top of page
cyber hacker beagle thinking.jpg
Search

CrowdStrike Outage: Hardening EDR Solutions


IT Beagle

Regardless of whether you are a security professional or a corporate office employee, it is important to understand how crucial an Endpoint Detection and Response (EDR) solution is. However, the proper maintenance and utilization of these expensive solutions to prevent cyber threats are often overlooked.


Customers of CrowdStrike recently experienced an update on Friday, July 19th, 2024, which led to a global tech outage on Windows machines. This resulted to major airlines, banks, and hospitals to not be available for public use. This event serves as a reminder of the significant impact—both positive and negative—that EDR solutions can have. This article will highlight key areas for evaluating and maintaining a security appliance. It is a collection of standards and processes shared within the cybersecurity community. Thank you all for contributing your knowledge and collaborating to learn!



Understanding EDR From a Customer Perspective

If deployed and maintained correctly, an EDR solution can be a fantastic security mechanic to protect an endpoint from cyber risks and threats happening at the endpoint layer. Depending on your corporate environment, EDR solutions sometimes come with a third-party monitoring service, also referred to as a Managed Security Service Provider (MSSP) service. Contracts with these EDR vendors for MSSP can be a great checkbox for cyber insurance, a second set of eyes on alerts, or a way to have someone monitor alerts if your budget cannot provide an internal Cyber Defense program.


When buying an EDR service, salespeople might use buzzwords like "AI" or "XDR." It's important to understand what is needed in a product to ensure getting value for the investment and not be swayed by sales jargon. Below is a table to assist those evaluating an EDR but unsure how to proceed. This table is designed to help build a list of priorities when selecting an EDR solution. It also helps avoid the "shiny tool" syndrome, where there's a temptation to buy the latest cyber protection gadgets without understanding the company's specific cyber needs.



Item

Description

Logging abilities

An EDR solution captures logs for audits (changes made within the console), alerts (alerts created by the application), and agent logs (logs from the EDR agent). Depending on the EDR solution, logs may only be retained for 30 days. By enabling logging to the SIEM, this allows internal control for how long logs can be stored in hot and cold storage.

Exclusion capability

What do exclusions look like for the EDR solution? Consider hash exclusions or file path exclusions. Even with a more layered approach, determine if there is a capability to provide exclusions for a group or specific user?

Grouping and Policies

Can endpoints be categorize to know which ones are high priority or deemed "sensitive"? Examples of this would be the CEO's asset or a server that holds HR data. This can allow better visibility and escalation for these endpoints.

Customer Support and Contact

Review whether the customer support for the vendor is well-praised. Reviews often be found online. It's possible to have a reputable product but poor customer service for answering questions.

MSSP

Does the vendor offer MSSP through their contracts? What is the scope of the MSSP? Consider whether an MSSP is needed to assist in escalating findings, close alerts in the console, and the expected time for them to triage and investigate.

Agent and Console Upgrades

Does the vendor offer release notes for vendor and console upgrades? Consider if this is something that can be receive through. Additionally, are these updates automated, or is this something an internal admin can manage?

MFA/SSO

Does the EDR solution offer a layer of authentication and usability for logging in?

Custom alerts

There will be times when a custom alert is needed to provide additional visibility and monitoring. Does the EDR solution offer this capability, or do they manage their own service? Do they provide a service for writing custom alerts?

Application Privileges

How do permissions work in the console? Does everyone have admin access, or can some users have read-only access? This is important for enforcing a "need-to-know" basis for your EDR solution. Also consider the access their MSSP should have if applicable.

Vendor Training

Does the vendor provide training for anyone using the application? Are there workshops available to help employees become familiar with the application? Having proper training is a good foundation for managing the product effectively.

30-90 Day Trial

If requested, vendors may offer a free beta trial of their product. This is a good opportunity to assess whether the product is usable and compatible with the environment in which it will be deployed.

Vendor Documentation

Is the vendor's documentation usable and easy to navigate? A good place to start is by looking at the log forwarding section or identity access. The documentation should be easy to follow and up to date with the product.


