning, you've got SIEM - so security, incident, and event management tools, and you've also got NDR, which is network detection and response tools. And then EDR, endpoint detection and response tools, is that tool that's really focused on getting deep visibility into your endpoints within your environment. So, when we say endpoints, generally what we mean is anything that can be managed, anything you can install an agent on. So that might be a user's workstation, it might be a company server, or it could even be a VDR environment.

So, a virtual desktop environment that you're running and offering out to users. So EDR is a technology platform and it's a way of getting visibility into your endpoints. MDR, so managed detection and response, is a service first and foremost. A MDR service can include one or many of the technologies I just mentioned. So, an MDR service can include endpoint detection and response tools, or it could also include SIEM or network detection and response tools or include many. So, it can include one or many of those tools I've just mentioned. And as a service concept, what managed detection and response aims to provide is just that. So, it's managed detection and a managed response capability for a company.

Bobby Horn (02:41):
Thank you, Michael, for that distinction, it's really good to understand a difference between the two. I guess very high level, you know, why is it important for companies to have endpoint protection platform in place, specifically EDR and MDR, right? Understanding that EDR is the technology, and MDR is the managed service part. Why is it important for companies to type of place?

Michael Cowley (03:00):
So, I'd say that there’s kind of two major reasons. So, from a technology perspective, prevention is always better than cure. So, what happens with many of the EDR tools that you'll find today, they have two core functionalities about them. So, the first function is what we refer to is kind of heuristics behavior analytics. So, it's a way of detecting malware type attacks on an endpoint. And then normally you'll also have an ability to kill those malicious processes before they can do harm to a system. So, from a technology perspective, prevention is better than cure, right? If you can have safeguards in place to stop malicious activity happening on an endpoint in the first place before an attack can get a foothold, before they can exfiltrate data, then it's better to prevent than it is to cure. And then from a cure perspective, another core functionality that EDR tools typically provide is the response capabilities. So, this is doing things like forensics investigation on an affected endpoint, killing malicious processes, you know, banning hashes, which effectively means banning an application or a malicious application from running on any endpoint that's covered. And then taking other types of activity like isolation of endpoints from the network. So, an infected system can't go and infect systems on the same network as itself.

Bobby Horn (04:21):
That's great. No, that's good stuff. In your experience and not to put in the spot, I mean, how often are you seeing clients that don't have EDR or MDR in place, compared to those that that do. Obviously, I have to imagine that those companies don't have it are much more dire straits than those that do with respect to ransomware.

Michael Cowley (04:40):
Yeah, that's a really great question. So yeah, specifically when it comes to ransomware, which is - which is the type of attack that affects the endpoints and, really, where we see companies suffer the most is those companies that don't already have tools in place or platforms in place to protect them, right? So, some clients or some companies that we work with just are unaware that this tool sets out there, that it's a feature they can leverage, and you know, when it comes to kind of bang for buck or value of investment, it really does represent a great, great value investment for companies. And then we also meet other more mature companies who have sadly been breached despite having EDR tools. And more often than not, the reason that that's happened is because they have an ineffective rollout of that EDR tool. So just to give a bit of flavor for that, what I mean is companies sadly recognize the need for EDR, they see the value in it, they procure EDR for the company, but then for whatever reason, they don't manage to roll it out to all of their endpoints or you know, they roll it out in just detection mode rather than prevention mode and then they just become aware that they've been breached without actually preventing it in the first place.

Michael Cowley (05:51):
Or sadly, sometimes companies that do roll it out, it provides the protections, but they don't… they don't actually have the skill set or the teams in the back end of the organization to actually support the running and maintenance of those tools. And that, I guess relates to one of the questions you asked earlier around MDR and where's the value in that? It's one thing to have the tool in place, but I guess the other piece of the pie is actually having the right skill sets, the right expertise to actually leverage the tools to gain that advantage over the adversary. We often talk in technology about this concept of people, process and technologies needing to work in harmony to actually get the most out of an investment, and that's certainly the case with EDR and MDR.

Bobby Horn (06:34):
Yeah, it's a great distinction because I think in my experience on the broker side, we have certainly seen clients kind of check the box in the application process when we go out to market with carriers, and they check off that they have EDR. But I think we're starting to see more and more, on the underwriting side, much more specific questions. Well, what is your endpoint protection? How much is it deployed on your, on a percentage basis across all endpoints? Whereas it was just kind of a yes or no question a year ago. Now we're seeing a lot more details to the question. So, a company may only have EDR deployed on 75% of their endpoints. Well then, the question is, well, which endpoints are not being monitored? So, it's really important point that you bring up that it's not enough to just have it in place, you need to actually have it fully deployed. Is there, as far as implementing an endpoint protection platform, whether it's the technology or the service, is it one company that does it? Is it multiple companies? I mean, you mentioned a SIM 27 stock, so I mean is that typically one specific software platform that you can deploy or is its multiple kind of software applications that you're using?

