The traditional network perimeter has been on a slow and steady decline since the advent of mobile computing and smartphones \u2013 and the COVID-19 pandemic has hastened the perimeter\u2019s demise. Without the predictable and logical network boundaries to guide security practices, security teams have had to shift their posture away from perimeter protections like firewalls, and toward endpoint detection and response (EDR).The challenge is figuring out how to get the most out of EDR investments, since there is a downside to deploying them \u2013 for example, the solutions can generate unexpectedly high volumes of alerts if they\u2019re not carefully tuned and refined. But when carefully customized, EDR solutions have tremendous value for organizations working to increase visibility into security systems. Follow these five steps to ensure you\u2019ll see the best possible ROI for your EDR.Build relationships inside and outside of cybersecurity and IT departmentsIf your security team collects insights from all departments, it stands a better chance of fully understanding what \u201cnormal\u201d looks like \u2013 and in the process, identifying malicious activity with higher fidelity. Take this scenario for example: The development team creates a script that automates part of their job. When they run the script, the EDR solution identifies the file as malicious. If the security team is in close touch with the people who are part of this process, they\u2019ll know the purpose of the script, and can approve the file name and process in a watchlist \u2013 or approve the hash or file path in a policy.Apply a standardized tuning methodology to reduce false positivesThe tuning methodology is essential for gaining insights about the security environment \u2013 for example, how often alerts fire and what they\u2019re firing on. The steps in the tuning lifecycle include event identification, which is done by turning the feed on to see what\u2019s firing; an auditing stage, which helps shed light on the normal good environment versus the abnormal one; and proposed tuning, where teams decide which alerts should continue to fire, perhaps for gathering metrics.Measure visibility coverage of EDR and across the security tech stack At this stage, the security team should track tuning changes to measure visibility improvements, which can help show ROI for the EDR solution. Choose a framework that's relevant to your industry. A good starting point is MITRE ATT&CK\u2122, which provides evaluations on how different technologies identify techniques used by threat actors. Tracking MITRE coverage is a great\u00a0foundational starting point to understand what coverage you already have\u00a0with\u00a0the EDR\u2019s\u00a0out-of-box detection content.\u00a0\u00a0Close visibility gaps through a research and development cycleAfter identifying gaps in visibility, security teams can create new alerts to close those gaps. A good starting point is to conduct research via the community forums for particular EDR solutions, including:Carbon Black: carbonblack.comSentinelOne: sentinelone.comCrowdStrike: crowdstrike.comApply automation to low-brain tasksHigh-repetition, low-brain tasks are well-suited to automation, which can remove these tasks from security team workloads. The automation found in EDR solutions adds value to security teams by speeding up processes such as remediation, as well as banning hashes and pulling files. Security teams should agree on which automations would reduce the greatest amount of time, risk, and effort, while also increasing quality and efficiency.EDR solutions offer unparalleled visibility into infrastructure, even down to application and user levels. They can also break down barriers among siloed environments. The key is spending time with the tips above to make sure your EDR solution is operating at maximum effectiveness.Chris Weckerly, vice president, security operations, is passionate about helping ReliaQuest customers achieve predictable security outcomes. Chris brings years of experience as a security analyst and SOC leader with the U.S. Government and ReliaQuest, has deep understanding of SIEM, EDR and SOAR technologies, and has been critical in defining requirements for\u00a0ReliaQuest GreyMatter, the company\u2019s unified platform for threat detection, investigation and response. Leveraging GreyMatter, he and his team help customers reduce up to 89% of the noise in their environments to reduce risk and mature their security operations programs.