Maintaining an EDR Solution

Buying an EDR is the first step in securing endpoints in your environment, but, like any other security tool, it is not 100% guaranteed to protect or integrate seamlessly with your current technology environment. Even updates can occasionally contain faulty signatures that might detect and block critical business artifacts. Therefore, it is important to understand how to maintain a product that can significantly impact both security and user experience. Below are ten suggestions to consider when managing an EDR solution:


  1. Agent upgrades: Ensure automatic upgrades are disabled for high-profile machines that may impact business revenue or functionality. Establish a test group for agent upgrades and determine how long "testing" should be conducted before deploying to additional smaller batches. This test group could include your security or IT staff. This approach allows for visibility into any issues, such as problematic signatures or system impacts (e.g., high CPU usage).

  2. Whitelist Review: Whitelisting and blacklisting are common features within an EDR application. However, improper whitelisting can lead to a loss of visibility into security risks or threats. Ensure that any whitelists are documented, including what they are, the accepted risk of not alerting on these items, and when the last review was conducted. Reviews of exclusions should occur at least once a year, if not more frequently. This practice helps prevent technical debt and ensures that any outdated exclusions are archived.

  3. Vendor Health Checks: Health checks are valuable when working with a vendor. They ensure that policies, rules, and deployments align with the vendor's recommendations. However, remember that these are only recommendations. The vendor does not operate day-to-day in your corporate environment, so if something might create an impact or does not seem practical, make sure to document these considerations.

  4. User Audit: Identity access should be carefully considered. Review the roles and who has access, as not everyone needs admin privileges to view alerts or information. As a rule of thumb, just as there is an onboarding process, there should also be a process for handling terminations. Remove old accounts or those belonging to individuals who no longer require access upon their departure. Identities should be reviewed at least once a year, if not more frequently.

  5. Inventory Management: Conduct an annual review, or more frequently, of the assets reporting to your application. If the number appears low, ensure that admins have a process in place to receive real-time alerts when an agent hasn't reported to the console within a specified period. Cyber defenders can only protect what they know and can see. An endpoint that fails to report to an EDR poses a risk, as it hampers the ability to fully analyze and protect that asset.

  6. Custom Rule Audit: Custom rules should undergo an annual review process, and proper documentation should be maintained. This helps explain why the rule was created and whether any modifications have been made since it was moved to production. Old rules that are no longer applicable should be retired and documented accordingly.

  7. Documentation: Documentation is crucial. While vendor documentation is valuable, internal documentation is equally important. It helps new personnel managing the application understand how to maintain, mature, and deploy within the EDR tool. Documentation should be accurate, current, and easy to read. For example, if certain configurations are disabled, this should be documented for future reference. The goal of documentation is to ensure that anyone can understand what was done and the purpose of each action.

  8. Onboarding and Continuous Education: Ensure there are proper onboarding instructions for any new EDR administrators within your business. This should include vendor training, permissions, and an overview of day-to-day responsibilities. Vendors often provide new training or free resources to help keep up with emerging threats and technologies.

  9. Roadmaps: Having a roadmap can facilitate setting goals and advancing the maturity of the product. This may include budget considerations for future years, personnel for supporting an initiative, or deployment plans for endpoints in the environment. While roadmaps will vary depending on the environment, they can provide clarity and guidance for the maturity of your security tools.

  10. Alignment With Vendor: Technical Account Managers (TAMs) are a great resource to troubleshoot and ensure the appliance is current to industry standards. Setting up monthly or biweekly meetings is a great way to continue to foster and mature your professional relationship with the vendor.




There is no definitive "guidebook" on how to shop for or maintain a security tool. However, cybersecurity is a collaborative community where we all share knowledge and learn from each other. Look forward to discovering how others in the cybersecurity community support their tools.


Want to write for CyberSpeak Labs LLC? Check the below link for further information: Write For Us! | CyberSpeak Labs LLC



 
 
 

Comments

bottom of page