Michael Cowley (07:32):
Yeah, really great question. There are many, many platforms out there for both EDR and the SIEM and network detection response, MDR for that matter. And you know, as a company, Kroll leverages many different platforms, right? So, we have multiple different EDR tools that we'll use. We have multiple different SIEM tools that will use. And kind of the lengthy answer, well the short answer to the lengthy answer is there is no one perfect fit. There are some major players, major vendors in the EDR space and in the SIEM space and there's obviously front runners who, you know, are recognized by your analysts like Gartner, like Forrester as being leaders of the pack. But despite how those leaders look, we'll always say that actually the right technology choice for a client's environment often depends on the type of environment they're looking to cover, the risks that that individual organization has and are trying to mitigate. And then the features, the functionalities that they're looking for, and then the way it's going to interact with existing tools or existing systems that are already in place. And then again, thinking about the people and the process element you can integrate from a technology perspective, but then how can you enable your users, enable your business processes to leverage that tool and get the most out of it. So, deciding on which tool is the right tool is often a little bit more nuanced than just picking the front leader.

Bobby Horn (08:52):
Yeah. So, in other words, it's, you know, not all providers are created equal and it's important to do your due diligence in investigating not only the right fit for your company, but you know, make sure that you're getting the most out of each provider, whether it's EDR, MDR or whomever. So, it's not just something you can just buy subscription to and ask your IT folks to deploy it. There's a lot more that goes on behind the scenes that is needed to insure is being addressed and looked after.

Michael Cowley (09:16):
Yeah, exactly. There are independent bodies out there. If you've heard of MITRE Engenuity, they're an independent body that actually go and look to evaluate the various technology tools from a real-world experience perspective. So, if you're not familiar with MITRE Engenuity, then I'd, I'd really encourage people to look that up. But then as I kind of alluded to earlier, it's not just about the car and how fast it drives, it's actually about the driver. And another key part is actually having the right skillset to get the most out of that tool so that the talk can operate at peak efficiency.

Bobby Horn (09:48):
So, Michael, what would you say is the expectation from, you know, insurability standpoint, you know, for clients to take out and utilize an EDR tool?

Michael Cowley (09:58):
So, I think insurers are becoming much more mature in their approach to insuring companies, now. If we go back just a couple of years, the expectation from insurers was that clients would have AV installed, in instant response scenarios, actually, whether or not the AV was installed wasn't something that was always tracked necessarily as part of the initial response. These days, what we're actually seeing though is, as you alluded to earlier, insurers are actually being a lot more prescriptive as to what companies need to have in place, specifically stipulating next generation antivirus tools, which is the heuristics behavior-based capabilities that can identify far less attacks as well as EDR, so endpoint detection and response technologies that, that we mentioned earlier. The reason that they're coming with more stringent requirements is really in the context of where you see the average number of days before breach detection.

Michael Cowley (10:55):
So, if you look at some of the recent statistics, they will tell you that the average number of days to detect a breach in your average organization is 287 days. That's known as dwell time, so time between initial infection and identification. And in 287 days, a lot can be achieved by an adversary in an environment. And really what insurers are looking to do by putting in place these rules or these guidelines around types of tools that need to be in place, is to really minimize that dwell time and as a result, minimize the impact that breaches are having on organizations and the amount of damage or collateral that that's causing.

Bobby Horn (11:34):
Yeah, that's really interesting and I think that actually coincides with a lot what we're seeing on the brokerage side and the move to third party IT providers and a lot of that is being driven by the carriers themselves, right? The requirements that they're putting on their policyholders to have certain controls in place, otherwise they're going to be without coverage. I mean, I can tell you from experience that, you know, without EDR, at a minimum, without having an EDR tool in place, you're very likely to have either a sub limited amount of coverage for ransomware attacks or no coverage at all. I think that our clients have recognized that there's a need to get these types of controls in place and they're recognizing that maybe they don't have the expertise in house to do that. That's why you're seeing a shift to third party providers. So, it's, it's a really interesting comment you made. Well, I'd like to thank Michael Cowley once again for joining us. I really appreciate his time and expertise in this area. If you'd like more information on this, you can visit us at www.Alliant.com. Thank you.