Follow these five steps to get the best possible ROI on your endpoint detection and response solution.

The traditional network perimeter has been on a slow and steady decline since the advent of mobile computing and smartphones – and the COVID-19 pandemic has hastened the perimeter’s demise. Without predictable and logical network boundaries to guide security practices, security teams have had to shift their posture away from perimeter protections like firewalls and toward endpoint detection and response (EDR).

The challenge is figuring out how to get the most out of EDR investments, since deploying them has a downside – for example, the solutions can generate unexpectedly high volumes of alerts if they’re not carefully tuned and refined. But when carefully customized, EDR solutions have tremendous value for organizations working to increase visibility into security systems. Follow these five steps to ensure you’ll see the best possible ROI for your EDR.

Build relationships inside and outside of cybersecurity and IT departments

If your security team collects insights from all departments, it stands a better chance of fully understanding what “normal” looks like – and, in the process, of identifying malicious activity with higher fidelity. Take this scenario for example: the development team creates a script that automates part of their job. When they run the script, the EDR solution flags the file as malicious. If the security team is in close touch with the people who are part of this process, they’ll know the purpose of the script and can approve the file name and process in a watchlist – or approve the hash or file path in a policy.

Apply a standardized tuning methodology to reduce false positives

The tuning methodology is essential for gaining insights about the security environment – for example, how often alerts fire and what they’re firing on.
The steps in the tuning lifecycle include event identification, which is done by turning the feed on to see what’s firing; an auditing stage, which helps distinguish the normal, known-good environment from the abnormal one; and proposed tuning, where teams decide which alerts should continue to fire, perhaps for gathering metrics.

Measure visibility coverage of EDR and across the security tech stack

At this stage, the security team should track tuning changes to measure visibility improvements, which can help show ROI for the EDR solution. Choose a framework that’s relevant to your industry. A good starting point is MITRE ATT&CK™, which provides evaluations of how different technologies identify techniques used by threat actors. Tracking MITRE ATT&CK coverage is a good foundational starting point for understanding what coverage you already have with the EDR’s out-of-the-box detection content.

Close visibility gaps through a research and development cycle

After identifying gaps in visibility, security teams can create new alerts to close those gaps. A good starting point is to conduct research via the community forums for particular EDR solutions, including:

Carbon Black: carbonblack.com
SentinelOne: sentinelone.com
CrowdStrike: crowdstrike.com

Apply automation to low-brain tasks

High-repetition, low-brain tasks are well suited to automation, which can remove them from security team workloads. The automation found in EDR solutions adds value to security teams by speeding up processes such as remediation, banning hashes, and pulling files. Security teams should agree on which automations would save the most time, risk, and effort while also increasing quality and efficiency.

EDR solutions offer unparalleled visibility into infrastructure, even down to the application and user levels. They can also break down barriers among siloed environments.
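The watchlist approval, tuning lifecycle and coverage measurement described in the steps above, as an added example that is not from the article or from any EDR vendor's product: the alert field names, the sample script and the alerts are constructed, and the ATT&CK technique ids are real but assigned here for illustration.

```python
import hashlib
from collections import Counter
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known good" automation script, approved after talking to the dev team.
DEV_SCRIPT = b"import shutil\nshutil.copytree('build', 'out', dirs_exist_ok=True)\n"
# Watchlist: approve by hash (strict) or by path + process name (looser), as the article describes.
WATCHLIST = {
    "hashes": {sha256_hex(DEV_SCRIPT)},
    "paths": {("C:\\dev\\tools\\deploy.py", "python.exe")},
}

# Constructed EDR alerts; field names are assumptions, not any vendor's schema.
ALERTS = [
    {"host": "dev01", "process": "python.exe", "path": "C:\\dev\\tools\\deploy.py",
     "sha256": sha256_hex(DEV_SCRIPT), "technique": "T1059.006"},
    {"host": "dev02", "process": "python.exe", "path": "C:\\dev\\tools\\deploy.py",
     "sha256": sha256_hex(b"edited copy of deploy.py"), "technique": "T1059.006"},
    {"host": "hr03", "process": "powershell.exe", "path": "C:\\Users\\hr\\AppData\\Local\\Temp\\x.ps1",
     "sha256": sha256_hex(b"unknown script"), "technique": "T1059.001"},
    {"host": "fin01", "process": "rundll32.exe", "path": "C:\\Windows\\System32\\rundll32.exe",
     "sha256": sha256_hex(b"rundll32"), "technique": "T1218.011"},
]

def approval_reason(alert, watchlist):
    # Return 'hash' or 'path' if the alert matches an approved entry, else None.
    if alert["sha256"] in watchlist["hashes"]:
        return "hash"
    if (alert["path"], alert["process"]) in watchlist["paths"]:
        return "path"
    return None

def tune(alerts, watchlist):
    # Proposed-tuning stage: split alerts into those still firing and those suppressed.
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if approval_reason(a, watchlist) else kept).append(a)
    return kept, suppressed

def noise_reduction_pct(alerts, watchlist):
    _, suppressed = tune(alerts, watchlist)
    return round(100.0 * len(suppressed) / len(alerts), 1)

def suppression_reasons(alerts, watchlist):
    # Audit stage: how many suppressions rest on a hash rule vs. a path rule.
    return Counter(filter(None, (approval_reason(a, watchlist) for a in alerts)))

def technique_coverage(alerts):
    # Coverage step: which ATT&CK technique ids the given alerts still give visibility on.
    return Counter(a["technique"] for a in alerts)
```

Note the second alert: an edited copy of the script is suppressed only because the path-plus-process rule matches, which is why approving by hash is the stricter choice and why the audit stage should count how many suppressions rest on each rule type.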
The key is spending time with the tips above to make sure your EDR solution is operating at maximum effectiveness.

Chris Weckerly, vice president, security operations, is passionate about helping ReliaQuest customers achieve predictable security outcomes. Chris brings years of experience as a security analyst and SOC leader with the U.S. Government and ReliaQuest, has a deep understanding of SIEM, EDR and SOAR technologies, and has been critical in defining requirements for ReliaQuest GreyMatter, the company’s unified platform for threat detection, investigation and response. Leveraging GreyMatter, he and his team help customers reduce up to 89% of the noise in their environments to reduce risk and mature their security operations programs.