I've spent over 30 years working in cybersecurity, dedicating much of that time to securing various organizations' assets, responding to countless cyber incidents, and uncovering the causes behind the chaos.

This journey has revealed a surprising truth. Breaches don't typically occur because of subpar technology, security controls, or advanced hacking techniques. The real culprit is often the mundane yet critical misconfigurations of security tools that leave organizations vulnerable. Over the past few years, endpoint detection and response (EDR) misconfigurations have been the root cause of numerous breaches.

Deploying a robust EDR solution is crucial for protecting your organization's digital infrastructure. FortiEDR is a powerful tool in this battle, offering real-time protection, detection, and response capabilities. However, the efficiency of any EDR tool is deeply contingent on its correct deployment. Missteps in the deployment and ongoing management processes can nullify its effectiveness and may actively contribute to security vulnerabilities. Below are five common pitfalls organizations face when deploying an EDR solution and tips for avoiding these issues.

Pitfall#1: The Incomplete Deployment

One common oversight is failing to install your EDR collector on all hosts. This lapse can be dire, as unmonitored hosts are often the epicenter of cyber compromises. These vulnerable nodes can serve as the initial breach point, enabling threat actors to establish a stronghold within your network and remain unnoticed. To prevent this, ensure comprehensive coverage by installing collectors on every host across your organization.

With FortiEDR and FortiXDR (extended detection and response), every bundle contains attack surface reduction features like device discovery. These enable users to find unprotected and rogue devices on their networks and push the security client to them. In the case of discovered IoT devices, you can create communication control policies for them to reduce the attack surface, given that an agent can't be pushed to most of these devices.

Pitfall#2: The Neglected Security Policy

Another critical error is neglecting to set your security policy for prevention. Many EDR tools have different policies, and each can be deactivated or activated one at a time. It's not unusual for organizations to disable prevention settings during tuning or testing phases, like in development environments, and forget to re-enable them. This leaves your system in simulation mode. And even though a good EDR solution should still trace and report malicious activity, the solution will not block it. While tracing and reporting provide valuable insights for eradication and remediation, prevention is paramount. Always double-check your security policies to ensure that prevention settings are active post-testing.

Pitfall#3: Alert Apathy

Ignoring or misunderstanding the alerts in your EDR console is akin to disregarding the warning signs on a treacherous road. Continuous monitoring and a thorough understanding of the alerts are vital for early detection and response to threats. Routinely review and analyze these alerts to stay ahead of potential security incidents. One common indication of analyst burnout is the rapid use of exception or exclusion building. (Check out our tips below for managing this challenge in Pitfall#4.)

Many organizations will outsource a part of their security operations to a managed detection and response provider. For example, the FortiGuard Managed Detection and Response Service team performs advanced security operations center duties for customers worldwide. Our in-house team goes beyond basic activities to help organizations conduct threat detection, hunting, and alerting and perform remediation following malicious events. They inform customers of anything suspicious and malicious and do routine reporting. This team also works closely with the Global Incident Response team. If a customer experiences a major incident, our teams can engage immediately to remediate instead of waiting to get third-party support.   

Pitfall#4: The Exception Excess

Broad exceptions and exclusions can severely undermine the effectiveness of even the best EDR solution. Organizations sometimes configure exceptions too generously from the outset. Our advice is to start narrow with exceptions and expand them cautiously, if necessary, during tuning. Typical misconfigurations include:

• Overly permissive settings for potentially unsafe applications (often referred to as "LOLbins")
• Exclusions for critical processes such as 'svchost.exe' or 'rundll32.exe' interacting with sensitive information like 'lsass.exe.'
• Generic allowances for PowerShell scripts rather than restrictions to specific, verified scripts
• Blanket exclusions for command processors like 'cmd.exe' or 'PowerShell.exe'

Tailor exceptions specifically and narrowly to maintain robust security. If you believe an analyst has mistakenly or overused this ability, administrators can review all actions taken by the analysts since they're archived for evaluation. Exceptions and exclusions made by other team members can quickly be reversed.

Pitfall#5: Overlooked Playbooks

Not configuring automatic playbooks or failing to routinely check if security policies and default settings have been altered are two missteps that expose your organization. Administrators should clearly document any changes they make and share additional context regarding associated risks related to deviating from the recommended settings. Regular audits of system changes help maintain accountability and the integrity of your security posture. 

Finally, don't forget about strong authentication controls for your EDR solution. Our recent FortiGuard Incident Response Report shows that more than 60% of all the investigations the FortiGuard IR team helped to resolve involved initial access through valid accounts. This means the threat actor already had the right access to log in to the environment and make exceptions or exclusions to allow their malware tools to run. 

Avoid These Common Mistakes to Optimize Your EDR Solution

Deploying an EDR solution is a strategic step toward fortifying your cyber defenses, but its benefits can only be fully realized through meticulous and correct implementation. Avoiding these common mistakes will optimize your EDR tool's performance and solidify your organization's overall security posture. The key to leveraging any advanced security solution lies in its deployment's precision, its management's rigor, and its checks and balances.

Learn howFortiEDRcan help your organization guard against today's increasingly complex threat landscape.